
Job Seeking Hacker Gets 30 Months In Prison

samzenpus posted more than 2 years ago | from the hire-me-or-else dept.

Crime 271

wiredmikey writes "A hacker who tried to land an IT job at Marriott by hacking into the company's computer systems, and then unwisely extorting the company into hiring him, has been sentenced to 30 months in prison. The hacker started his malicious quest to land a job at Marriott by sending an email to Marriott containing documents taken after hacking into Marriott servers to prove his claim. He then threatened to reveal confidential information he obtained if Marriott did not give him a job in the company's IT department. He was granted a job interview, but little did he know, Marriott worked with the U.S. Secret Service to create a fictitious Marriott employee for use by the Secret Service in an undercover operation to communicate with the hacker. He then was flown in for a face-to-face 'interview' where he admitted more and shared details of how he hacked in. He was then arrested and he pleaded guilty back in November 2011. Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs."

271 comments

lol told (0)

serkit (2358056) | more than 2 years ago | (#38935665)

He sure got told.

Good (5, Insightful)

Viol8 (599362) | more than 2 years ago | (#38935709)

Blackmail is blackmail whatever method is used to carry it out. Thinking that you're some sort of "lee7" hacker doesn't change the rules. Besides which, this guy comes off as an arrogant moron anyway.

Re:Good (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38935725)

Blackmail is blackmail whatever method is used to carry it out. Thinking that you're some sort of "lee7" hacker doesn't change the rules. Besides which, this guy comes off as an arrogant moron anyway.

Hard to blame him. After Obama fucks up the job market so bad and lies about unemployment numbers (people dropping out of the workforce doesn't mean "more jobs" created), some people get desperate. Guess if you're desperate enough prison is a roof over your head and 3 meals a day.

Re:Good (5, Funny)

hamburger lady (218108) | more than 2 years ago | (#38935737)

clearly, this whole thing is obama's fault.

Re:Good (-1)

Anonymous Coward | more than 2 years ago | (#38935807)

Absolutely everything is the current president's fault! You see, the president is the one who makes all the decisions. They make all the laws and their policies always reign supreme.

Therefore, it is Obama's fault.

Re:Good (-1)

Anonymous Coward | more than 2 years ago | (#38935833)

bull this has started because bush was allowing corporations to run themselves how the **** ever they wanted with no oversight. obama just inherited this mess.

Re:Good (1, Funny)

Anonymous Coward | more than 2 years ago | (#38935859)

Wrong, still Obama's fault! Stop living in the past. The economy, cost of tuition, cancer - all Obama's fault, as sayeth the great Lord Limbaugh!

Re:Good (0)

t4ng* (1092951) | more than 2 years ago | (#38935911)

**whoosh**

Re:Good (2, Informative)

Delarth799 (1839672) | more than 2 years ago | (#38936509)

Damn right! He is the president and has access to the magic wand of "make shit instantly happen" and he has yet to use it for anything to help the country out.

Re:Good (0, Offtopic)

Runaway1956 (1322357) | more than 2 years ago | (#38936037)

Uhhhh - yeah. 'Cause the job market, the housing market, nor any other markets tanked until Obama was sworn in to office. Yes, I remember clearly - Bush left everything looking so rosy and cheerful.

Sorry - I tried. It's going to take me about 30 years of senility before I can believe that story.

Re:Good (5, Insightful)

hrvatska (790627) | more than 2 years ago | (#38936081)

The guy is a citizen of Hungary. He did the illegal intrusion and attempted blackmail while in Hungary. He was arrested when he arrived in the US for a 'job interview'. Hungary's economy is more fucked up than the US economy, and they did it all on their own.

Re:Good (0)

Anonymous Coward | more than 2 years ago | (#38936107)

Where is the option for "-1, Retarded"?

Re:Good (0)

Anonymous Coward | more than 2 years ago | (#38936503)

I don't think Obama should feel bad about non-US citizens trying to extort US companies into employment.

Re:Good (0)

EdIII (1114411) | more than 2 years ago | (#38936533)

Guess if you're desperate enough prison is a roof over your head and 3 meals a day

You would have to be pretty desperate to want to get reservations at a "hotel" that offers gang rape in the showers as a service.

Re:Good (5, Interesting)

Adriax (746043) | more than 2 years ago | (#38935867)

I'm guessing Marriott's monetary claims are mostly "It's his fault we have to pay all this money, we wouldn't have to fix anything if he hadn't used those flaws to break in."
He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

Re:Good (4, Insightful)

phantomfive (622387) | more than 2 years ago | (#38936155)

He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

Why do you think this? I couldn't find anything related to it in the article. Do you have some preconceived idea of how companies should act, and then judge them without checking the evidence? That's a serious cognitive bias.

He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

Re:Good (5, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#38936237)

He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

Except that users are part of the system that is being attacked. As Bruce Schneier put it, only amateurs attack machines; professionals target people.

It is true that user training is hard. It is equally true that the system should be resilient to stupid users, just as it should be resilient to malicious users. Spear-phishing and trojans are just a way to get non-malicious users to behave maliciously, and the system should be designed to contain the damage that malicious users can cause. There are a variety of technical measures that can be taken to prevent malicious users from leaking information or otherwise violating the security of the system; a large company should be taking these sorts of measures.

Re:Good (2)

phantomfive (622387) | more than 2 years ago | (#38936413)

Oh yeah? You've discovered a way to prevent spear-phishing attacks from doing damage? Please tell.

Re:Good (4, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#38936511)

I am not going to claim that malicious users can be prevented from doing any damage. All I am saying is that a malicious user's ability to do damage can be restricted in a well designed system. The entire point of MLS systems is to ensure that users cannot leak or alter sensitive information, beyond what is necessary for their job. "Inside jobs" are a problem that has been extensively worked on, and resilience to such attacks is not completely impossible. There are cryptographic approaches to dealing with potentially malicious parties within a given system, which can ensure that security is maintained even if some of the participants are corrupted.

We really do not have to throw our hands in the air and declare spear-phishing to be some kind of ultimate attack that cannot be defended against.

Re:Good (1)

phantomfive (622387) | more than 2 years ago | (#38936635)

Good point. There is always the balance between security and ease of use.

In this case it doesn't look like the guy got much other than a few documents, at least that's all the article mentions, so maybe they do have some protections.

Re:Good (2)

EdIII (1114411) | more than 2 years ago | (#38936603)

He has a point, and so does the other poster. Marriott cannot absolve themselves of all blame here and trumping up enormous costs is kind of a way to shift the expense they should have already been paying to secure their systems. A million dollars is a little overboard. I'm not blaming the victim here either, just saying that it is a little bullshit to pile all those costs on to the hacker afterwards.

As far as preventing trojans being sent to employees you could look at preventing all file transfers over IM, removing all executable attachments on email, all attachments on email that cannot be decompressed, locking out USB drives from connecting, disabling auto-play, etc.

An intercepting proxy and whitelist can also be pretty effective when combined with anti-virus and anti-malware from the workstations.

Now if you mean mitigating damage once the trojan is installed, that is where document management, behavioral analysis, systems that employ data diode techniques, and limited access per employee and workstation can help.

Sure, you could attempt privilege escalation once on the machine, but if all the attacker can get is the user credentials, and the workstation itself cannot be used to obtain suitable credentials to compromise other workstations or servers on the network, then I would call that damage mitigation.

Of course, none of this is foolproof, but you seemed to indicate that it was not possible to prevent it at all.
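
One way to implement the mail-gateway rule from the comment above (strip executable attachments and archives that cannot be decompressed), as an added example that is not part of the thread. The extension list, file names and the sample message are constructed assumptions; only ZIP archives are handled and nested archives are not opened.

```python
import io
import zipfile
import zlib
from email.message import EmailMessage

# Assumed policy list (not from the thread): extensions treated as executable.
BLOCKED_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi", ".ps1"}


def looks_executable(name, head):
    """Match on extension or on PE ('MZ') / ELF magic, so a renamed binary is still caught."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in BLOCKED_EXT or head[:2] == b"MZ" or head[:4] == b"\x7fELF"


def inspect_attachment(name, data):
    """Return the reason an attachment must be removed, or None if it may pass."""
    if looks_executable(name, data):
        return "executable"
    if name.lower().endswith(".zip") or data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # bit 0 = member is encrypted
                        return "archive is encrypted"
                    if info.is_dir():
                        continue
                    with zf.open(info) as member:
                        head = member.read(4)  # magic only; avoids inflating a zip bomb
                    if looks_executable(info.filename, head):
                        return "archive contains executable " + info.filename
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError, zlib.error):
            return "archive cannot be decompressed"
    return None


def sanitize(msg):
    """Drop blocked attachments in place; return [(filename, reason)] for the audit log."""
    removed, keep = [], []
    for part in msg.iter_parts():
        if part.is_attachment():
            name = part.get_filename() or ""
            reason = inspect_attachment(name, part.get_payload(decode=True) or b"")
            if reason:
                removed.append((name, reason))
                continue
        keep.append(part)
    msg.set_payload(keep)
    return removed


def make_zip(member_name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample():
    """Constructed message: two benign attachments and four the policy should strip."""
    msg = EmailMessage()
    msg["Subject"] = "Updated rate sheet"
    msg.set_content("See attached.")

    def attach(name, data):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)

    good_zip = make_zip("notes.txt", b"hello")
    attach("rates.pdf", b"%PDF-1.4 constructed sample")
    attach("report.pdf", b"MZ" + b"\x00" * 62)   # PE magic under a .pdf name
    attach("notes.zip", good_zip)
    attach("broken.zip", good_zip[:20])          # truncated archive
    locked = bytearray(good_zip)
    cd = locked.index(b"PK\x01\x02")             # central directory header
    locked[cd + 8] |= 0x01                       # set the 'encrypted' flag bit
    attach("locked.zip", bytes(locked))
    attach("bundle.zip", make_zip("setup.exe", b"MZ\x90\x00"))
    return msg


if __name__ == "__main__":
    message = build_sample()
    for filename, why in sanitize(message):
        print("removed", filename, "->", why)
    print("kept:", [p.get_filename() for p in message.iter_attachments()])
```
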

Re:Good (1)

phantomfive (622387) | more than 2 years ago | (#38936671)

removing all executable attachments on email, all attachments on email that cannot be decompressed,

Companies that do this drive me crazy.

Really? (3, Insightful)

DRMShill (1157993) | more than 2 years ago | (#38936657)

Do you apply this logic to your own network? Actually let me rephrase that. Do you apply this logic to your own possessions, property and family? Do you believe burglary victims should share part of the blame because they didn't reinforce the glass windows(security flaws) in their homes?

Let's call a horse a horse here. This man was a criminal. He deserved what he got.

Re:Good (0)

Anonymous Coward | more than 2 years ago | (#38936677)

If it is anything like it was a few years ago. His hack probably wasn't that hard...

Hotels are in the business of renting rooms per night. Not IT. They just do not have the people, resources, or will to put in a decent IT infrastructure. IT costs money. These are the same guys who hire most of their cleaning staff from illegal aliens (because they can get them cheap) and look the other way. You think they give a rat's ass if they have military hardened IT infrastructure? Not until they are embarrassed into doing something better.

Yet they have the money to basically throw the book at this dude. What he did was wrong. But they also need to fix their own mess...

Re:Good (1, Interesting)

Glonoinha (587375) | more than 2 years ago | (#38936073)

It's "1337" hacker. Just sayin'.

And seriously, ... the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs. ???
That's got to be the craziest application of 'cop math' I've seen in a non-drug related case ever.

Re:Good (3, Funny)

zwede (1478355) | more than 2 years ago | (#38936297)

It's "1337" hacker. Just sayin'.

And seriously, ... the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs. ???
That's got to be the craziest application of 'cop math' I've seen in a non-drug related case ever.

I guess you haven't seen the 'math' used in file sharing law suits then.

Re:Good (-1)

trout007 (975317) | more than 2 years ago | (#38936075)

I don't see why Blackmail should be illegal. In this case he hacked their system so that is a crime. But the blackmail itself is just a negotiation.

Re:Good (1)

ScentCone (795499) | more than 2 years ago | (#38936365)

But the blackmail itself is just a negotiation.

No, it's extortion. And that is a crime.

Re:Good (2)

JamesP (688957) | more than 2 years ago | (#38936597)

So in this case it's blackemail?

First Post! (-1)

Anonymous Coward | more than 2 years ago | (#38935711)

First Post!

Geez what a moron (5, Funny)

Weaselmancer (533834) | more than 2 years ago | (#38935713)

I mean, if he had access to their network and wanted a job, he should have forged interview and approval emails.

Think outside the box, man.

Re:Geez what a moron (0)

Anonymous Coward | more than 2 years ago | (#38935793)

If it's a large and messy enough company he might be able to sneak himself on the payroll without being detected, but he'd still get caught if he can't disguise the bank account somehow.

Re:Geez what a moron (1)

Intrepid imaginaut (1970940) | more than 2 years ago | (#38935999)

Eh just sneak his bank account onto the list of approved ones surely? This is seriously grounds for an internet Darwin though.

Re:Geez what a moron (5, Interesting)

Weaselmancer (533834) | more than 2 years ago | (#38936153)

Actually I was thinking something similar. In a large enough company communication becomes a real problem. Departments don't really communicate much. If you were to study your target a while and figure out who everyone's superiors are and the like, all it would take is a well-crafted email from some higher-up that says "hey hire this guy" and the odds are the underling wouldn't go back to their boss and say "are you sure?" - they'd just start the paperwork. Large companies are dysfunctional that way. They kind of have to be. The more people in the company the less practical being well informed is.

Re:Geez what a moron (0)

Anonymous Coward | more than 2 years ago | (#38935981)

He could claim entrapment. There are articles every once in a while about some hacker that breaks into somebody's servers, and they're so impressed they recruit him right off.

You'd have to be an idiot to believe things like that, but it doesn't take a lot of brains to cause damage.

Re:Geez what a moron (0)

Anonymous Coward | more than 2 years ago | (#38936135)

He's not American, and may not have even been to the US before he was "tricked" into flying over. He has no rights in the US.

Re:Geez what a moron (5, Informative)

snowgirl (978879) | more than 2 years ago | (#38936201)

He could claim entrapment. There are articles every once in a while about some hacker that breaks into somebody's servers, and they're so impressed they recruit him right off.

You'd have to be an idiot to believe things like that, but it doesn't take a lot of brains to cause damage.

Except no one induced him into breaking the law. The very first contact that he had with Marriott contained proof that he had already committed a crime.

Entrapment only works when the originating idea for the crime came from a police officer, or an agent thereof. (If a cop tells a confidential informant to get a gang to rob a specific store, then that would be entrapment as well.)

Re:Geez what a moron (0)

Anonymous Coward | more than 2 years ago | (#38936145)

I mean, if he had access to their network and wanted a job, he should have forged interview and approval emails.

Think outside the box, man.

hahahah so awesome

Cost them $1Million (5, Insightful)

Bradmont (513167) | more than 2 years ago | (#38935715)

So how much of that $1 million in salaries was spent repairing the security holes, which they should have done anyway?

Re:Cost them $1Million (1)

ohnocitizen (1951674) | more than 2 years ago | (#38935889)

Exactly. Or on the interview/sting itself, and drawing that information out of him? It was a good move for them to make, but some of that reported cost was an intentional and smart investment on Marriott's part rather than a cost.

Re:Cost them $1Million (0)

Anonymous Coward | more than 2 years ago | (#38936113)

Yes, they would have to do that anyway, so it should not be factored into the damages calculation. AND, keep in mind that they will also have to do a pretty heavy audit to look for back doors, deal with potential fallout from compromised customer information, data repair, and so on which they can reasonably attribute to this genius' exploits. In a large enterprise environment, none of this will be cheap or easy, so I would think the claims are somewhere in the ballpark, though padded heavily based on certain assumptions.

Secret Service? (0)

Anonymous Coward | more than 2 years ago | (#38935719)

Why the Secret Service? Since when is the computer infrastructure of a private corporation a matter of national security?

Re:Secret Service? (5, Informative)

PessimysticRaven (1864010) | more than 2 years ago | (#38935733)

Since Cybercrime/computer fraud falls under their jurisdiction. Since about 1983 or '84, I think.

Re:Secret Service? (1)

Nidi62 (1525137) | more than 2 years ago | (#38936033)

Since Cybercrime/computer fraud falls under their jurisdiction. Since about 1983 or '84, I think.

Wow, the movie Hackers actually got something right!

Re:Secret Service? (5, Informative)

betterunixthanunix (980855) | more than 2 years ago | (#38936271)

Moreover, their portrayal of the approach the secret service takes to civil liberties was on the ball. The secret service arrested Craig Neidorf for publishing a document that had been sent to him by someone else in the magazine he edited, Phrack. They also failed to recognize that non-corporations could operate communication services during their raids on bulletin board systems. They searched the backpacks of people at 2600 meetings in the early 90s, regardless of whether those people were suspects in any investigation and without obtaining any search or arrest warrants.

I guess referring to them as the SS would not be too far from the truth...

$400K-$1M seems low (1)

jd2112 (1535857) | more than 2 years ago | (#38935745)

or perhaps I'm just too used to seeing monetary estimates by the Movie and Music industries. For example, the jobs counted as being affected by the entertainment industry as part of the SOPA/PIPA debate included all the employees of the Department of Engraving and Printing. Why you ask? Because they make the $100 bills that the movie and music execs use to snort coke while coming up with the estimates of jobs affected by the movie and music industry. Perfectly logical right?

$1 mil? Seriously? (1)

Anonymous Coward | more than 2 years ago | (#38935747)

While he was wrong (and a total fu*king idiot) to try to blackmail them into hiring him, I'm so tired of seeing these ridiculous and obviously made-up damages.
It seems like every time a cracker gets into *any* system, they always have some stupidly high number in damages.... unless they didn't know about it beforehand or the person isn't found. Then, the damages just happen to be next to nothing (usually)

Re:$1 mil? Seriously? (5, Insightful)

Score Whore (32328) | more than 2 years ago | (#38936177)

Why do you think the damages are made up?

Once the notice comes to IT that they've had a break-in you've got an awful lot of work to do. Much more than just applying a security patch. You've got to figure out what happened and which systems were affected. Which means that even if you have a situation like this where the attacker tells you how they got in, you don't know if they are lying. So you have to do a security survey of every single system on your network to make sure there are no back doors, root kits, or altered data. Just reviewing could readily cost you hundreds to thousands of dollars per system. You may be facing multiple nuke-n-pave situations on your servers (may cost you $5,000 - $10,000/system.) Which means you will be losing data or will have to recreate data. If you have a centralized reservation system they may have to take that down in which case you are idling thousands of workers worldwide as well as losing business during the downtime. That's probably measured in thousands of dollars per minute in costs and losses. You've got to bring in your legal team and executive management so they can determine if non-IT related actions need to be taken (offer your customers identity theft protection?) Who knows how much that is, but it could easily be north of $100,000. Probably you'll be bringing in security experts to review your policies, practices and implementation. A team of four at $250/hr/consultant and you are burning $40,000/week just in consultant fees. Those consultants will be working with your IT staff who will not be doing their normal work, so that's another $5,000 - $10,000/week.

$400,000 - $1,000,000 is an easy number for an IT organization to reach in a large company. A business the size of Marriott may well have a central IT staff numbering between 750 - 1000 people. If they have a particularly efficient team and are on the low end of staffing (750) and have good control of salary ($60,000/yr), they have annual staff costs over $56,000,000. Diverting 10% of those means $108,000/week.

Re:$1 mil? Seriously? (1)

Imrik (148191) | more than 2 years ago | (#38936735)

Except the hacker didn't create the holes in the network, so any costs devoted to finding and fixing them shouldn't be included, only the costs of detecting and fixing the damage itself should be included.

Re:$1 mil? Seriously? (3, Insightful)

ScentCone (795499) | more than 2 years ago | (#38936411)

I'm so tired of seeing these ridiculous and obviously made-up damages

Did you even bother to read the summary, let alone the article? They had a lot of work to do in interacting with the feds in advance of busting this guy in person (he was cracking/extorting from Hungary). This involved many employees, corporate lawyers, etc. You tie up those sorts of man-hours, including the time to gather and preserve an unknown until you're done pile of forensic information from a huge IT footprint at a company that size ... I'm surprised the cost wasn't higher.

What I'm tired of are people who are so vitriolically anti-business in their mindset that they won't even do the mental work of thinking something like this through, lest it take some of the fun out of Complaining About The Man.

How someone can be that smart in hacking.. (4, Insightful)

hcs_$reboot (1536101) | more than 2 years ago | (#38935761)

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills.
"I found a security hole in your systems and may help you to improve this, and your systems globally".

Re:How someone can be that smart in hacking.. (1)

ProfM (91314) | more than 2 years ago | (#38935809)

True, that MAY work, however, I think in today's litigious mindset, he'd be charged with some sort of computer crime, even if he was above-board and with good intentions.

Re:How someone can be that smart in hacking.. (5, Insightful)

artor3 (1344997) | more than 2 years ago | (#38935815)

You haven't met many computer nerds, have you?

Re:How someone can be that smart in hacking.. (1)

couchslug (175151) | more than 2 years ago | (#38936117)

That's why man requires punitive measures to keep order.

Most folks "get it". For those who refuse to get it, a knouting is in order.

Re:How someone can be that smart in hacking.. (5, Insightful)

Dogtanian (588974) | more than 2 years ago | (#38935969)

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills. "I found a security hole in your systems and may help you to improve this, and your systems globally".

No, no, no, no, NO.

You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick- even if you found the hole through innocent means- assume that you hacked or were trying to hack into their system, and act accordingly.

Others still won't care, but will be angry that their shortcomings have been exposed (either the organisation as a whole, or vested interests that hold sway within that organisation, e.g. the crappy IT guy who's just been made to look bad) and that they have to correct them. Under such circumstances you are in danger of them maliciously trying to punish you or get revenge in some manner.

You do *not* risk the second or third happening, regardless of whether informing the company would benefit them. Ideally you'd be able to, but this isn't an ideal world, and you do not put yourself at risk for a benefit that they might not perceive as such. At best, if you need to report this kind of thing, you do it anonymously and/or in a manner that makes it untraceable or at least such that you won't be at risk of retribution.

This is the problem with geeks not understanding that the world does not operate in the logical manner they'd like to think, of assuming that people will behave logically and of not factoring in personal politics, self-interest and inadvertently standing on someone else's toes.

Re:How someone can be that smart in hacking.. (0)

Anonymous Coward | more than 2 years ago | (#38936363)

I dunno. I mean, "here's security holes you have, you should hire me to fix them" is definitely still problematic and could land you in trouble. But I don't see anything provocative about "I noticed you have these security holes; here's the procedure you should take to fix them. BTW I'm looking for work if you could use help." I don't think they have any moral or legal basis for being upset with that.

Re:How someone can be that smart in hacking.. (0)

Anonymous Coward | more than 2 years ago | (#38935997)

That would still come off as blackmail. "I found a security hole in your systems, hire me and I'll fix it. Don't hire me and, well, I found a security hole in your systems ..."

Re:How someone can be that smart in hacking.. (2)

X.25 (255792) | more than 2 years ago | (#38936007)

What makes you think he was smart in hacking?

Re:How someone can be that smart in hacking.. (2, Interesting)

roman_mir (125474) | more than 2 years ago | (#38936035)

He is just not that smart, period. Say you run a company, some schmuck breaks through some web-app and steal some documents and then blackmails you with these documents to get a job? So what does he expect exactly, an actual job from you?

Let me put it this way - I wouldn't call cops on him, I would invite him for an 'interview' and clean his clock.

Re:How someone can be that smart in hacking.. (3, Insightful)

ranpel (1255408) | more than 2 years ago | (#38936039)

Someone can have skills and lack the maturity and wisdom to wield them easily enough. It's more of a willingness to engage in a clearly criminal endeavor with those skills that is relevant. He could just as easily have delivered his findings, suggest they shore up, wish them luck and maybe hint that he's looking for a new gig and if they find themselves in need of someone that can shore up then to feel free to drop a message on this anonymous drop box. Gaining access to information is one thing but using that information quite another. The option this guy chose not only exposed himself rather awkwardly but is one quite deserving of a good stint in jail.

Re:How someone can be that smart in hacking.. (1)

phantomfive (622387) | more than 2 years ago | (#38936199)

His hack doesn't seem to have been that hard, actually. In fact, I'll bet you could do something similar if you are a programmer.

He sent a trojan directly to certain individuals in the company, and got them to open it. Once it's been opened, then you have access to a lot of things.

Re:How someone can be that smart in hacking.. (1)

cluedweasel (832743) | more than 2 years ago | (#38936267)

That's just asking for trouble. A young friend of mine thought of a good way of drumming up business for his business (just him!). He drove around town connecting to open wireless networks at various businesses. He'd then browse to network shares on other computers on that network. Then he'd go into the business, show them what he'd found and offer to fix it for a fee. It doesn't take much imagination to see where this is going. After the 3rd accusation of being a hacker and a blackmailer, he decided it wasn't such a great idea after all. Of course, to this day (and this was 4 years ago), there are still businesses around here, including accountants, healthcare providers and lawyers, with fully open wireless networks connected straight into their main server(s) and desktops.

Re:How someone can be that smart in hacking.. (1)

quantaman (517394) | more than 2 years ago | (#38936679)

Except he didn't really find a hole in their systems. He found he could email some employees malware, trick them into opening it, and now he has a backdoor into the system. Now they could stand to strengthen up their IT policies/employee training a bit, but this isn't like he found a backdoor in their web server, and it's possible the docs he accessed weren't even particularly confidential.

Probably the reason he couldn't arrange an IT job interview with Marriott, and claim good security skills is he didn't have good security skills. Frankly I've come to suspect that 90% of the hacking incidents we hear about are basically script kiddies trying a bit of social engineering. I'm sure there's a few real genuine black hat hackers who are writing the rootkits and malware, but I have a feeling we'd be unimpressed by the quality of most "hackers".

And besides, what kind of work environment does he expect when he "demanded a job with Marriott in order to prevent the public release of the Marriott documents".

This story needs more press. (4, Insightful)

goodmanj (234846) | more than 2 years ago | (#38935817)

The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation. We need more stories like this to show that the average computer cracker is at least as stupid as the average Joe.

Honestly, any janitor could tell you instantly why this plan is idiotic.

Re:This story needs more press. (2)

tunapez (1161697) | more than 2 years ago | (#38936207)

I am an eJanitor, you insensitive clod!

Re:This story needs more press. (2)

Zadaz (950521) | more than 2 years ago | (#38936357)

Yes, it needs more press, but not for that reason.

The word "hacker" is already synonymous with "Skeevy computer criminal" in the mind of the general public -- despite the fact that's not what the hacker community means to those who actually make up the hacker community.

Call criminals who use computers criminals. Don't call them hackers. It makes hackers look bad.

Let me show you my back door (5, Interesting)

wdhowellsr (530924) | more than 2 years ago | (#38935819)

I'm currently working a contract with Darden Restaurants, the largest full service restaurant company in the world, and as you can imagine they are very serious about security. During the meet and greet the head developer asked me if I had left any back doors at my previous contracts. I looked at him strange because the thought never even crossed my mind which is the difference between a hack and a professional.

After I replied, he told me a story about a programmer interviewing for a position at Darden who had very good qualifications. He was asked the same question and immediately said, "Let me show you my back door", and proceeded to log into a company web site and pull up their web site administration page. The programmer actually seemed shocked when told that there is no way Darden could hire him.

There is a fine line between genius and insanity but stupid is all by itself.

Re:Let me show you my back door (2)

Corbets (169101) | more than 2 years ago | (#38935905)

I'm currently working a contract with Darden Restaurants, the largest full service restaurant company in the world, and as you can imagine they are very serious about security.

Right, that's because the restaurant industry is the first one that comes to mind when I think of "serious about security".

Re:Let me show you my back door (4, Insightful)

wdhowellsr (530924) | more than 2 years ago | (#38935991)

I know, that's exactly what I thought when the head developer told me that. But if you think about it, if you are the largest -- Insert Anything -- company in the world you are a target and if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of its type I have ever tasted, and don't get me started on the bread sticks.

Damn, now I'm hungry.

Re:Let me show you my back door (0)

Anonymous Coward | more than 2 years ago | (#38936089)

if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

why would the value of their recipes be dependent on whether or not i've eaten at their restaurants?

Re:Let me show you my back door (1)

Anonymous Coward | more than 2 years ago | (#38936253)

oh, of course, celebrity endorsement -- I am after all Slashdot's most prolific writer.

Re:Let me show you my back door (1)

Anonymous Coward | more than 2 years ago | (#38936023)

Right, that's because the restaurant industry is the first one that comes to mind when I think of "serious about security".

Size matters. I hate to burst your bubble but were you under the impression that your small town banks employ crack info security teams or something because they're in the financial industry? Hahahahahaha.

http://www.darden.com/careers/support_center.asp
1200 people at their HQ alone, but sure, because the business is in the restaurant industry they probably all wear chef hats.

Re:Let me show you my back door (1)

cluedweasel (832743) | more than 2 years ago | (#38936429)

Size matters. I hate to burst your bubble but were you under the impression that your small town banks employ crack info security teams or something because they're in the financial industry?

Worryingly enough, one of our local banks still advertises for NT4 and Exchange 5.5 admins.

Re:Let me show you my back door (1)

cdrudge (68377) | more than 2 years ago | (#38936005)

After I replied, he told me a story about a programmer interviewing for a position at Darden who had very good qualifications. He was asked the same question and immediately said, "Let me show you my back door", and proceeded to log into a company web site and pull up their web site administration page. The programmer actually seemed shocked when told that there is no way Darden could hire him.

I guess I could never work at Darden either. I would have to lie to get a job, or if I told the truth they already have admitted they couldn't hire me.

My past two employers I know have admin or otherwise secure pages that I can almost guarantee haven't changed their passwords. If I were asked that question, I would have to admit that technically I do have a "backdoor", but it's not MY backdoor nor was it anywhere within my control to change the credentials to it. Or I could just lie and say I don't have access, but then starting off a career with a company with a lie isn't exactly putting your best food forward either.

Re:Let me show you my back door (1)

wdhowellsr (530924) | more than 2 years ago | (#38936123)

It's funny that you should say that because he asked me a similar question about the security failings of previous contracts and how I would overcome them. As I work with WCF often I talked about the problems with using the out of the box implementations and how encryption, handshakes and at the very least not publishing methods can reduce security breaches.

Now I wouldn't have shown him the security breaches but if you simply said that you know for a fact that many companies that you have worked for never change their passwords you would have been fine.

Re:Let me show you my back door (0)

Anonymous Coward | more than 2 years ago | (#38936705)

I'm pretty sure knowing where a company's administration website is and a log in for it doesn't qualify as a "backdoor".

That would actually be the FRONT DOOR.

In 20 years I have never done anything malicious to any company I've ever worked for no matter how upset I've been with them, but I probably could login to every single one of their sites to this day and I would definitely answer NO when asked if I had a backdoor and it wouldn't be lying.

Re:Let me show you my back door (1)

Anonymous Coward | more than 2 years ago | (#38936017)

"Let me show you my back door"... I gotta say I almost didn't finish reading the rest of your post after this bit.

Re:Let me show you my back door (0)

Anonymous Coward | more than 2 years ago | (#38936041)

Ewwwwwww, is this another goatse link...?

As soon as they saw his name... (-1, Flamebait)

tomhath (637240) | more than 2 years ago | (#38935825)

Attila Nemeth, a 26 year-old Hungarian citizen

Atilla the Hun

Wrong Way... Do Not Enter (1)

LostCluster (625375) | more than 2 years ago | (#38935851)

This guy got it all wrong. There is no such thing as capture the flag hacks leading to jobs. Who gave him the idea that this would work out in his favor? Tech smarts was there, but no sign of the minimal business smarts it takes to hold a job was there.

i'm trying to grasp the level of stupidity here (4, Funny)

circletimessquare (444983) | more than 2 years ago | (#38935853)

"hi, i'm arnold, i stole your tv. would you like to hire me to put a lock on the bathroom window i broke into?"

i'm trying to put myself in the thinking here, and no... i just can't understand. i've reached my stupidity simulation threshold. i simply cannot understand a person this dumb

Re:i'm trying to grasp the level of stupidity here (1)

Anonymous Coward | more than 2 years ago | (#38936309)

Welcome to slashdot. Enjoy your stay.

this guy should have hired a lawyer first... (2)

number6x (626555) | more than 2 years ago | (#38936327)

Hi, I'm Steve B., You may know me from youtube videos of my rousing speeches at Microsoft developer conferences.

I didn't invent your android phone or any of the software on it, but I have found a flaw in the system that I can exploit. It's a flaw in the legal system but that's not important.

If you don't want me to activate this exploit, you need to pay me $30.00 for every phone you sell.

It's a good thing he didn't pirate music (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38935857)

30 months? It is a good thing he didn't pirate some MP3s. Then they would really be mad at him.

So, did he release the blackmail stuff yet? (1)

Normal Dan (1053064) | more than 2 years ago | (#38935871)

On one hand it would make sense for him to release it out of spite or whatever. On the other hand, they did technically hire him, so...

Re:So, did he release the blackmail stuff yet? (0)

Anonymous Coward | more than 2 years ago | (#38935957)

On the other hand, they did technically hire him, so...

Huh? No they didn't. They flew him in for an "interview".

Re:So, did he release the blackmail stuff yet? (0)

Anonymous Coward | more than 2 years ago | (#38935973)

In what way did they hire him?

Re:So, did he release the blackmail stuff yet? (1)

AragornSonOfArathorn (454526) | more than 2 years ago | (#38936497)

Eh? How would he release the info? Unless the Secret Service is as dumb as he is, he was probably whisked off to the "interview" as soon as he got off the plane, and then arrested. He hasn't been unsupervised since he set foot in the US.

hacking... (2)

jmb1990 (1979110) | more than 2 years ago | (#38935891)

Hacking is a lot like sex, you go in and out and hope you don't leave anything that can be traced back to. He's done half of that joke, now he's in prison he'll probably experience the second half too. Don't drop the SOAP.

Secret service? (1)

HolyMackerelBatman! (1291838) | more than 2 years ago | (#38935899)

I thought the Secret Service protected diplomats and US currency. Why were they getting involved with a security breach at a hotel? Unless the documents he had were for the concierge arranging hookers for visiting politicians.

Re:Secret service? (1)

Anonymous Coward | more than 2 years ago | (#38936057)

That's their main job, but their duties were expanded after 9/11 [wikipedia.org] to include various electronic crimes.

Re:Secret service? (1)

betterunixthanunix (980855) | more than 2 years ago | (#38936193)

https://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history#1984 [wikipedia.org]

The secret service has been involved in investigating computer crime for decades now. They are well-known for their attacks on free speech, their violations of civil rights, and their propensity for exaggerating the economic cost of hacking.

Re:Secret service? (1)

phoebusQ (539940) | more than 2 years ago | (#38936069)

Computer Crime falls under US SS jurisdiction.

Re:Secret service? (1)

betterunixthanunix (980855) | more than 2 years ago | (#38936163)

Since the mid-80s, the Secret Service has had the authority to investigate cases of computer hacking. They became famous for bungling these cases in the early 90s:

https://en.wikipedia.org/wiki/Operation_Sundevil [wikipedia.org]

HAHA (-1)

Anonymous Coward | more than 2 years ago | (#38935955)

and that is the exact message we need to open the flood gates on SCREW the govt

YOU DONE GOOD AGAIN
and its why i made my last post
regarding some hacker applying for a job....

Title vs summary (2)

kakyoin01 (2040114) | more than 2 years ago | (#38936133)

The title and summary seem to convey different things. "Job Seeking Hacker Gets 30 Months In Prison" sounds like a hacker was trying to get a hacking job somewhere, while the summary makes it clear that he hacked his way into getting said job. Just saying.

Nonetheless, blackmail is blackmail. Malicious hacking involving the exposure of private data to unwarranted eyes ought to be punished.

Laugh (1)

koan (80826) | more than 2 years ago | (#38936159)

Would've been cheaper to hire him.

Not a good starter... (1)

larys (2559815) | more than 2 years ago | (#38936275)

If you're trying to appeal to someone, the point is to show them your skills are useful and/or indispensable to their company...not that you're a loose cannon that will resort to illegal methods to get your point across. Someone had mentioned previously that his actions were arrogant, but it's not just that...he was using a brilliant skill to do something stupid and poorly-thought-out. It was a masochistic feat so dramatic that it should have a place in the record books for its sheer idiocy. That being said, doesn't his desperation in trying to land a job say something about the state of the country? As a whole, some changes need to be made or this will likely only be the first of these types of actions on the part of the unemployed. --And who could blame them? When you're grasping at nothing trying to feed your family when there are no jobs to be had or none that can even pay you enough to get by, what do you expect? The country needs to take care of its citizens. Those at the top may well be important but a country's citizens are its foundation. If their well-being is so thoroughly lacking, essentially, the very foundation of the country is in a state of rot. In all cases, no structure -- however grand -- can possibly stand without its foundation. Food for thought.

What an idiot (0)

Anonymous Coward | more than 2 years ago | (#38936349)

The whole damage cost estimate is bull but the hacker got what he deserved as blackmail is definitely a crime.

Now, though still with some risks, he could have just "informed" them of the security vulnerabilities he "discovered" and imply at most that he was seeking employment or working as a possible security contractor. Make yourself look as a security researcher while not actually threatening them. Of course most companies give 2 shits about security so the chances of someone like him getting hired is slim to begin with. If it fails anyways, do like most researchers and publish it after a period of time to add to your portfolio for the next job hunt.

Do you see what happens? (2)

CxDoo (918501) | more than 2 years ago | (#38936553)

Do you see what happens when you fuck a stranger in the ass?
