
UK Student Jailed For Facebook Hack Despite 'Ethical Hacking' Defense

Soulskill posted more than 2 years ago | from the judge-didn't-buy-it dept.


Diamonddavej writes "The BBC reports that software development student Glenn Mangham, a 26-year-old from the UK, was jailed 17 February 2012 for eight months for computer misuse, after he discovered serious Facebook security vulnerabilities. Hacking from his bedroom, Mangham gained access to three of Facebook's servers and was able to download to an external hard drive the social network's 'invaluable' intellectual property (source code). Mangham's defense lawyer, Mr. Ventham, pointed out that Mangham is an 'ethical hacker' and runs a tax-registered security company. The court heard Mangham previously breached Yahoo's security, compiled a vulnerability report and passed it on to Yahoo. He was paid '$7000 for this achievement,' and claims he was merely trying to repeat the same routine with Facebook. But in passing sentence, Judge Alistair McCreath said despite the fact he did not intend to pass on the information gathered, his actions were not harmless and had 'real consequences and very serious potential consequences' for Facebook. The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'"


356 comments


Uhh (5, Insightful)

The MAZZTer (911996) | more than 2 years ago | (#39087495)

This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.

Re:Uhh (5, Insightful)

Jah-Wren Ryel (80510) | more than 2 years ago | (#39087557)

This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.

While that may be true, that doesn't appear to be the judge's rationale for convicting the kid.

It sure sounds like the judge is rationalizing the ostrich strategy when he says that the kid's actions had 'real consequences and very serious potential consequences' for Facebook. Those consequences existed not because of the kid's actions but because of facebook's security failings. Even if the kid had done nothing, those vulnerabilities would still be there and facebook (and more importantly facebook's users) would have faced just as much, if not more, risk than they did if the kid had done nothing.

Re:Uhh (3, Insightful)

Anonymous Coward | more than 2 years ago | (#39087613)

His actions did have consequences. I work for a large company with lots of publicly facing servers. If the guy had hacked into our servers, he may well have tripped an IDS or some other log analysis process, which would have alerted us to someone being somewhere they shouldn't be. Imagine how many man hours would be involved in identifying the intrusion.

Now that's not to say that I don't disagree with the rest of your post: the holes obviously existed, and if a black hat had got in they'd have to respond in the same manner. The thing is, a black hat would (hopefully) be found and prosecuted too, for the same reasons.

Re:Uhh (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#39087929)

Look asshole, it's 2012. Whether you like it or not, the President of the United States is Halfrican. Take your racist "black hat" bullshit back to the 1800s you cock-smoking faggot.

Re:Uhh (-1)

Anonymous Coward | more than 2 years ago | (#39087945)

Sorry. Replace "black hat" with "jiggaboo hat".

Re:Uhh (5, Insightful)

rgbrenner (317308) | more than 2 years ago | (#39087675)

The lock on your bedroom window is crap. I broke it last night, and then rifled through all of your stuff. Did the same to 2 of your neighbors also.. ya know, just to show it wasn't a fluke.

You're welcome.

I would like my reward now.

Re:Uhh (5, Insightful)

russotto (537200) | more than 2 years ago | (#39087775)

The lock on your bedroom window is crap. I broke it last night, and then rifled through all of your stuff. Did the same to 2 of your neighbors also.. ya know, just to show it wasn't a fluke.

You're welcome.

I would like my reward now.

OK, we'll sentence you based on the potential damage you might have done -- to wit, you could have accidentally burned the entire house down while you were there, and the fire could have spread to the entire neighborhood and killed a bunch of people.

Sentence the man for what he did: breaking into the computers. Not based on crap like "Potentially what you did could have been utterly disastrous to Facebook"

Re:Uhh (1)

RightSaidFred99 (874576) | more than 2 years ago | (#39087951)

OK, you go do $200k worth of damage to a casino or bank lobby and we'll see how well you fare in court. You do understand that when someone gets the security guys rolling after a break-in it costs a lot of manpower to respond, right?

Re:Uhh (1)

epyT-R (613989) | more than 2 years ago | (#39087991)

Fortunately the law is supposed to be based on what was DONE, not what could've been done.. of course, that limits the power of overreaching police forces and the egos of cowardly politicians, so maybe not anymore..

Re:Uhh (1)

10101001 10101001 (732688) | more than 2 years ago | (#39087989)

The lock on your bedroom window is crap.

When it's possible for a lock to be virtually unbreakable, a lock being "crap" is pretty much inexcusable, especially when it's there not to thwart robbers from a single bedroom window but a multi-billion dollar company. But, you know, other than that, great analogy... Actually, it makes me wonder why more shareholders don't sue their CEOs for gross incompetence. I mean, you might get more out of buying one share of stock and suing the CEO than you'd get out of reselling the actual stock.

Re:Uhh (3, Insightful)

tibit (1762298) | more than 2 years ago | (#39087999)

That's not even remotely the same: one happens in the physical world, the other is pretty much a bunch of numbers being sent between computers on a network without any other consequences at all -- he didn't log into their servers and issue rm -rf, did he? No data was lost/deleted, there was no material/financial loss, so what the heck? It seems almost like a mind crime: he knows what he's not supposed to know, and nothing else, and he's not blackmailing anyone over it, nor is he intending to. Sure someone's feathers got ruffled, but -- to me -- it seems like Facebook basically says: we have a big ego, and we have lotsa money to show for it. And we won't mind jailing people just to show how big of an ego we have.

Re:Uhh (4, Insightful)

poity (465672) | more than 2 years ago | (#39087781)

There is a common sentiment on Slashdot that whatever good intentions a company may have, its gathering of data without permission constitutes both a violation and a risk. That risk being the potential for the data in their hands to be compromised by yet another party. Can this logic not also apply to this Glenn and his company as well?

Re:Uhh (4, Insightful)

Dahamma (304068) | more than 2 years ago | (#39087793)

While that may be true, that doesn't appear to be the judge's rationale for convicting the kid.

Why does everyone keep calling him "the kid"? He's 26 years old. Just because he's a student doesn't make him some naive, innocent minor - he clearly knew what he was doing...

Re:Uhh (0)

Anonymous Coward | more than 2 years ago | (#39087877)

They call him kid because he's a retard. No one older than 16 with half a brain would have done something so stupid.

--
Marcan, asshole and proud.

Re:Uhh (1)

Anonymous Coward | more than 2 years ago | (#39087825)

Bull.

That's like saying if the guy breaks into my safe and steals my banking info he's not responsible for me having to close all those accounts and open new ones. It's my own fault for not using a 100% impenetrable safe, right?

Your argument requires the assumption that someone would eventually have gained access. We can't assume that without knowing all the details of what this guy did. The next security audit, the next patch, or whatever might have closed the hole. It might have happened the next day. We'll never know.

But before that could happen, this guy took it upon himself to put the data "out there". Can anyone be certain he didn't make a copy? What about his employees? Was he hacked himself? We can't answer that. So anyone with half a brain is going to assume the data is out there and prepare.

So yeah, his actions have caused some "real consequences". He, in fact, turned potential consequences into real consequences and moved second order potential consequences into first order potential consequences.

"Damage" (1)

betterunixthanunix (980855) | more than 2 years ago | (#39087567)

He also did not cause any real harm. I guess how far to the left or right one leans determines whether or not the line should be drawn at "causing harm" or "had no business doing it."

Re:"Damage" (5, Insightful)

spire3661 (1038968) | more than 2 years ago | (#39087919)

Causing a full security review after a known penetration costs REAL WORLD MONEY. You have to pay people for the expense of figuring out what happened. It is interesting that you disregard this aspect of the problem entirely. He had no business being there, flat out. There is no inherent right to crack other people's property. I find nothing wrong in the law saying 'thou shalt not penetrate others network without explicit permission or authority.' This person had neither.

Re:Uhh (1, Insightful)

AmiMoJo (196126) | more than 2 years ago | (#39087597)

I'd say it was a valuable public service, much like a journalist investigating a company. Rather than being prosecuted the story here should be that apparently some random guy was able to hack into Facebook where hundreds of millions of people's most personal data is kept. The fact that it cost Facebook money to fix is irrelevant as they should have fixed the problems anyway. If someone pushes on your security door and it falls off the hinges that should not be criminal damage.

By prosecuting the guy all they have done is ensure that in the future people who manage to find these holes will either just exploit them for criminal gain or post giant .torrent of personal data to The Pirate Bay. It will also discourage others from pointing out problems they find so that criminals can just carry on exploiting them with no way for us or the companies affected to know about it.

Re:Uhh (3, Insightful)

Dahamma (304068) | more than 2 years ago | (#39087751)

By prosecuting the guy all they have done is ensure that in the future people who manage to find these holes will either just exploit them for criminal gain

Or maybe it will make some of those people think twice before they do it in the first place...

Re:Uhh (3, Insightful)

Dekker3D (989692) | more than 2 years ago | (#39087917)

There will always be people trying to do this, whether hobbyists or professionals making a quick buck. So any leak -needs- to be fixed. Your argument implies that it's possible to scare people into never ever doing this sort of thing again, and people have been trying to do just that for years already. Newsflash: people still hack into servers, and all the scare tactics have only served to punish those who went public with their findings... the ones who mean to do right and point out the risks, rather than keep it to themselves and use it for personal gain.

Scare tactics are not having the intended effect. Perhaps it'd be good if people started thinking of other solutions?

Re:Uhh (2)

0111 1110 (518466) | more than 2 years ago | (#39087949)

Or maybe it will make some of those people think twice before they do it in the first place...

Or maybe it won't. Putting people in jail for victimless crimes doesn't have any positive benefits for society. Only negative ones.

Re:Uhh (3, Insightful)

rgbrenner (317308) | more than 2 years ago | (#39087641)

Not only that, but it almost sounds like bribery. He hacks into Yahoo, downloads confidential data, then "asks" them for a reward?

Why did he need to download facebook source code after he found the vulnerability? Why did he need to breach the server at all? Much less 3 servers?!

Re:Uhh (1)

maxdread (1769548) | more than 2 years ago | (#39087691)

Nowhere does it sound like bribery/blackmail; you implied it.

Google has been known to give rewards to those who find problems in their security or a bug (as in the case of chrome). Why would it be so far fetched to think Yahoo did the same?

Re:Uhh (1, Interesting)

rgbrenner (317308) | more than 2 years ago | (#39087737)

Let me ask you this.. if Yahoo didn't pay the reward, what would he have done with that confidential info? Does he sell it to someone else?

Why does he have it at all? He can disclose the security problem to yahoo and they can verify it.. that does not require he steal something from the server.

Re:Uhh (1)

Dekker3D (989692) | more than 2 years ago | (#39087925)

It does: you'd need some proof. If you have the choice of reacting to every single claim that just tells you the steps and stuff (plenty of which might end up being useless or fake), or just reacting to the ones that actually got something they shouldn't have, the latter is much more likely to be cost-effective in terms of time spent investigating the leak.

Re:Uhh (1)

Lennie (16154) | more than 2 years ago | (#39087745)

It isn't bribery, he just helped find more vulnerabilities. :-)

But really, sometimes it takes evidence to convince these companies to look at something.

I'm sure sending them part of their source code would get their attention.

Re:Uhh (1)

Lumpy (12016) | more than 2 years ago | (#39087749)

True, find breach, send info to facebook on how to do it from a fake untraceable account.

You do a good deed, stay anonymous from litigious bastards, and increase your karma.

Anyone doing it any other way is scamming for something. Real white hats do it secretly and for free.

Physical world analogy. (3, Insightful)

khasim (1285) | more than 2 years ago | (#39087653)

So you're walking through the business district of a city and just jiggling door knobs to see if anyone left anything unlocked.

Why? Because you're a "white hat".

That's the FIRST issue that you have to get through to the judge.

Once you find an open door, you go inside and take some important stuff out. So that you can prove to the company that you were inside.

That's the SECOND issue you have to get through to the judge.

Then, you call the company and tell them that door X is unlocked and you can prove it because you have property Y.

The company (being unenlightened and still thinking in physical world terms) calls the cops and you are arrested. Even though you intended to give property Y back to the company.

It makes sense that way.

So, do NOT freelance. If you do NOT have a signed contract with the company you CAN be prosecuted. You have to put in the EXTRA EFFORT to distinguish your actions from the actions of the bad guys. A signed contract does that.

Re:Physical world analogy. (1)

spire3661 (1038968) | more than 2 years ago | (#39087931)

"If you do not have a signed contract with the company you can and SHOULD be prosecuted." FTFY

Re:Physical world analogy. (1)

tmosley (996283) | more than 2 years ago | (#39087975)

Note he didn't take any property. It's more like he made copies of some files from their filing cabinet, or took a picture of the inside of their building.

The worst thing he could be charged with is the electronic equivalent of B&E. Of course, this being Slashdot, I didn't read the article, and just glanced at the summary, so I'm not sure if that is what happened or not.

Re:Uhh (1)

epyT-R (613989) | more than 2 years ago | (#39087955)

Good, well I hope the next time Zuckerberg has a heart attack, his neighbor gets a signed agreement from him before calling 911. After all, corporations are people, right? (Yes, I know this is the UK, but it would be no different in the US.) The only 'costs' were associated with a byzantine, bought-out legal system and not with Mangham himself.

$200,000? (3, Insightful)

koan (80826) | more than 2 years ago | (#39087497)

So Zuckerberg had to go to his wallet instead of pulling change from his pants pocket, maybe the hacker should have been less ethical and just sold the code.

Re:$200,000? (0)

Anonymous Coward | more than 2 years ago | (#39087555)

You can be sure that when any other hackers find security problems with Facebook it won't be Facebook they notify first.

Re:$200,000? (3, Insightful)

Dahamma (304068) | more than 2 years ago | (#39087767)

What does that matter? $200,000 is $200,000, just because the victim "can afford it" doesn't change the crime itself.

Re:$200,000? (1)

Spykk (823586) | more than 2 years ago | (#39088013)

Unless $200,000 is what it cost to fix the vulnerability that was already there. Would you sue your neighbor for the price of a new radiator if he pointed out yours was leaking?

Judges from the 20th century have to go (0, Flamebait)

A beautiful mind (821714) | more than 2 years ago | (#39087501)

It is inexcusable to let people pass judgement in matters they don't comprehend.

Re:Judges from the 20th century have to go (5, Insightful)

bieber (998013) | more than 2 years ago | (#39087571)

Who says he doesn't understand the issue? What this kid did was illegal and wrong, regardless of his "ethical" motivations for doing it. If you suspect that there's a security vulnerability somewhere, then you can notify the owner of the systems in question about it. If they feel inclined, they might ask you to do some penetration testing for them. If you just go ahead and do it without permission, though, you're illegally accessing someone else's systems without their consent, and by all means you should be convicted and sentenced for it. If I forget to lock my door on my way out of my house one day and come home to find an "ethical" thief in my home waiting to educate me on the importance of locking my doors, you can bet that I'll be calling the police.

Re:Judges from the 20th century have to go (1)

Anonymous Coward | more than 2 years ago | (#39087645)

Explain how reporting a vulnerability to a company causes damages. Maybe it was illegal, but it is certainly not damaging. In your thief example, you could get the guy jailed for breaking and entering, but you couldn't get him to pay you for the stuff he didn't take.

Re:Judges from the 20th century have to go (3, Informative)

bieber (998013) | more than 2 years ago | (#39087823)

You must have missed the part where he downloaded their (trade secret) source code, and could have (may have, for all we know) done whatever he wanted with it.

Re:Judges from the 20th century have to go (0)

Anonymous Coward | more than 2 years ago | (#39088003)

Reporting the vulnerability is harmless, beneficial even. The intrusion causes the damage and it's what's illegal. You can tell companies about their security problems all day long and never get into legal trouble. The problem is that an unauthorized hacker basically has to commit a crime to know about the vulnerabilities, especially if he also wants to know/report the severity and damage potential.

People really need to let go of the early 90s. Computer security has long ago abandoned the concept of white hat hacking without authorization. IMHO it's a stupid shift because the dangerous hackers are almost impossible to catch when everything is connected to a world wide network on which a large percentage of hosts are botnet drones. So in reality actual security is the only security and without well-meaning intruders, the defense will be unprepared against real threats, but the CEOs and lawyers disagree. This means that you don't help people who don't want your help. If you want to be a white hat hacker, then get permission first. Pays better as well. If you can't resist temptation and have to hack without prior written authorization, then hide your ass well and never ever ask for money, a job or anything else in return for your unwanted "services". Don't accept offers either, because offering a job and/or money to a hacker after the fact is a playbook move to get you convicted and put away. Too much work for too little gain? Exactly. Don't do it.

Re:Judges from the 20th century have to go (3, Interesting)

korean.ian (1264578) | more than 2 years ago | (#39087709)

From the article:
"Judge McCreath told him
'This was not just fiddling about in the business records of some tiny business of no great importance and you acquired a great deal of sensitive and confidential information to which you were simply not entitled.'"
I think we can pretty clearly see where the judge's opinion lies.

Re:Judges from the 20th century have to go (4, Insightful)

korean.ian (1264578) | more than 2 years ago | (#39087731)

Also as to the judge's understanding:
"'You and others who attempt to hack really must understand how serious this is, the creation of that risk, the extent of that risk and the cost of putting things right.'"

As others have said - the risk was there whether or not the kid hacked in. He didn't create the risk.

Re:Judges from the 20th century have to go (1)

Dekker3D (989692) | more than 2 years ago | (#39087947)

Perhaps in the judge's point of view, if nobody ever hacked, there would not be a risk like this. So, people hacking stuff creates said risk. So... people who hack anything must be punished for the existence of this risk, no matter what they hacked or why they hacked.

Re:Judges from the 20th century have to go (2)

RightSaidFred99 (874576) | more than 2 years ago | (#39087971)

The risk was when he stole the data, not when he broke in.

Re:Judges from the 20th century have to go (1)

JazzHarper (745403) | more than 2 years ago | (#39087587)

It is inexcusable to let people pass judgement in matters they don't comprehend.

I think the judges understand the law quite clearly. Unauthorized access is against the law. Many people have tried the "ethical hacker" defense and it almost always fails.

Re:Judges from the 20th century have to go (1)

OzPeter (195038) | more than 2 years ago | (#39087589)

It is inexcusable to let people pass judgement in matters they don't comprehend.

I'm pretty sure that the 20th Century Judges fully comprehend[1] the 20th Century laws that are the basis of these types of cases.

[1] For the average judge. I know there are outliers in either direction.

Re:Judges from the 20th century have to go (4, Funny)

Chas (5144) | more than 2 years ago | (#39087635)

Considering that most of the judges from the 21st century are, at most, 12, and not even lawyers, let alone judges, yet kinda makes this tough.

Re:Judges from the 20th century have to go (1, Funny)

Anonymous Coward | more than 2 years ago | (#39087851)

1. "Judges from the 20th century" is an expression, it means judges who don't comprehend modern technologies and values.

2. Even if taken literally, a judge from the 21st century would be someone who was appointed a judge in this century, of which there are many.

3. Considering your epic failure at intelligence, I'd say you're a complete waste of oxygen.

Alas, no mod points (2)

jamrock (863246) | more than 2 years ago | (#39087865)

Considering that most of the judges from the 21st century are, at most, 12, and not even lawyers, let alone judges, yet kinda makes this tough.

I salute you sir; nicely done. Although the disturbing thought did occur to me that perhaps the GP was in fact calling for the reinstatement of nineteenth century judges to adjudicate these newfangled matters.

Re:Judges from the 20th century have to go (0)

Anonymous Coward | more than 2 years ago | (#39087659)

The privacy regulations existing and coming will and do cause significant consequences in the field of ethical hacking. He did pass over to the side of dark hats when he performed the act of downloading. He should have stopped at the successful transfer command and reported only the requirements leading to the possibility of compromise, in the interest of covering his own ass from damages claims. Even a trivial port scan is considered a crime or an invasion of a computer system by the authorities these days, though. I'm not saying it's sane.

Re:Judges from the 20th century have to go (1)

icebike (68054) | more than 2 years ago | (#39087665)

The judge followed the law. That is what he is OBLIGATED to do.

When we get to the point of allowing ANY LAME excuse as a reason to violate ANY law we will have lost everything the rule of law offers to society.

I can see the excuses from the witness stand:

Why yes, officer, I did shoot you, I was performing a public service by testing your bullet proof vest. You should get a better one, yours is all bloody anyway.

Yes, Mr. Banker, I did test your vault door last night, as a public service and to guarantee my money was safe, but sadly I had to withdraw my funds (and the funds of other concerned citizens) after the vault door proved ineffective against 5 pounds of C4. Sorry about the rest of your building. It's all for the best, you know.

It's perfectly obvious that he was trying to break in without authorization, and he would have had to be trying for a long time. No way he gets it right the first try.

And even if he found it by accident (yeah right) he should have written a bug report or an email complaining that his perfectly valid use of facebook accidentally discovered a flaw. You don't steal the silver and the jewelry just to point out to your neighbor that he failed to lock the front door when he went out of town.

Re:Judges from the 20th century have to go (1)

Lumpy (12016) | more than 2 years ago | (#39087755)

"The judge followed the law. That is what he is OBLIGATED to do."

Which was his first mistake. A jury is NOT obligated to follow the law and a Jury can find someone not guilty in spite of the law if they find a law unjust.

Problem is most judges bullshit the jury and tell them they have to follow what the law says. In reality they do not.

Re:Judges from the 20th century have to go (1)

icebike (68054) | more than 2 years ago | (#39087839)

What makes you think this UK Judge was presiding over a Jury Trial?

Re:Judges from the 20th century have to go (1)

tmosley (996283) | more than 2 years ago | (#39088007)

We like to think of our friends across the pond as being progressive. Sadly, this assumption becomes more and more invalid with each passing day.

The $200,000 figure... (1)

Anonymous Coward | more than 2 years ago | (#39087503)

The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'

So, they spent money securing unsecured servers?
Can we use the cost of having to install locks and security systems in homes to deal with theft to increase the punishment of the thieves?
He broke in through the window, now my house needs $xxx for a security system which protects windows as well, and it's all his fault.

Re:The $200,000 figure... (2)

poity (465672) | more than 2 years ago | (#39087621)

Can we use the cost of having to install locks and security systems in homes to deal with theft to increase the punishment of the thieves?

It seems you're writing this with the assumption that this guy is being fined $200k. He isn't. Facebook can choose to pursue damages in civil courts, just as a burglarized home owner can. But that's not what's happening yet and your post kind of jumps the gun with that assumption.

Re:The $200,000 figure... (0)

Anonymous Coward | more than 2 years ago | (#39087687)

But in passing sentence, Judge Alistair McCreath said despite the fact he did not intend to pass on the information gathered, his actions were not harmless and had 'real consequences and very serious potential consequences' for Facebook. The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'

I know it's an assumption with not much backing it, but the above statement does hint towards a relation between the dollar amount and 'real consequences and very serious potential consequences' (I do agree that spending $200k is a real consequence).
And having "'real consequences and very serious potential consequences'" has influenced his punishment.
Yes, I know what I'm saying doesn't have a concrete base, but it makes sense if you look at the facts.
There aren't many other alternatives I can think of with this specific chain of events.

Re:The $200,000 figure... (1)

poity (465672) | more than 2 years ago | (#39087809)

For the record, I agree with most people here that the $200k "damage" figure is bs. Unless he infected their system or took down security in some way, that $200k cost was only the cost of patching their preexisting vulnerability. Facebook would have a difficult time arguing for damages if that were the case.

Re:The $200,000 figure... (1)

spire3661 (1038968) | more than 2 years ago | (#39087977)

Because specialized labor to fix the problem costs nothing, amirite? Labor costs money. The labor to fix this kind of problem is close to or above the 6 figure/year range.

Re:The $200,000 figure... (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#39087747)

He broke in through the window, now my house needs $xxx for a security system which protects windows as well, and it's all his fault.

Is your house a mansion with lots of valuables lots of people are dying to steal from you?

Seriously? 200k (0)

Anonymous Coward | more than 2 years ago | (#39087507)

If that's all they spent, then they are either some serious cheapskates or someone was a complete idiot.

$200,000? (1, Insightful)

leptons (891340) | more than 2 years ago | (#39087511)

Sounds like Facebook spent $200,000 fixing their security holes that he found. Security through obscurity is not security. In light of his 'tax-registered security company' status, and past efforts with Yahoo, I think the judge in this case made the wrong decision.

Re:$200,000? (1)

RightSaidFred99 (874576) | more than 2 years ago | (#39088001)

Security through obscurity is not security.

Why do people keep parroting this nonsense? It is security. It's just not total (or in some cases even nearly adequate) security.

Obscurity makes it more difficult to break into something, therefore it improves security. Do you know that you probably use security through obscurity every day? Namely, your PIN number is obscured. Someone looks over your shoulder and your security is shot.

The problem with security through obscurity is when you overestimate its effectiveness, which is often very low.

We have a whole generation of people, likely the same ones who parrot "never ever use GOTO, my teacher taught me that", who overuse that tired nonsense about security through obscurity in every circumstance.

This is not ethical hacking.. (0)

Anonymous Coward | more than 2 years ago | (#39087523)

White hat ethical hacking is only ethical when you have permission.

Let this be a lesson to all (5, Insightful)

erroneus (253617) | more than 2 years ago | (#39087527)

In the case of companies like Yahoo, you can do this. But in the case of Facebook, it's better to sell any uncovered flaws to interested parties other than Facebook or to simply release the information anonymously to the public.

These "damages" are the lawyer's fees associated with making claims against the "criminal" and the programmers needed to correct the vulnerability... (which are probably the same programmers whose code was vulnerable in the first place.)

Facebook, you just set the tone for how security researchers will reveal your vulnerabilities in the future. You just made a very uncomfortable bed for yourself to lie in.

Re:Let this be a lesson to all (4, Insightful)

davecb (6526) | more than 2 years ago | (#39087657)

A new way to profit: leave the holes in place, and charge anyone who discovers them. If the person is stupid enough, he or she will do more than notify you. If they exceed what a random uninterested person would do with the hole, they've just self-identified as a criminal. You can therefore recover enough money from them to pay for fixing the holes.

This creates a whole new meaning for "honeypot" (;-))

--dave

Re:Let this be a lesson to all (2)

poity (465672) | more than 2 years ago | (#39088005)

You can therefore recover enough money from them to pay for fixing the holes.

why would they do that when they can get far more by hyping up their IPO?

Re:Let this be a lesson to all (2)

poity (465672) | more than 2 years ago | (#39087701)

Even better, audit smaller sites with permission so you build up a portfolio of clients before pursuing business with the big guys. That way you don't have to lie about your income on your tax forms, you don't draw negative attention to yourself or your business, and instead of selling for chump change what few holes you do find, you make a steady income from secure sites as well as insecure sites.

You know, what smart security pros do?

Re:Let this be a lesson to all (2)

cavreader (1903280) | more than 2 years ago | (#39087783)

Security researchers get permission before penetration testing and there is a lot of money to be made in legitimate security work. Just breaching a company computer network is a crime. It does not matter if you steal any information or cause any harm.
How about I come over and break into your house when you are not home and leave a note telling you how I did it? I'll try breaking in again a few days later to see if you took measures to keep me out. If I can still break in then I will be justified in taking or destroying anything I want because after all you were warned.
The "Anonymous" childish attacks are effectively guaranteeing that draconian laws and sentences get handed down in any case involving breaching any computer system. They justify their attacks for some ephemeral causes but have yet to accomplish anything except annoy people and provide the politicians with the headlines they need to pass even more restrictive laws on the use of the Internet.

Re:Let this be a lesson to all (2)

erroneus (253617) | more than 2 years ago | (#39087939)

The difference is that people are CONSTANTLY trying to break into sites like facebook and often successfully. This guy isn't the first and won't be the last. By not publishing the information, he did them a favor. By asking for a reward, he may have entered a grey area. But by prosecuting this guy, they have sent out a rippling message that facebook is not to be dealt with openly or honestly.

I get that they should be contacted "beforehand" and permission should be acquired, but the fact is, real criminals do not do this. Facebook should not encourage white-hats (or even grey hats) from turning black hat by punishing the "not black hats." Facebook has shown itself for what it is and has acted against its very community which is partially made up of people who have an interest in internet technologies and the security of the services which run on them.

They have needlessly made a target of themselves by drawing the ire of both professional and aspiring internet security people out there.

On an only slightly-related note, "cyber-security" is becoming such a voodoo religion out there, often pursued by people who barely know the buzz-words. If you thought "terrorist" was a nebulous term, try "cyber-terrorist" on for size. Things will only get more ugly moving forward.

Re:Let this be a lesson to all (1)

RightSaidFred99 (874576) | more than 2 years ago | (#39088015)

What a bunch of nonsense. You're not fooling anyone. How about _real_ ethical hackers find the vulnerability and report it to Facebook without breaking in and stealing their data? How's that for an idea there, Corky?

Sugarcoat it all you want... (5, Insightful)

MindPrison (864299) | more than 2 years ago | (#39087585)

...but a breach into any company is breaking-and-entering if you haven't been assigned to do so for testing the security vulnerabilities by the company itself.

It's kind of like catching a thief without any goods, but inside of your home. Uhm...I'm just testing your security system, now you know you have a weak system, thank you - I'll mail you the bill.

Re:Sugarcoat it all you want... (0)

Anonymous Coward | more than 2 years ago | (#39087769)

No, it's like someone who succeeds in breaking into a surveillance company's office, leaves immediately and sends a letter: "hey, I found out your door wasn't locked last night. You should really fix this."

Re:Sugarcoat it all you want... (1)

RightSaidFred99 (874576) | more than 2 years ago | (#39088025)

Right. Which is...illegal.

Re:Sugarcoat it all you want... (0)

Anonymous Coward | more than 2 years ago | (#39087891)

No need to sugarcoat. He got identified during a security audit and made "copious" admissions to police, which is just sloppy practice. No indication that this was done with any sort of ethics in mind other than previous history and post-arrest explanations. Lastly, there aren't any cross-references to the Yahoo! bounty or how it was handled: this Facebook attack had a payload.

Too bad (1)

foxx1337 (1292800) | more than 2 years ago | (#39087591)

Lesson learned, next time: hack; post details on 4chan; ???; profit!

"Ethical Hacker"? (2)

zanian (1621285) | more than 2 years ago | (#39087595)

I call bullshit. He "runs a tax registered security company," which means his motivation was largely if not entirely monetary. Hardly ethical.

Scumbag Facebook is evil, simply don't use them! (-1)

Anonymous Coward | more than 2 years ago | (#39087605)

Don't use them, they abuse their users and those that use them deserve what they get when a person or persons lacking ethics and honesty locate, hack and abuse vulnerabilities. This simply displays a total lack of concern for the users and their privacy/safety on Facebook's service.

Poor Yahoo (5, Funny)

Dr. Evil (3501) | more than 2 years ago | (#39087615)

"You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance," he said.

ooo, that's got to hurt.

How money was spent dealing with the issue? (1)

tchernobog (752560) | more than 2 years ago | (#39087627)

The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.

That is, doing a security audit, implementing tests and fixing bugs? If you have poorly tested code, and you notice it because someone is trying to get in through the back door, you should not try to charge them for your own faults.

Hopefully, you would have spent that money anyway.

If you hadn't, then good thing someone came in before you had also to face more serious consequences (as in a public exploit or distributed attack).

Re:How money was spent dealing with the issue? (1)

Ziekheid (1427027) | more than 2 years ago | (#39087669)

Besides that, if it wasn't a student from the UK but some cliché bad guy from a country where Facebook can't do shit, we could see all the info ending up right on the web. I don't know why but for some reason I want this to happen..

$200,000 is bullshit (1)

Ziekheid (1427027) | more than 2 years ago | (#39087637)

Claiming he caused $200,000 in damages is absurd, what is the actual damage? Fixing vulnerabilities that were there in the first place?
I always think it's funny that when hackers get busted and the company has to spend a ton of cash on securing their servers/software they claim it's somehow the hacker that caused the damages. They had to be secure in the first place.

Re:$200,000 is bullshit (2)

Lennie (16154) | more than 2 years ago | (#39087761)

It usually boils down to all the time spent (thus money) that was needed to reinstall all the servers in the datacenter with a new known good image?

Re:$200,000 is bullshit (2, Informative)

Anonymous Coward | more than 2 years ago | (#39087867)

I'm sympathetic to that argument. Post-intrusion followup, investigation, rootkit removal (read -- bare metal installation after hdd imaging), these are all legitimate expenses incurred even in the case of a white hat.

Fixing the problem they found is not. Conducting an audit to look for similar problems is not.

Related: How's that related to this? https://www.facebook.com/whitehat/ Did he not follow the procedures?
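The two comments above draw a line between post-intrusion scoping (imaging the drives, then rebuilding from a known-good image) and simply fixing the bug. The scoping step is the part that costs real money, because you have to establish which hosts and which files were touched before you can trust anything. The following is an added example, not code posted by any commenter or used by Facebook: it builds a SHA-256 manifest from a known-good image and diffs each host's filesystem against it, reporting modified, added and missing files. The three "hosts" (web1, web2, web3), the golden image contents and the dropped tool under tmp/.x/ are constructed in a temporary directory so the example runs offline; all names are illustrative.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256.

    Symlinks are skipped on purpose: an attacker can point one at an untouched
    file so it hashes clean while the real target is elsewhere.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_against_baseline(baseline, host):
    """Classify each path as modified, added or missing relative to the baseline.

    Only content hashes are compared. Timestamps and sizes are deliberately
    ignored because both are trivial for an intruder to reset.
    """
    modified = sorted(p for p in baseline if p in host and baseline[p] != host[p])
    added = sorted(p for p in host if p not in baseline)
    missing = sorted(p for p in baseline if p not in host)
    return {"modified": modified, "added": added, "missing": missing}


def write_tree(root, files):
    """Materialise a {relative_path: bytes} mapping under root (constructed test data)."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Constructed scenario: one golden image and three hosts built from it.

    web1 is untouched, web2 has a replaced sshd plus a dropped tool in /tmp,
    and web3 is missing its sshd_config. Returns the per-host diff so the
    result can be inspected or asserted on.
    """
    golden = {
        "usr/sbin/sshd": b"sshd-binary-v1",
        "etc/ssh/sshd_config": b"PermitRootLogin no\n",
        "var/www/app.py": b"print('hello')\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        write_tree(tmp / "image", golden)
        baseline = build_manifest(tmp / "image")

        write_tree(tmp / "web1", golden)
        write_tree(tmp / "web2", {**golden,
                                  "usr/sbin/sshd": b"sshd-binary-trojaned",
                                  "tmp/.x/nc": b"netcat"})
        write_tree(tmp / "web3", {k: v for k, v in golden.items()
                                  if k != "etc/ssh/sshd_config"})

        return {host: diff_against_baseline(baseline, build_manifest(tmp / host))
                for host in ("web1", "web2", "web3")}


if __name__ == "__main__":
    for host, report in demo().items():
        print(host, report)
```

Two caveats a practitioner would attach to this. First, run the hashing over a disk image mounted read-only from a clean analysis box, not on the live host: a kernel rootkit on the compromised machine can lie to any tool that reads files through its own filesystem layer, which is exactly why the comment above says "hdd imaging" before "bare metal installation". Second, a clean diff only proves the files in the manifest are unchanged; it says nothing about in-memory implants, added cron entries under paths the image never contained, or database contents, so it narrows the scope of the investigation rather than closing it.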

As an aside (0)

Anonymous Coward | more than 2 years ago | (#39087663)

he found out that the admin password was "dieZuckers".

judge should send facebook programmers to jail (0)

Anonymous Coward | more than 2 years ago | (#39087671)

Because their actions are actually the real cause of 'real consequences and very serious potential consequences' for Facebook. Why should Glenn Mangham pay for mistakes made by Facebook employees?

Hackers (1)

Flipstylee (1932884) | more than 2 years ago | (#39087717)

You don't hack a bank across state lines from your house, you'll get nailed [awesomefilm.com] by the FBI.

But in all seriousness, really? Has this guy not read the news ever? Throwing out common sense, ahh nevermind.

Mr. Patel (2)

93 Escort Wagon (326346) | more than 2 years ago | (#39087727)

The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'

Mr. Patel? Is that Mr. Synthesizer Patel? I guess he discovered music wasn't paying the bills.

Not just IP, but IIP! (0)

Anonymous Coward | more than 2 years ago | (#39087795)

Hacking from his bedroom, Mangham gained access to three of Facebook's servers and was able to download to an external hard drive the social network's 'invaluable' intellectual intellectual property (source code).

That sounds mighty intellectual...

isnt this the wrong way around ? (1)

Anonymous Coward | more than 2 years ago | (#39087803)

Shouldn't we be jailing the Facebook people for not securing our data properly ??????

26 years old (-1)

Anonymous Coward | more than 2 years ago | (#39087831)

is not a kid. That is a grown individual. Only in the nanny state that the US is turning into, which allows adults up to the age of 26 to stay on their parents' health insurance, would this individual be viewed as a "kid." Time to grow up.

Re:26 years old (1)

spire3661 (1038968) | more than 2 years ago | (#39087995)

He's a Brit, you twit.

Moral of the Story (0)

Anonymous Coward | more than 2 years ago | (#39087871)

Hey kids, here's the take-home message: Did you discover a serious security vulnerability in a corporate or government agency? DO NOT TELL THEM. You will be fucked in the ass. If you think you can get away with it, sell the info. Otherwise publish it anonymously.

200K damages (1)

dutchwhizzman (817898) | more than 2 years ago | (#39087879)

In the Netherlands, damages are only what you have to spend to put the original situation back. If that means reinstalling 3 servers from scratch, I doubt you'd be looking at 200K. However, if you need to do forensics to actually establish that it was just the 3 servers and you need an external company to do that because privacy regulations from the government mandate that, 200K sounds plausible.

If you were never planning on releasing or selling any of the vulnerabilities you found, and if you were willing to give them to the person/business you hacked into without any compensation, you'd be called an ethical hacker. Mind you, that doesn't make it less illegal to do the hacking. You just won't be guilty of other crimes.

As a business, it makes no sense to have an ethical hacker prosecuted, since they are providing a service for you that would normally cost you a very substantial amount of money. However, not paying people will not help getting people to be "ethical" with you. Getting them prosecuted will not help either; they will just hide their tracks better and simply sell anything they find to the highest bidder, or put it out in the open for anyone to abuse. Groups of people with "poor impulse control" might take offense at a judgement like this and take their frustration out on the company that decided to get the hacker prosecuted.

Do it right. (1)

dLimit (2495802) | more than 2 years ago | (#39087885)

This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.

While that may be true, that doesn't appear to be the judge's rationale for convicting the kid.

It sure sounds like the judge is rationalizing the ostrich strategy when he says that the kid's actions had 'real consequences and very serious potential consequences' for Facebook. Those consequences existed not because of the kid's actions but because of facebook's security failings. Even if the kid had done nothing, those vulnerabilities would still be there and facebook (and more importantly facebook's users) would have faced just as much, if not more, risk than they did if the kid had done nothing.

26 isn't really a "kid", is it. But true, they should have granted him more benefit of the doubt about what his intentions were. But still, one cannot simply go hacking stuff and say you're "pen testing". Penetration testing has procedures that need to be followed to avoid getting into shit like this guy did.

just wondering... (0)

Anonymous Coward | more than 2 years ago | (#39087901)

is it something like 'real consequences and very serious potential consequences' for facebook -> 'dude, you're fucking up our IPO' -> massive lawyer attack?

Few remarks/questions... (0)

Anonymous Coward | more than 2 years ago | (#39087909)

After reading those post I have several questions/remarks:

1. Is it better for some vulnerability to be found by a guy that will report it, or by someone who will exploit it? With this jail sentence, those that would report it will be discouraged from doing so.

2. Even if this sentence prevents someone from hacking Facebook, it won't discourage bad guys from some obscure, or less obscure, countries. When a vulnerability is there, it will be exploited, sooner or later. Facebook is a very attractive target.

3. If I had a security company and I wanted to check if there are any vulnerabilities present in Facebook's servers and/or code, it follows that I have to seek permission from Facebook. How many people regularly try to hack Facebook? How many actually find something? What if all of them asked FB for permission? Isn't that absurd when you think a bit about it?

4. Facebook says that damages are $200,000. Well, I just wonder how high damages would be if Anonymous, LulzSec or similar had found the vulnerability. I believe that in that case FB would immediately agree on the aforementioned $200,000 for damages.

Eight Months for "Computer Misuse?" (0)

Anonymous Coward | more than 2 years ago | (#39088017)

I wonder if their definition of "computer misuse" differs from mine.

I'm envisioning people spending eight months in jail for using their CD drive tray as a cup holder, logging into AOL or installing Windows XP.

he broke the 11th commandment (1)

Alex (342) | more than 2 years ago | (#39088019)

Saying "I'm an ethical hacker" when you get caught, doesn't mean you don't do time.

It means you are an idiot.

Alex
