Hilton Hacker Gets 11 Months
B747SP writes "Well, the guy who 'acquired' the contents of Paris Hilton's Sidekick telephone and published them on the Internet has had his day in court. T-Mobile USA and the State of Massachusetts are pleased to report that he has been sentenced to 11 months in a juvenile facility. He's also not allowed to own or use a computer, a cellphone, or any other device that can access the Internet for two years. It turns out that the Hilton hack was just one of many Bad Things(tm) that he had been up to: calling in bomb threats to schools, creating T-Mobile accounts for himself and his friends, breaking in to data broker LexisNexis' systems are just a few of his exploits."
When computer security was in its infancy, the person who broke into your system was the most qualified to stop other people. For a bunch of years, people who pulled off significant hacks (Mitnick) would get recruited. Basically, it takes a crook to catch a crook.
The guy who the movie "Catch Me If You Can" was based on ended up in the employ of the FBI detecting counterfeit stuff because he was so damned good at it.
Then people started arresting those who did such things. It's far less common for these people to get security jobs after their jail-time.
Lost at C:>. Found at C.
Maybe because, in America, we have this sentimental nutty idea that "the punishment should fit the crime" and imprisoning anyone (much less a kid) for a year or more for cracking someone's cellphone while violent criminals get away with little or no penalty is hard to justify.
Actually they do. The famous example was Joe Kennedy who headed the SEC when it was first created. Roosevelt said it "took a thief to catch a thief." He basically outlawed every dirty trick he used to become rich himself.
breaking in to data broker LexisNexis' systems
Now, I realize that no interconnected computer system can be 100% secure, but shouldn't a place like LexisNexis be able to keep kids like this out? Was he really that good, or are they just really lousy at computer security?
You don't use science to show that you're right, you use science to become right.
If this is true, IT is in for some trouble.
I was a young computer punk before "hacking" had become "cool". I broke in to computer systems. I traded illicit information and software. The difference is that I was never caught (or did enough damage to make myself noticeable as far as I can tell - it would be disingenuous to claim that I did no damage at all).
Today I work in information security. I've worked for small businesses. I've worked for Fortune 50 corporations. And I've worked for the US Government. I'm not alone. Throughout my career I have met and worked with plenty of others who have a similar history and now hold jobs with considerable responsibility. We're everywhere - it's just that some people don't know it.
A key difference is that neither I nor the people I've mentioned were hired because of criminal records. We were hired because the skillset we gained and the mindset we have is needed by our jobs.
If there is something to criticize here, it's the mistaken belief that a criminal record makes one hirable. It's not the record, it's the ability. What some of these kids get nailed with hardly highlights impressive ability as far as I have seen.
It's not just the antisocial behavior. In order to be an attractive hire for one of these agencies or companies, you have to be something of a virtuoso. The people you hear about who dodge jailtime by getting hired by the people who caught them were offered those jobs because they were innovative in their lawbreaking, and had demonstrated that they had the critical thinking skills that distinguish successful criminals and good troubleshooters.
He's probably insane and should have medical treatment. Putting him in the prison sounds pretty stupid to me.
"Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
I don't know, there are many cities with an option called "public transportation." And indeed, taking away a driver's license is a pretty common and not too unique penalty. And if you don't have a driver's license you'll probably get pretty comfortable riding a bus, or walking perhaps.
Same with internet/cell phones. A computer/cellphone may be as necessary to life as a car. But that doesn't prevent you from losing the right to use them. If they meant that much to him, he probably should have respected them a little bit more. But he chose his actions, and now has to live with his consequences. Yeah, sucks to be him. But under the current system, that's life.
-Brent
I have first hand experience with this particular individual. I wanted to reply to every post I've read on this page and address each point individually. However, there are too many points to address and too many of my own to add.
My Experiences
My first experience with this kid was three years ago. I am a consultant for the school department in which he was attending high school.
One afternoon I got wind of a report that a couple of computers were "operating themselves." Of course, they were not, they were being controlled by VNC. We took the computers out of the library, found the backdoor, and analyzed all the files. We were also able to identify the backdoor that was installed, as well as the many utilities that were downloaded from a file-serving website he had set up.
Many of the files contained portions or the entirety of a first name. The website the files were downloaded from contained the same first name.
The backdoor was installed on the premises. It was installed before the start of school. The utilities were downloaded during school hours.
We did a first name search in the SIS system, we found five or so individuals with the same first name. None were enrolled in a class that had a computer in the classroom. We then did an attendance search on those individuals. Only one was absent the date the utilities were downloaded. We had our guy, we were confident, but the evidence was circumstantial.
We decided to put the compromised (Windows 98) systems back on the network under surveillance, or specifically tethereal. The systems immediately connected to irc.mircx.com and joined a channel with the first name, again.
For a few days nothing happened. No activity, other than the PING/PONG of IRC. That weekend, however, he bit. He bit hard, too. He searched the names and phone numbers of guidance counsellors, secretaries, and other school personnel. He obviously conducted some rather trivial social engineering. He was able to gain access to the SIS system, which runs on OpenVMS.
We tracked his every move, I laughed and laughed as he struggled with VMS. Time after time he would break the telnet connection because he was stuck in EDT, or because he confounded the DEC Basic application. He queried himself multiple times, tried to change information about his enemies, I assumed, and made unsuccessful attempts to change his own grades.
The administration didn't buy it. He cried foul, denied any knowledge of computers, claimed he was botted, claimed hackers were out to get him. They didn't pursue the issue, but we 'secured' the network. We dropped all IRC traffic and all VNC traffic. The next day we were subjected to a crippling DDOS, and a bomb threat was called into the school. We couldn't prove it was related and got no support from above.
A few months later, he was caught red handed trying to break into an attendance-entry web interface, by a librarian. He was suspended and removed from computer classes. Case closed, at least from our perspective. A few more days of DDOSes, but that ended quickly.
The next school year, bizarre things started happening again. The High School's network was secured, but the middle schools were not locked down as well. Again, the SIS system was being accessed after hours from backdoored systems. Again, social engineering had taken place. We locked down that building, but the accesses were still happening. It was determined that an unsecured WAP had been installed on site and he was sitting outside the building accessing the network. (Sometimes I wonder why they pay me when they do things like that despite my objections).
Of course, we had even less evidence this time to point to him but it was obviously him. The IRC backdoors were the same, the names were the same, the passwords were the same, but the administration still refused to act. We secured that network and the after hours accesses stopped, but unusual activities continued to arouse suspicions.
U
The List of Grievances with Slashdot.