Slashdot Mirror
Hack a Million Systems and Earn a Job
An anonymous reader writes "It has been a number of years since the fantasy that hackers will be offered a job by those who they hacked was even a potential reality, but this might still be the case in New Zealand. An 18-year-old hacker responsible for writing a number of applications used by an online group called 'the A-Team' that allowed the creation of a million-plus machine botnet and a range of credit card fraud activities to take place, has walked free from court sans conviction despite pleading guilty. And to top it all off, the NZ police force were interested in talking to the hacker about working for them, and 'several computer programming companies' were also chasing him for his skills."
...so I'll be driving everywhere with my foot to the floor, hoping for a drive by 2010!
Oh great. I'm twenty and I'm comparitively useless and old. That's so depressing. :(
This has been on the news for awhile in NZ, the funny thing is the paper the other day said tens of thousands, then another one said hundreds and now it's a million!
Awesome.
This is a great step forward for black hats everywhere! And a great step forward for aspiring CS students ... and a step back for mankind. *siigh*
at least it was 2 forward and one back...
This guy has already proven that he will break the law. By working for the police department, he can write the systems for them, then later leave and hack their system. The guy has already been proven that he can't be trusted, so why work with him.
According to a local story he was discharged without conviction because he didn't show criminal intent, rather he was he motivated by proving his abilities, and conviction would be unduly detrimental to his future prospects.
The NZ Police force have stated they are not offering him a job, yet somehow all the NZ media are saying companies are lining up to offer him a job. I've seen nothing but speculation and rumours.
While it's unfortunate that he has a form of Aspergers, the kid should have been convicted.
Read this: http://slashdot.org/firehose.pl?op=view&id=763499 I tell you what. this coutry is great in so many respects but they are really bad at punishing people. I have been the victim of crimes many many times here and there is so little that they can do to the offenders when they are caught because the law is so leniant. Did you know that it is now even illegal to smack your child in NZ?
http://projectleader.wordpress.com
Typical, they are a decade behind the rest of the world.
Next thing you know they'll be all rushing to register domain names for amazing new website so they can capture some of that VC money for their startup.
“Common sense is not so common.” — Voltaire
...why! This goes against everything my parents ever told me!
How silly.
Some of us do this kind of shit for fun. For pranks.
Why would this Owen kid accept a job and have to work for someone else breaking into shit he may not even want to? It's boring as fuck. He made more money just infecting people's computers and stealing their CC numbers. According to TFA he costed them $20M of "real damages". You have a small chance making that kind of money working for someone else, and even a smaller chance doing it legally.
Maybe I'm just an anarchist; but I don't want to get paid for RE'ing. I do it to piss people off instead.
Ah well, at least they aren't portraying it as a BIG FUCKING DEAL anymore. Which is a good thing all around for crackers and what have you.
Don't hire him, he's an asshole!
Post them, and 100,000 sites at least will go down the following week. Easy, you won't have to do anything. Oh. A million sites? Damn.
Honestly, he's an 18 year old with Asperger's. In other words, he's a lonely teenage nerd, with a literal handicap in the personality department. The only thing to do is give the kid a job.
Asperger's, like autism, makes cause and effect a little difficult to process. That said, people with Asperger's also tend to be very methodical (as his computer expertise can attest.) Setting down a clear set of expectations for him about how to behave in the computing realm is difficult, but it's not the same thing as trying to reform a hardened hacker. He's young, and he's not entirely with it, at least not in terms of personal interaction. I imagine that's exactly why he hasn't been charged.
Oh...
um, oops...
I for one welcome...
Bah.
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
they let him go without a booting
Some more context might be useful. Walker had mild Aspergers syndrome; criminals were paying him to work, but the judge believed that he was unaware of what they were doing with his work. Even the crown prosecutor acknowledged that he had not profited financially, nor had he used the botnet (which, I guess, he helped make) for fraudulent purposes.
Summary: Aspergers kid develops amazing programming skills; gets exploited by bad guys; when it all blows up his family starts paying more attention to him and he gets more sociable. Judge realises that he done wrong, but he didn't mean wrong; sending him to prison would ruin his life and cost taxpayers money, whereas keeping him out of prison will let his family set him straight and turn him into a profitable, functioning member of society.
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Dear /.,
Eat a cock. I posted this days ago, with a link to the NZ article, and you wait for a UK one?
The GNAA will hear of this. As will Man/Woman in his never-ending quest to rehabilitate the swastika.
By the time you finish reading this sentence will end.
In a situation like this, why *not* co-opt them? If the damages can be undone or leave no lasting harm, it surely makes sense to channel and redirect that skill. Sure, credit card scams and phishing attacks can ruin lives in worst case scenarios, or otherwise cause a great deal of inconvenience, but no extraordinary or lasting damage should have been done in this case once things have been set straight. Chalk up another point for the perils of data security in the modern world and put him to work in community service, have him serve a jail sentence, or...make use of his skills to help better the community he put at risk. Criminals are not always prone to repeating their crimes and he wouldn't do anyone much good if he's left uneducatced or put behind bars - the best he can hope for then is a job that won't pay much and leaves room for him to consider using his skills for selfish reasons. Better to put valuable skills to good use in the midst of professionals who could keep an eye on him and train him. It's not their place to try and instill a desire to follow the law, but they can certainly make it to his advantage to do so. And I'd think it more of a deterrent to know you're working with professionals that would be slightly harder to sneak something past than your average law enforcement. You run the risk of just creating a better criminal, but you also have the chance to create a better law enforcer.
What they really should have done is force him to work for them. The logic for most crimes should be: commit a crime, be forced to work with police to prevent crime. The more they get, the easier it is to catch others, the more they get etc. Of course if he doesn't even have to do that, then I just hope he'll get murdered.
Help fight spam
Without going into details, I got my start as a software engineer by hacking into a well known corporate system and being offered a job. I didn't get caught, but rather let them know about it (in a very nice way!) This was more than 20 years ago now, so I dare say the climate towards benign systems hacking is probably a tad more hostile today. Intent and methods probably saved my bacon, even then.
}#q NO CARRIER
I worked as tech support for a small local isp a few years back, and this kind of thing happened to a guy who was hired with me. When we were all sitting in the conference room getting the legal brief, one of the stipulations was something like, "You cannot work here if you've ever been convicted of a computer hacking-related crime" or something to that effect.
The lady said it with that haha-I-know-no-one-in-this-room-is-that-smart kind of way, but the guy sitting next to me got real quiet and asked if he could talk to her outside. Turns out he cracked into a bunch of university computers down in georgia or someplace and it was a pretty big deal, and he had used this local isp as his springboard. It was iffy for a while but they gave him the job anyways, since he did the crime when he was a young teenager.
Reubens, if you're reading this, feel free to correct me if my details were wrong.
-b
No offense, but I've stopped responding to AC's.
Followed this case closely.... especially the thing that brought him down: a UPenn student named Ryan Goldstein, aka Digerati...
http://lamp.dailypennsylvanian.com/thespin/2007/11/29/penn-student-enters-the-matrix/
A wannabe hacker who got kicked out of an IRC group frequented by a group called Splinter Security for being a pedophile:
http://www.scriptkitty.net/files/Digerati-Exposed.zip
[NSFW]
Whose teenage angst could not be contained... and hired a NZ skript kiddie named AKILL... who agreed to use his botnet to do a DDOS against TAUnet... as this would somehow make Splinter Security Group realize how much of a mistake they'd made in banning Ryan for being a pedo and beg for him back.
IN EXCHANGE FOR THIS: Ryan offered up some bandwidth on an engineering lab server so that AKILL could update the code on his botnet.
The way they got caught: As it turns out, people notice when your 40,000 node botnet tries to download an executable off of a server that normally sees no activity.... ALL AT THE SAME TIME. As it turns out, that server crashes, the traffic doesn't stop, people notice something's wrong and call the feds.
It's all quite funny.
As a society, we need to realize that criminals or 'outcasts' (for whatever reason) can be extraordinarily intelligent. As a society, we need to learn how to harness their skills.
Frank Abagnale (the main character of said movie) turns from a check-forger into a designer of secure checks... by using his knowledge of what's hard to forge. We're all better off as a result.
There was a kid a couple of months ago who had the creative and technical skill to make a CounterStrike map of his school. I sure as hell can't do that. Now instead of letting him do an independent study in game design or 3d modeling, or even teach a class (after school or whatever), they sent him to a 'special' school (where they send all the stupid bullies).
We need to give people who possess this intelligence another outlet.... otherwise they'll continue to eat our lunch. Being on the wrong side of the law is obviously more interesting, which is presumably the appeal - a Google-style approach of 'work on cool projects on a flexible schedule' ought to keep them interested enough to do productive work.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
letting some criminals off easy due to their "usefulness", then yes, it's a step backwards for justice.
damaged by dogma
So did he say to himself on the way to the interview, "I just love it when a plan comes together!"?
Cole's Axiom: The sum of the intelligence on the planet is a constant. The population is growing.
discriminate against a dummy, you get a dummies response. not all people are born criminals, but influenced by a greater source. This kid was knowing he wouldn't get far with an ill (I am that ill, just not mentally) and I have encountered broken before adulthood begins. I hope he gets everything his mind is capable of.Hating instantly with elistism is going to catch up. Look at america. I would swear I heard this story alot longer ago than this posting...but that is the mental phenomona my repeated daily internet is. I wish I was dumb enough to forget what is repeated.Good luck to the asperger hacker...
Personality disorders such as Aspergers can be debilitating, but at some point we must all take responsibility for our own actions. No one else can.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Corrective justice > Retributive justice.
Fool me once, shame on you. Fool me twice, watch it -- I'm huge!
"My child, you have come to me my son. For who now is your father if it is not me? I am the well spring, from which you flow. When I am gone, you will have never been. What would your world be, without me? My son." -Thusla Doom.
Get down on your knees and pray for the mercy of Thulsa Doom! It is only by His energies that you are allowed to live on His planet. You are unworthy to be in His presence and yet He allows you to persist in your pathetic life. If He desired to do so you would be dead before you read the rest of this post. You owe your lives to such The Master.
Thulsa Doom!
I think the biggest problem with these "slashdot hacker hacks Bank of New Zealand and gets a job there" is the by product of some sick fantasy that people are less awesome than they think they are. Most people never get their "15 minutes" and I doubt a real hack would want his (which is usually getting hauled off to fucking jail).
On a side note,money isn't everything and yes today's hacker needs to put food on his table I doubt there are millions of dollars just waiting for these people at the end of the rainbow being defended by the magic script kiddie Commander Taco.
FUCK SLASHDOT! -- and yes, I am using plain old text now...getting fucking tired of HTML in the only site on the internet that makes using it a pain in the fucking ass.
The crown will plainly show the prisoner who now stands before you, was caught red handed 0wn1ng people, 0wn1ng people of an almost HUMAN nature.
This will not do.
Sorry, couldn't resist.
Russian Hackers remain free, while hackers of other race are in jail.
That is because the government is controlled by the Ashkenazi "Jew", which its genetics does not related to the people of Palestine but linked to Russia.
A scholarly article about the origin of the so called "Jews":
http://catholicvoice.co.uk/khazar.htm
1. Nothing is stopping him from doing a little work "on the side". You hiring him does not mean he is not going to write rootkits. It also doesn't mean he's not going to take money to work against you.
2. He's gaining knowledge of your systems. When someone later outbids you, he's not only working against you, but doing so from a stronger position (while at the same time denying you any benefit you might have gotten from him).
Waaahhh he has Aspergers waaahhh. Does that excuse his behavior? No. Typical defense of making someone out to be the victim of (fill in blank) to gain sympathy. He could have done something useful or even creative but chose this path instead. The only person you are fooling are the idiot mods.
Only the State obtains its revenue by coercion. - Murray Rothbard
Why is this modded Funny? In this case it's a perfectly reasonable justice system. He's already been fined NZ$15,000 (~US$11,000) which would likely be a lot for him.
The judge looked at the situation and the context (including the fact that he's autistic), took into account that the police weren't too interested in seeing him in jail (NZ police are interested in actually preventing crime rather than simply locking people up), decided he's young and is probably unlikely to do it again if given a second chance, took into account that he's received other forms of discipline already, noted that he'd actually realised and accepted the consequences of what he did and was willing to try and pay reparations, noted that an on-the-record criminal conviction would limit him in a lot of ways for the rest of his life and probably put him in a position where he'd more likely offend again, and determined that all of this information outweighed the possibility of a discharge-without-conviction encouraging others.
This seems like a very good justice system to me. The judge is actually considering the case on its merits and taking into account that throwing someone into jail will just make it more likely they'll re-offend when they get out.
And to top it all off, the NZ police force were interested in talking to the hacker about working for them, and 'several computer programming companies' were also chasing him for his skillz.
There, fixed that for ya.
Like I wrote back in 2001 Hiring hackers - why it might not be a good idea
There has been a long, ongoing debate about this issue, and recently it has resurfaced in public. Should companies hire hackers convicted of computer crimes? The general theory is that these "hackers" are elite commando style computer security experts that can tighten up your network in a weekend marathon of pizza and pop. Often nothing is further from the truth.
The first concern I would have is: are these people really any good at computer security? Now this may sound like a rather silly question, but it bears asking. The most obvious clue would be that they have been caught and convicted of a computer related crime. If they are such great "hackers" why did they get caught? Kevin Mitnick, a very famous hacker, was caught several times, and spent time in jail. Most hackers possess very little actual skill. They simply follow in the footsteps of others. It is very easy to download precompiled exploit scripts from sites such as rootshell and then use them to break into systems. Even assuming for a moment that this person has any advanced computer security skills related to breaking into networks, this does not mean they have the skills needed to secure networks. It is one thing to find a weakness and exploit it, but it is an entirely different matter to fix it properly.
Securing a network takes a lot more then plugging a few technical holes. Even if I were to walk into your network and fix every single existing problem, it would not make your network secure. Security is a procedure with many steps, assessment, definition of needs, planning, implementation, review, and so forth, which amounts to a never ending cycle. Even if you hire a brilliant hacker that secures you against all known attacks, new problems will crop up. Even if your hacker has these qualities, their ethics are extremely questionable. There is a famous saying among lawyers: "never put a perjurer on the stand", which boils down to "if you know he's lied before, chances are, he might do it again". How can you trust your newly hired hacker not to slip backdoors into the system that they might later exploit. While it is true that any trusted employee might try to do something like this it certainly seems silly to put yourself in a higher risk category.
A company has a fiduciary responsibility to stockholders. They are entrusted with their stockholders' money and are expected to make decisions that will increase it without unnecessary risk. Engaging in high risk behavior means legal liability. For example, would it be reasonable to sue the corporation for not taking proper care and responsibility in hiring someone they know to have offended before? Considering the position of trust most security administrators are placed in (they have administrative access to servers, monitor users' network usage, read incoming and outgoing e-mail and so on) is it really wise to hire these people? A person with administrative access to a server, or physical access to the network can break into systems and leave backdoors with nary a trace. Would you expect a bank to hire criminals convicted of armed robbery to transport money on the grounds they know what to look out for? Would you hire a burglar to install the alarm system for your house?
While it would be nice if all criminals that got caught were rehabilitated, used their skills for good rather than evil, and never offended again, this is not a perfect world. By breaking the law, for whatever reason (curiosity, maliciousness, etc.) they have chosen to violate rules generally accepted in most countries and societies. They have (at a bare minimum) shown poor decision making, and while they may not specifically want to re-offend, they may be tempted by a short term gain and take a chance (as they have in past).
Summary
While it is possible to find a convicted hacker with the skills you want, it is exceedingly ra
Aspergers isn't a personality disorder.
http://en.wikipedia.org/wiki/Personality_disorder#List_of_personality_disorders_defined_in_ICD-10_.28F60-F69.29
It's a neurobiological disorder.
http://www.udel.edu/bkirby/asperger/aswhatisit.html
We are all, of course, ultimately responsible for our actions. ... Except that some neuro-atypical people may not be. But I think the judge had the right idea here.
Cleverly disguised as a responsible adult.
And he was reborn, and he bore a white hat. Are these people serious?
... in 2008 a hack commando unit were supposed to be sent to prison for a crime they did commit(!), though the captured leader goes free after trial (to the NZ underground) and now survives as a hacker of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire...the A-Team. Bam bam bam!!!
Reading these comments and others ones on reports of serious crime in the US, I get the very distinct impression that a very large sub-set of the US population are a bunch of intolerant and vituperative red-necks who have yet to discover the phrases: "There but for the grace of God go I", "He who is without blame, should cast the first stone", and that " ... and lead us not into temptation", has the corollary: "Thou shall not tempt".
I just wish that the people who enable this sort of crime by selling computer systems which are insecure by design, and out-of-the-box configuration, could be brought to account.
I know it will never happen, but I cannot help but wish it would.
Perhaps networked computer administration should become a professional occupation with legally enforceable codes of practice.
As far as young Mr. Owen Thor Walker is concerned, while he has not had an official conviction recorded against him, he, and his family, have suffered quite a heavy informal penalty.
Sounds more like a cracker to me.
In my hometown in Australia I broke in and found 2200 credit card numbers of my then ISP's customer database. I told them about it and they offered me a job as their System Administrator. I was 16 at the time and the Internet was new. I wouldn't dare try it now for fear of going to Jail - even if my intentions were not in anyway malicious. The law doesn't really understand the hacking culture. In this case I don't know if Mr A-Team was quite so innocent in his ambitions but I don't think its necessarily a bad thing to hire someone who knows a system so well they can get in the back door without you even noticing. I'm not saying I'm an awesome hacker or anything but in my case there were no more breaches after I started working there.
And according to this article:
The article does not say why he was fired.
If the police weren't desperate for a solution to this growing problem, this kid would be doing time. I predict this action will help to fuel the fire, and create more hackers "trying to earn a job". What the hacker himself has to watch out for, are people that he helped rip off. Some of them will take punishment into their own hands, since the authorities let him walk Scott-free. I wouldn't want that type of paranoia hanging over my head.
"...'cause I seen a million systems, and I hacked 'em all..." Yeah. Hair Bands Rule! :-P
---As my daddy used to tell me: "You gotta be smart before you can be a smartass."
I currently work in the computer security industry, and am working towards getting my Certified Ethical Hacker certificate. Hiring some kid who went and did a load of stuff that was at the very least unethical kind of devalues the certificate and makes a mockery of those who seek to obtain it in order to rise in this industry. Loads of places require that their penetration testers/security analysts obtain the cert and having some other employer just ignore that shows that no, the cert isn't really required, and ethics are unimportant.
For the most part we don't have a really good way of measuring the skills of a cracker (Yes I am old school and I don't like calling these people hackers) Oh you broke into a million systems by running a pre-made script all that shows is you have no life. But if you were without any scripts find a new security hole learn to exploit it on your own personal network or in a controlled environment, shows that you just may know what your doing and have the ethics to not cause collateral damage as well to boot. Who would you want to hire.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
So, explain to me how having aspergers should get him benefits - he's socially retarted, then again, most geeks are ... and he's extra smart.
sorry if I don't feel bad for him...
If Frisco's past hiring of IT staff is any indication, this kid is right up their alley!
http://www.theregister.co.uk/2008/07/16/sf_sysadmin/
----Snip----
Security is a procedure with many steps, assessment, definition of needs, planning, implementation, review, and so forth.
----Snip----
Oh, man... do we hate documentation or what?
The funny thing is all he did was cobble together known available exploits.
http://blogs.zdnet.com/security/?p=1502
"He is neither a hacker, nor a computer genius possessing some kind of unique skills, he's just someone proving for yet another time that it's not a matter of lack of capabilities for committing cybercrime, but a matter of courage to so. "
He's a cut-and-paste script kiddie, not a talented system breaker. The real system breakers are the people that actually wrote the code.
His real talent is using google and ctrl+c/ctrl+v.
ROFL. A monkey can break vulnerable systems with a payload/rootkit someone coded for them and some balls. The NZ gov is a bunch of idiots.
-Viz
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
Keep your friends close.
Keep you enemies closer.
Maybe the companies/police want to see how he does his things so that can change their code to counter act it.
Back in my day if you ever wanted to steal a credit card you had to go mug someone! You youngins have it easy these days.
it always cracks me up when people (including hacker/cracker types" think hackers are so smart. being devious and doing things you arent supposed to doesn't make you smart. messing around on computers isn't some rare talent... seriously.
so if you want to be a bad kid and play around, sure go ahead... get a few kicks, annoy a few people. but dont delude yourself into thinking you are special b/c you play a game that crosses the laws.
An anonymous reader writes [...] the fantasy that hackers will be offered a job by those who they hacked [...] might still be the case
Glass, is that you?
..I know someone who kickstarted a fantastic career managing IT security for large organisations from criminal beginnings. Admittedly that was ten or so years ago and these crimes are viewed more seriously now..
Yep, this makes me sick. Let's see, hire a hacker to protect your systems. What a great idea! I mean, what are the chances that he will steal all our sensitive information and sell it? What are the chances he will steal our customer's data and ruin our reputation as a business so no one will ever deal with us again? I have a better idea, we will be proactive about it and make the whole thing public, so people can stop doing business with us now rather than after we get screwed! Hire a professional. Hire someone with ethics. There are a lot of people who know how to hack. Some of us choose not to because of this, umm, ethical thing. We realize that we should do the right thing. Next thing you know assassins will be hired to protect people, and bank robbers will be hired as Brinks truck drivers. When will business "get it?" Wait, that was a stupid question. Morons.
Open Source: Eroding the Digital Divide
"creation of a million-plus machine botnet" Who on /. can out do that? Where's that X-prize man?