Job Seeking Hacker Gets 30 Months In Prison

wiredmikey writes "A hacker who tried to land an IT job at Marriott by hacking into the company's computer systems, and then unwisely extorting the company into hiring him, has been sentenced to 30 months in prison. The hacker started his malicious quest to land a job at Marriott by sending an email to Marriott containing documents taken after hacking into Marriott servers to prove his claim. He then threatened to reveal confidential information he obtained if Marriott did not give him a job in the company's IT department. He was granted a job interview, but little did he know, Marriott worked with the U.S. Secret Service to create a fictitious Marriott employee for use by the Secret Service in an undercover operation to communicate with the hacker. He then was flown in for a face-to-face 'interview' where he admitted more and shared details of how he hacked in. He was then arrested and he pleaded guilty back in November 2011. Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs."

Good

[Viol8]

Blackmail is blackmail whatever method is used to carry it out. Thinking that you're some sort of "lee7" hacker doesn't change the rules. Besides which, this guy comes off as an arrogant moron anyway.

Re:Good

[hamburger+lady]

clearly, this whole thing is obama's fault.

Re:Good

Wrong, still Obama's fault! Stop living in the past. The economy, cost of tuition, cancer - all Obama's fault, as sayeth the great Lord Limbaugh!

Re:Good

[Adriax]

I'm guessing Marriott's monetary claims are mostly "It's his fault we have to pay all this money, we wouldn't have to fix anything if he hadn't used those flaws to break in."
He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

Re:Good

[Glonoinha]

It's "1337" hacker. Just sayin'.

And seriously, ... the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs. ???
That's got to be the craziest application of 'cop math' I've seen in a non-drug related case ever.

Re:Good

[hrvatska]

The guy is a citizen of Hungary. He did the illegal intrusion and attempted blackmail while in Hungary. He was arrested when he arrived in the US for a 'job interview'. Hungary's economy is more fucked up than the US economy, and they did it all on their own.

Re:Good

[phantomfive]

He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

Why do you think this? I couldn't find anything related to it in the article. Do you have some preconceived idea of how companies should act, and then judge them without checking the evidence? That's a serious cognitive bias.

He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

Re:Good

[betterunixthanunix]

He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

Except that users are part of the system that is being attacked. As Bruce Schneier put it, only amateurs attack machines; professionals target people.

It is true that user training is hard. It is equally true that the system should be resilient to stupid users, just as it should be resilient to malicious users. Spear-phishing and trojans are just a way to get non-malicious users to behave maliciously, and the system should be designed to contain the damage that malicious users can cause. There are a variety of technical measures that can be taken to prevent malicious users from leaking information or otherwise violating the security of the system; a large company should be taking these sorts of measures.

Re:Good

[zwede]

It's "1337" hacker. Just sayin'.

And seriously, ... the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs. ???
That's got to be the craziest application of 'cop math' I've seen in a non-drug related case ever.

I guess you haven't seen the 'math' used in file sharing law suits then.

Re:Good

[ScentCone]

But the blackmail itself is just a negotiation.

No, it's extortion. And that is a crime.

Re:Good

[phantomfive]

Oh yeah? You've discovered a way to prevent spear-phishing attacks from doing damage? Please tell.

Re:Good

[Delarth799]

Damn right! He is the president and has access to the magic wand of "make shit instantly happen" and he has yet to use it for anything to help the country out.

Re:Good

[betterunixthanunix]

I am not going to claim that malicious users can be prevented from doing any damage. All I am saying is that a malicious user's ability to do damage can be restricted in a well designed system. The entire point of MLS systems is to ensure that users cannot leak or alter sensitive information, beyond what is necessary for their job. "Inside jobs" are a problem that has been extensively worked on, and resilience to such attacks is not completely impossible. There are cryptographic approaches to dealing with potentially malicious parties within a given system, which can ensure that security is maintained even if some of the participants are corrupted.

We really do not have to throw our hands in the air and declare spear-phishing to be some kind of ultimate attack that cannot be defended against.

Re:Good

[JamesP]

So in this case it's blackemail?

Re:Good

[EdIII]

He has a point, and so does the other poster. Marriott cannot absolve themselves of all blame here and trumping up enormous costs is kind of way to shift the expense they should have already been paying to secure their systems. A million dollars is a little over board. I'm not blaming the victim here either, just saying that it is a little bullshit to pile all those costs on to the hacker afterwards.

As far as preventing trojans being sent to employees you could look at it preventing all file transfers over IM, removing all executable attachments on email, all attachments on email that cannot be decompressed, locking out USB drives from connecting, disabling auto-play, etc.

An intercepting proxy and whitelist can also be pretty effective when combined with anti-virus and anti-malware from the workstations.

Now if you mean mitigating damage once the trojan is installed, that is where document management, behavioral analysis, systems that employ data diode techniques, and limited access per employee and workstation can help.

Sure, you could attempt privilege escalation once on the machine, but if all the attacker can get is the user credentials, and the workstation itself cannot be used to obtain suitable credentials to compromise other workstations or servers on the network, then I would call that damage mitigation.

Of course, none of this is fool proof, but you seemed to indicate that it was not possible to prevent it at all.

Re:Good

[phantomfive]

Good point. There is always the balance between security and ease of use.

In this case it doesn't look like the guy got much other than a few documents, at least that's all the article mentions, so I maybe they do have some protections.

Re:Good

[phantomfive]

removing all executable attachments on email, all attachments on email that cannot be decompressed,

Companies that do this drive me crazy.

Re:Good

[EdIII]

Seriously?

Not allowing .exe files in emails drive you crazy? Especially when email was never truly designed for file transport in the first place?

Not allowing compressed file attachments that cannot be scanned drives you crazy?

Well tough cookies buddy. If you need to send files back and forth with a user on my network you can go through different channels, and whatever they are, you can bet that the file will be scanned and the user will not be allowed to install software. If you are trying to protect from being scanned or opened, you are already wrong to do so. The user has no basis or justification to need privacy (from the system) when exchanging information across email. Part of the data diode and behavioral analysis I mentioned.

None of what I said prevents normal file transfers needed in the course of business. Just executable files.

I hardly see how that is unreasonable.

If I wanted to go overboard and be unreasonable I would remove PDF attachments.

Re:Good

[rtfa-troll]

[...] beyond what is necessary for their job [..]

I don't want to pick nits with what was an excellent answer to the standard "there's nothing we can do" excuse. However, if you have MLS then even information which is needed for your job is likely to be protected. By running the email in one security zone and the customer information in another (they don't even need to be low and high) you can ensure that information does not leak from one to the other.

Of course, by the time you are doing this, the idea of allowing automatically executable content in email would be laughable, so likely you wouldn't be speared in the first place.

Re:Good

[Lehk228]

not allowing users to execute code or load scripts which have not been approved. this isn't rocket surgery, if your users can run arbitrary code on your network, it's probably not your network anymore

Re:Good

[slashdotresearch_mj]

Since I'm slight afraid to google this I'll just ask. What is a "1337" hacker?

Re:Good

[SteveFoerster]

He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

Why do you think this?

That's what I'd do. Why let a perfectly good crisis go to waste?

Re:Good

[Creepy]

The math makes sense, but the way they group it with "other costs" it is deceiving - the keywords are actually salaries and consulting expenses, not other costs. They obviously had to hire and/or contract some computer security professionals to fix their broken security and make sure it doesn't happen again and they're blaming part of the expense as having to hire these professionals. To put this in perspective, it is a lot like saying "we had to hire desk guards because people were just taking the keys to sleep in the rooms without paying for them and that is costing us an additional $400,000 in salaries."

Re:Good

[Creepy]

naive or sarcasm... not sure - going with the former

1337 is leetspeak (internet slang that actually predates the internet, but that is quibbling) for leet, which is slang for elite, so it means elite hacker.

Re:Good

[phantomfive]

Very few companies will put up with that kind of restriction. Also, I don't think you can do this if you have a windows network with Microsoft Office. Does office allow you to sign VB scripts?

Re:Good

I would reset your password daily.

Re:Good

[MisterSquid]

Damn right! He is the president and has access to the magic wand of "make shit instantly happen" and he has yet to use it for anything to help the country out.

He definitely had a "make shit instantly happen” button when it came to bin Laden.

Re:Good

[DaveV1.0]

but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

And, drunk chicks are just trying to shift the blame when they call the guys who fuck them when they are passed out "rapists".

Re:Good

[Coeurderoy]

Well, mostly he was seriously stupid, he might have got a job if he would have shown the weaknesses, and offered to help them, making sure that if they didn't want him, he would just forget about it, or if they would be interested make at a latter time an intrusion test.
He should also make sure that he can explain how to pull documents out, but not actually do it.
That way he would not have to go to jail... (or at least very much lower the risk of...)

But nobody sane hires a blackmailer without immediately thinking about how to put the idiot in jail...

Re:Good

[Coeurderoy]

Not really, they probably panicked, and hired a couple of outside consultants to check their security.
And since they probably didn't have a real inside expert (or they would not need this) they also needed a senior security manager...
So all in all 3 persons with expensive rare skills hired on short notice.
for let's say 3 month.
180 days * average 1500$/day => 270 K$ + at least one senior manager and one assistant to track what their are doing...
"et voila" => 400 k$
Add cost of building, chairs, computers, etc....
 

Re:Good

[Coeurderoy]

Nope, Hacking in might be presented as a "friendly door rattling to make sure it is well closed", it really becomes a crime when it is used for nefarious purposes...
Blackmailing is always bad, and a crime.

Negotiating would be: "your system is way open, I know where, and I'd love to work for you, but if you do not care, well I will not waste my time writing a report if you are not paying for it, be happy "i'm a nice guy" you might not be so lucky with the next one who finds all the fails in your infrastructure"...

Sending it to the "board of directors" and investors, or the press would be wistleblowing, yet another legal situation....

Publishing on a blackhat forum, would also be "bad"...

Re:Good

[EdIII]

If you were the IT guy at my company, I would complain to the CTO until I got an exception to your restriction. I don't care about your petty concerns when they get in the way of doing my job. Neither does anyone else.

Good fucking luck. I am the CTO.

Petty? Setting aside your childish attitude, your job does not come first. The company comes first. Without the company... you don't have a job.

You are part of the problem. Instead of trying to understand the "why" of a policy you actively undermine it with a blatant and flagrant attitude mixed with ignorance, shortsightedness, and selfishness.

As the CTO, I need to protect the integrity of the company. That means making sure that there exists policies, software, and infrastructure design to protect corporate assets. Part of corporate assets is data. Customers trust us with their medical records, insurance policies, financial information... I could go on.

Am I to tell a customer that we had 1,000,000 records leaked because you wanted to transfer around executable files and bitched and moaned along with a couple of other people till you got your way? Hardly sounds reasonable. In fact, it makes me look I just was not doing my job.

Funny how that works out huh? Everything I try to do to reasonably find a balance between use of the system and security of the system is seen as some sort of fascism by people like you and you actively bitch and moan to try to undermine it. Yet.... when something goes wrong.... well that's my fault. The particulars are not relevant, such as your behavior and participation, because I was just supposed to magically create a world where you have no restrictions and everything works in perfect safety.

Now instead of acting like a child, why don't you give me an actual reason why you need to send executables and protected, nested, compressed files around in email?

This whole conversation got started with you saying it was impossible to prevent data leakage and penetration, I then offered a reasonable response, at which point you said you would try to undermine it to your fullest extent. How much sense does that make?

Re:Good

[EdIII]

And yes, my docs are confidential and none of you IT monkeys should be able to read them ...

There is your first problem. Already there is no room for reasonable cooperation without mutual respect and understanding.

IT should be a 'business enabler'

WRONG, WRONG, AND WRONG.

I am not just "IT". I am the CTO.

Enabling you to do your job is only one part of my job, and not even the most important. I must prioritize my responsibilities. In order to keep the company safe and sound I have to reasonably find a balance between the use of a system and the security of a system. That is first and foremost. Figuring out how to make your life easier comes in second.

Do you really think there is a danger? Hackers targeting your company would simply send the latest 0-day, which your anti-virus wouldn't catch anyway.

Yes, Yes I do. Absolutely. Hackers would not just "send the latest 0-day". They will try social engineering, dropping flash drives in the parking lot, probing of Internet facing assets, email phishing attacks, etc.

How can their 0-day get through if all email attachments are locked down to document file types only, and those are inspected and have certain functionality removed?

I don't care about little Hitlers in IT that talk about staff as 'The user has no basis or justification to' ... WTF!

With respect, I get paid to decide the basis and justification for your actions.

Anything the user needs for business you should provide!

Wrong. Anything that the business needs, I need to find a reasonable solution that the user can work with while satisfying the primary needs for the business. Which is that reasonable balance between use and security I spoke of earlier. It's not Burger King, it's not what you want when you want it.

but instead of 'being reasonable' and blocking everything you should provide a solution to enable that user in secure file-sharing with people if there is a business need

I completely agree. Which is why I completely block email, especially on inbound, but have other means of secure document sharing between you and corporate clients. Which is important to note, I don't view the customers as your customers, but the company's customers.

In your case, which is not unusual, email is not the best and most secure method. A secured website that allows you to share very specific data with customers is best. We have vendors and service providers that have very strong data policies as well. They would never ever send a PDF via email. Secured PDFs are downloaded via a web portal with multiple user account credentials that I get to control via another management portal. I can then review all of it as part of my job.

I understand your need. My job is not fill your need the way you want. Why? Simply put, you ain't the CTO buddy. I am the CTO. When something goes wrong, it is my ass on the line, not specifically yours. If it is bad enough, like a huge data breach, your livelihood is affected along with countless others. That's a responsibility I would have to live with.

So that's why I carefully consider your needs. What is it you are trying to do? How can I make that the easiest way possible for you? How do I make it secure and satisfy our data security policies and the vendors? Multiple vendors? How do I make your life easier and more efficient?

At the end of day, believe or not, I exist to make your lives easier so you can be more productive, while also protecting the company to the best of my ability. It's not to be a dick and make your life hell for "funsies".

And yes, my docs are confidential and none of you IT monkeys should be able to read them ...

I'm going to touch on this twice beca

Re:Good

[phantomfive]

This whole conversation got started with you saying it was impossible to prevent data leakage and penetration, I then offered a reasonable response, at which point you said you would try to undermine it to your fullest extent

My apologies. Your original response was quite good.

I was merely trying to point out that locking down systems to the extent necessary is often more trouble than it is worth. If, on the other hand, you are trying to protect medical records and things that MUST be kept private, it makes sense to lock things down as much as possible.

Re:Good

[EdIII]

With your attitude, you're right. You would not be working for my company.

Very simply that is because I am a very fair and reasonable CTO. When users (which includes you) get out of line and have no justifications for their actions that create liability for the company, when I provide efficient and workable alternatives, they get disciplinary action all the way up to being fired.

The reason why is that I am well respected by the people in my company from top to the bottom. I have always worked well with people to find solutions without endangering the company, or creating a hostile work environment between IT and the users.

You would not fit into our company. You cannot even give me:

1) A good reason why you need to send that type of data in email.
2) A cogent description of your needs for me to find a solution.

How can I begin to help when you refuse? You have no respect for my job, my responsibilities, or a willingness to participate in problem solving or conflict resolution.

You are the weakest link. Good bye.

Re:Good

[laurelraven]

Now instead of acting like a child, why don't you give me an actual reason why you need to send executables and protected, nested, compressed files around in email?

First of all, I wish all CTOs thought like you...I'm lucky that the closest equivalent to a CTO at my job does. Second, I've found the above quoted to be the best argument to shut people up who just want to do anything and everything that they shouldn't. They almost never have a good reason.

My favorite example is our 15 minute screen lockout (which should be lower, but which I can't get approval to lower, nor anyone to actively lock their screens). When I first implemented it, I got all manner of complaints, mostly to the tune of "I have to type in my password 10 times a day now!".

Boo hoo. I type my 18 character mixed case w/specials and numbers password probably at least 50 times a day. I'm sure your 7 character simple password is causing you so many hand cramps. [/rant]

Re:Good

[tsa]

I would. It's good to see a CTO who understands technology for a change.

Re:Good

[DarkOx]

Technical means are not the only component to security posture. IT security should be engaged in Security awareness training and all employees who access information systems should get some amount of said training related to the value of the information they can access.

Re:Good

[metacell]

The guy is a citizen of Hungary. He did the illegal intrusion and attempted blackmail while in Hungary. He was arrested when he arrived in the US for a 'job interview'. Hungary's economy is more fucked up than the US economy, and they did it all on their own.

Now see what you did. How are we supposed to have a good argument, when you drag facts into it?

Re:Good

[L4t3r4lu5]

If this post could have a soundtrack, it would be "Hero" by the Foo Fighters.

You can be my boss.

Re:Good

[DarkOx]

Outside consults have their place even if you have a strong in house security team. One of the problems IT security has is they are not as big as operations. Its really pretty hard for your security analysts to stay on every system component operations installs, and you really can't properly audit that which you do not understand. See the financial sector for proof of that.

So what most in house teams do is focus on the highest value, highest risk, and most frequently changed systems and processes. So they can keep with auditing and authoring policy for operations.

   

Re:Good

[nhat11]

When you have a thousand employees sitting around doing nothing for like 1-5 days, it adds up.

Re:Good

[JourneymanMereel]

Petty concerns? Wow, if you consider $400,000 - $1 million "petty", then could you please send me some petty amount of money?

Blocking .exe files sent by email is not unreasonable nor is it uncommon. You can complain to the CTO all you want, but if he's any good at his job he's been hearing ridiculous complaints like your so long that he has a "bitch-slap" email already composed and ready to go only needing to fill in a few blanks.

Re:Good

[cusco]

I have the feeling they would be relieved to know that. Seriously, though, why the frack would you complain about not being able to receive .exe or .cmd files as email attachments? Sure, it would be slightly more convenient if tech support were able to send me the newest hot fix as an attachment, but having to download from a link that they email is not the end of the world.

Re:Good

[swillden]

I am not going to claim that malicious users can be prevented from doing any damage. All I am saying is that a malicious user's ability to do damage can be restricted in a well designed system.

+1

Most of my job as a security engineer is about devising and implementing countermeasures against malicious or stupid action by insiders. If you can defeat potentially-malicious insiders (while still enabling them to do their jobs), outsiders have no chance.

Re:Good

[cusco]

Damn, I wish you worked for our company.

Re:Good

[tehcyder]

a sane email policy that will allow his employees to compete

What compete in the virus spreading industry by passing on .exe and dodgy .zip files?

Re:Good

[tehcyder]

I don't see why Blackmail should be illegal. In this case he hacked their system so that is a crime. But the blackmail itself is just a negotiation.

Always good to get input from the world of finance.

Re:Good

[cusco]

And when the salescritters spend the entire training emailing and texting from their phone, and then toss the unread training docs in the recycle bin on the way out the door of the classroom . . .

Re:Good

[EdIII]

And it's people like you who spend so much goddamn time worrying about little "issues", that if given the power to do so by the company management, you'd drag the entire business down from accomplishing its actual goals all in the name of preventing these "issues."

And it's people like you who don't want to worry about any issues that even remotely have the perception of slowing you down until it costs the company HUGE. I really don't know who you deal with, but the attempt to protect company data is not a little "issue".

And when you introduce bureaucracy into every goddamn file copy operation, and require justification and paperwork for every stupid special situation that comes up, what kind of parasitic overhead does this introduce to the business as a whole?

That's insane. Where did you get that from my posts?

You describe a situation where I am like those aliens from Hitchhikers Guide to the Galaxy where you have to sign endless forms for every single possible action.

I never even alluded to that. You don't need to send exe's in file attachments or receive them. I have a different solution for you, that works all the time, and you don't have to ask every time to use it.

In other words, I.T. technicians play all the same political bullshit games that every other group does, while of course, usually also being the ones who cry loudest about what whatever those assholes over in H.R., management, etc are doing. (The victim mentality is popular here, due to the overabundance of beta-male types.) Your attitude is: "If you are kind to me and can eloquently explain your 'need', then I MAY be so kind as to grant you your humble request.....OR if you don't treat me with the respect I feel I *deserve*, I will make your life hell." This petty clannish behavior does nothing more than make you an obstacle, not a solution finder or problem solver. How does it feel to be directly dragging down the company bottom line?

No. My attitude is that mutual respect, cooperation, and communication are the foundation in which we can all solve our problems, get work done, and have a less stressful life.

You may it sound like I am a tyrant, when I am not. I am very approachable, patient, and when we are done talking I aim to leave you informed with a better understanding of the problem and the belief that I am going to provide you a tool to do what you want better than you though possible when we started.

It's hilarious just how much you have misjudged me.

I.T. is a liability, NOT an asset; always remember that. The real assets are a) the knowledgeable and skilled people directly involved in the company's main business, b) the capital i.e. the computer systems you are hired to maintain. Well, the computer is only valuable as long as it's facilitating the operator in accomplishing his job. Who cares how virus-free or clean and well maintained the computer is, if it adds 30% onto the company's labor overhead due to the silly restrictions and arbitrary bullshit the I.T. department has dreamed up? How big of a problem is a virus infestation compared to developers quitting in disgust due to your unwarranted and heavy handed intrusion upon their dignity and job description?

Why have some people made this as hard as peace in the Middle East?

IT is not a liability. We are a crucial asset.

Your position and argument is laughable at best. How big of a problem could an infestation be? Seriously!!?!?

There are practically no viruses out there anymore, but malware, trojans, etc.. It's funny how you think you are the only professionals in the company worth anything as if we could be replaced by Geek Squad.

As we speak, there are organized groups out there actively targeting the top businesses in the US. What would a breach cost your company? What would the loss of a huge number of customer records cost you? Trademark secrets? Des

Re:Good

[Miser]

I completely agree with Edlll, however my experience has been that when I'm the CTO, there's a CEO (with an MBA of course) that loves to override my decisions when the whiny users complain that they "can't get their work done" (read: don't want to learn the systems in place to securely transfer data around). He's my boss, and I really cannot argue unless I find another job. Finally I got to the point where I didn't/wouldn't compromise my principles (and he tried to replace me by running ads in the local papers while I was still there) and was then shown the door. (mutual separation, they call it).

Now I work for a small company where I'm quite a bit more valued. The pay is less, but the stress is less. Would I go back to being a CTO? Yes, but with a clear, well written contract. :)

-Miser

Re:Good

[Sir_Eptishous]

Go Get 'Em!!!

Re:Good

[EdIII]

there's a CEO (with an MBA of course) that loves to override my decisions when the whiny users complain that they "can't get their work done"

I don't get an override exactly, but when the company is unable to put certain policies in place due to financial constrictions or otherwise I just write a letter. Part of the well written contract, and that is best asset that anybody in IT can have. A very well defined relationship with the company is essential.

Some CTO's and IT people get too emotionally involved and treat the network and corporate assets like it is their personal property to be defended at all costs. I see it as a job, I do it to the best of my ability, give the most options and information to those needing to make decisions, and that's all there really is to it.

In the letter I just state my position, explain what is going on, what I believe the consequences could be, and ask them to sign it. I have had people ask me why, and even get a little upset, but I have just explained that it so in case something happens we can remember it and that I am not liable. I make it clear that I take orders from them, like any good soldier, but I am making sure that they are fully informed and the letter serves as record that I was not negligent by staying silent.

I had to learn the hard way early on that the costs of staying silent, or making it personal in any way, shape or form, was a massive mistake. Just be professional about it.

The most famous one is where I advised a client to get offsite backup and a secondary NAS RAID for real time backup of changed files. It was turned down. I had them sign the letter. About a year later the Enterprise RAID crapped with a busted drive and the headers were overwritten. Ended up costing about 90x the backup fees in immediate replacement and data retrieval costs and a couple thousand times more in lost productivity across the entire company.

I was the consult that they had on retainer to prevent it.... and I showed them the letter when they were going beserk. At that point it was kind of hard to be angry with me and I ended up spending the next 5 weeks getting their company back up and online.

Guess how fast they bought the backup solutions I recommended previously? :)

As a CTO now though, I rarely get into such a situation. With my experience, people skills, and management skills I have been fairly successful at explaining why my proposal is in the best interests for the company. It also helps to have options and solutions instead of just "no we can't do that".

The best answer is, "I am not sure how to do that, but let me think about it and find the best solution for you".

Re:Good

[torgis]

From the article:

The Department of Justice announced on Friday that Attila Nemeth, 26, a Hungarian citizen, was sentenced by a U.S. District Judge and will serve a prison sentence for transmitting malicious code to Marriott International Corporation’s computers and threatening to reveal confidential information obtained from the company’s systems if Marriott didn’t offer him a job.

No friggin' way. Marriott got hacked by Attila the Hun? Really? You can't make this stuff up.

Geez what a moron

[Weaselmancer]

I mean, if he had access to their network and wanted a job, he should have forged interview and approval emails.

Think outside the box, man.

Re:Geez what a moron

[Intrepid+imaginaut]

Eh just sneak his bank account onto the list of approved ones surely? This is seriously grounds for an internet Darwin though.

Re:Geez what a moron

[Weaselmancer]

Actually I was thinking something similar. In a large enough company communication becomes a real problem. Departments don't really communicate much. If you were to study your target a while and figure out who everyone's superiors are and the like, all it would take is a well-crafted email from some higher-up that says "hey hire this guy" and the odds are the underling wouldn't go back to their boss and say "are you sure?" - they'd just start the paperwork. Large companies are dysfunctional that way. They kind of have to be. The more people in the company the less practical being well informed is.

Re:Geez what a moron

[snowgirl]

He could claim entrapment. There are articles every once in a while about some hacker that breaks into sombody's servers, and they're so impressed they recruit him right off.

You'd have to be an idiot to believe things like that, but it doesn't take a lot of brains to cause damage.

Except no one induced him into breaking the law. The very first contact that he had with Marriot contained proof that he had already committed a crime.

Entrapment only works when the originating idea for the crime came from a police officer, or an agent thereof. (If a cop tells a confidential informant to get a gang to rob a specific store, then that would be entrapment as well.)

Re:Geez what a moron

[SteveFoerster]

He's not American, and may not have even been to the US before he was "tricked" into flying over. He has no rights in the US.

Of course he doesn't. Why should he be any different from the rest of us?

Re:Geez what a moron

[X10]

I mean, if he had access to their network and wanted a job, he should have forged interview and approval emails.

Think outside the box, man.

He could have put himself in the employee database, for a fair salary, at a non-existent Marriott office.

Re:Geez what a moron

[elucido]

He could claim entrapment. There are articles every once in a while about some hacker that breaks into sombody's servers, and they're so impressed they recruit him right off.

You'd have to be an idiot to believe things like that, but it doesn't take a lot of brains to cause damage.

It never happens quite like that. First they never say what these people are being recruited for do they?
So even if this guy was naive and thought he would get recruited by the Secret Service or some other group there was no guarantee.

Also these "recruits" are typically given the worst jobs and then tossed away like trash when they arent useful. Look at Albert Gonzalez as an example.

Why would anyone want to be him?

Re:Geez what a moron

[LoztInSpace]

Are you sure you're not just making stuff up about how you think a large company works? Assuming they passed any security/background checks, they'd need to provide SSN, address, banking details, next of kin etc. The phantom employee would show up on all email lists and reporting structures. They would be allocated a manager and at some point you would assume scheduled to do work of some kind. Even on day one, a pass would need to be issued, a photograph taken, an induction course participated in, a desk, phone, computer allocated and set up. Even the shittest manager usually actually meets their staff day one or soon after. You'd need buy in from a serious number of people to create a fake employee. I doubt the attempt would work. Now if he got himself onto a vendor list or faked approval for some kind of mythical online subscription or service, that might work.

Re:Geez what a moron

[antifoidulus]

For what it's worth, entrapment usually involves not only originating the idea, but also use of coercion(force, blackmail etc) to get someone to commit a crime. Otherwise those pointless drug and prostitution busts wouldn't be possible, and the police could save a lot of taxpayer money by not busting people who aren't criminals :P

Re:Geez what a moron

[hobarrera]

Offsite employee? Lots of huge companies have lots of work-at-home employees. (I've work for a mayor software company that prefered this).

Re:Geez what a moron

[tehcyder]

I don't think the idea was to set up a ghost employee, but rather to manipulate the system so that he got a real job at Mariotts.

Re:Geez what a moron

[tehcyder]

Just because someone has done something stupid before, how does that make it entrapment if someone else decides to do the same thing off his own bat?

Re:Geez what a moron

[tehcyder]

For what it's worth, entrapment usually involves not only originating the idea, but also use of coercion(force, blackmail etc) to get someone to commit a crime. Otherwise those pointless drug and prostitution busts wouldn't be possible, and the police could save a lot of taxpayer money by not busting people who aren't criminals :Pcriminals

If you are convicted of breaking the criminal law you're a criminal. The issue isn't about entrapment it's about having stupid laws in the first place.: You can't blame the police for arresting hookers and druggies if those activities are illegal.

Re:Geez what a moron

[tehcyder]

He could have put himself in the employee database, for a fair salary, at a non-existent Marriott office.

It may come as a shock to you but there are such things as HR and internal audit systems to stop people getting away with things like that. Otherwise every payroll manager would just bung a couple of ghost employees on the books and triple their salary.

Re:Geez what a moron

[snowgirl]

For what it's worth, entrapment usually involves not only originating the idea, but also use of coercion(force, blackmail etc) to get someone to commit a crime. Otherwise those pointless drug and prostitution busts wouldn't be possible, and the police could save a lot of taxpayer money by not busting people who aren't criminals :P

I'm sorry.. but where is the inducement to commit the crime with drug and prostitution busts? The police are allowed to present opportunity to commit the crime, but they cannot give the idea to the person.

Leaving a $100 bill on the ground is ok, but telling the person about the $100 and telling them to take it is inducement. While one could say that "usually" entrapment involves coercion, it's simply the easiest way to prove entrapment, not necessarily the most common.

The difference with drug and prostitution here is again, presenting opportunity, rather than inducing behavior. Placing an undercover officer dressed like a hooker on the streets is not inducing behavior. Johns are soliciting the hookers just because they look like hookers, not because a police officer told them, "hey, let's go get some hookers!" As well, police placing stings for prostitutes are answering adverts, and so they are not inducing any behavior of the hooker, as the hooker is already soliciting prostitution.

As for drugs, drug dealers regularly deal in business, and if a cop patrons that drug dealer, then the drug dealer was already doing business, and the cop isn't inducing any behavior. This is unlike the case where an undercover cop asks someone "hey, do you think you could score me some of drug XY?" If the person is not already known to be engaging in drug sales, then the officer is inducing the person into committing a crime. Note the subtle difference between "hey, can you do something unusual and get me some coke?" and "hey, you're selling coke, let me buy some from you."

Re:Geez what a moron

[Weaselmancer]

No that's not my gist at all. My vector is to intercept communications between department heads during a round of hiring, and insert yourself as the frontrunner. Delete anyone better than you, and slip in a glowing letter from some higher-up about how impressed they were with you and hey why don't you hire this guy? That sort of thing. Just a couple of deletes and a faked email or two.

The SSN and banking details and all that would be taken care of by HR on your first day. Faking all that one step removed from the hiring process would be much more complex and risky. Not my notion at all.

I'm just thinking that if this guy really wanted to be a Marriot employee this would probably be the way that has the best chance for success. Other than being the best candidate, obviously.

Cost them $1Million

[Bradmont]

So how much of that $1 million in salaries was spent repairing the security holes, which they should have done anyway?

Re:Cost them $1Million

[ohnocitizen]

Exactly. Or on the interview/sting itself, and drawing that information out of him? It was a good move for them to make, but some of that reported cost was an intentional and smart investment on Marriot's part rather than a cost.

Re:Cost them $1Million

[cupantae]

Apparently, the MPAA made the estimate for them based on the logic that each file hacked incurs the file's original production costs.

Re:Secret Service?

[PessimysticRaven]

Since Cybercrime/computer fraud falls under their jurisdiction. Since about 1983 or '84, I think.

$400K-$1M seems low

[jd2112]

or perhaps I'm just too used to seeing monetary estimates by the Movie and Music industries. For example, the jobs counted as being affected by the entertainment industry as part of the SOPA/PIPA debate included all the employees of the Department of Engraving and Printing. Why you ask? Because they make the $100 bills that the movie and music execs use to snort coke while coming up with the estimates of jobs affected by the movie and music industry. Perfectly logical right?

$1 mil? Seriously?

While he was wrong (and a total fu*king idiot) to try to blackmail them into hiring him, I'm so tired of seeing these ridiculous and obviously made-up damages.
It seems like every time a cracker gets into *any* system, they always have so stupidly high number in damages.... unless they didn't know about it beforehand or the person isn't found. Then, the damages just happen to be next to nothing (usually)

Re:$1 mil? Seriously?

[Score+Whore]

Why do you think the damages are made up?

Once the notice comes to IT that they've had a break-in you've got an awful lot of work to do. Much more than just applying a security patch. You've got to figure out what happened and which systems were affected. Which means that even if you have a situation like this where the attacker tells you how they got in, you don't know if they are lying. So you have to do a security survey of every single system on your network to make sure there are no back doors, root kits, or altered data. Just reviewing could readily cost you hundreds to thousands of dollars per system. You may be facing multiple nuke-n-pave situations on your servers (may cost you $5,000 - $10,000/system.) Which means you will be losing data or will have to recreate data. If you have a centralized reservation system they may have to take that down in which case you are idling thousands of workers worldwide as well as losing business during the downtime. That's probably measured in thousands of dollars per minute in costs and losses. You've got to bring in your legal team and executive management so they can determine if non-IT related actions that need to be taken (offer your customers identity theft protection?) Who knows how much that is, but it could easily be north of $100,000. Probably you'll be bringing in security experts to review your policies, practices and implementation. A team of four at $250/hr/consultant and you are burning $40,000/week just in consultant fees. Those consultants will be working with your IT staff who will not be doing their normal work, so that's another $5,000 - $10,000/week.

$400,000 - $1,000,000 is an easy number for an IT organization to reach in a large company. A business the size of Marriott may well have a central IT staff numbering between 750 - 1000 people. If they have a particularly efficient team and are on the low end of staffing (750) and have good control of salary ($60,000/yr), they have annual staff costs over $56,000,000. Diverting 10% of those means $108,000/week.

Re:$1 mil? Seriously?

[ScentCone]

I'm so tired of seeing these ridiculous and obviously made-up damages

Did you even bother to read the summary, let alone the article? They had a lot of work to do in interacting with the feds in advance of busting this guy in person (he was cracking/extorting from Hungary). This involved many employees, corporate lawyers, etc. You tie up those sorts of man-hours, including the time to gather and preserve an unknown until you're done pile of forensic information from a huge IT footprint at a company that size ... I'm surprised the cost wasn't higher.

What I'm tired of are people who are so vitriolically anti-business in their mindset that they won't even do the mental work of thinking something like this through, lest it take some of the fund out of Complaining About The Man.

Re:$1 mil? Seriously?

[Imrik]

Except the hacker didn't create the holes in the network, so any costs devoted to finding and fixing them shouldn't be included, only the costs of detecting and fixing the damage itself should be included.

Re:$1 mil? Seriously?

[Mitreya]

Once the notice comes to IT that they've had a break-in you've got an awful lot of work to do. Much more than just applying a security patch. You've got to figure out what happened and which systems were affected.

I am almost certain that they counted the "applying a security patch" and "closing the hole" he had found. Tell me if you really think they carefully excluded that component?
And that is definitely dishonest, since whatever hole he found was a pre-existing condition. What's the car analogy... Suppose I fool your car door-lock into opening and steal something from your glove-box compartment. Do damages include redesign of the electronic door system to make such break-in impossible in the future?

Re:$1 mil? Seriously?

[HiggsBison]

Once the notice comes to IT that they've had a break-in you've got an awful lot of work to do.

Of course. Reactive security audits are much more expensive than proactive security audits. Life sucks when you are inept. What he did was inexcusable, but to put all the blame on a script kiddie is just unprofessional. If a criminal organization had broken in it could be way more expensive.

Concentrate on fixing the problem, not the blame.

Re:$1 mil? Seriously?

[Seraphim1982]

Except the hacker didn't create the holes in the network,

How do you know that?

More specially, how do you that once he had access the hacker didn't introduce new vulnerabilities into the system?

Re:$1 mil? Seriously?

[Shoten]

A team of four at $250/hr/consultant and you are burning $40,000/week just in consultant fees.

Actually, you came in way low on that. I've been one of those consultants, and you end up doing WAY more than a 40 hour week when cleaning up a major incident. The first engagement I did, we billed 100 hours each in the first 5 days, and indeed we were billed at $250/hr...for a grand total of an even $100,000 for just the first week. That was a decade ago; costs are higher now. This also didn't include travel or expenses, or any opportunity costs of delayed projects (there were many). We ended up having to go over the entire environment with a fine-toothed comb, discerning what may or may not have been owned. Anything in doubt got nuked and totally rebuilt (not recovered from backup) just like you said. Fortunately, they had good backups of their databases, so recovery of that data went just fine...but databases are the one thing that is least likely to be properly recovered from backup media, owing to the MUCH greater complexity of doing those backups right. I don't even know where to begin on determining the cost, if it turns out you lose a database instance as a result.

Re:$1 mil? Seriously?

[Score+Whore]

I certainly never said they didn't include applying security patches and closing holes. I said that it's more than that. As soon as someone is wandering around your network you don't know what systems have been compromised. He emailed an executable to an employee. The employee ran the executable. The program installs itself on the employee's machine and provides a mechanism for the intruder to stage additional attacks on your network. Maybe he installed a key logger which gives him the employee's credentials which are then used to access a system the employee is authorized to use. From there the intruder uses a not publicly known local privilege escalation to install kernel modules which roll out into a root kit on a database server. This allows him to collect credentials from anyone logging into the database or the system hosting the database. Any ssh-agents running? Well since he's root he can use any of those to log into other systems. And so on and so on. Along the way the intruder also modifies some documents, updates a few databases and installs lots of back doors to ensure future access. Everything has to be verified and cleaned up. And none of it is necessarily a failing of the IT organization.

Don't think of it as a car, think of it as a jogger who is mugged in the park and shoved onto a broken stick ending up impaled through the stomach. You don't just pull the stick out and put a band-aid on it. You have to go in there and see if any part of the stick broke off inside the jogger. You have to see if there are any internal injuries that need fixing up.

Re:$1 mil? Seriously?

[gnasher719]

Well, I think a security audit to look for other security problems should not be attributed to the hacker, nor should the effort to close the hole that the hacker used. These are things they would have done for example if their own security experts had found the hole.

However, checking what the effects of the intrusion were, to prevent further damage, that should be attributed to the hacker.

Let's say you find a way to enter a building which shouldn't have been possible, and leave a bomb. Closing the hole and checking all the entrances is not due to you. But removing the bomb, and searching the whole building in case there is a second bomb, that is due to you.

Re:$1 mil? Seriously?

[Sir+Realist]

True, but from the original article:

"Marriott said it had to engage more than 100 of its employees in a thorough search of its network to determine the scope of the incident and to identify the data that may have been compromised. As a result, Marriott claims that the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs."

The expenses quoted weren't run up catching the guy, they were run up finding the holes in their security. This is not an expense incurred because ToolBoy the Idiot HaX0r broke into their system, its an expense incurred because their security system has holes in it. They should have spent that money locking down the system from the outset.

ToolBoy is still an idiot, but claiming those expenses are his fault is a bit much.

How someone can be that smart in hacking..

[hcs_$reboot]

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills.
"I found a security hole in your systems and may help you to improve this, and your systems globally".

Re:How someone can be that smart in hacking..

[ProfM]

True, that MAY work, however, I think in today's litigious mindset, he'd be charged with some sort of computer crime, even if he was above-board and with good intentions.

Re:How someone can be that smart in hacking..

[artor3]

You haven't met many computer nerds, have you?

Re:How someone can be that smart in hacking..

[Dogtanian]

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills. "I found a security hole in your systems and may help you to improve this, and your systems globally".

No, no, no, no, NO.

You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick- even if you found the hoed through innocent means- assume that you hacked or were trying to hack into their system, and act accordingly.

Others still won't care, but will be angry that their shortcomings have been exposed (either the organisation as a whole, or vested interests that hold sway within that organisation, e.g. the crappy IT guy who's just been made to look bad) and that they have to correct them. Under such circumstances you are in danger of them maliciously trying to punish you or get revenge in some manner.

You do *not* risk the second or third happening, regardless of whether informing the company would benefit them. Ideally you'd be able to, but this isn't an ideal world, and you do not put yourself at risk for a benefit that they might not perceive as such. At best, if you need to report this kind of thing, you do it anonymously and/or in a manner that makes it untraceable or at least such that you won't be at risk of retribution.

This is the problem with geeks not understanding that the world does not operate in the logical manner they'd like to think, of assuming that people will behave logically and of not factoring in personal politics, self-interest and inadvertantly standing on someone else's toes.

Re:How someone can be that smart in hacking..

[X.25]

What makes you think he was smart in hacking?

Re:How someone can be that smart in hacking..

[roman_mir]

He is just not that smart, period. Say you run a company, some schmuck breaks through some web-app and steal some documents and then blackmails you with these documents to get a job? So what does he expect exactly, an actual job from you?

Let me put it this way - I wouldn't call cops on him, I would invite him for an 'interview' and clean his clock.

Re:How someone can be that smart in hacking..

[ranpel]

Someone can have skills and lack the maturity and wisdom to wield them easily enough. It's more of a willingness to engage in a clearly criminal endeavor with those skills that is relevant. He could just as easily have delivered his findings, suggest they shore up, wish them luck and maybe hint that he's looking for a new gig and if they find themselves in need of someone that can shore up then to feel free to drop a message on this anonymous drop box. Gaining access to information is one thing but using that information quite another. The option this guy chose not only exposed himself rather awkwardly but is one quite deserving of a good stint in jail.

Re:How someone can be that smart in hacking..

[couchslug]

That's why man requires punitive measures to keep order.

Most folks "get it". For those who refuse to get it, a knouting is in order.

Re:How someone can be that smart in hacking..

[phantomfive]

His hack doesn't seem to have been that hard, actually. In fact, I'll bet you could do something similar if you are a programmer.

He sent a trojan directly to certain individuals in the company, and got them to open it. Once it's been opened, then you have access to a lot of things.

Re:How someone can be that smart in hacking..

[cluedweasel]

That's just asking for trouble. A young friend of mine thought of a good way of drumming up business for his business (just him!). He drove around town connecting to open wireless networks at various businesses. He'd then browse to network shares on other computers on that network. Then he'd go into the business, show them what he'd found and offer to fix it for a fee. It doesn't take much imagination to see where this is going. After the 3rd accusation of being a hacker and a blackmailer, he decided it wasn't such a great idea after all. Of course, to this day (and this was 4 years ago), there are still businesses around here, including accountants, healthcare providers and lawyers, with fully open wireless networks connected straight into their main server(s) and desktops.

Re:How someone can be that smart in hacking..

[quantaman]

Except he didn't really find a hole in their systems. He found he could email some employees malware, trick them into opening it, and now he has a backdoor into the system. Now they could stand to strengthen up their IT policies/employee training a bit, but this isn't like he found a backdoor in their web server, and it's possible the docs he accessed weren't even particularly confidential.

Probably the reason he couldn't arrange an IT job interview with Marriott, and claim good security skills is he didn't have good security skills. Frankly I've come to suspect that 90% of the hacking incidents we hear about are basically script kiddies trying a bit of social engineering. I'm sure there's a few real genuine black hat hackers who are writing the rootkits and malware, but I have a feeling we'd be unimpressed by the quality of most "hackers".

And besides, what kind of work environment does he expect when he "demanded a job with Marriott in order to prevent the public release of the Marriott documents".

Re:How someone can be that smart in hacking..

All fear the internet tough guy.

Re:How someone can be that smart in hacking..

[Mitreya]

You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick- even if you found the hoed through innocent means- assume that you hacked or were trying to hack into their system, and act accordingly.

It seems like a reasonable risk to me. He may have gotten a job like that - and if not, then he'd be no worse off. I mean, what's Mariott going to do in revenge? Not fluff his pillows when he stays there? I wouldn't approach a government agency like that of course, but with private company seems reasonably safe.
The only obvious failing here is that he did something illegal and even provided proof of that. Otherwise they would (hopefully) not be able to prove any damages at all.

Re:How someone can be that smart in hacking..

[rtfa-troll]

I don't think they have any moral or legal basis for being upset with that.

Technically you are right. This is why they have better lawyers than you. To ensure you don't "get away on a technicality", like for example being innocent. Basically, when you are risking a jail term based on a misunderstanding it's just not worth it.

Re:How someone can be that smart in hacking..

[Lehk228]

+1

corporate security loves a good witchhunt, and they will likely go after you for jail time and far more money than you have.
BR> if you find an exploitable hole in a system used by a big company, the best thing you can do is make an infographic detailing how to exploit said hole and what do do afterwards, wardrive a few towns over until you find an open AP, and post it all over 4chan and other places like that.

the corporations have demonstrated an inability to be reasonable, time and time again, no need to risk your nuts protecting their interests for free.

Re:How someone can be that smart in hacking..

[Loosifur]

No moral or legal basis for being upset, huh?

"Hi, I noticed you'd left your front door unbolted, and your big-screen television is clearly visible from the street. Also, just to check, I climbed over your back fence and tried the back door, which you left unlocked. When I got inside and heard your dog barking I was a little worried, but it turns out he's really friendly. I've taken the liberty of writing up a list of suggestions for you to make your house more secure; it's taped on the front of your fridge. Incidentally, I just happen to sell alarm systems, if you're interested..."

Re:How someone can be that smart in hacking..

[nibbles2004]

sorry didn't see the "L" , i totally got the wrong impression about the type of interview you conduct, my apologies

Re:How someone can be that smart in hacking..

[Dogtanian]

I mean, what's Mariott going to do in revenge? Not fluff his pillows when he stays there?

Er, they (*) are going to make the case that part or all of his activities constituted hacking of or intrusion into their system, leading to his possible arrest.

Unless it's *very* clear that the guy has done nothing wrong- and believe me, this is an area where the lines can be blurred, and even if they aren't can be made to appear that way- he's going to have to defend himself against these accusations with both the police and a court system that probably won't be as tech-savvy as they should be and could quite possibly be swayed into prosecuting a case that probably shouldn't be, by people with a spurious air of authority.

You might get on the front page of Slashdot and a bunch of nerds campaigning for your release, but you'll still have to go through all this even if you do manage to prove your innocence.

The only obvious failing here is that he did something illegal and even provided proof of that. Otherwise they would (hopefully) not be able to prove any damages at all.

This is the kind of dangerous naivity I was talking about.

As someone pointed out, in the Mariott case (where the guy was admittedly guilty AFAICT (**)), their costs probably included the cost of fixing the hole that should have been fixed anyway (regardless of whether it had been hacked- though of course, if it hadn't been, no-one would have fixed it until it was!)

I'm pretty sure that an outright malicious party on a witchhunt would be able to "show" damages if they were so inclined.

(*) This reply doesn't relate specifically to Mariott, but to how a hypothetical party in their position *might* react to what the other person considers a "good faith" report of a security hole. (I've no idea how Mariott specifically would respond.)

(**) Though as someone said when this previously came up, this story does smack of something where there's more to it than we're hearing.

Re:How someone can be that smart in hacking..

[Dogtanian]

If possible, it would be reasonable to notify the appropriate party(s) at the company of the hole beforehand, to give them a chance to fix it- taking care, however, to protect your identity for the reasons given above.

Re:How someone can be that smart in hacking..

[poemofatic]

How someone can be that smart in hacking and that stupid otherwise?

You're new here, aren't you?

Re:How someone can be that smart in hacking..

[darkonc]

If you've played DND, (or any other role-playing game), you'd know that intelligence and wisdom are rated separately.

I'd rate this guy as intelligence:18 Wisdom:3

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills. "I found a security hole in your systems and may help you to improve this, and your systems globally".

Better to find a non-security issue to fix.

Re:How someone can be that smart in hacking..

[roman_mir]

I agree, it is very funny.

Re:How someone can be that smart in hacking..

[elucido]

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills.

"I found a security hole in your systems and may help you to improve this, and your systems globally".

That doesn't work either. First interviews aren't going to be given to you just because you apply. If you know of a security hole and you tell them they probably wont believe you without proof and if you prove it then you could end up in the same situation as him.

The problem is I know a lot of people just like this guy who are unable to find jobs but who have skills. That is the source of the problem right there. The people who do the hiring are looking for people who have work experience and hacking doesn't count as experience. It doesn't matter if you're trying to be a pen-tester, they expect you to have some sort of certifications and a degree and most importantly they expect you to know someone.

Re:How someone can be that smart in hacking..

[elucido]

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills.
"I found a security hole in your systems and may help you to improve this, and your systems globally".

No, no, no, no, NO.

You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick- even if you found the hoed through innocent means- assume that you hacked or were trying to hack into their system, and act accordingly.

Others still won't care, but will be angry that their shortcomings have been exposed (either the organisation as a whole, or vested interests that hold sway within that organisation, e.g. the crappy IT guy who's just been made to look bad) and that they have to correct them. Under such circumstances you are in danger of them maliciously trying to punish you or get revenge in some manner.

You do *not* risk the second or third happening, regardless of whether informing the company would benefit them. Ideally you'd be able to, but this isn't an ideal world, and you do not put yourself at risk for a benefit that they might not perceive as such. At best, if you need to report this kind of thing, you do it anonymously and/or in a manner that makes it untraceable or at least such that you won't be at risk of retribution.

This is the problem with geeks not understanding that the world does not operate in the logical manner they'd like to think, of assuming that people will behave logically and of not factoring in personal politics, self-interest and inadvertantly standing on someone else's toes.

Apparently the geek in question didn't understand how the world operates. He's naive and also he's not from our country so he had no idea how our corporations would react.

If you're from the USA then you know a good deed never goes unpunished. Intentions don't really mean anything. What matters is not getting caught or not doing the crime at all. What matters is that you get an education AND work experience.

You cannot gain valuable experience from hacking. You can gain valuable experience from working. You can work either by starting your own company with a group of like minded hackers, or by being lucky and winning a job.

But you cannot blackmail your way to a job and if you know some elite exploit its better to keep it to yourself until you actually HAVE the job. This guy should have kept his secrets to himself until he found a job as a pentester or he should have sold his secrets to other hackers and made money that way. What he did was just naive and stupid.

Re:How someone can be that smart in hacking..

[elucido]

He is just not that smart, period. Say you run a company, some schmuck breaks through some web-app and steal some documents and then blackmails you with these documents to get a job? So what does he expect exactly, an actual job from you?

Let me put it this way - I wouldn't call cops on him, I would invite him for an 'interview' and clean his clock.

But you'd also know your IT dept sucks.

Re:How someone can be that smart in hacking..

[kasperd]

Others will get the wrong end of the stick- even if you found the hoed through innocent means- assume that you hacked or were trying to hack into their system, and act accordingly.

And those companies are causing an unnecessary risk to all the reasonable companies. I think for the majority of people, the first reaction when finding a security hole is to find out how to contact the persons responsible for it in order to get it fixed. How many times will a person do that if the reaction is either being ignored or being threatened with a lawsuit? I don't think many people will keep being helpful if that gets them such threats, and I think most people will stop the first time when they get such a threat.

So some people will just start ignoring the security holes, and others will start thinking about other ways that knowledge could be used. Some of those may come up with various sorts of abuse as the other way it could be used. If reports about security holes were handled in a reasonable fashion by the majority of companies and never resulted in threats against the person who reported it, then there would have been an overwhelming chance that it would be found by an honest person and reported before it was found by somebody wishing to abuse it. But those unreasonable companies are keeping most of the honest people silent and turning the rest to think in a less honest way. They are increasing the risk to the entire industry.

I'm curious how the case would turn out in court if a security hole was found in a completely innocent way, and the person who found it decided to publish details on the security hole after the irresponsible company had tried to threaten that person to silence because they didn't want to spend resources on fixing their stuff.

Re:How someone can be that smart in hacking..

[DarkOx]

What is reasonable? I not say its entirely right from an ethical or moral stand point but look at from Corporate Securities point of view.

You have broken into their system. Its possible you were just having a look around at what you could connect to on the Internets for the luz and its possible you are nice guy trying to be helpful and tell us about a problem they might want to address. It just as possible you have made off with their entire customer database, with the intent to sell it to the highest bidder you can locate, and now afraid they might catch you, and are contacting them in hopes of throwing them off your trail.

The only really safe thing they can do is try and put you away for a long time so whatever leaked can't harm them. It might be a disproportionate and totally unnecessary response but they have NO INTEREST WHATSOEVER in what may or may not be good for you only for them.

You can hope but never really expect others who don't know you and don't have interest in you to respond with anything other than hostility when you do something they may perceive as threatening.

Its like you covering yourself in a white sheet and walking into a bar in the blackest neighborhood you can locate. While you may be perfectly innocent, its likely the other patrons won't see it that way. They might ignore you if you really lucky, demand you explain yourself possibly, but most likely just beat you senseless; which you would entirely have coming to you.

Re:How someone can be that smart in hacking..

[roman_mir]

A technical mistake is not the same thing as being a complete waste of skin.

Re:How someone can be that smart in hacking..

[Dogtanian]

He's naive and also he's not from our country so he had no idea how our corporations would react.

You're from Scotland too?

This story needs more press.

[goodmanj]

The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation. We need more stories like this to show that the average computer cracker is at least as stupid as the average Joe.

Honestly, any janitor could tell you instantly why this plan is idiotic.

Re:This story needs more press.

[tunapez]

I am an eJanitor, you insensitive clod!

Re:This story needs more press.

[Zadaz]

Yes, it needs more press, but not for that reason.

The word "hacker" is already synonymous with "Skeevy computer criminal" in the mind of the general public â" despite the fact that's not what the hacker community means to those who actually make up the hacker community.

Call criminals who use computers criminals. Don't call them hackers. It makes hackers look bad.

Re:This story needs more press.

[DerekLyons]

The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation.

No, the greater damage is to so-disant 'smart people's self image. He's pretty typical of most smart people I've known... intelligence and common sense are in no way connected.

Re:This story needs more press.

[martin-boundary]

Roger Wilco, eJanitor!

Re:This story needs more press.

[martin-boundary]

soi-disant: literally "oneself saying", but it's best to translate as self proclaimed.

Re:This story needs more press.

[elucido]

The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation. We need more stories like this to show that the average computer cracker is at least as stupid as the average Joe.

Honestly, any janitor could tell you instantly why this plan is idiotic.

Credulous is not the same as ignorant. The guy was clearly smart. He was just too credulous and perhaps suffering from aspergers syndrome.

Re:This story needs more press.

[Sifonki]

Would it really be news if all that was reported was "Criminal Commits Crime"?

For example I think no less of 88-year old men, nor think they're all murdering criminals, just because there was a headline "88-year old killed wife with ax".

Now it may be that a person thinks hacker == criminal, but then a such person would not know a hacker (at least one who was not a criminal), and so their view should not affect one. Seeking respect for a group one may associate with, among strangers you'll never meet and whose views you'll never even hear, seems rather silly.

Let me show you my back door

[wdhowellsr]

I'm currently working a contract with Darden Restaurants, the largest full service retaurant company in the world, and as you can imagine they are very serious about security. During the meet and greet the head developer asked me if I had left any back doors at my previous contracts. I looked at him strange because the thought never even crossed my mind which is the difference between a hack and a professional.

After I replied, he told me a story about a programmer interviewing for a position at Darden who had very good qualifications. He was asked the same question and immediately said, "Let me show you my back door", and proceeded to log into a company web site and pull up their web site administration page. The programmer actually seemed shocked when told that there is no way Darden could hire him.

There is a fine line between genius and insanity but stupid is all by itself.

Re:Let me show you my back door

[Corbets]

I'm currently working a contract with Darden Restaurants, the largest full service retaurant company in the world, and as you can imagine they are very serious about security.

Right, that because the restaurant industry is the first one that comes to mind when I think of "serious about security".

Re:Let me show you my back door

[wdhowellsr]

I know, that's exactly what I thought when the head developer told me that. But if you think about it, if you are the largest -- Insert Anything -- company in the world you are a target and if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of it's type I have ever tasted, and don't get me started on the bread sticks.

Damn, now I'm hungry.

Re:Let me show you my back door

[cdrudge]

After I replied, he told me a story about a programmer interviewing for a position at Darden who had very good qualifications. He was asked the same question and immediately said, "Let me show you my back door", and proceeded to log into a company web site and pull up their web site administration page. The programmer actually seemed shocked when told that there is no way Darden could hire him.

I guess I could never work at Darden either. I would have to lie to get a job, or if I told the truth they already have admitted they couldn't hire me.

My past two employers I know have admin or otherwise secure pages that I can almost guarantee haven't changed their passwords. If I were asked that question, I would have to admit that technically I do have a "backdoor", but it's not MY backdoor nor was it anywhere within my control to change the credentials to it. Or I could just lie and say I don't have access, but then starting off an career with a company with a lie isn't exactly putting your best food forward either.

Re:Let me show you my back door

""Let me show you my back door"... I gotta say I almost didn't finish reading the rest of your post after this bit.

Re:Let me show you my back door

Right, that because the restaurant industry is the first one that comes to mind when I think of "serious about security".

Size matters. I hate to burst your bubble but were you under the impression that your small town banks employ crack info security teams or something because they're in the financial industry? Hahahahahaha.

http://www.darden.com/careers/support_center.asp
1200 people at their HQ alone, but sure, because the business is in the restaurant industry they probably all wear chef hats.

Re:Let me show you my back door

[wdhowellsr]

It's funny that you should say that because he asked me a similar question about the security failings of previous contracts and how I would overcome them. As I work with WCF often I talked about the problems with using the out of the box implementations and how encryption, handshakes and at the very least not publishing methods can reduce security breaches.

Now I wouldn't have shown him the security breaches but if you simply said that you know for a fact that many companies that you have worked for never change their passwords you would have been fine.

Re:Let me show you my back door

oh, of course, celebrity endorsement -- I am after all Slashdot's most prolific writer.

Re:Let me show you my back door

[cluedweasel]

Size matters. I hate to burst your bubble but were you under the impression that your small town banks employ crack info security teams or something because they're in the financial industry?

Worryingly enough, one of our local banks still advertises for NT4 and Exchange 5.5 admins.

Re:Let me show you my back door

[billybob_jcv]

I worked at the corporate office of a large, nationwide restaurant company. Saying you are the best tech guy at a restaurant company is like being the tallest guy in the Munchin Baskeball Association.

Re:Let me show you my back door

Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of it's type I have ever tasted, and don't get me started on the bread sticks.

Wow. You really need to experience more cuisine options from people who aren't high-school dropouts reading a corporate recipe. Life is too short to eat shit and then believe that's the best there is.

Re:Let me show you my back door

[DaveV1.0]

Here, let me help you understand:

Right, that because the discount clothing industry is the first one that comes to mind when I think of "serious about security".

Maybe you should search for articles about T.J. Maxx here on Slashdot.

Re:Let me show you my back door

[gnasher719]

My past two employers I know have admin or otherwise secure pages that I can almost guarantee haven't changed their passwords. If I were asked that question, I would have to admit that technically I do have a "backdoor", but it's not MY backdoor nor was it anywhere within my control to change the credentials to it. Or I could just lie and say I don't have access, but then starting off an career with a company with a lie isn't exactly putting your best food forward either.

That's not a backdoor. It's the front door. You had the keys to the front door, and it's a kind of key that cannot be returned, so they should have changed the locks. So you didn't create a backdoor, they just left your access to the front door intact.

Re:Let me show you my back door

[AK+Marc]

Oh, that one. Fuck you and your piece of shit company that refuses to serve said bread sticks in Alaska. If you aren't going to open a corporate store, treat Alaska like a foreign country. I've spoken to more than one person who tried to get a franchise (as they'd make a mint, so long as you added "offer not valid in HI or AK" a the end of the commercials promising specials), I've even spoken to a few that tried for HI as well.

But there are issues with supply chain and ingredients that are why franchises outside the US are allowed. But no stores in HI or AK, and no franchises there either. I'd open one in either location (or both, if I had the money) if I could buy a franchise, and I hate working food services.

Interesting story about the supply chain issues, K-Mart's most profitable store in the US was in Alaska, which was also the first one shut down when they declared bankruptcy. Why? Because bankruptcy isn't about profitable, but about cashflow, and the time to ship the product to Alaska was higher than any other store in the US (and also more expensive), so cut goes Alaska.

Re:Let me show you my back door

You have never eaten real Italian food. Check, you have never eaten real food.

Re:Let me show you my back door

[DerekLyons]

I know, that's exactly what I thought when the head developer told me that. But if you think about it, if you are the largest -- Insert Anything -- company in the world you are a target and if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

You really should stop watching Ratatouille and Mission Impossible back-to-back while under the influence - because you've gotten them confused. Either that, or be really, really careful because you're gullible as hell.
 
Who exactly is that recipe going to be worth millions to? No Mom & Pop restaurant has that kind of cash, and no big chain is going to pony up that kind of cash when they can send in a chef to taste the dish or order it take-out and head over to the lab. (Not that they have any real interest in duplicating another chain's dish, the rush is to have something different, unique, yet fitting in with the chain's theme and whatever the current trend is.)
 

Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of it's type I have ever tasted, and don't get me started on the bread sticks.

Sure, if by 'type' you mean "soups made of overly processed ingredients and designed for the least portion cost and to be prepared by food service staff without notable culinary training". But, that's being the smelliest person in the office - yeah, you're number one, but it's not a competition most people want to be in.
 
And no, don't get me started on the breadsticks. The few times I've not been able to avoid Olive Garden, I've found them to be utter shit. Over salted, greasy, and often undercooked and then reheated in a microwave.

Re:Let me show you my back door

[LiENUS]

My past two employers I know have admin or otherwise secure pages that I can almost guarantee haven't changed their passwords. If I were asked that question, I would have to admit that technically I do have a "backdoor", but it's not MY backdoor nor was it anywhere within my control to change the credentials to it. Or I could just lie and say I don't have access, but then starting off an career with a company with a lie isn't exactly putting your best food forward either.

That's called a front door.

Re:Let me show you my back door

[antifoidulus]

Here is their secret recipe, are you ready? You mask the fact that you use the cheapest ingredients and are unwilling to pay real chefs to make the food by loading it with calories(if you put enough calories in something it will taste good, not necessarily great mind you, but good) and if that still isn't enough you mask the fact that you processed the food to the point where it's flavor only vaguely resembles what it is supposed to be by using a massive amount of spice. There, I just gave you the "trade secrets" of almost every chain restaurant in the US, and I didn't have to hack anything, just used the most basic reverse engineering techniques, I.e. I ate there.

Re:Let me show you my back door

[gmhowell]

Boo hoo. AK is closer to Russia than it is to the real United States.

Sarah P. even said so. That's why the real US didn't elect her: we didn't want a commie in charge.

Re:Let me show you my back door

[AK+Marc]

Boo hoo. AK is closer to Russia than it is to the real United States.

They'd sell a franchise in Russia, but not in AK. It's not that they won't open a corporate store, but that they refuse to do business there, or allow anyone else to do business in their name there, HI and AK apparently being the only two places in the planet with that policy.

Re:Let me show you my back door

[wdhowellsr]

I couldn't find your email so I'm just going to post. Please send me and an email at wdhowellsr@gmail.com with all of your issues with the Olive Gardens in Alaska. I walk by the entire management department for Olive Garden every day and although I've been there only two weeks they are serious about their brands. Being just a contractor I can't promise anything but an Olive Garden without bread sticks isn't an Olive Garden.

Re:Let me show you my back door

[AK+Marc]

lol, it's not that there is an Olive Garden without breadsticks, but that Olive Garden won't open a store in AK or HI, and won't sell franchises, as they do in foreign countries (the only presumable reason why they'd not open one is that the supply chain problems with the distance, much like a foreign country, for which they do do franchises). They are so serious about their brands that they apparently refuse to open or franchise in AK or HI. Though there are rumours that there may be one going to HI.

Wrong Way... Do Not Enter

[LostCluster]

This guy got it all wrong. There is no such thing as capture the flag hacks leading to jobs. Who gave him the idea that this would work out in his favor? Tech smarts was there, but no sign of the minimal business smarts it takes to hold a job was there.

i'm trying to grasp the level of stupidity here

[circletimessquare]

"hi, i'm arnold, i stole your tv. would you like to hire me to put a lock on the bathroom window i broke into?"

i'm trying to put myself in the thinking here, and no... i just can't understand. i've reached my stupidity simulation threshold. i simply cannot understand a person this dumb

Re:i'm trying to grasp the level of stupidity here

Welcome to slashdot. Enjoy your stay.

It's a good thing he didn't pirate music

30 months? It is a good thing he didn't pirate some MP3s. Then they would really be mad at him.

So, did he release the blackmail stuff yet?

[Normal+Dan]

On one hand it would make sense for him to release it out of spite or whatever. On the other hand, they did technically hire him, so...

Re:So, did he release the blackmail stuff yet?

[AragornSonOfArathorn]

Eh? How would he release the info? Unless the Secret Service is as dumb as he is, he was probably whisked off to the "interview" as soon as he got off the plane, and then arrested. He hasn't been unsupervised since he set foot in the US.

hacking...

[jmb1990]

Hacking is alot like sex, you go in and out and hope you don't leave anything that can be traced back to. Hes done half of that joke, now hes in prison he'll probably experience the second half to. Dont drop the SOAP.

Secret service?

[HolyMackerelBatman!]

I thought the Secret Service protected diplomats and US currency. Why were they getting involved with a security breach at a hotel? Unless the documents he had were for the concierge arranging hookers for visiting politicians.

Re:Secret Service?

[Nidi62]

Since Cybercrime/computer fraud falls under their jurisdiction. Since about 1983 or '84, I think.

Wow, the movie Hackers actually got something right!

Re:Secret service?

That's their main job, but their duties were expanded after 9/11 to include various electronic crimes.

Re:Secret service?

[phoebusQ]

Computer Crime falls under US SS jurisdiction.

Title vs summary

[kakyoin01]

The title and summary seem to convey different things. "Job Seeking Hacker Gets 30 Months In Prison" sounds like a hacker was trying to get a hacking job somewhere, while the summary makes it clear that he hacked his way into getting said job. Just saying.

Nonetheless, blackmail is blackmail. Malicious hacking involving the exposure of private data to unwarranted eyes ought to be punished.

Laugh

[koan]

Would've been cheaper to hire him.

Re:Laugh

[toygeek]

That's the very first thing I thought, too!

Re:Secret service?

[betterunixthanunix]

Since the mid-80s, the Secret Service has had the authority to investigate cases of computer hacking. They became famous for bungling these cases in the early 90s:

https://en.wikipedia.org/wiki/Operation_Sundevil

Re:Secret service?

[betterunixthanunix]

https://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history#1984

The secret service has been involved in investigating computer crime for decades now. They are well-known for their attacks on free speech, their violations of civil rights, and their propensity for exaggerating the economic cost of hacking.

Re:Secret Service?

[betterunixthanunix]

Moreover, their portrayal of the approach the secret service takes to civil liberties was on the ball. The secret service arrested Craig Neidorf for publishing a document that had been sent to him by someone else in the magazine he edited, Phrack. They also failed to recognize that non-corporations could operate communication services during their raids on bulletin board systems. They searched the backpacks of people at 2600 meetings in the early 90s, regardless of whether those people were suspects in any investigation and without obtaining any search or arrest warrants.

I guess referring to them as the SS would not be too far from the truth...

Not a good starter...

[larys]

If you're trying to appeal to someone, the point is to show them your skills are useful and/or indispensable to their company...not that you're a loose cannon that will resort to illegal methods to get your point across. Someone had mentioned previously that his actions were arrogant, but it's not just that...he was using a brilliant skill to do something stupid and poorly-thought-out. It was a masochistic feat so dramatic that it should have a place in the record books for its sheer idiocy. That being said, doesn't his desperation in trying to land a job say something about the state of the country. As a whole, some changes need to be made or this will likely only be the first of these types of actions on the part of the unemployed. --And who could blame them? When you're grasping at nothing trying to feed your family when there are no jobs to be had or none that can even pay you enough to get by, what do you expect? The country needs to take care of its citizens. Those at the top may well be important but a country's citizens are its foundation. If their well-being is so thoroughly lacking, essentially, the very foundation of the country is in a state of rot. In all cases, no structure -- however grand -- can possibly stand without its foundation. Food for thought.

this guy should have hired a lawyer first...

[number6x]

Hi, I'm Steve B., You may know me from youtube videos of my rousing speaches at Microsoft developer conferences.

I didn't invent your android phone or any of the software on it, but I have found a flaw in the system that I can exploit. Its a flaw in the legal system but that's not important.

If you don't want me to activate this exploit, you need to pay me $30.00 for every phone you sell.

Do you see what happens?

[CxDoo]

Do you see what happens when you fuck a stranger in the ass?

Really?

[DRMShill]

Do you apply this logic to your own network? Actually let me rephrase that. Do you apply this logic to your own possessions, property and family? Do you believe burglary victims should share part of the blame because they didn't reinforce the glass windows(security flaws) in their homes?

Let's call a horse a horse here. This man was a criminal. He deserved what he got.

Re:Really?

[Vegemeister]

No. But if my house was burgled and I then decided to replace all of my windows with Lexan, it would not be reasonable to claim the cost of the replacement (other than the single window broken in the burglary) as damages.

Re:Really?

[L4t3r4lu5]

Do you apply this logic to your own network? Actually let me rephrase that. Do you apply this logic to your own possessions, property and family? Do you believe burglary victims should share part of the blame because they didn't reinforce the glass windows(security flaws) in their homes?

No, but if the burglar writes a note saying "You should really lock your doors" and leaves it on your dining table, you can't have 3-factor locking mechanisms, reinforced doors and frames, and security shutters installed and blame the perp for the cost. You should really just have locked your damn doors in the first place, for no (or very little) cost.

Re:Secret Service?

[slashdotresearch_mj]

Curious as to how you know this if you wouldn't mind sharing? Nosy social scientist question alert.

Re:Secret Service?

[betterunixthanunix]

Most of what I wrote is based on Operation Sundevil, which is covered pretty well in this book:

http://www.gutenberg.org/files/101/101-h/101-h.htm

There is some other information scattered around:

http://www.textfiles.com/news/2600dcr2.txt
http://www.totse2.com/totse/en/zines/cud_a/cud664.html

It is not terribly hard to find this information, if you are curious. As bad as things may have gotten in the US, we have not quite stooped to the level of China when it comes to covering up aggressive government action.

Sometimes stupid is painful.

[bryanp]

And this is one of those times.

Re:First Post!

[SteveFoerster]

No, no, no, you should have hacked in to change things so that your post would have been backdated to be first. Then we'd have hired you to get you to show us how you did it. Newbie!

I'm not a hacker but...

[stealth_finger]

...wouldn't it be easier to hack in and put your self in the employee database, set up payroll or send an email from the proper account to the payroll section to sort it and then just turn up on Monday? Or better yet not and get paid anyway.

Re:Secret Service?

[slashdotresearch_mj]

This is a lot thank you! I am very curious, but as a complete, newbie to these kinds of things, it's always difficult to know where to start. I really appreciate the links thank you again. More of a pop culture specialist in general before this, so my knowledge of Hackers has a lot more to do with Angelina Jolie and Johnny Lee Miller than it does the actual hacking. Terribly here useful I know:)

Re:Secret Service?

[slashdotresearch_mj]

*Terribly useful HERE I know. Ugh typing words in order is difficult apparently.

Paying for bars on the windows

[NevarMore]

Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs

Reminds me of Kevin Mitnick. He was convicted for stealing a manual (that could be purchased for a few hundred dollars) AND for the costs to plug all the holes he found.

The difference here is that the hacker in this case seems to be outright guilty of extortion. Why not bust him for that out of the gate?

Re:Paying for bars on the windows

[elucido]

Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs

Reminds me of Kevin Mitnick. He was convicted for stealing a manual (that could be purchased for a few hundred dollars) AND for the costs to plug all the holes he found.

The difference here is that the hacker in this case seems to be outright guilty of extortion. Why not bust him for that out of the gate?

He's definitely guilty of extortion, the question is why were so many resources invested into him?
Now he gets 30 months in prison where even more resources are going to be put into him?

And I'm not sure what message it's supposed to send. If the message is not to extort big corporations I'm sure anyone with sense knows that already. On the same token what are people supposed to do if they find bugs or potential backdoors?

This basically tells them to keep their mouth shut and don't tell anyone. It doesn't actually improve security if we dont know there are holes.

Darwin awards for lame haxors?

[Maljin+Jolt]

He deserves it.

But there is

[dutchwhizzman]

Dutch Police just held a CTF to gain interest of white hat hackers to work for them. They are growing their "high tech crime unit" and need skilled people for that. Even though the prizes weren't directly job contracts, the first ten to finish, are invited for "a visit" and a tour.

That only works if you look like Sandra Bullock

[leftie]

Dude watched too many hacker movies. You can only get away with crap like that if you look like Sandra Bullock or Anna Chapman.

How much does 30 months in jail cost us?

[elucido]

Ultimately it might have been cheaper just to give the guy a job.

Re:How much does 30 months in jail cost us?

[dkf]

Ultimately it might have been cheaper just to give the guy a job.

Except that it's insane to employ a blackmailer as you can never ever trust them. Same with a fraudster. You've got to hire someone else to fix the problems, and in general the cost of punishment is regarded as permissible as part of the cost of a reasonable degree of social stability.

Re:How much does 30 months in jail cost us?

[tehcyder]

Ultimately it might have been cheaper just to give the guy a job.

I don't know why they didn't just pay a hitman to kill the stupid fucker.

Re:How much does 30 months in jail cost us?

[elucido]

Ultimately it might have been cheaper just to give the guy a job.

Except that it's insane to employ a blackmailer as you can never ever trust them. Same with a fraudster. You've got to hire someone else to fix the problems, and in general the cost of punishment is regarded as permissible as part of the cost of a reasonable degree of social stability.

He screwed himself, that much is obvious. But the deeper question is if someone genuinely wants to become a pen-tester how should they go about becoming one? When there is no way into the Cyber Security industry then we cannot complain about these desperate hackers who want to find a way in.

How exactly could he have become a pen-tester in the proper way and have avoided this? I don't see how he had so many clear options. I also don't know who told him what. Someone could have mentioned to him that this is how to get noticed or recruited. He still would be an idiot for believing them, but I'm surprised he gets 30 months time for something like this as that seems to be a lot of time.

You are right they can't trust him but lets be honest you can't ever trust a social engineer regardless of which side they are on. They are social engineers. It doesn't change the fact that we need social engineers to pen-test networks.

It's the economy stupid.

[elucido]

The economy put him into a state of desperation. It's political policies which ultimately provoked him into breaking the law.
The question no one is willing to ask is why is it that some of the most skilled or talented computer geniuses are unable to find jobs?

Secondly the fact that he now has a criminal record could keep him from ever finding a job and set him back even more. So while it does act as a deterrent to these sort of hacks it deters in the exact wrong way. The next hacker wont be asking for a job but instead will simply go right after whatever is profitable. This hacker in this instance was naive and had good intentions and thats precisely why he was awarded with 30 months in prison.

Honestly he'd have got the same time if he would have hacked for money. The fact is he didn't know how to properly hack for money and he didn't have the political connections to be a pen-tester. He had the right intentions but went about it the wrong way.

Re:It's the economy stupid.

[tehcyder]

The economy put him into a state of desperation. It's political policies which ultimately provoked him into breaking the law.

Somehow, I doubt you'd use the same argument to justify the people who mugged you.

The question no one is willing to ask is why is it that some of the most skilled or talented computer geniuses are unable to find jobs?

If you're a computer genius you can probably work a till, so why not get a job in a supermarket? Seriously, if there aren't the jobs around for computer geniuses to work at being geniuses on computers, you have to accept the reality of the situation and find something else to do. Life is not designed solely around your specific wishes, talents and desires.

Re:It's the economy stupid.

[elucido]

Somehow, I doubt you'd use the same argument to justify the people who mugged you.

Mugging is not remotely similar to what happened here. This guy did a non-violent crime. I'm not justifying any crime of any sort. What I'm saying is that the political policies and in specific corrupt economic policies are going to put hundreds of thousands of people just like him into this desperate state of thinking and situations. It's only a matter of time before cyber crime begins to rise in response to the economic situation.

When people can't find jobs they find something less than constructive to do with their time. What do you expect to happen?

If you're a computer genius you can probably work a till, so why not get a job in a supermarket?

You're being as naive as the guy who thought he could blackmail his way to a job. The job at the supermarket is reserved for people who have friends who already work at the supermarket. If you're not already in with them you wont be hired. If it's a big supermarket then you wont be hired because you dont have any experience working at supermarkets because you're a computer genius. Finally the skills of a computer genius are the exact opposite of the skills required for a super market. You picked probably the worst possible example. A better example would be if this guy and 5 of his friends started their own computer run business, but you aren't going to take a person with computer skills and try to make them into something else in which they have no skill or experience.

That being said starting a business is very hard to do by yourself and if you have no friends you wont have anyone to hire. A lot of these computer geniuses don't have friends because they are computer geniuses and sometimes the skills of being solitary writing code all day are the exact opposite of the skills needed to organize a team. Nobody taught this guy leadership skills but then again most people in most industries dont have leadership skills either so he's not alone.

Seriously, if there aren't the jobs around for computer geniuses to work at being geniuses on computers, you have to accept the reality of the situation and find something else to do.

When people can't find anything else they resort to crime. Finding something else to do isn't usually an option for most people in this economy. If you're a genius at computers thats the only thing people are going to pay you to do. No one is going to pay you to mop the floor because theres someone who has been mopping the floors for 5-10 years now who has an advantage over you. No one is going to pay you to work at the supermarket because theres someone who is probably older than you who worked at the supermarket before and who has years of experience.

Let's not overlook the economic factors in this case. I think if this guy could easily have found a job this entire chain of events would have never happened. And no I don't think you can take a person who is a genius in one area and tell them to switch careers. If it were a doctor, or a pilot, or a scientist, we wouldn't tell them or expect them to go work at a supermarket for the rest of their lives after investing their lives into that. It's just as naive as what he did.

Life is not designed solely around your specific wishes, talents and desires.

I'm sure he knows that now that he's in prison. The point is he had the balls to try to change his life and got put in jail because it tried to change it in the wrong way. It doesn't mean he had bad intentions it just means the way he went about it wasn't the smartest way. If life isn't designed around your wishes, talents and desires then you're supposed to do everything you can to find a way to change that.

What he did however was brave on one hand and naive as hell on another. He probably should have set up a pen-testing company first. He probably should have built a track record with small businesses

The guy is another victim of a broken economy

[elucido]

The real question is why are so many people so desperate to find a job that they are beginning to resort to blackmail?

And how often is blackmail being used or perhaps other means like quid pro quo to decide who gets hired and fired?

In some ways what he did wasn't stupid, it was just inappropriate.

Re:The guy is another victim of a broken economy

[circletimessquare]

Ok, you're either a clever troll or an idiot yourself.

Unemployment does not excuse criminality like this.
if someone is broke, I excuse them from shoplifing from the supermarket. They need to eat. But I don t excuse them from breaking into houses, or this hacking. Unemployment is not an excuse to commit any crime you want.

  People make excuses all the time for bad behavior. Stop believing their lame excuses, unless you yourself are also stupid.

Re:The guy is another victim of a broken economy

[elucido]

Ok, you're either a clever troll or an idiot yourself.

Unemployment does not excuse criminality like this.
if someone is broke, I excuse them from shoplifing from the supermarket. They need to eat. But I don t excuse them from breaking into houses, or this hacking. Unemployment is not an excuse to commit any crime you want.

  People make excuses all the time for bad behavior. Stop believing their lame excuses, unless you yourself are also stupid.

I'm not excusing his actions. I'm saying that political policies promote criminality. When you have polices which produce high amounts of unemployment among skilled labor such as this guy then the result is many of them become criminals.

People need money to survive and that is a fact. We don't know the circumstances of his life to know how bad he needed a job nor do we know what information he was told. He could have been led to believe that this is how you get recruited into the Secret Service. There are guys like Albert Gonzalez who got recruited exactly this way. Then you also have guys like Adrian Lamo who did similar activities and they didn't receive 30 months in jail for it. The guy could have just been desperate and naive.

Re:The guy is another victim of a broken economy

[circletimessquare]

you need to eat, and you need a roof over your head. you steal from a store, you trespass to sleep away from the elements, you are excusable

anything else is criminality, and you should simply be punished

why is this so hard for you to understand?

poverty and corruption do not excuse more criminality. oh sure, they create more criminality, but only in the minds of those who already corrupt themselves

there is justifications for doing something you have to do in the face of bad rules. then there are excuses for criminals, which you seem to believe. so you are a gullible fool, or you excuse criminality, for whatever stupid reason

Aspergers Syndrome

[elucido]

It's actually fairly common among hackers.

Re:Actually, that was Reagan

[RonVNX]

Implemented in 1983. Who was president then? Oh yeah, Reagan. Nice try at revisionist history masquerading as revisionist history exposed.

Moron gets 30 months in prison

[GameboyRMH]

I remember this guy, he was a total moron. A total moron who committed a crime went to prison. Seems fair.

this guy is a retard

[davydagger]

what did he really think was going to happen. A bit arrogant to expect any sort of co-operation from a company you just BLACKMAILED. Why in hell would they want someone like this to work for them. Definition of DOING IT WRONG.

Re:Secret Service?

[tehcyder]

I guess referring to them as the SS would not be too far from the truth...

Yes, the original SS were notorious for searching people's backpacks without warrants, the dirty swine.

Re:Secret Service?

[tehcyder]

The only thing you need to know about hacking is that if you can crack the NSA's login password while receiving head, you get the job.

Visa

[NewYork]

What visa did he get to enter US?