Slashdot Mirror


Job Seeking Hacker Gets 30 Months In Prison

wiredmikey writes "A hacker who tried to land an IT job at Marriott by hacking into the company's computer systems, and then unwisely extorting the company into hiring him, has been sentenced to 30 months in prison. The hacker started his malicious quest to land a job at Marriott by sending an email to Marriott containing documents taken after hacking into Marriott servers to prove his claim. He then threatened to reveal confidential information he obtained if Marriott did not give him a job in the company's IT department. He was granted a job interview, but little did he know, Marriott worked with the U.S. Secret Service to create a fictitious Marriott employee for use by the Secret Service in an undercover operation to communicate with the hacker. He then was flown in for a face-to-face 'interview' where he admitted more and shared details of how he hacked in. He was then arrested and he pleaded guilty back in November 2011. Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs."


  1. Good by Viol8 · · Score: 5, Insightful

    Blackmail is blackmail whatever method is used to carry it out. Thinking that you're some sort of "lee7" hacker doesn't change the rules. Besides which, this guy comes off as an arrogant moron anyway.

    1. Re:Good by hamburger+lady · · Score: 5, Funny

      clearly, this whole thing is obama's fault.

      --

      ---
      Is this the MPAA? Is this the RIAA? Is this the DMCA? I thought it was the USA!
    2. Re:Good by Adriax · · Score: 5, Interesting

      I'm guessing Marriott's monetary claims are mostly "It's his fault we have to pay all this money, we wouldn't have to fix anything if he hadn't used those flaws to break in."
      He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    3. Re:Good by hrvatska · · Score: 5, Insightful

      The guy is a citizen of Hungary. He did the illegal intrusion and attempted blackmail while in Hungary. He was arrested when he arrived in the US for a 'job interview'. Hungary's economy is more fucked up than the US economy, and they did it all on their own.

    4. Re:Good by phantomfive · · Score: 4, Insightful

      He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

      Why do you think this? I couldn't find anything related to it in the article. Do you have some preconceived idea of how companies should act, and then judge them without checking the evidence? That's a serious cognitive bias.

      He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Good by betterunixthanunix · · Score: 5, Insightful

      He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

      Except that users are part of the system that is being attacked. As Bruce Schneier put it, only amateurs attack machines; professionals target people.

      It is true that user training is hard. It is equally true that the system should be resilient to stupid users, just as it should be resilient to malicious users. Spear-phishing and trojans are just a way to get non-malicious users to behave maliciously, and the system should be designed to contain the damage that malicious users can cause. There are a variety of technical measures that can be taken to prevent malicious users from leaking information or otherwise violating the security of the system; a large company should be taking these sorts of measures.

      --
      Palm trees and 8
    6. Re:Good by zwede · · Score: 3, Funny

      It's "1337" hacker. Just sayin'.

      And seriously, ... the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs. ???
      That's got to be the craziest application of 'cop math' I've seen in a non-drug related case ever.

      I guess you haven't seen the 'math' used in file sharing law suits then.

    7. Re:Good by phantomfive · · Score: 2

      Oh yeah? You've discovered a way to prevent spear-phishing attacks from doing damage? Please tell.

      --
      "First they came for the slanderers and i said nothing."
    8. Re:Good by Delarth799 · · Score: 2, Informative

      Damn right! He is the president and has access to the magic wand of "make shit instantly happen" and he has yet to use it for anything to help the country out.

    9. Re:Good by betterunixthanunix · · Score: 4, Insightful

      I am not going to claim that malicious users can be prevented from doing any damage. All I am saying is that a malicious user's ability to do damage can be restricted in a well designed system. The entire point of MLS systems is to ensure that users cannot leak or alter sensitive information, beyond what is necessary for their job. "Inside jobs" are a problem that has been extensively worked on, and resilience to such attacks is not completely impossible. There are cryptographic approaches to dealing with potentially malicious parties within a given system, which can ensure that security is maintained even if some of the participants are corrupted.

      We really do not have to throw our hands in the air and declare spear-phishing to be some kind of ultimate attack that cannot be defended against.

      --
      Palm trees and 8
    10. Re:Good by JamesP · · Score: 2

      So in this case it's blackemail?

      --
      how long until /. fixes commenting on Chrome?
    11. Re:Good by EdIII · · Score: 2

      He has a point, and so does the other poster. Marriott cannot absolve themselves of all blame here and trumping up enormous costs is kind of a way to shift the expense they should have already been paying to secure their systems. A million dollars is a little overboard. I'm not blaming the victim here either, just saying that it is a little bullshit to pile all those costs on to the hacker afterwards.

      As far as preventing trojans being sent to employees, you could look at preventing all file transfers over IM, removing all executable attachments on email, all attachments on email that cannot be decompressed, locking out USB drives from connecting, disabling auto-play, etc.

      An intercepting proxy and whitelist can also be pretty effective when combined with anti-virus and anti-malware from the workstations.

      Now if you mean mitigating damage once the trojan is installed, that is where document management, behavioral analysis, systems that employ data diode techniques, and limited access per employee and workstation can help.

      Sure, you could attempt privilege escalation once on the machine, but if all the attacker can get is the user credentials, and the workstation itself cannot be used to obtain suitable credentials to compromise other workstations or servers on the network, then I would call that damage mitigation.

      Of course, none of this is fool proof, but you seemed to indicate that it was not possible to prevent it at all.

    12. Re:Good by EdIII · · Score: 5, Insightful

      Seriously?

      Not allowing .exe files in emails drives you crazy? Especially when email was never truly designed for file transport in the first place?

      Not allowing compressed file attachments that cannot be scanned drives you crazy?

      Well tough cookies buddy. If you need to send files back and forth with a user on my network you can go through different channels, and whatever they are, you can bet that the file will be scanned and the user will not be allowed to install software. If you are trying to protect from being scanned or opened, you are already wrong to do so. The user has no basis or justification to need privacy (from the system) when exchanging information across email. Part of the data diode and behavioral analysis I mentioned.

      None of what I said prevents normal file transfers needed in the course of business. Just executable files.

      I hardly see how that is unreasonable.

      If I wanted to go overboard and be unreasonable I would remove PDF attachments.
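The attachment policy EdIII describes in this comment and the previous one (strip executables, refuse compressed attachments that cannot be opened for scanning, let ordinary documents through), written up as an added Python example that is not part of the thread. The message, file names and payloads are constructed samples; the extension list, the magic-byte check and the nesting limit are assumptions of this example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment names with these extensions are treated as executables no matter
# what the declared Content-Type says (assumed list; extend to taste).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi",
                   ".js", ".vbs", ".ps1", ".jar"}
# File signatures that identify a native executable even if it was renamed.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
ZIP_MAGIC = b"PK\x03\x04"
MAX_NESTING = 2          # archives nested deeper than this are refused unscanned


def classify_attachment(filename, data, depth=0):
    """Return ('allow' | 'block', reason) for one attachment."""
    name = (filename or "").lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        return "block", f"executable extension {ext}"
    if data.startswith(EXECUTABLE_MAGIC):
        return "block", "executable file signature"
    if ext == ".zip" or data.startswith(ZIP_MAGIC):
        return classify_archive(data, depth)
    return "allow", "document attachment"


def classify_archive(data, depth):
    """Allow a zip only if every member can be extracted and passes the same policy."""
    if depth >= MAX_NESTING:
        return "block", "archive nested too deeply to scan"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", "archive cannot be decompressed"
    for info in zf.infolist():
        if info.flag_bits & 0x1:          # bit 0 = encrypted member: unscannable
            return "block", f"encrypted member {info.filename}"
        try:
            member = zf.read(info)
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            return "block", f"member {info.filename} cannot be decompressed"
        verdict, reason = classify_attachment(info.filename, member, depth + 1)
        if verdict == "block":
            return "block", f"member {info.filename}: {reason}"
    return "allow", "archive fully scanned"


def filter_message(raw):
    """Parse a raw RFC 5322 message; return {attachment name: (verdict, reason)}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        results[name] = classify_attachment(name, part.get_payload(decode=True))
    return results


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed message with one attachment per policy case (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Q3 documents"
    msg.set_content("Files attached.")
    samples = {
        "report.pdf": b"%PDF-1.4 constructed sample document",
        "invoice.pdf.exe": b"MZ constructed sample executable",
        "setup.dat": b"MZ renamed executable, caught by its signature",
        "scans.zip": make_zip({"scan1.txt": b"plain text inside archive"}),
        "tools.zip": make_zip({"update.exe": b"MZ executable inside archive"}),
        "broken.zip": ZIP_MAGIC + b"truncated archive, no central directory",
        "deep.zip": make_zip({"inner.zip": make_zip({"x.zip": make_zip({"n.txt": b"n"})})}),
    }
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, reason) in filter_message(build_sample_message()).items():
        print(f"{verdict:5} {name:18} {reason}")
```

The same classifier can be applied to a file-sharing portal upload, which is where EdIII says the legitimate transfers should go instead.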

    13. Re:Good by SteveFoerster · · Score: 2

      He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

      Why do you think this?

      That's what I'd do. Why let a perfectly good crisis go to waste?

      --
      Space game using normal deck of cards: http://BattleCards.org
    14. Re:Good by Creepy · · Score: 2

      naive or sarcasm... not sure - going with the former

      1337 is leetspeak (internet slang that actually predates the internet, but that is quibbling) for leet, which is slang for elite, so it means elite hacker.

    15. Re:Good by Coeurderoy · · Score: 4, Insightful

      Well, mostly he was seriously stupid, he might have got a job if he had shown the weaknesses, and offered to help them, making sure that if they didn't want him, he would just forget about it, or if they were interested make an intrusion test at a later time.
      He should also make sure that he can explain how to pull documents out, but not actually do it.
      That way he would not have to go to jail... (or at least very much lower the risk of...)

      But nobody sane hires a blackmailer without immediately thinking about how to put the idiot in jail...

    16. Re:Good by Coeurderoy · · Score: 2

      Not really, they probably panicked, and hired a couple of outside consultants to check their security.
      And since they probably didn't have a real inside expert (or they would not need this) they also needed a senior security manager...
      So all in all 3 persons with expensive rare skills hired on short notice.
      for, let's say, 3 months.
      180 days * average 1500$/day => 270 K$ + at least one senior manager and one assistant to track what they are doing...
      "et voila" => 400 k$
      Add cost of building, chairs, computers, etc....

    17. Re:Good by EdIII · · Score: 5, Interesting

      If you were the IT guy at my company, I would complain to the CTO until I got an exception to your restriction. I don't care about your petty concerns when they get in the way of doing my job. Neither does anyone else.

      Good fucking luck. I am the CTO.

      Petty? Setting aside your childish attitude, your job does not come first. The company comes first. Without the company... you don't have a job.

      You are part of the problem. Instead of trying to understand the "why" of a policy you actively undermine it with a blatant and flagrant attitude mixed with ignorance, shortsightedness, and selfishness.

      As the CTO, I need to protect the integrity of the company. That means making sure that there exist policies, software, and infrastructure design to protect corporate assets. Part of corporate assets is data. Customers trust us with their medical records, insurance policies, financial information... I could go on.

      Am I to tell a customer that we had 1,000,000 records leaked because you wanted to transfer around executable files and bitched and moaned along with a couple of other people till you got your way? Hardly sounds reasonable. In fact, it makes me look like I just was not doing my job.

      Funny how that works out huh? Everything I try to do to reasonably find a balance between use of the system and security of the system is seen as some sort of fascism by people like you and you actively bitch and moan to try to undermine it. Yet.... when something goes wrong.... well that's my fault. The particulars are not relevant, such as your behavior and participation, because I was just supposed to magically create a world where you have no restrictions and everything works in perfect safety.

      Now instead of acting like a child, why don't you give me an actual reason why you need to send executables and protected, nested, compressed files around in email?

      This whole conversation got started with you saying it was impossible to prevent data leakage and penetration, I then offered a reasonable response, at which point you said you would try to undermine it to your fullest extent. How much sense does that make?

    18. Re:Good by EdIII · · Score: 5, Informative

      And yes, my docs are confidential and none of you IT monkeys should be able to read them ...

      There is your first problem. Already there is no room for reasonable cooperation without mutual respect and understanding.

      IT should be a 'business enabler'

      WRONG, WRONG, AND WRONG.

      I am not just "IT". I am the CTO.

      Enabling you to do your job is only one part of my job, and not even the most important. I must prioritize my responsibilities. In order to keep the company safe and sound I have to reasonably find a balance between the use of a system and the security of a system. That is first and foremost. Figuring out how to make your life easier comes in second.

      Do you really think there is a danger? Hackers targeting your company would simply send the latest 0-day, which your anti-virus wouldn't catch anyway.

      Yes, Yes I do. Absolutely. Hackers would not just "send the latest 0-day". They will try social engineering, dropping flash drives in the parking lot, probing of Internet facing assets, email phishing attacks, etc.

      How can their 0-day get through if all email attachments are locked down to document file types only, and those are inspected and have certain functionality removed?

      I don't care about little Hitlers in IT that talk about staff as 'The user has no basis or justification to' ... WTF!

      With respect, I get paid to decide the basis and justification for your actions.

      Anything the user needs for business you should provide!

      Wrong. Anything that the business needs, I need to find a reasonable solution that the user can work with while satisfying the primary needs for the business. Which is that reasonable balance between use and security I spoke of earlier. It's not Burger King, it's not what you want when you want it.

      but instead of 'being reasonable' and blocking everything you should provide a solution to enable that user in secure file-sharing with people if there is a business need

      I completely agree. Which is why I completely block email, especially on inbound, but have other means of secure document sharing between you and corporate clients. Which is important to note, I don't view the customers as your customers, but the company's customers.

      In your case, which is not unusual, email is not the best and most secure method. A secured website that allows you to share very specific data with customers is best. We have vendors and service providers that have very strong data policies as well. They would never ever send a PDF via email. Secured PDFs are downloaded via a web portal with multiple user account credentials that I get to control via another management portal. I can then review all of it as part of my job.

      I understand your need. My job is not fill your need the way you want. Why? Simply put, you ain't the CTO buddy. I am the CTO. When something goes wrong, it is my ass on the line, not specifically yours. If it is bad enough, like a huge data breach, your livelihood is affected along with countless others. That's a responsibility I would have to live with.

      So that's why I carefully consider your needs. What is it you are trying to do? How can I make that the easiest way possible for you? How do I make it secure and satisfy our data security policies and the vendors? Multiple vendors? How do I make your life easier and more efficient?

      At the end of day, believe or not, I exist to make your lives easier so you can be more productive, while also protecting the company to the best of my ability. It's not to be a dick and make your life hell for "funsies".

      And yes, my docs are confidential and none of you IT monkeys should be able to read them ...

      I'm going to touch on this twice beca

    19. Re:Good by EdIII · · Score: 4, Insightful

      With your attitude, you're right. You would not be working for my company.

      Very simply that is because I am a very fair and reasonable CTO. When users (which includes you) get out of line and have no justifications for their actions that create liability for the company, when I provide efficient and workable alternatives, they get disciplinary action all the way up to being fired.

      The reason why is that I am well respected by the people in my company from top to the bottom. I have always worked well with people to find solutions without endangering the company, or creating a hostile work environment between IT and the users.

      You would not fit into our company. You cannot even give me:

      1) A good reason why you need to send that type of data in email.
      2) A cogent description of your needs for me to find a solution.

      How can I begin to help when you refuse? You have no respect for my job, my responsibilities, or a willingness to participate in problem solving or conflict resolution.

      You are the weakest link. Good bye.

    20. Re:Good by L4t3r4lu5 · · Score: 2

      If this post could have a soundtrack, it would be "Hero" by the Foo Fighters.

      You can be my boss.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    21. Re:Good by tehcyder · · Score: 2

      I don't see why blackmail should be illegal. In this case he hacked their system so that is a crime. But the blackmail itself is just a negotiation.

      Always good to get input from the world of finance.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    22. Re:Good by EdIII · · Score: 2

      And it's people like you who spend so much goddamn time worrying about little "issues", that if given the power to do so by the company management, you'd drag the entire business down from accomplishing its actual goals all in the name of preventing these "issues."

      And it's people like you who don't want to worry about any issues that even remotely have the perception of slowing you down until it costs the company HUGE. I really don't know who you deal with, but the attempt to protect company data is not a little "issue".

      And when you introduce bureaucracy into every goddamn file copy operation, and require justification and paperwork for every stupid special situation that comes up, what kind of parasitic overhead does this introduce to the business as a whole?

      That's insane. Where did you get that from my posts?

      You describe a situation where I am like those aliens from the Hitchhiker's Guide to the Galaxy where you have to sign endless forms for every single possible action.

      I never even alluded to that. You don't need to send exe's in file attachments or receive them. I have a different solution for you, that works all the time, and you don't have to ask every time to use it.

      In other words, I.T. technicians play all the same political bullshit games that every other group does, while of course, usually also being the ones who cry loudest about what whatever those assholes over in H.R., management, etc are doing. (The victim mentality is popular here, due to the overabundance of beta-male types.) Your attitude is: "If you are kind to me and can eloquently explain your 'need', then I MAY be so kind as to grant you your humble request.....OR if you don't treat me with the respect I feel I *deserve*, I will make your life hell." This petty clannish behavior does nothing more than make you an obstacle, not a solution finder or problem solver. How does it feel to be directly dragging down the company bottom line?

      No. My attitude is that mutual respect, cooperation, and communication are the foundation in which we can all solve our problems, get work done, and have a less stressful life.

      You make it sound like I am a tyrant, when I am not. I am very approachable, patient, and when we are done talking I aim to leave you informed with a better understanding of the problem and the belief that I am going to provide you a tool to do what you want better than you thought possible when we started.

      It's hilarious just how much you have misjudged me.

      I.T. is a liability, NOT an asset; always remember that. The real assets are a) the knowledgeable and skilled people directly involved in the company's main business, b) the capital i.e. the computer systems you are hired to maintain. Well, the computer is only valuable as long as it's facilitating the operator in accomplishing his job. Who cares how virus-free or clean and well maintained the computer is, if it adds 30% onto the company's labor overhead due to the silly restrictions and arbitrary bullshit the I.T. department has dreamed up? How big of a problem is a virus infestation compared to developers quitting in disgust due to your unwarranted and heavy handed intrusion upon their dignity and job description?

      Why have some people made this as hard as peace in the Middle East?

      IT is not a liability. We are a crucial asset.

      Your position and argument is laughable at best. How big of a problem could an infestation be? Seriously!!?!?

      There are practically no viruses out there anymore, but malware, trojans, etc.. It's funny how you think you are the only professionals in the company worth anything as if we could be replaced by Geek Squad.

      As we speak, there are organized groups out there actively targeting the top businesses in the US. What would a breach cost your company? What would the loss of a huge number of customer records cost you? Trademark secrets? Des

    23. Re:Good by EdIII · · Score: 2

      there's a CEO (with an MBA of course) that loves to override my decisions when the whiny users complain that they "can't get their work done"

      I don't get an override exactly, but when the company is unable to put certain policies in place due to financial constrictions or otherwise I just write a letter. Part of the well written contract, and that is the best asset that anybody in IT can have. A very well defined relationship with the company is essential.

      Some CTO's and IT people get too emotionally involved and treat the network and corporate assets like it is their personal property to be defended at all costs. I see it as a job, I do it to the best of my ability, give the most options and information to those needing to make decisions, and that's all there really is to it.

      In the letter I just state my position, explain what is going on, what I believe the consequences could be, and ask them to sign it. I have had people ask me why, and even get a little upset, but I have just explained that it is so in case something happens we can remember it and that I am not liable. I make it clear that I take orders from them, like any good soldier, but I am making sure that they are fully informed and the letter serves as record that I was not negligent by staying silent.

      I had to learn the hard way early on that the costs of staying silent, or making it personal in any way, shape or form, was a massive mistake. Just be professional about it.

      The most famous one is where I advised a client to get offsite backup and a secondary NAS RAID for real time backup of changed files. It was turned down. I had them sign the letter. About a year later the Enterprise RAID crapped with a busted drive and the headers were overwritten. Ended up costing about 90x the backup fees in immediate replacement and data retrieval costs and a couple thousand times more in lost productivity across the entire company.

      I was the consultant that they had on retainer to prevent it.... and I showed them the letter when they were going berserk. At that point it was kind of hard to be angry with me and I ended up spending the next 5 weeks getting their company back up and online.

      Guess how fast they bought the backup solutions I recommended previously? :)

      As a CTO now though, I rarely get into such a situation. With my experience, people skills, and management skills I have been fairly successful at explaining why my proposal is in the best interests for the company. It also helps to have options and solutions instead of just "no we can't do that".

      The best answer is, "I am not sure how to do that, but let me think about it and find the best solution for you".

  2. Geez what a moron by Weaselmancer · · Score: 5, Funny

    I mean, if he had access to their network and wanted a job, he should have forged interview and approval emails.

    Think outside the box, man.

    --
    Weaselmancer
    rediculous.
    1. Re:Geez what a moron by Weaselmancer · · Score: 5, Interesting

      Actually I was thinking something similar. In a large enough company communication becomes a real problem. Departments don't really communicate much. If you were to study your target a while and figure out who everyone's superiors are and the like, all it would take is a well-crafted email from some higher-up that says "hey hire this guy" and the odds are the underling wouldn't go back to their boss and say "are you sure?" - they'd just start the paperwork. Large companies are dysfunctional that way. They kind of have to be. The more people in the company the less practical being well informed is.

      --
      Weaselmancer
      rediculous.
    2. Re:Geez what a moron by snowgirl · · Score: 5, Informative

      He could claim entrapment. There are articles every once in a while about some hacker that breaks into somebody's servers, and they're so impressed they recruit him right off.

      You'd have to be an idiot to believe things like that, but it doesn't take a lot of brains to cause damage.

      Except no one induced him into breaking the law. The very first contact that he had with Marriott contained proof that he had already committed a crime.

      Entrapment only works when the originating idea for the crime came from a police officer, or an agent thereof. (If a cop tells a confidential informant to get a gang to rob a specific store, then that would be entrapment as well.)

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    3. Re:Geez what a moron by snowgirl · · Score: 2

      For what it's worth, entrapment usually involves not only originating the idea, but also use of coercion (force, blackmail etc) to get someone to commit a crime. Otherwise those pointless drug and prostitution busts wouldn't be possible, and the police could save a lot of taxpayer money by not busting people who aren't criminals :P

      I'm sorry.. but where is the inducement to commit the crime with drug and prostitution busts? The police are allowed to present opportunity to commit the crime, but they cannot give the idea to the person.

      Leaving a $100 bill on the ground is ok, but telling the person about the $100 and telling them to take it is inducement. While one could say that "usually" entrapment involves coercion, it's simply the easiest way to prove entrapment, not necessarily the most common.

      The difference with drug and prostitution here is again, presenting opportunity, rather than inducing behavior. Placing an undercover officer dressed like a hooker on the streets is not inducing behavior. Johns are soliciting the hookers just because they look like hookers, not because a police officer told them, "hey, let's go get some hookers!" As well, police placing stings for prostitutes are answering adverts, and so they are not inducing any behavior of the hooker, as the hooker is already soliciting prostitution.

      As for drugs, drug dealers regularly deal in business, and if a cop patrons that drug dealer, then the drug dealer was already doing business, and the cop isn't inducing any behavior. This is unlike the case where an undercover cop asks someone "hey, do you think you could score me some of drug XY?" If the person is not already known to be engaging in drug sales, then the officer is inducing the person into committing a crime. Note the subtle difference between "hey, can you do something unusual and get me some coke?" and "hey, you're selling coke, let me buy some from you."

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  3. Cost them $1Million by Bradmont · · Score: 5, Insightful

    So how much of that $1 million in salaries was spent repairing the security holes, which they should have done anyway?

  4. Re:Secret Service? by PessimysticRaven · · Score: 5, Informative

    Since Cybercrime/computer fraud falls under their jurisdiction. Since about 1983 or '84, I think.

    --
    Consistency is only a virtue if you're not a screw-up.
  5. How someone can be that smart in hacking.. by hcs_$reboot · · Score: 4, Insightful

    ..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills.
    "I found a security hole in your systems and may help you to improve this, and your systems globally".

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:How someone can be that smart in hacking.. by artor3 · · Score: 5, Insightful

      You haven't met many computer nerds, have you?

    2. Re:How someone can be that smart in hacking.. by Dogtanian · · Score: 5, Insightful

      ..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills. "I found a security hole in your systems and may help you to improve this, and your systems globally".

      No, no, no, no, NO.

      You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick - even if you found the hole through innocent means - assume that you hacked or were trying to hack into their system, and act accordingly.

      Others still won't care, but will be angry that their shortcomings have been exposed (either the organisation as a whole, or vested interests that hold sway within that organisation, e.g. the crappy IT guy who's just been made to look bad) and that they have to correct them. Under such circumstances you are in danger of them maliciously trying to punish you or get revenge in some manner.

      You do *not* risk the second or third happening, regardless of whether informing the company would benefit them. Ideally you'd be able to, but this isn't an ideal world, and you do not put yourself at risk for a benefit that they might not perceive as such. At best, if you need to report this kind of thing, you do it anonymously and/or in a manner that makes it untraceable or at least such that you won't be at risk of retribution.

      This is the problem with geeks not understanding that the world does not operate in the logical manner they'd like to think, of assuming that people will behave logically and of not factoring in personal politics, self-interest and inadvertently standing on someone else's toes.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    3. Re:How someone can be that smart in hacking.. by X.25 · · Score: 2

      What makes you think he was smart in hacking?

    4. Re:How someone can be that smart in hacking.. by roman_mir · · Score: 2, Interesting

      He is just not that smart, period. Say you run a company, some schmuck breaks through some web-app and steals some documents and then blackmails you with these documents to get a job? So what does he expect exactly, an actual job from you?

      Let me put it this way - I wouldn't call cops on him, I would invite him for an 'interview' and clean his clock.

    5. Re:How someone can be that smart in hacking.. by ranpel · · Score: 3, Insightful

      Someone can have skills and lack the maturity and wisdom to wield them easily enough. It's more of a willingness to engage in a clearly criminal endeavor with those skills that is relevant. He could just as easily have delivered his findings, suggested they shore up, wished them luck and maybe hinted that he's looking for a new gig and, if they find themselves in need of someone that can shore up, to feel free to drop a message in this anonymous drop box. Gaining access to information is one thing but using that information quite another. The option this guy chose not only exposed himself rather awkwardly but is one quite deserving of a good stint in jail.

    6. Re:How someone can be that smart in hacking.. by rtfa-troll · · Score: 2

      I don't think they have any moral or legal basis for being upset with that.

      Technically you are right. This is why they have better lawyers than you. To ensure you don't "get away on a technicality", like for example being innocent. Basically, when you are risking a jail term based on a misunderstanding it's just not worth it.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    7. Re:How someone can be that smart in hacking.. by Loosifur · · Score: 5, Insightful

      No moral or legal basis for being upset, huh?

      "Hi, I noticed you'd left your front door unbolted, and your big-screen television is clearly visible from the street. Also, just to check, I climbed over your back fence and tried the back door, which you left unlocked. When I got inside and heard your dog barking I was a little worried, but it turns out he's really friendly. I've taken the liberty of writing up a list of suggestions for you to make your house more secure; it's taped on the front of your fridge. Incidentally, I just happen to sell alarm systems, if you're interested..."

      --
      This unbiased moderation brought to you by the Porcine Aviation Group!
    8. Re:How someone can be that smart in hacking.. by nibbles2004 · · Score: 2

      Sorry, didn't see the "L". I totally got the wrong impression about the type of interview you conduct; my apologies.

  6. This story needs more press. by goodmanj · · Score: 4, Insightful

    The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation. We need more stories like this to show that the average computer cracker is at least as stupid as the average Joe.

    Honestly, any janitor could tell you instantly why this plan is idiotic.

    1. Re:This story needs more press. by tunapez · · Score: 2

      I am an eJanitor, you insensitive clod!

      --
      Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
    2. Re:This story needs more press. by Zadaz · · Score: 2

      Yes, it needs more press, but not for that reason.

      The word "hacker" is already synonymous with "Skeevy computer criminal" in the mind of the general public - despite the fact that's not what the hacker community means to those who actually make up the hacker community.

      Call criminals who use computers criminals. Don't call them hackers. It makes hackers look bad.

    3. Re:This story needs more press. by DerekLyons · · Score: 2

      The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation.

      No, the greater damage is to so-disant 'smart people's self image. He's pretty typical of most smart people I've known... intelligence and common sense are in no way connected.

    4. Re:This story needs more press. by martin-boundary · · Score: 2

      soi-disant: literally "oneself saying", but it's best to translate as self-proclaimed.

  7. Let me show you my back door by wdhowellsr · · Score: 5, Interesting

    I'm currently working a contract with Darden Restaurants, the largest full service restaurant company in the world, and as you can imagine they are very serious about security. During the meet and greet the head developer asked me if I had left any back doors at my previous contracts. I looked at him strangely because the thought never even crossed my mind, which is the difference between a hack and a professional.

    After I replied, he told me a story about a programmer interviewing for a position at Darden who had very good qualifications. He was asked the same question and immediately said, "Let me show you my back door", and proceeded to log into a company web site and pull up their web site administration page. The programmer actually seemed shocked when told that there is no way Darden could hire him.

    There is a fine line between genius and insanity but stupid is all by itself.

    1. Re:Let me show you my back door by Corbets · · Score: 2

      I'm currently working a contract with Darden Restaurants, the largest full service restaurant company in the world, and as you can imagine they are very serious about security.

      Right, that's because the restaurant industry is the first one that comes to mind when I think of "serious about security".

    2. Re:Let me show you my back door by wdhowellsr · · Score: 4, Insightful

      I know, that's exactly what I thought when the head developer told me that. But if you think about it, if you are the largest -- Insert Anything -- company in the world you are a target and if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

      Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of its type I have ever tasted, and don't get me started on the bread sticks.

      Damn, now I'm hungry.

    3. Re:Let me show you my back door by AK+Marc · · Score: 2

      Oh, that one. Fuck you and your piece of shit company that refuses to serve said bread sticks in Alaska. If you aren't going to open a corporate store, treat Alaska like a foreign country. I've spoken to more than one person who tried to get a franchise (as they'd make a mint, so long as you added "offer not valid in HI or AK" at the end of the commercials promising specials), I've even spoken to a few that tried for HI as well.

      But there are issues with supply chain and ingredients that are why franchises outside the US are allowed. But no stores in HI or AK, and no franchises there either. I'd open one in either location (or both, if I had the money) if I could buy a franchise, and I hate working food services.

      Interesting story about the supply chain issues, K-Mart's most profitable store in the US was in Alaska, which was also the first one shut down when they declared bankruptcy. Why? Because bankruptcy isn't about profitability, but about cashflow, and the time to ship the product to Alaska was higher than any other store in the US (and also more expensive), so cut goes Alaska.

    4. Re:Let me show you my back door by DerekLyons · · Score: 2

      I know, that's exactly what I thought when the head developer told me that. But if you think about it, if you are the largest -- Insert Anything -- company in the world you are a target and if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

      You really should stop watching Ratatouille and Mission Impossible back-to-back while under the influence - because you've gotten them confused. Either that, or be really, really careful because you're gullible as hell.
       
      Who exactly is that recipe going to be worth millions to? No Mom & Pop restaurant has that kind of cash, and no big chain is going to pony up that kind of cash when they can send in a chef to taste the dish or order it take-out and head over to the lab. (Not that they have any real interest in duplicating another chain's dish, the rush is to have something different, unique, yet fitting in with the chain's theme and whatever the current trend is.)
       

      Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of its type I have ever tasted, and don't get me started on the bread sticks.

      Sure, if by 'type' you mean "soups made of overly processed ingredients and designed for the least portion cost and to be prepared by food service staff without notable culinary training". But, that's being the smelliest person in the office - yeah, you're number one, but it's not a competition most people want to be in.
       
      And no, don't get me started on the breadsticks. The few times I've not been able to avoid Olive Garden, I've found them to be utter shit. Over salted, greasy, and often undercooked and then reheated in a microwave.

  8. i'm trying to grasp the level of stupidity here by circletimessquare · · Score: 4, Funny

    "hi, i'm arnold, i stole your tv. would you like to hire me to put a lock on the bathroom window i broke into?"

    i'm trying to put myself in the thinking here, and no... i just can't understand. i've reached my stupidity simulation threshold. i simply cannot understand a person this dumb

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  9. It's a good thing he didn't pirate music by Anonymous Coward · · Score: 2, Interesting

    30 months? It is a good thing he didn't pirate some MP3s. Then they would really be mad at him.

  10. Title vs summary by kakyoin01 · · Score: 2

    The title and summary seem to convey different things. "Job Seeking Hacker Gets 30 Months In Prison" sounds like a hacker was trying to get a hacking job somewhere, while the summary makes it clear that he hacked his way into getting said job. Just saying.

    Nonetheless, blackmail is blackmail. Malicious hacking involving the exposure of private data to unwarranted eyes ought to be punished.

    --
    The more you know, the more you have to say and the more you should listen.
  11. Re:$1 mil? Seriously? by Score+Whore · · Score: 5, Insightful

    Why do you think the damages are made up?

    Once the notice comes to IT that they've had a break-in you've got an awful lot of work to do. Much more than just applying a security patch. You've got to figure out what happened and which systems were affected. Which means that even if you have a situation like this where the attacker tells you how they got in, you don't know if they are lying. So you have to do a security survey of every single system on your network to make sure there are no back doors, root kits, or altered data. Just reviewing could readily cost you hundreds to thousands of dollars per system. You may be facing multiple nuke-n-pave situations on your servers (may cost you $5,000 - $10,000/system). Which means you will be losing data or will have to recreate data. If you have a centralized reservation system they may have to take that down, in which case you are idling thousands of workers worldwide as well as losing business during the downtime. That's probably measured in thousands of dollars per minute in costs and losses. You've got to bring in your legal team and executive management so they can determine if there are non-IT related actions that need to be taken (offer your customers identity theft protection?). Who knows how much that is, but it could easily be north of $100,000. Probably you'll be bringing in security experts to review your policies, practices and implementation. A team of four at $250/hr/consultant and you are burning $40,000/week just in consultant fees. Those consultants will be working with your IT staff who will not be doing their normal work, so that's another $5,000 - $10,000/week.

    $400,000 - $1,000,000 is an easy number for an IT organization to reach in a large company. A business the size of Marriott may well have a central IT staff numbering between 750 - 1000 people. If they have a particularly efficient team and are on the low end of staffing (750) and have good control of salary ($60,000/yr), they have annual staff costs over $56,000,000. Diverting 10% of those means $108,000/week.

  12. Re:Secret Service? by betterunixthanunix · · Score: 5, Informative

    Moreover, their portrayal of the approach the secret service takes to civil liberties was on the ball. The secret service arrested Craig Neidorf for publishing a document that had been sent to him by someone else in the magazine he edited, Phrack. They also failed to recognize that non-corporations could operate communication services during their raids on bulletin board systems. They searched the backpacks of people at 2600 meetings in the early 90s, regardless of whether those people were suspects in any investigation and without obtaining any search or arrest warrants.

    I guess referring to them as the SS would not be too far from the truth...

    --
    Palm trees and 8
  13. this guy should have hired a lawyer first... by number6x · · Score: 2

    Hi, I'm Steve B. You may know me from YouTube videos of my rousing speeches at Microsoft developer conferences.

    I didn't invent your Android phone or any of the software on it, but I have found a flaw in the system that I can exploit. It's a flaw in the legal system but that's not important.

    If you don't want me to activate this exploit, you need to pay me $30.00 for every phone you sell.

  14. Re:$1 mil? Seriously? by ScentCone · · Score: 3, Insightful

    I'm so tired of seeing these ridiculous and obviously made-up damages

    Did you even bother to read the summary, let alone the article? They had a lot of work to do in interacting with the feds in advance of busting this guy in person (he was cracking/extorting from Hungary). This involved many employees, corporate lawyers, etc. You tie up those sorts of man-hours, including the time to gather and preserve an unknown-until-you're-done pile of forensic information from a huge IT footprint at a company that size ... I'm surprised the cost wasn't higher.

    What I'm tired of are people who are so vitriolically anti-business in their mindset that they won't even do the mental work of thinking something like this through, lest it take some of the fun out of Complaining About The Man.

    --
    Don't disappoint your bird dog. Go to the range.
  15. Do you see what happens? by CxDoo · · Score: 2

    Do you see what happens when you fuck a stranger in the ass?

    --
    "Blah blah blah." - [citation needed]
  16. Really? by DRMShill · · Score: 3, Insightful

    Do you apply this logic to your own network? Actually let me rephrase that. Do you apply this logic to your own possessions, property and family? Do you believe burglary victims should share part of the blame because they didn't reinforce the glass windows (security flaws) in their homes?

    Let's call a horse a horse here. This man was a criminal. He deserved what he got.

    1. Re:Really? by Vegemeister · · Score: 2

      No. But if my house was burgled and I then decided to replace all of my windows with Lexan, it would not be reasonable to claim the cost of the replacement (other than the single window broken in the burglary) as damages.

  17. Re:$1 mil? Seriously? by Seraphim1982 · · Score: 2

    Except the hacker didn't create the holes in the network,

    How do you know that?

    More specifically, how do you know that once he had access the hacker didn't introduce new vulnerabilities into the system?

  18. Re:Secret Service? by betterunixthanunix · · Score: 2

    Most of what I wrote is based on Operation Sundevil, which is covered pretty well in this book:

    http://www.gutenberg.org/files/101/101-h/101-h.htm

    There is some other information scattered around:

    http://www.textfiles.com/news/2600dcr2.txt
    http://www.totse2.com/totse/en/zines/cud_a/cud664.html

    It is not terribly hard to find this information, if you are curious. As bad as things may have gotten in the US, we have not quite stooped to the level of China when it comes to covering up aggressive government action.

    --
    Palm trees and 8
  19. I'm not a hacker but... by stealth_finger · · Score: 3, Insightful

    ...wouldn't it be easier to hack in and put yourself in the employee database, set up payroll or send an email from the proper account to the payroll section to sort it and then just turn up on Monday? Or better yet not and get paid anyway.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  20. Re:$1 mil? Seriously? by Shoten · · Score: 3, Interesting

    A team of four at $250/hr/consultant and you are burning $40,000/week just in consultant fees.

    Actually, you came in way low on that. I've been one of those consultants, and you end up doing WAY more than a 40 hour week when cleaning up a major incident. The first engagement I did, we billed 100 hours each in the first 5 days, and indeed we were billed at $250/hr...for a grand total of an even $100,000 for just the first week. That was a decade ago; costs are higher now. This also didn't include travel or expenses, or any opportunity costs of delayed projects (there were many). We ended up having to go over the entire environment with a fine-toothed comb, discerning what may or may not have been owned. Anything in doubt got nuked and totally rebuilt (not recovered from backup) just like you said. Fortunately, they had good backups of their databases, so recovery of that data went just fine...but databases are the one thing that is least likely to be properly recovered from backup media, owing to the MUCH greater complexity of doing those backups right. I don't even know where to begin on determining the cost, if it turns out you lose a database instance as a result.

    --
    For your security, this post has been encrypted with ROT-13, twice.
  21. Re:$1 mil? Seriously? by Score+Whore · · Score: 2

    I certainly never said they didn't include applying security patches and closing holes. I said that it's more than that. As soon as someone is wandering around your network you don't know what systems have been compromised. He emailed an executable to an employee. The employee ran the executable. The program installs itself on the employee's machine and provides a mechanism for the intruder to stage additional attacks on your network. Maybe he installed a key logger which gives him the employee's credentials which are then used to access a system the employee is authorized to use. From there the intruder uses a not publicly known local privilege escalation to install kernel modules which roll out into a root kit on a database server. This allows him to collect credentials from anyone logging into the database or the system hosting the database. Any ssh-agents running? Well since he's root he can use any of those to log into other systems. And so on and so on. Along the way the intruder also modifies some documents, updates a few databases and installs lots of back doors to ensure future access. Everything has to be verified and cleaned up. And none of it is necessarily a failing of the IT organization.

    Don't think of it as a car, think of it as a jogger who is mugged in the park and shoved onto a broken stick ending up impaled through the stomach. You don't just pull the stick out and put a band-aid on it. You have to go in there and see if any part of the stick broke off inside the jogger. You have to see if there are any internal injuries that need fixing up.

  22. Darwin awards for lame haxors? by Maljin+Jolt · · Score: 2

    He deserves it.

    --
    There you are, staring at me again.
  23. Re:How much does 30 months in jail cost us? by dkf · · Score: 3, Insightful

    Ultimately it might have been cheaper just to give the guy a job.

    Except that it's insane to employ a blackmailer as you can never ever trust them. Same with a fraudster. You've got to hire someone else to fix the problems, and in general the cost of punishment is regarded as permissible as part of the cost of a reasonable degree of social stability.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  24. Re:It's the economy stupid. by tehcyder · · Score: 2

    The economy put him into a state of desperation. It's political policies which ultimately provoked him into breaking the law.

    Somehow, I doubt you'd use the same argument to justify the people who mugged you.

    The question no one is willing to ask is why is it that some of the most skilled or talented computer geniuses are unable to find jobs?

    If you're a computer genius you can probably work a till, so why not get a job in a supermarket? Seriously, if there aren't the jobs around for computer geniuses to work at being geniuses on computers, you have to accept the reality of the situation and find something else to do. Life is not designed solely around your specific wishes, talents and desires.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  25. Re:How much does 30 months in jail cost us? by elucido · · Score: 2

    Ultimately it might have been cheaper just to give the guy a job.

    Except that it's insane to employ a blackmailer as you can never ever trust them. Same with a fraudster. You've got to hire someone else to fix the problems, and in general the cost of punishment is regarded as permissible as part of the cost of a reasonable degree of social stability.

    He screwed himself, that much is obvious. But the deeper question is if someone genuinely wants to become a pen-tester how should they go about becoming one? When there is no way into the Cyber Security industry then we cannot complain about these desperate hackers who want to find a way in.

    How exactly could he have become a pen-tester in the proper way and have avoided this? I don't see how he had so many clear options. I also don't know who told him what. Someone could have mentioned to him that this is how to get noticed or recruited. He still would be an idiot for believing them, but I'm surprised he gets 30 months time for something like this as that seems to be a lot of time.

    You are right they can't trust him but let's be honest, you can't ever trust a social engineer regardless of which side they are on. They are social engineers. It doesn't change the fact that we need social engineers to pen-test networks.