UK Student Jailed For Facebook Hack Despite 'Ethical Hacking' Defense
Diamonddavej writes "The BBC reports that software development student Glenn Mangham, a 26-year-old from the UK, was jailed 17 February 2012 for eight months for computer misuse, after he discovered serious Facebook security vulnerabilities. Hacking from his bedroom, Mangham gained access to three of Facebook's servers and was able to download to an external hard drive the social network's 'invaluable' intellectual property (source code). Mangham's defense lawyer, Mr. Ventham, pointed out that Mangham is an 'ethical hacker' and runs a tax-registered security company. The court heard Mangham previously breached Yahoo's security, compiled a vulnerability report and passed it on to Yahoo. He was paid '$7000 for this achievement,' and claims he was merely trying to repeat the same routine with Facebook. But in passing sentence, Judge Alistair McCreath said despite the fact he did not intend to pass on the information gathered, his actions were not harmless and had 'real consequences and very serious potential consequences' for Facebook. The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'"
This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.
So Zuckerberg had to go to his wallet instead of pulling change from his pants pocket, maybe the hacker should have been less ethical and just sold the code.
The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'"
So, they spent money securing unsecured servers?
Can we use the cost of having to install locks and security systems in homes to deal with theft to increase the punishment of the thieves?
He broke in through the window, now my house needs $xxx for a security system which protects windows as well, and it's all his fault.
Sounds like Facebook spent $200,000 fixing their security holes that he found. Security through obscurity is not security. In light of his 'tax-registered security company' status, and past efforts with Yahoo, I think the judge in this case made the wrong decision.
In the case of companies like Yahoo, you can do this. But in the case of Facebook, it's better to sell any uncovered flaws to interested parties other than Facebook or to simply release the information anonymously to the public.
These "damages" are the lawyer's fees associated with making claims against the "criminal" and the programmers needed to correct the vulnerability... (which are probably the same programmers whose code was vulnerable in the first place.)
Facebook, you just set the tone for how security researchers will reveal your vulnerabilities in the future. You just made a very uncomfortable bed for yourself to lie in.
He also did not cause any real harm. I guess how far to the left or right one leans determines whether or not the line should be drawn at "causing harm" or "had no business doing it."
Who says he doesn't understand the issue? What this kid did was illegal and wrong, regardless of his "ethical" motivations for doing it. If you suspect that there's a security vulnerability somewhere, then you can notify the owner of the systems in question about it. If they feel inclined, they might ask you to do some penetration testing for them. If you just go ahead and do it without permission, though, you're illegally accessing someone else's systems without their consent, and by all means you should be convicted and sentenced for it. If I forget to lock my door on my way out of my house one day and come home to find an "ethical" thief in my home waiting to educate me on the importance of locking my doors, you can bet that I'll be calling the police.
...but a breach into any company is breaking and entering if you haven't been assigned to do so for testing the security vulnerabilities by the company itself.
It's kind of like catching a thief without any goods, but inside of your home. Uhm...I'm just testing your security system, now you know you have a weak system, thank you - I'll mail you the bill.
What this world is coming to - is for you and me to decide.
It is inexcusable to let people pass judgement in matters they don't comprehend.
I think the judges understand the law quite clearly. Unauthorized access is against the law. Many people have tried the "ethical hacker" defense and it almost always fails.
It is inexcusable to let people pass judgement in matters they don't comprehend.
I'm pretty sure that the 20th Century Judges fully comprehend[1] the 20th Century laws that are the basis of these types of cases.
[1] For the average judge. I know there are outliers in either direction.
I call bullshit. He "runs a tax registered security company," which means his motivation was largely if not entirely monetary. Hardly ethical.
ooo, that's got to hurt.
That is, doing a security audit, implementing tests and fixing bugs? If you have poorly tested code, and you notice it because someone is trying to get in through the back door, you should not try to charge them for your own faults.
Hopefully, you would have spent that money anyway.
If you hadn't, then good thing someone came in before you had also to face more serious consequences (as in a public exploit or distributed attack).
Considering that most of the judges from the 21st century are, at most, 12, and not even lawyers, let alone judges, yet kinda makes this tough.
Claiming he caused $200,000 in damages is absurd; what is the actual damage? Fixing vulnerabilities that were there in the first place?
I always think it's funny that when hackers get busted and the company has to spend a ton of cash on securing their servers/software they claim it's somehow the hacker that caused the damages. They had to be secure in the first place.
Explain how reporting a vulnerability to a company causes damages. Maybe it was illegal, but it is certainly not damaging. In your thief example, you could get the guy jailed for breaking and entering, but you couldn't get him to pay you for the stuff he didn't take.
So you're walking through the business district of a city and just jiggling door knobs to see if anyone left anything unlocked.
Why? Because you're a "white hat".
That's the FIRST issue that you have to get through to the judge.
Once you find an open door, you go inside and take some important stuff out. So that you can prove to the company that you were inside.
That's the SECOND issue you have to get through to the judge.
Then, you call the company and tell them that door X is unlocked and you can prove it because you have property Y.
The company (being unenlightened and still thinking in physical world terms) calls the cops and you are arrested. Even though you intended to give property Y back to the company.
It makes sense that way.
So, do NOT freelance. If you do NOT have a signed contract with the company you CAN be prosecuted. You have to put in the EXTRA EFFORT to distinguish your actions from the actions of the bad guys. A signed contract does that.
The judge followed the law. That is what he is OBLIGATED to do.
When we get to the point of allowing ANY LAME excuse as a reason to violate ANY law we will have lost everything the rule of law offers to society.
I can see the excuses from the witness stand:
Why yes, officer, I did shoot you, I was performing a public service by testing your bullet proof vest. You should get a better one, yours is all bloody anyway.
Yes, Mr. Banker, I did test your vault door last night, as a public service and to guarantee my money was safe, but sadly I had to withdraw my funds (and the funds of other concerned citizens) after the vault door proved ineffective against 5 pounds of C4. Sorry about the rest of your building. It's all for the best you know.
It's perfectly obvious that he was trying to break in without authorization, and he would have had to be trying for a long time. No way he gets it right the first try.
And even if he found it by accident (yeah right) he should have written a bug report or an email complaining that his perfectly valid use of facebook accidentally discovered a flaw. You don't steal the silver and the jewelry just to point out to your neighbor that he failed to lock the front door when he went out of town.
From the article:
"Judge McCreath told him
'This was not just fiddling about in the business records of some tiny business of no great importance and you acquired a great deal of sensitive and confidential information to which you were simply not entitled.'"
I think we can pretty clearly see where the judge's opinion lies.
You don't hack a bank across state lines from your house, you'll get nailed by the FBI.
But in all seriousness, really? Has this guy not read the news ever? Throwing out common sense, ahh nevermind.
The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'
Mr. Patel? Is that Mr. Synthesizer Patel? I guess he discovered music wasn't paying the bills.
Also as to the judge's understanding:
"'You and others who attempt to hack really must understand how serious this is, the creation of that risk the extent of that risk and the cost of putting things right.'"
As others have said - the risk was there whether or not the kid hacked in. He didn't create the risk.
"The judge followed the law. That is what he is OBLIGATED to do."
Which was his first mistake. A jury is NOT obligated to follow the law and a Jury can find someone not guilty in spite of the law if they find a law unjust.
Problem is most judges bullshit the jury and tell them they have to follow what the law says. In reality they do not.
Shouldn't we be jailing the Facebook people for not securing our data properly ??????
You must have missed the part where he downloaded their (trade secret) source code, and could have (may have, for all we know) done whatever he wanted with it.
What makes you think this UK Judge was presiding over a Jury Trial?
1. "Judges from the 20th century" is an expression, it means judges who don't comprehend modern technologies and values.
2. Even if taken literally, a judge from the 21st century would be someone who was appointed a judge in this century, of which there are many.
3. Considering your epic failure at intelligence, I'd say you're a complete waste of oxygen.
Considering that most of the judges from the 21st century are, at most, 12, and not even lawyers, let alone judges, yet kinda makes this tough.
I salute you sir; nicely done. Although the disturbing thought did occur to me that perhaps the GP was in fact calling for the reinstatement of nineteenth century judges to adjudicate these newfangled matters.
In the Netherlands, damages are only that what you have to spend to put the original situation back. If that means reinstalling 3 servers from scratch, I doubt you'd be looking at 200K. However, if you need to do forensics to actually establish that it was just the 3 servers and you need an external company to do that because privacy regulations from the government mandate that, 200K sounds plausible.
If you were never planning on releasing or selling any of the vulnerabilities you found. If you were willing to give them to the person/business you hacked in to, without any compensation, you'd be called an ethical hacker. Mind you, that doesn't make it less illegal to do the hacking. You just won't be guilty of other crimes.
As a business, it makes no sense to have an ethical hacker prosecuted, since they are providing a service for you that would normally cost you a very substantial amount of money. However, not paying people will not help getting people to be "ethical" with you. Getting them prosecuted will not help either, they will just hide their tracks better and simply sell anything they find to the highest bidder, or put it out in the open for anyone to abuse. Groups of people with "poor impulse control" might take offense from a judgement like this and take their frustration out on the company that decided to get the hacker prosecuted.
This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.
While that may be true, that doesn't appear to be the judge's rationale for convicting the kid.
It sure sounds like the judge is rationalizing the ostrich strategy when he says that the kid's actions had 'real consequences and very serious potential consequences' for Facebook. Those consequences existed not because of the kid's actions but because of Facebook's security failings. Even if the kid had done nothing, those vulnerabilities would still be there and Facebook (and more importantly Facebook's users) would have faced just as much, if not more, risk than they did if the kid had done nothing.
26 isn't really a "kid", is it. But true, they should have granted him more benefit of the doubt of what his intentions were. But still, one can not simply go hacking stuff and say you're "pen testing". Penetration testing has procedures that need to be followed to avoid getting into shit like this guy did.
Perhaps in the judge's point of view, if nobody ever hacked, there would not be a risk like this. So, people hacking stuff creates said risk. So... people who hack anything must be punished for the existence of this risk, no matter what they hacked or why they hacked.
The risk was when he stole the data, not when he broke in.
He's a Brit, you twit.
We like to think of our friends across the pond as being progressive. Sadly, this assumption becomes more and more invalid with each passing day.
Saying "I'm an ethical hacker" when you get caught doesn't mean you don't do time.
It means you are an idiot.
Yeah, except you say that, except you wouldn't get one of your hypothetical 'ethical' thieves. Apart from maybe if it was a close friend or something that you knew and trusted very well.
This world will progress when we start judging on motive instead of some false sense of superiority.
Wait, isn't what you just said pretty much a definition of a mind crime? It was all in his head, after all (or equivalent to being in his head). So now when we know too much we're supposed to go to jail?! Just because he was not entitled to knowing something should not make it illegal, IMHO such laws are entirely unconscionable. Now don't get me wrong, I do understand that there are secrets of various nature (military, industrial, etc), but the punishment shouldn't be for knowing them, but for illegal disclosure.
In 2005, Chris Putnam created a Facebook worm; eventually the worm got traced back to him and Facebook hired him.
Facebook has also previously hired Geohot, of the iPhone/Sony hack fame.
... if they discover what they believe might be a vulnerability in somebody else's software, perhaps not deliberately trying to do so, what do they do? I mean, the only thing that would actually qualify as proof of a real vulnerability is if they downloaded something they weren't supposed to, which might require actually trying to do, but at the same time it would be illegal to attempt to do so. What is a person really supposed to do?
So it's okay to hack a small business but not a large international one? The legality of an offence depends on the amount of capital the plaintiff has? The rich now have more rights than the poor?
If I forget to lock my door on my way out of my house one day and come home to find an "ethical" thief in my home waiting to educate me on the importance of locking my doors, you can bet that I'll be calling the police.
There's the right, there's the wrong, there's the lawful and there's the unlawful/illegal. Right and lawful aren't the same, as aren't wrong and unlawful. They should be, but they aren't. That said, there are people who tend to operate more along the right-wrong axis of the ethical plane, and those who tend to operate more along the lawful-unlawful one (and I thank D&D for the clear way in which they express this insight). From your described hypothetical reaction it's clear you're of the latter persuasion (lawful-neutral perhaps?), as are, quite evidently, lawyers, judges, most CEOs etc. Hackers, however, operate mostly on the former, as would be the case with your ethical "chaotic-good" thief. And, as in the game, there's no resolution in sight for this real world clash of worldviews, the sad thing being that, whenever two "goods" battle trying to figure out which one is the "best", they both weaken, and the actual villains advance.
Considering that most of the judges from the 21st century are, at most, 12, and not even lawyers, let alone judges, yet kinda makes this tough.
The corollary to this, of course, is that 20th Century judges have had 12 years to adjust their intellectual stance to accommodate 21st Century circumstances. GP's point stands.
So yeah, downloading an external drive's worth of information did not seem suspicious at all. For me, I am all for finding vulnerabilities and letting the company know. But when you end up downloading all that information, it just seems a bit odd. Then again, I am not a super class SSS hacker so my feeble mind probably cannot comprehend the reasoning behind doing so.
I'm pretty sure that most 12 year olds understand computers better than judges.
Mangham's defense lawyer, Mr. Ventham, pointed out that Mangham is an 'ethical hacker' and runs a tax registered security company.
Doesn't sound so ethical to me.
He's running a business. That means he ought to abide by the rules we expect to apply to businesses. In this case, obtain prior consent, agree on charges/fees/rewards up-front, and do not copy what isn't yours to copy.
(A lot of businesses don't abide by these rules, but that's why we get all pissed at them for being unethical.)
It doesn't look like this "student/business owner" bothered with any of that, and got in trouble for it. Not really much of a story there.
Why Facebook isn't being lambasted for their shoddy system is another matter. Their breach of ethics for failing to design a reasonably secure system is arguably more significant than this unethical 'ethical hacker'.
We don't let banks get away with designing bank vaults made of 3/8" drywall over 2x2 studs. We expect banks to put forth a level of effort securing the valuables in their care proportional to the value of what's being protected. If they do a shoddy job and fake it, and get robbed, we'll punish the robbers, sure... and then ensure that heads roll at the bank.
And yet, even if I accepted this as true, burglars -- even serial burglars -- are not sentenced based on potential deaths.
And neither was this guy. He was sentenced for what he did, the judge was just giving him the traditional 'you're lucky you didn't kill someone' lecture when passing sentence.
Car analogy: it's the same as a judge lecturing a drunk driver and telling him that he's lucky he's not on manslaughter charges. The drunk isn't being convicted or sentenced for potential manslaughter, he's being convicted and sentenced for DUI.
I've been in my fair share of court rooms and there's one thing Judges and Magistrates all seem to enjoy doing most, asserting their dominance over the courtroom by lecturing people like small children. This feels great when they are attacking the other guy's lawyer, not so much if they attack you.
"Alison Saunders, from the Crown Prosecution Service, described the case as 'the most extensive and flagrant incidence of social media hacking to be brought before British courts'."
So News Corp's phone hacking scandal paled in comparison? Oh I know what you're going to say, News Corp isn't a social media site, then my answer is "It isn't news either".
I think the real issue here isn't the hack, I think it's that Goldman Sachs has plans for Facebook's IPO and wants to set an example for the shareholders to see.
The hacker's real crime was his terrible timing.
If only Harvard had prosecuted Zuckerberg when he hacked Kirkland House's online mailing lists to spam users with links to his Facemash service, Facebook might have never existed and this may have never happened at all.
Why would a judge adjust their intellectual stance for something outside of their expertise (technology, as opposed to legal doctrine)?
Could they be MORE savvy about it? Maybe. But most of them are of an age where they didn't grow up with this stuff, and indeed, have spent the majority of their lifetimes predating this technology in widespread use. By this point, picking up more than bare rudiments is VERY difficult for these people.
Unfortunately, getting people into these professions with a "born into it" familiarity is going to take quite a while. And by that point, most of the damage will have been done.
This is me not arguing.
Exactly what are those costs for? Shoring up holes they should have shored up anyway? How is that the student's fault at all? How is that a consequence of the student's actions? If anything FB should be fucking thankful to him, and apologetic to its users for having that hole in the first place.
On the one hand, Mangham definitely didn't have prior authorization. His actions were illegal, regardless of his intentions.
On the other hand, Facebook's long-term security has been dramatically weakened. Now, anybody who finds a vuln in Facebook isn't going to report it for fear of doing jail time.
Sounds like a fuck-up for everyone involved.
Or you know you follow Facebook's procedure for their bug-bounty program: https://www.facebook.com/whitehat/bounty/ Paying special attention to the following section:
Exclusions
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):
Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
Security bugs in third-party websites that integrate with Facebook
Security bugs in Facebook's corporate infrastructure
Denial of Service Vulnerabilities
Spam or Social Engineering techniques
If you want to test any of those, you do what practically any book on "ethical hacking" ever states and you get prior authorization.
Sentencing Mangham, Judge Alistair McCreath said his actions could have been "utterly disastrous" for Facebook ... and had "real consequences and very serious potential consequences"...
I wonder if the judge is aware that his assessment of Mangham's actions, as quoted, is also an accurate assessment of the security flaw that Mangham exploited, that existed before he even touched a Facebook server. I see no mention of the potential loss to Facebook had the security flaw been exploited to do real harm. There is no question that this would have made $200,000 look like a small amount.
It is my opinion that the court completely failed to see Mangham's actions in perspective. Theft of IP is a serious matter. However, the judge
acknowledged that Mangham had never intended to pass on any of the information he had gathered, nor did he intend to make any money from it
Furthermore, no actual damage was done. The sentence was all about risk. The judge said:
"The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I'm afraid a prison sentence is inevitable."
But if the sentence was all about risk, why did the judge not consider the enormous reduction in risk that resulted from Mangham's actions? Was the "creation of that risk" all a small price to pay for closing what is obviously a colossal security hole - a much bigger risk?
The bewilderingly long prison sentence leaves me wondering if there is more to this than we can see. For example, we all know that social media is a key tool used by intelligence gathering agencies. What, or should I say whose, intellectual property did Mangham really see? Also, if people become concerned about the security of social media, they may stop using it. The more evil and clever Mangham is made to look, the less disturbing the Facebook security flaw appears.
Fuck the corporations if you find a vulnerability, hide your track and just let it out into the wild.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
In 2005, Chris Putnam created a Facebook worm; eventually the worm got traced back to him and Facebook hired him.
Facebook has also previously hired Geohot, of the iPhone/Sony hack fame.
You cannot prove that Facebook hired Chris Putnam because he created the worm and broke the law. You cannot prove that Facebook hired Geohot and Geohot didn't actually break the law.
The situation with Geohot was political so it's very likely he got hired for political reasons not because of what exploits he did. Facebook probably only hired him to look good and look friendly towards the hacker community.
Breaking the law isn't how you get hired and if you think so then you're a sucker. Breaking the law is how you get turned into an Adrian Lamo and no one wants to be him.
If I walk into a bank and tell the manager all the flaws in their security, he might get annoyed, but you haven't broken any 'known laws' (who reads all 13,000 pages?).
I bet $199,000 of that loss to facebook was hiring a lawyer.
Liberty freedom are no1, not dicks in suits.
He could have reported it, but he didn't just report it, he exploited it. He could have just written a technical paper.
http://en.wikipedia.org/wiki/Computer_Misuse_Act_1990
Note the links at the bottom to the precise wording of the relevant legislation.
He's got 8 months to learn all about a different kind of back door probing!
Just because it CAN be done, doesn't mean it should!
The bewilderingly long prison sentence leaves me wondering if there is more to this than we can see
Not to mention that for most hackers, even 8 HOURS would very likely lead to being brutally victimized.
At least if Mr. Megaupload.com gets convicted and sentenced, he should be safe (300+ lbs, a lot of muscle!).
Just because it CAN be done, doesn't mean it should!
Why was he trying to crack Facebook's security? Was he contracted through another party to do so, was he invited to do so? Or was this just some random "I'm a good person who likes to find security issues on someone's website and tell them" thing? Why Facebook?
Sorry but whatever his intentions he must have been living under a rock to think he could do this repeatedly and not run across someone that would press charges regardless of his good intentions (real or not). And how could he not know that a court would rule against him? It's not like he is the first to try this. But..
Does anybody else think that when anything is connected to the internet it should be entirely the problem of the person who connected it if something happens? Ok, let me explain what I mean. You have a computer. You write code that tells it to respond to sequences of 1s and 0s (high and low voltages) in various ways. Or.. you pay someone else for the code. Either way you put this thing there. You put the code in that makes it respond to someone else's 1s and 0s. Then you plug it in to this really big public network. You connected it to a huge mess of wires, fiber optic cables and radio links which you do not own. You do not control it. And you know that billions of other people can send their own sequences of 1s and 0s to your computer across this network using the connection that you put in place.
Now somehow when someone sends a sequence of 1s and 0s that you don't like they are legally culpable? Somehow this is equivalent to vandalism or trespassing, etc...? Even when done by someone that has never been within 1000s of miles of your actual physical property? Somehow when they receive the 1s and 0s that your computer sends them it's theft?
Am I the only person to think the world has gone bat shit insane?
And yet in this country you can get a community or suspended sentence for violent assault :(
Why do we kill the messenger? This is crazy. This guy deserves a thank you, a medal and a high paying job offer. To be guilty of a criminal act, there must be two elements present, the Actus reus and the Mens rea (see http://en.wikipedia.org/wiki/Mens_rea). 'actus non facit reum nisi mens sit rea, which means "the act does not make a person guilty unless the mind is also guilty".' Sorry, this guy definitely did not have the mens rea. Why do we kill the messenger? What is wrong with us?
Before you choose a side to fight, forget about who's wrong or right
If you like your neck, you best as heck start rooting for the winner
This brave new world is knocking at your door, and you better let it in
The constitution's evolution never made a contribution to the revolutionary man
And it's a crime
To speak your mind
And it's a crime...
Don't say a word, cuz if you're heard
That blade is gonna fall
Wrong Side of the Revolution - Josh Woodward http://www.joshwoodward.com/song/WrongSideoftheRevolution
This geek has done Facebook a favor by exposing the loopholes in their system, now Facebook has an opportunity of making their system more secure, and that is how communities of developers can help make the internet more secure. Facebook's/Courts' chest thumping isn't good for anyone because next time someone comes across a hole, Facebook will have to eat its pride.
White hat people (and gray hat like this one looks like) go around Facebook in a wide circle.
Facebook is left to its obviously non-competent, happylawyery self and, of course, to black hats.
Good thing I never put anything remotely important on their servers.
Also possible - Facebook pleads for this guy, now when he is sentenced, to get maximum positive press.
Welcome to the Corporate States of America! Our jurisdiction is worldwide and we have storm troopers and sycophants all over the universe! Property rights, "intellectual" or not, trump human rights by miles.
What makes you think this UK Judge was presiding over a Jury Trial?
It was at Crown court, so would normally be a jury trial. However, as he pleaded guilty, it's kind of moot.
In general, the answer to that question is as close as the technologically illiterate fuckhead any given judge will see in his or her bathroom mirror.
I find it funny that people can even consider this an offense that requires penal action. Issues of intellectual property notwithstanding (I disregard the notion of IP as a justifiably stable reference point for the issues at hand), this shows that vulnerabilities exist. This shows that an unauthorized third party can and did gain access to data that was supposedly secure. Claiming that the man somehow cost the company money is a stupid argument; those holes existed, and if you as a company want to retain trust or secrets you were going to plug them anyway, once brought to your attention.
You, as a company, decided to hook into an open and untrusted network, and allowed communication to your information systems from that open and untrusted network. These things are going to happen, no matter how much you prosecute offenders of archaic spatial relation laws. As a company that exists beyond a strict spatial plane, you must be savvy as to these underlying facts. If there is a hole, it will be exploited, and as the number of internet connected devices increases, so do the chances of those holes being exploited and the likelihood of a successful breach.
You can't stop the curiosity of the human mind nor its ingenuity, and you should not seek to. It is simply not logistically possible to have the number of security professionals needed to have a 100% breach proof system. It is, however, possible to cultivate the huge amount of raw talent ever steadily accumulating with those connected devices. It is not, however, possible to retain the benefit of benevolent pro-bono 'security consultants' if you demand all of them pay you money while you demonize them. You will never be able to keep your security up to snuff if your knee-jerk response is to punish curiosity. You need to be flexible. You need to be creative. You need to be curious. You need to want to improve your system in ways not previously explored.
In short, to survive, Facebook needs to learn that being the largest information 'thief' on the internet means that it is necessary to take input from the benevolent 'thieves' pounding on their security 24/7. .... IMHO, of course.
"The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I'm afraid a prison sentence is inevitable."
Yes, my thoughts exactly! The judge's statement makes this ripe for appeal it would seem. The hacker did not create the risk and the need to put it right wasn't caused by the hacker.
However, if a bank builds a vault and a criminal brings a charge large enough to penetrate the vault, he's still committing a crime, even if the bank should have known that someone could theoretically come with a bunker-buster. Trespassing is trespassing. Stealing is stealing.
Fixing the huge gaping security loophole they created in the first place, which put everyone's privacy and data at risk?
FB should have intervened on this guy's behalf, he did them a HUGE favor.
But it's really his poor judgement concerning the type of company and personalities involved in FB that got him into trouble. You can't expect ethical outcomes when dealing with people whose entire business model is based on unethical attitudes about the public using its services.
Explain how reporting a vulnerability to a company causes damages.
He's already broken into your system without your permission or knowledge and downloaded your source code, you're meant to just trust him when he says that he didn't do anything else while he was in there?
You have to spend time and money on working out exactly what he did to make sure that there are no nasty surprises waiting for you.
It's official. Most of you are morons.
It's none of our business, and certainly doesn't justify unapproved penetration testing.
To have a right to do a thing is not at all the same as to be right in doing it
When you plead guilty to a crime in the UK, what you are actually doing is acknowledging all of the prosecution's evidence to be true even though parts may not be factual. Sadly this is the way the British legal system works and one is encouraged to "Plead Guilty" for a third off the sentence in order to save court time.
This has a negative impact whereby some people pleading not guilty go through a trial and then get slammed unfairly. I do not want to rant on about miscarriages of justice but even the Attorney General's Office turns a blind eye to what is deemed "within the public's best interest".
This young man was lucky with 8 months, he will be out of prison on an electronic tag after serving around 3 months. It is a great career move though as he will be hired... Let's just hope not by bankers!
All cows eat grass!