Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Student Jailed For Facebook Hack Despite 'Ethical Hacking' Defense

Posted by Soulskill on from the judge-didn't-buy-it dept.

Diamonddavej writes "The BBC reports that software development student Glenn Mangham, a 26-year-old from the UK, was jailed 17 February 2012 for eight months for computer misuse, after he discovered serious Facebook security vulnerabilities. Hacking from his bedroom, Mangham gained access to three of Facebook's servers and was able to download to an external hard drive the social network's 'invaluable' intellectual property (source code). Mangham's defense lawyer, Mr. Ventham, pointed out that Mangham is an 'ethical hacker' and runs a tax registered security company. The court heard Mangham previously breached Yahoo's security, compiled a vulnerability report and passed on to Yahoo. He was paid '$7000 for this achievement,' and claims he was merely trying to repeat the same routine with Facebook. But in passing sentence, Judge Alistair McCreath said despite the fact he did not intend to pass on the information gathered, his actions were not harmless and had 'real consequences and very serious potential consequences' for Facebook. The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'"

10 of 356 comments (clear)

  1. Uhh by The+MAZZTer · · Score: 5, Insightful

    This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.

    1. Re:Uhh by Jah-Wren+Ryel · · Score: 5, Insightful

      This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.

      While that may be true, that doesn't appear to be the judge's rational for convicting the kid.

      It sure sounds like the judge is rationalizing the ostrich strategy when he says that the kid's actions had 'real consequences and very serious potential consequences' for Facebook. Those consequences existed not because of the kid's actions but because of facebook's security failings. Even if the kid had done nothing, those vulnerabilities would still be there and facebook (and more importantly facebook's users) would have faced just as much, if not more, risk than they did if the kid had done nothing.

      --
      When information is power, privacy is freedom.
    2. Re:Uhh by rgbrenner · · Score: 5, Insightful

      The lock on your bedroom window is crap. I broke it last night, and then rifled through all of your stuff. Did the same to 2 of your neighbors also.. ya know, just to show it wasn't a fluke.

      Your welcome.

      I would like my reward now.

    3. Re:Uhh by russotto · · Score: 5, Insightful

      The lock on your bedroom window is crap. I broke it last night, and then rifled through all of your stuff. Did the same to 2 of your neighbors also.. ya know, just to show it wasn't a fluke.

      Your welcome.

      I would like my reward now.

      OK, we'll sentence you based on the potential damage you might have done -- to wit, you could have accidentally burned the entire house down while you were there, and the fire could have spread to the entire neighborhood and killed a bunch of people.

      Sentence the man for what he did: breaking into the computers. Not based on crap like "Potentially what you did could have been utterly disastrous to Facebook"

    4. Re:Uhh by rohan972 · · Score: 5, Insightful

      Sentence the man for what he did: breaking into the computers. Not based on crap like "Potentially what you did could have been utterly disastrous to Facebook"

      Creating a hazard can be illegal, eg: you can be booked for reckless driving even if no other cars are around at the time. Leaving aside the question of whether it was he or Facebook that created the hazard, or what proportion of culpability should be shared, the sentence is based not on what he did, but who he did it to (from the first link in the summary) :

      "You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance,"

      So to answer rgbrenner's "lock on your bedroom window is crap", argument, the judge's response is "You broke the bedroom lock on a rich man's house, it's not like you broke into the house of normal people".

      You don't have to be sympathetic to this guy to find this court judgement reprehensible.

      --
      http://marriedmansexlife.com/
  2. Let this be a lesson to all by erroneus · · Score: 5, Insightful

    In the case of companies like Yahoo, you can do this. But in the case of Facebook, it's better to sell any uncovered flaws to interested parties other than Facebook or to simply release the information anonymously to the public.

    These "damages" are the lawyer's fees associated with making claims against the "criminal" and the programmers needed to correct the vulnerability... (which are probably the same programmers whose code was vulnerable in the first place.)

    Facebook, you just set the tone for how security researchers will reveal your vulnerabilities in the future. You just made a very uncomfortable bed for yourself to lie in.

  3. Re:Judges from the 20th century have to go by bieber · · Score: 5, Insightful

    Who says he doesn't understand the issue? What this kid did was illegal and wrong, regardless of his "ethical" motivations for doing it. If you suspect that there's a security vulnerability somewhere, then you can notify the owner of the systems in question about it. If they feel inclined, they might ask you to do some penetration testing for them. If you just go ahead and do it without permission, though, you're illegally accessing someone else's systems without their consent, and by all means you should be convicted and sentenced for it. If I forget to lock my door on my way out of my house one day and come home to find an "ethical" thief in my home waiting to educate me on the importance of locking my doors, you can bet that I'll be calling the police.

  4. Sugarcoat it all you want... by MindPrison · · Score: 5, Insightful

    ...but a breach into any company is a break-in-and-entering if you haven't been assigned to do so for testing the security vulnerabilities by the company itself.

    It's kind of like catching a thief without any goods, but inside of your home. Uhm...I'm just testing your security system, now you know you have a weak system, thank you - I'll mail you the bill.

    --
    What this world is coming to - is for you and me to decide.
  5. Poor Yahoo by Dr.+Evil · · Score: 5, Funny

    "You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance," he said.

    ooo, that's got to hurt.

  6. Re:"Damage" by spire3661 · · Score: 5, Insightful

    Causing a full security review after a known penetration costs REAL WORLD MONEY. You have to pay people for the expense of figuring out what happened. It is interesting that you disregard this aspect of the problem entirely. He had no business being there, flat out. There is no inherent right to crack other people's property. I find nothing wrong in the law saying 'thou shalt not penetrate others network without explicit permission or authority.' This person had neither.

    --
    Good-bye