Prison Time For Manager Who Hacked Ex-Employer's FTP Server, Email Account

Catalin Cimpanu, writing for BleepingComputer: Jason Needham, 45, of Arlington, Tennessee was sentenced last week to 18 months in prison and two years of supervised release for hacking his former company's FTP server and the email account of one of his former colleagues. Needham did all the hacking after he left his former employer, Allen & Hoshall (A&H), a design and engineering firm for which he worked until 2013. Needham left to create his own company named HNA Engineering together with a business partner. HNA is also a design and engineering firm. According to court documents obtained by Bleeping Computer, between May 2014 and March 2016, Needham hacked into the email account of one of his former co-workers. From this account, the FBI says Needham took sensitive business information, company fee structures, marketing plans, project proposals, and lists of credentials for A&H's FTP server. A&H rotated its FTP credentials every six months, but Needham acquired new logins from his former colleague's email account.

Hacking?

[Nutria]

Or "using a password you picked up while still at the firm"?

Re:Hacking?

I can read the password on that stick note and type it into a box. Woohoo! I'm a hacker!

Re:Hacking?

[SCVonSteroids]

This definition of "hacking" has always bugged the shit out of me.
The act of hacking is a beautiful thing. Figuring out someone's password and proclaiming you "hacked" them is fucking disgraceful.

Re:Hacking?

No, not hacking.

Industrial espionage. Spying on the competition, and stealing their secrets.

Re:Hacking?

[mjwx]

Or "using a password you picked up while still at the firm"?

This, the headline tries to infer that he was imprisoned for hacking, the summary says he was imprisoned for corporate espionage, whether he did that by electonic means or walking out the front door with a bunch of paper files under his arm does not matter.

Re:Hacking?

[Shimbo]

He was imprisoned for unauthorized access to a computer under the CFAA. Commonly, that's hacking.

bleepingcomputer tells it like it is totes hax!

"Using access credentials that you shouldn't have had, after you left" equals "hacking" now.

Right. That word really doesn't mean squat any longer. Thus we have:

Anything can be hacking and anyone can be a hacker, as the prosecutor likes it.

May you live in Shakespearean times, good sir.

Re:bleepingcomputer tells it like it is totes hax!

[unrtst]

If you can get past that misuse of language ("hacking" = using a password someone gave you before you quit), that company was also sending our FTP passwords to its users via unencrypted email. Whoever authorized that should be fired, and possibly sued in relation to this breach.

Re:bleepingcomputer tells it like it is totes hax!

This is how people use the word hacking in 2010s. It's not the 80s anymore when hacking solely meant soldering parts on a circuit board. Deal with it and move on.

Re:bleepingcomputer tells it like it is totes hax!

[bws111]

Only the 'journalist' who wrote TFA used the word hacking. The actual court documents use the words 'accessed a computer without authorization'.

Re:bleepingcomputer tells it like it is totes hax!

"Using access credentials that you shouldn't have had, after you left" equals "hacking" now.

Right. That word really doesn't mean squat any longer. Thus we have:

Anything can be hacking and anyone can be a hacker, as the prosecutor likes it.

May you live in Shakespearean times, good sir.

Oh, that's nothing. In Australia, sexual assault is being redefined as 'inappropriate staring' or 'inappropriate invitations to a date' or anything that makes a woman feel uncomfortable or offended. Jokes included. Online included. Oh, and 50% of all woman have been sexually assaulted on university campuses last year. Link with survey questions. According to this survey, it is safer to send your female children to Zimbabwe (where there's only a 1 in 5 chance she'll be assaulted) than to the uni in NSW.

Shakespearean machinations, indeed

Amateur. You grab all of that before you leave.

[SensitiveMale]

Have to plan ahead.

Re:Amateur. You grab all of that before you leave.

[Nutria]

The kind of stuff he wanted gets stale very fast. That's why he had to keep "hacking".

Re:Amateur. You grab all of that before you leave.

[Billly+Gates]

Have to plan ahead.

And use a service account or root if it is unix naming it after something sounding technical and legit.

Too Old

This must be fake news because 45 is too old for hacking. Old man was framed. Find the real hackers.

Re:Loser.

Talent will always make more money than educated skill.

Remove all your access

[Major_Disorder]

before you leave.
I am fanatical about it. As you are training your replacement remove all your access. Last thing I do is change my password to something like "N[Sf+JbQ*"X5ReXL54DwUp5>%&{lU3`yP^9T>Bumh~N"L"N9CB,Fu58", with me having no record of it. Then have my replacement disable my account. (Since most places I have worked we used Jira, accounts are really difficult to delete.)
This insures that I am never even tempted to see if I have access, and if some ID10T reactivates my account in the future, the chance of someone hacking it is basically NIL.
I do the same thing with password on every account I ever disable.

Re:Remove all your access

[Major_Disorder]

I am working for a living, and making good money.
Thanks for your concern.

News for Nerds

[VorpalRodent]

So just because the article contains the word "hacking" (regardless of how aptly it was used), this is now News for Nerds / Stuff that Matters?

Unless there are some mitigating factors here to discuss, it looks like this is a very open and shut case of "Idiot knowingly accessed a system without authorization and stole his previous company's data to use in direct competition."

In other news, everyone's local police forces arrested a number of people for various offenses which they allegedly committed.

Re:News for Nerds

[Quirkz]

"Idiot ... stole his previous company's data

Technically it's not theft, it's copyright infringement.That's much worse.

(Actually, I'm guessing there's some other term for accessing corporate secrets. Just couldn't resist the knee-jerk Slashdot correction.)

English Language Usage Tip

"Using access credentials that you shouldn't have had, after you left" equals "hacking" now.

Right. That word really doesn't mean squat any longer. Thus we have:

Anything can be hacking and anyone can be a hacker, as the prosecutor likes it.

May you live in Shakespearean times, good sir.

English language usage tip:
hacker = someone who uses a computer against its owner's usage policy
hacking = any action someone takes to use a computer against its owner's usage policy

The sense of "hacker" as describing a person with great computer skills is now an archaic usage.

Re:English Language Usage Tip

"Using access credentials that you shouldn't have had, after you left" equals "hacking" now.

Right. That word really doesn't mean squat any longer. Thus we have:

Anything can be hacking and anyone can be a hacker, as the prosecutor likes it.

May you live in Shakespearean times, good sir.

English language usage tip:
hacker = someone who uses a computer against its owner's usage policy
hacking = any action someone takes to use a computer against its owner's usage policy

That would imply that you cannot possibly "hack" anything you own. But seeing the actual usage patterns, your definition really means that individual ownership is now an archaic usage as well.

The sense of "hacker" as describing a person with great computer skills is now an archaic usage.

All hail the newspeak, doubleplusextrabetter than the oldspeak.

Re:Amateur. You grab all of that before you leave.

toor

Re:Loser.

Education is a scam to give false hope to the poor. You're either rich or you're not.

Oh, Lordy, FTP needs to just die already

[93+Escort+Wagon]

Guy shouldn't have accessed it without permission... although going into a former colleague's email seems like a bigger deal to me. He deserves whatever he gets.

But, man, if they're running an FTP server in this day and age, this is likely not their only issue.

Re:Oh, Lordy, FTP needs to just die already

Yes they should use rsync instead.

Re:Oh, Lordy, FTP needs to just die already

[Antique+Geekmeister]

Given the lack of understanding of most reporters, it might have been an SFTP server, or even a Kerberized FTPS server. I'd suggest not over-interpreting a casual reference in a news report as proof of incompetence on one party's part.

Re:Oh, Lordy, FTP needs to just die already

[schleimkeim]

We run a Windows 2000 FTP server. It's even connected to the internet and regularly used by customers. Yes, you read that right. Windows 2000. I'm amazed that this thing is still running and not halted to a grind by thousands of trojans and virii.

In the words of Nelson Muntz

Ha Ha!

Use S-FTP and Kerberize FTP.

[Zombie+Ryushu]

FTP supports TLS and Kerberos. Why was it not a requirement that to use FTP, you need a Kerberos Ticket from the KDC?

18 months for being naughty?

[mars-nl]

Did he cause any damage except make a company feel bad the hard way for having bad security policy?

Re:Amateur. You grab all of that before you leave.

[mapkinase]

Somewhere TV producers started applauding in unison.

Re:Amateur. You grab all of that before you leave.

[mjwx]

Have to plan ahead.

You'd think so...

I do support for clients in the finance sector. You'd be surprised how many people think that if they move these files a few months in advance, they wont get caught. Hell, I'm surprised how many of them still use email to do it. Finance company == log fucking everything.