... if they discover what they believe might be a vulnerability in somebody else's software, perhaps not deliberately trying to do so, what do they do? I mean, the only thing that would actually qualify as proof of a real vulnerability is if they downloaded something they weren't supposed to, which might require actually trying to do, but at the same time it would be illegal to attempt to do so. What is a person really supposed to do?
Write about it in your blog or send an email to Facebook. Many security blogs and sites put out details of vulnerabilities in such a way that they aren't legally responsible.
In 2005, Chris Putnam created a Facebook worm; eventually the worm got traced back to him and Facebook hired him. Facebook has also previously hired Geohot, of iPhone/Sony hack fame.
You cannot prove that Facebook hired Chris Putnam because he created the worm and broke the law. You cannot prove that Facebook hired Geohot and Geohot didn't actually break the law.
The situation with Geohot was political so it's very likely he got hired for political reasons not because of what exploits he did. Facebook probably only hired him to look good and look friendly towards the hacker community.
Breaking the law isn't how you get hired and if you think so then you're a sucker. Breaking the law is how you get turned into an Adrian Lamo and no one wants to be him.
I'm sympathetic to that argument. Post-intrusion follow-up, investigation, rootkit removal (read: bare-metal installation after HDD imaging), these are all legitimate expenses incurred even in the case of a white hat.
Fixing the problem they found is not. Conducting an audit to look for similar problems is not.
I wonder if the interrogation folks will turn this idea on its head, and develop ways to implant pain into subjects' brains. As is, "we are not going to physically harm you, but you will think and feel as if we had!" And it leaves behind no physical evidence of abuse.
This would be very ugly.
That's a concern. This is why all this neuroscience stuff should be studied carefully. Knowing how the brain works is nice but it also is dangerous if the people who know don't respect your brain.
In that case Slashdot should have chosen a better title. Either way the concept of trying to erase pain at the source doesn't necessarily solve the problem. The pain exists as part of an alert system; if the limb is removed then it might make sense to change the alert system, but why not use hypnotherapy for something like that?
I think the medical community over-relies on pills. Pills aren't the only type of treatment that exists, and unless pills are the most effective treatment then why push them?
"I can't tell you how much I hope they manage to find a non-opiate way to handle chronic pain"
Try medical cannabis. Major post-operative neuropathic pain after getting a fair bit of my skeleton replaced. Worked just as well as Oxy 40mg.
There's research going on regarding sea slug toxins. I'm really interested in that, because if I could be pain-free without needing to resort to smoking/vaping/eating cannabis, I'm down for it.
The problem with these pills is some of them can permanently alter brain chemistry. It's not a good idea to chemically alter the brain in this way unless you know for certain it won't be permanent. Cannabis isn't permanent, and all the new drugs being created should have their side effects known. Some people should never ever use oxys or any pain pills because they have the genes of an addict; for these people there should be different classes of drugs that are non-addictive. The problem is when these new pills get made the side effects aren't fully considered and some of them turn out to be addictive as hell and life altering.
I can't tell you how much I hope they manage to find a non-opiate way to handle chronic pain. I'm not on them any more, but they are a bitch even when they make life bearable. But there is a difference between physical and emotional pain. I know it's a fact that one can lead to the other (I've experienced it) but normally they have different causes/initiators. And if you can nip one in the bud fast enough, it will stop the spill over effect to the other.
I had a really pinched nerve in my back before (L5/S1) caused by a ruptured disk. Really bad... could barely walk, and not more than a few paces without assistance (and sometimes lying down in just the right position was the only way I could be). Incredible pain, permanent nerve damage, partial paralysis of some muscles in the leg (most of which has come back), and incredible pain where even a mostly nonreligious person like myself would sometimes be reduced to praying for it to stop. Lasted about 9 or 10 months till surgery fixed it about 70%. Yay.
I would have loved something like this if it meant I wouldn't have had to deal with opiates like 80mg Oxycontin to make life livable. And most especially so that I wouldn't have had to endure the physical and emotional effects when weaning myself off that shit after the surgery took away almost all the pain (my doc was totally surprised when I told him I was off the shit several months after the surgery... without his help). I think getting off opiates messes you up almost as long as the injury. People don't get it: once you've had that harsh shit in your system for more than a few months, and at high doses (2 or 3 80s a day... and no it didn't stop all the pain but managed it), just getting it out of your system is the start. It tickles that part of the brain so long and so hard that you literally have a hole in your psyche that doesn't fill in for months and months and months and.... You know something is missing. And then there is the recovering from the emotional turmoil that the pain caused. Put the two together and it took at least a year or so to find an even keel for me. And I know I can be an irritable and maybe :) an irritating fuck at the best of times... but I was a champion then.
I didn't like being on it because it makes you dull. But unlike what many think, it doesn't totally incapacitate you and you can function. Anyway... I hope like hell they find something to help people with chronic pain that works and is more benign than what is out there now. I don't like having to take acetaminophen or NSAIDs every day. I could probably argue for low dose oxys from my doc, but I don't fucking want those... period. Here's to the folks at McGill!
How do we know this stuff is any better or safer than the opiates? Opiates suck but at least we know they work; we don't know if this works and we don't know what side effects it could have.
"You know that pain and guilt can't be taken away with a wave of a magic wand. They're the things we carry with us, the things that make us who we are. If we lose them, we lose ourselves. I don't want my pain taken away! I need my pain!"
It depends on the amount of pain. Pain should definitely be managed, lessened, dulled, but to remove it completely can remove whatever lessons that pain was supposed to teach. Too much pain is bad, but no pain at all causes problems in itself and can be bad.
Chronic pain is a problem but I don't think the way they are going about it is the solution to it.
Trying to mess with the chemistry of the brain can have consequences which may be worse than the chronic pain they are trying to treat. PTSD is a problem, pain is a problem, but trying to erase the memories of it is not the solution.
It's such a waste of money to give these guys a salary when they are billionaires. If I were them I would lower my salary to $1 or I would give myself the salary of my lowest level employee as a gesture.
Ultimately it might have been cheaper just to give the guy a job.
Except that it's insane to employ a blackmailer as you can never ever trust them. Same with a fraudster. You've got to hire someone else to fix the problems, and in general the cost of punishment is regarded as permissible as part of the cost of a reasonable degree of social stability.
He screwed himself, that much is obvious. But the deeper question is if someone genuinely wants to become a pen-tester how should they go about becoming one? When there is no way into the Cyber Security industry then we cannot complain about these desperate hackers who want to find a way in.
How exactly could he have become a pen-tester in the proper way and have avoided this? I don't see how he had so many clear options. I also don't know who told him what. Someone could have mentioned to him that this is how to get noticed or recruited. He still would be an idiot for believing them, but I'm surprised he gets 30 months time for something like this as that seems to be a lot of time.
You are right they can't trust him, but let's be honest, you can't ever trust a social engineer regardless of which side they are on. They are social engineers. It doesn't change the fact that we need social engineers to pen-test networks.
Somehow, I doubt you'd use the same argument to justify the people who mugged you.
Mugging is not remotely similar to what happened here. This guy did a non-violent crime. I'm not justifying any crime of any sort. What I'm saying is that the political policies and in specific corrupt economic policies are going to put hundreds of thousands of people just like him into this desperate state of thinking and situations. It's only a matter of time before cyber crime begins to rise in response to the economic situation.
When people can't find jobs they find something less than constructive to do with their time. What do you expect to happen?
If you're a computer genius you can probably work a till, so why not get a job in a supermarket?
You're being as naive as the guy who thought he could blackmail his way to a job. The job at the supermarket is reserved for people who have friends who already work at the supermarket. If you're not already in with them you won't be hired. If it's a big supermarket then you won't be hired because you don't have any experience working at supermarkets because you're a computer genius. Finally the skills of a computer genius are the exact opposite of the skills required for a supermarket. You picked probably the worst possible example. A better example would be if this guy and 5 of his friends started their own computer-run business, but you aren't going to take a person with computer skills and try to make them into something else in which they have no skill or experience.
That being said, starting a business is very hard to do by yourself and if you have no friends you won't have anyone to hire. A lot of these computer geniuses don't have friends because they are computer geniuses and sometimes the skills of being solitary writing code all day are the exact opposite of the skills needed to organize a team. Nobody taught this guy leadership skills, but then again most people in most industries don't have leadership skills either so he's not alone.
Seriously, if there aren't the jobs around for computer geniuses to work at being geniuses on computers, you have to accept the reality of the situation and find something else to do.
When people can't find anything else they resort to crime. Finding something else to do isn't usually an option for most people in this economy. If you're a genius at computers that's the only thing people are going to pay you to do. No one is going to pay you to mop the floor because there's someone who has been mopping the floors for 5-10 years now who has an advantage over you. No one is going to pay you to work at the supermarket because there's someone who is probably older than you who worked at the supermarket before and who has years of experience.
Let's not overlook the economic factors in this case. I think if this guy could easily have found a job this entire chain of events would have never happened. And no I don't think you can take a person who is a genius in one area and tell them to switch careers. If it were a doctor, or a pilot, or a scientist, we wouldn't tell them or expect them to go work at a supermarket for the rest of their lives after investing their lives into that. It's just as naive as what he did.
Life is not designed solely around your specific wishes, talents and desires.
I'm sure he knows that now that he's in prison. The point is he had the balls to try to change his life and got put in jail because he tried to change it in the wrong way. It doesn't mean he had bad intentions, it just means the way he went about it wasn't the smartest way. If life isn't designed around your wishes, talents and desires then you're supposed to do everything you can to find a way to change that.
What he did however was brave on one hand and naive as hell on the other. He probably should have set up a pen-testing company first. He probably should have built a track record with small businesses.
Ok, you're either a clever troll or an idiot yourself.
Unemployment does not excuse criminality like this. If someone is broke, I excuse them from shoplifting from the supermarket. They need to eat. But I don't excuse them from breaking into houses, or this hacking. Unemployment is not an excuse to commit any crime you want.
People make excuses all the time for bad behavior. Stop believing their lame excuses, unless you yourself are also stupid.
I'm not excusing his actions. I'm saying that political policies promote criminality. When you have policies which produce high amounts of unemployment among skilled labor such as this guy then the result is many of them become criminals.
People need money to survive and that is a fact. We don't know the circumstances of his life to know how bad he needed a job nor do we know what information he was told. He could have been led to believe that this is how you get recruited into the Secret Service. There are guys like Albert Gonzalez who got recruited exactly this way. Then you also have guys like Adrian Lamo who did similar activities and they didn't receive 30 months in jail for it. The guy could have just been desperate and naive.
He could claim entrapment. There are articles every once in a while about some hacker that breaks into somebody's servers, and they're so impressed they recruit him right off.
You'd have to be an idiot to believe things like that, but it doesn't take a lot of brains to cause damage.
It never happens quite like that. First, they never say what these people are being recruited for, do they? So even if this guy was naive and thought he would get recruited by the Secret Service or some other group there was no guarantee.
Also these "recruits" are typically given the worst jobs and then tossed away like trash when they aren't useful. Look at Albert Gonzalez as an example.
Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs.
Reminds me of Kevin Mitnick. He was convicted for stealing a manual (that could be purchased for a few hundred dollars) AND for the costs to plug all the holes he found.
The difference here is that the hacker in this case seems to be outright guilty of extortion. Why not bust him for that out of the gate?
He's definitely guilty of extortion; the question is why were so many resources invested into him? Now he gets 30 months in prison where even more resources are going to be put into him?
And I'm not sure what message it's supposed to send. If the message is not to extort big corporations I'm sure anyone with sense knows that already. On the same token what are people supposed to do if they find bugs or potential backdoors?
This basically tells them to keep their mouth shut and don't tell anyone. It doesn't actually improve security if we don't know there are holes.
The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation. We need more stories like this to show that the average computer cracker is at least as stupid as the average Joe.
Honestly, any janitor could tell you instantly why this plan is idiotic.
Credulous is not the same as ignorant. The guy was clearly smart. He was just too credulous and perhaps suffering from Asperger's syndrome.
He is just not that smart, period. Say you run a company, some schmuck breaks through some web app and steals some documents and then blackmails you with these documents to get a job? So what does he expect exactly, an actual job from you?
Let me put it this way - I wouldn't call cops on him, I would invite him for an 'interview' and clean his clock.
...and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills. "I found a security hole in your systems and may help you to improve this, and your systems globally."
No, no, no, no, NO.
You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick (even if you found the hole through innocent means), assume that you hacked or were trying to hack into their system, and act accordingly.
Others still won't care, but will be angry that their shortcomings have been exposed (either the organisation as a whole, or vested interests that hold sway within that organisation, e.g. the crappy IT guy who's just been made to look bad) and that they have to correct them. Under such circumstances you are in danger of them maliciously trying to punish you or get revenge in some manner.
You do *not* risk the second or third happening, regardless of whether informing the company would benefit them. Ideally you'd be able to, but this isn't an ideal world, and you do not put yourself at risk for a benefit that they might not perceive as such. At best, if you need to report this kind of thing, you do it anonymously and/or in a manner that makes it untraceable or at least such that you won't be at risk of retribution.
This is the problem with geeks not understanding that the world does not operate in the logical manner they'd like to think, of assuming that people will behave logically and of not factoring in personal politics, self-interest and inadvertently standing on someone else's toes.
Apparently the geek in question didn't understand how the world operates. He's naive and also he's not from our country so he had no idea how our corporations would react.
If you're from the USA then you know a good deed never goes unpunished. Intentions don't really mean anything. What matters is not getting caught or not doing the crime at all. What matters is that you get an education AND work experience.
You cannot gain valuable experience from hacking. You can gain valuable experience from working. You can work either by starting your own company with a group of like minded hackers, or by being lucky and winning a job.
But you cannot blackmail your way to a job, and if you know some elite exploit it's better to keep it to yourself until you actually HAVE the job. This guy should have kept his secrets to himself until he found a job as a pentester or he should have sold his secrets to other hackers and made money that way. What he did was just naive and stupid.
They probably should spend some money curing cancer but it won't cost 50 billion or even 1 billion.
Maybe it's time to abolish the minimum wage in America and deflate the US economy so that we can compete with China.
He could have reported it but he didn't just report it he exploited it. He could have just written a technical paper.
Related: How's that related to this? https://www.facebook.com/whitehat/ Did he not follow the procedures?
That guy isn't/wasn't a white hat. He broke the law without a signed agreement. Breaking the law to support a corporation is not ethical.
If memories can be erased, what better threat than to threaten to wipe someone's memories?
I think the idea is shortsighted and will have unintended consequences.
And I'm sure the military and governments have interesting plans for this.
It's such a waste of money to give these guys a salary when they are billionaires. If I were them I would lower my salary to $1 or I would give myself the salary of my lowest level employee as a gesture.
Ultimately it might have been cheaper just to give the guy a job.
Except that it's insane to employ a blackmailer as you can never ever trust them. Same with a fraudster. You've got to hire someone else to fix the problems, and in general the cost of punishment is regarded as permissible as part of the cost of a reasonable degree of social stability.
He screwed himself, that much is obvious. But the deeper question is if someone genuinely wants to become a pen-tester how should they go about becoming one? When there is no way into the Cyber Security industry then we cannot complain about these desperate hackers who want to find a way in.
How exactly could he have become a pen-tester in the proper way and have avoided this? I don't see how he had so many clear options. I also don't know who told him what. Someone could have mentioned to him that this is how to get noticed or recruited. He still would be an idiot for believing them, but I'm surprised he gets 30 months time for something like this as that seems to be a lot of time.
You are right they can't trust him but lets be honest you can't ever trust a social engineer regardless of which side they are on. They are social engineers. It doesn't change the fact that we need social engineers to pen-test networks.
Somehow, I doubt you'd use the same argument to justify the people who mugged you.
Mugging is not remotely similar to what happened here. This guy did a non-violent crime. I'm not justifying any crime of any sort. What I'm saying is that the political policies and in specific corrupt economic policies are going to put hundreds of thousands of people just like him into this desperate state of thinking and situations. It's only a matter of time before cyber crime begins to rise in response to the economic situation.
When people can't find jobs they find something less than constructive to do with their time. What do you expect to happen?
If you're a computer genius you can probably work a till, so why not get a job in a supermarket?
You're being as naive as the guy who thought he could blackmail his way to a job. The job at the supermarket is reserved for people who have friends who already work at the supermarket. If you're not already in with them you wont be hired. If it's a big supermarket then you wont be hired because you dont have any experience working at supermarkets because you're a computer genius. Finally the skills of a computer genius are the exact opposite of the skills required for a super market. You picked probably the worst possible example. A better example would be if this guy and 5 of his friends started their own computer run business, but you aren't going to take a person with computer skills and try to make them into something else in which they have no skill or experience.
That being said starting a business is very hard to do by yourself and if you have no friends you wont have anyone to hire. A lot of these computer geniuses don't have friends because they are computer geniuses and sometimes the skills of being solitary writing code all day are the exact opposite of the skills needed to organize a team. Nobody taught this guy leadership skills but then again most people in most industries dont have leadership skills either so he's not alone.
Seriously, if there aren't the jobs around for computer geniuses to work at being geniuses on computers, you have to accept the reality of the situation and find something else to do.
When people can't find anything else they resort to crime. Finding something else to do isn't usually an option for most people in this economy. If you're a genius at computers thats the only thing people are going to pay you to do. No one is going to pay you to mop the floor because theres someone who has been mopping the floors for 5-10 years now who has an advantage over you. No one is going to pay you to work at the supermarket because theres someone who is probably older than you who worked at the supermarket before and who has years of experience.
Let's not overlook the economic factors in this case. I think if this guy could easily have found a job this entire chain of events would have never happened. And no I don't think you can take a person who is a genius in one area and tell them to switch careers. If it were a doctor, or a pilot, or a scientist, we wouldn't tell them or expect them to go work at a supermarket for the rest of their lives after investing their lives into that. It's just as naive as what he did.
Life is not designed solely around your specific wishes, talents and desires.
I'm sure he knows that now that he's in prison. The point is he had the balls to try to change his life and got put in jail because he tried to change it in the wrong way. It doesn't mean he had bad intentions it just means the way he went about it wasn't the smartest way. If life isn't designed around your wishes, talents and desires then you're supposed to do everything you can to find a way to change that.
What he did however was brave on one hand and naive as hell on another. He probably should have set up a pen-testing company first. He probably should have built a track record with small businesses
Ok, you're either a clever troll or an idiot yourself.
Unemployment does not excuse criminality like this.
If someone is broke, I excuse them from shoplifting from the supermarket. They need to eat. But I don't excuse them from breaking into houses, or this hacking. Unemployment is not an excuse to commit any crime you want.
People make excuses all the time for bad behavior. Stop believing their lame excuses, unless you yourself are also stupid.
I'm not excusing his actions. I'm saying that political policies promote criminality. When you have policies which produce high amounts of unemployment among skilled labor such as this guy then the result is many of them become criminals.
People need money to survive and that is a fact. We don't know the circumstances of his life to know how bad he needed a job nor do we know what information he was told. He could have been led to believe that this is how you get recruited into the Secret Service. There are guys like Albert Gonzalez who got recruited exactly this way. Then you also have guys like Adrian Lamo who did similar activities and they didn't receive 30 months in jail for it. The guy could have just been desperate and naive.
He could claim entrapment. There are articles every once in a while about some hacker that breaks into somebody's servers, and they're so impressed they recruit him right off.
You'd have to be an idiot to believe things like that, but it doesn't take a lot of brains to cause damage.
It never happens quite like that. First they never say what these people are being recruited for do they?
So even if this guy was naive and thought he would get recruited by the Secret Service or some other group there was no guarantee.
Also these "recruits" are typically given the worst jobs and then tossed away like trash when they aren't useful. Look at Albert Gonzalez as an example.
Why would anyone want to be him?
It's actually fairly common among hackers.
Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs.
Reminds me of Kevin Mitnick. He was convicted for stealing a manual (that could be purchased for a few hundred dollars) AND for the costs to plug all the holes he found.
The difference here is that the hacker in this case seems to be outright guilty of extortion. Why not bust him for that out of the gate?
He's definitely guilty of extortion, the question is why were so many resources invested into him?
Now he gets 30 months in prison where even more resources are going to be put into him?
And I'm not sure what message it's supposed to send. If the message is not to extort big corporations I'm sure anyone with sense knows that already. On the same token what are people supposed to do if they find bugs or potential backdoors?
This basically tells them to keep their mouth shut and don't tell anyone. It doesn't actually improve security if we don't know there are holes.
The real question is why are so many people so desperate to find a job that they are beginning to resort to blackmail?
And how often is blackmail being used or perhaps other means like quid pro quo to decide who gets hired and fired?
In some ways what he did wasn't stupid, it was just inappropriate.
The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation. We need more stories like this to show that the average computer cracker is at least as stupid as the average Joe.
Honestly, any janitor could tell you instantly why this plan is idiotic.
Credulous is not the same as ignorant. The guy was clearly smart. He was just too credulous and perhaps suffering from Asperger's syndrome.
He is just not that smart, period. Say you run a company, some schmuck breaks through some web-app and steals some documents and then blackmails you with these documents to get a job? So what does he expect exactly, an actual job from you?
Let me put it this way - I wouldn't call cops on him, I would invite him for an 'interview' and clean his clock.
But you'd also know your IT dept sucks.
..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills.
"I found a security hole in your systems and may help you to improve this, and your systems globally".
No, no, no, no, NO.
You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick, even if you found the hole through innocent means, and assume that you hacked or were trying to hack into their system, and act accordingly.
Others still won't care, but will be angry that their shortcomings have been exposed (either the organisation as a whole, or vested interests that hold sway within that organisation, e.g. the crappy IT guy who's just been made to look bad) and that they have to correct them. Under such circumstances you are in danger of them maliciously trying to punish you or get revenge in some manner.
You do *not* risk the second or third happening, regardless of whether informing the company would benefit them. Ideally you'd be able to, but this isn't an ideal world, and you do not put yourself at risk for a benefit that they might not perceive as such. At best, if you need to report this kind of thing, you do it anonymously and/or in a manner that makes it untraceable or at least such that you won't be at risk of retribution.
This is the problem with geeks not understanding that the world does not operate in the logical manner they'd like to think, of assuming that people will behave logically and of not factoring in personal politics, self-interest and inadvertently standing on someone else's toes.
Apparently the geek in question didn't understand how the world operates. He's naive and also he's not from our country so he had no idea how our corporations would react.
If you're from the USA then you know a good deed never goes unpunished. Intentions don't really mean anything. What matters is not getting caught or not doing the crime at all. What matters is that you get an education AND work experience.
You cannot gain valuable experience from hacking. You can gain valuable experience from working. You can work either by starting your own company with a group of like-minded hackers, or by being lucky and winning a job.
But you cannot blackmail your way to a job and if you know some elite exploit it's better to keep it to yourself until you actually HAVE the job. This guy should have kept his secrets to himself until he found a job as a pentester or he should have sold his secrets to other hackers and made money that way. What he did was just naive and stupid.