Brit student locked up for Facebook source code hack

A British computer science student was jailed for eight months on Friday for hacking into the internal network at Facebook. Glenn Mangham, 26, previously pleaded guilty to hacking into the social networking site between April and May last year. The incident created a flap at Facebook amid fears that hackers were attempting to …

COMMENTS

This topic is closed for new posts.


  1. Bumpy Cat
    FAIL

    Proxies

    People never learn ... proxy several times or don't try at all.

    1. Anonymous Coward
      Anonymous Coward

      Re: Proxies

      I believe that the correct method has always been NEVER to hack from home...

      1. Peter2 Silver badge

        Re: Re: Proxies

        I believe that the correct method has always been NEVER to hack a network that you aren't being paid to do penetration testing on, with signed paperwork attesting that from their network manager.

        Unless you're willing to do some jail time if and when entire teams of people just as good or better than you are decide to track you down and pass your info to the police.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: Re: Proxies

          How many police in the world are able to track someone who is borrowing someone else's wireless internet service?

          1. Daniel 4

            Re: Re: Re: Re: Proxies

            "How many police in the world are able to track someone who is borrowing someone elses wireless internet service?"

            We know of at least one company that built a huge wifi database that included MAC and physical address correlations, even if they did get slapped down for it (Google, I'm looking at you). It's not a big stretch to see police using such information in high profile cases.

            -d

      2. Anonymous Coward
        Anonymous Coward

        Re: Re: Proxies

        Hack from someone else's wireless connection. Works for me.

    2. Anonymous Coward
      Anonymous Coward

      Re: Proxies

      He should have been behind at least 7 proxies.

    3. Anonymous Coward
      Anonymous Coward

      Re: Proxies

      Proxy as many times as you like, I bet every single one has logs about who is connecting and from where. Unless it's in a country relatively unfriendly to the US they will give them up when the Feds come knocking.

      1. Wize

        Re: Re: Proxies

        Or, better still, don't use your own connection at all.

        So many unlocked wifi points out there to choose from.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: Re: Proxies

          So many unlocked wifi points out there to choose from.

          Don't forget to spoof your MAC address.

    4. Lockwood

      Re: Proxies

      "People never learn ... proxy several times or don't try at all."

      And make InterNIC your first hop?

  2. Andrew Moore
    Thumb Down

    Really?!?!?

    "software blueprints"????

    Surely you mean "source code".

    1. dotdavid
      Thumb Up

      Re: Really?!?!?

      Unless Facebook keep their source code on blueprints? That would be awesome.

      Hopefully in a bunker tastefully lit with concealed blue lighting. Oh, and some of those laser beam tripwires. And a tank full of sharks.

    2. Anonymous Coward
      Anonymous Coward

      Re: Really?!?!?

      I suspect "software blueprints" really means process flowcharts, specification documentation etc.

      You may have the source code, but it's going to take a hell of a lot more work to interpret it, without the documentation that says how it hangs together and why.

      1. Anonymous Coward
        Happy

        Re: Re: Really?!?!?

        Actually if Facebook is like every other software company, what they have is sparse documentation that vaguely says how it was intended to hang together before they started coding it.

  3. Anonymous Coward
    Anonymous Coward

    Someone give this guy a job, $200,000 on the case, what a waste of money. The MET are useless when it comes to cyber crime and digital forensics, take it from someone who has experience with them.

    1. Peter2 Silver badge
      Thumb Down

      No. You don't give criminals a job just because they broke the law. In fact, it's a reason not to give them a job. The very fact a person has illegally hacked a computer shows that they are not suitable for working in IT because it demonstrates a lack of integrity and moral fibre. It also demonstrates that you can't trust them, a not insubstantial point when working in any non sandboxed position of trust in operations, security, or any job where you work with sensitive material.

      Secondly, giving criminals jobs because they are criminals is stupid. It's encouraging people to break the law for their own gain. Not only is it stupid for that reason, but it would be disadvantageous and insulting to the law abiding (and more competent) people to hire an incompetent "hacker" who firstly broke the law and secondly got caught doing it.

      1. Anonymous Coward
        Anonymous Coward

        @Peter2

        Oh really? What about Frank Abagnale Jr then?

        I know of one person who was given a choice of being charged or working as a security consultant. He's now a very respected member of the security world and gives many lectures and talks on the subject of network security. He did it because "he could" and because he had nothing better to do. There wasn't any malicious intent and he's one of the most trustworthy people I know.

        As he put it: "would you rather your security was designed by someone who knew the theory of security or the practice?" Using people who've been caught in the act is more common than you'd imagine and has to be the ultimate definition of rehabilitation.

        1. Alfred

          Known crims working for me? No thanks.

          The majority of criminals who work somewhere do not use their expertise to prevent crime - if they use it, they use it to carry out crime. Far more people help themselves from the till than turn in their workmates for doing so.

        2. JDX Gold badge

          Re: @Peter2

          >>As he put it: "would you rather your security was designed by someone who knew the theory of security or the practice?" Using people who've been caught in the act is more common than you'd imagine and has to be the ultimate definition of rehabilitation.

          Hiring someone who was once a criminal is one thing. Hiring a current criminal is another.

      2. Jedit Silver badge
        FAIL

        "You don't give criminals a job just because they broke the law"

        Setting a thief to catch a thief is more common than you know. I was going to provide anecdotal evidence of my local police using a guy with a B&E conviction as an official locksmith, but decided against it because it's just anecdotal. Then, with perfect timing, this appeared:

        http://www.bbc.co.uk/news/uk-england-leeds-17075027

        For those who can't be bothered clicking, West Yorkshire Police employ an ex-burglar as a consultant on crime prevention tactics.

        1. Anonymous Coward
          Anonymous Coward

          Re: "You don't give criminals a job just because they broke the law"

          I strongly suspect he had done his time and had a spent conviction - this is rather different to employing someone who is known to have committed crimes and not been convicted, or who has not spent their conviction.

        2. Jan 0 Silver badge
          Thumb Up

          @Jedit

          Thank you. You are a true gentleman. The first poster I've seen (anywhere/anywhen) to actually summarise what their link is pointing at.

  4. Anonymous Coward
    Anonymous Coward

    Pfft

    Should just release their crappy code now seeing as they were such pricks about it. Surely if he wasn't above board and wanted "money or who knows what could happen" we'd have heard about it.

  5. Joseph Haig

    Facebook would do well to employ this guy instead of prosecuting him. He clearly knows better than any of their current security team what needs to be tightened up.

    1. JDX Gold badge

      >>Facebook would do well to employ this guy instead of prosecuting him. He clearly knows better than any of their current security team what needs to be tightened up.

      That their security team not only detected his intrusion but tracked him back to his bedroom suggests they're not exactly useless.

      1. Anonymous Coward
        Anonymous Coward

        Indeed

        The fact that a target as big as Facebook isn't lying in a big heap of 0wned code is probably something of a testament to their, I should imagine, daily and unending work.

  6. Ottman001
    WTF?

    I'm not trying to question the outcome of this trial (his attempts to cover his tracks were always going to go down badly in a court of law) BUT... have a look at these words of Judge McCreath quoted on the BBC site:

    "The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I'm afraid a prison sentence is inevitable."

    Doesn't this suggest that Judge McCreath doesn't know what he is talking about? The security flaw existed before Mangham found it and it is the responsibility of Facebook to put it right regardless of whether it has been exploited or not. If Mr Mangham's actions cost Facebook anything, it'll be the legal costs they incurred in order to shoot the messenger. Facebook surely have all liability for the consequences of any insecurities in their own system?

    1. Anonymous Coward
      Anonymous Coward

      I sort of agree, but...

      Whilst I agree that the flaw in facebook's security is their problem, this is not the correct way to bring it to their attention.

      For instance, you go to bed at night, and you forget to shut your back door.

      1) Your neighbour wakes you up by calling your phone or ringing the doorbell, you get up, thank them and shut and lock the door.

      2) Someone else enters your house, takes photos of you and your family asleep and later emails them to you with a note saying "by the way, you forgot to lock your door"

      Clearly 1 is legal and 2 is not. This gentleman's actions, whilst (probably) good intentioned are more like 2 than they are like 1.

      IMO.

      1. Mystic Megabyte
        Unhappy

        Re: I sort of agree, but...

        It's too late, the law has been subverted so that if I even take a photograph of your open back door I will be done for copyright theft. No puns intended.

        Facebook have joined my ever increasing list of companies that I will have nothing to do with.

      2. Ottman001

        Re: I sort of agree, but...

        I agree.

        As I said, I'm not questioning the outcome of the trial because 1) I'm not exactly legally qualified 2) I don't believe that I know all of the facts about the case.

        I merely take exception to the judge justifying the sentence with a load of made up nonsense.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: I sort of agree, but... (from original AC)

          Ah, I see what you're saying here. Yes indeed the cost of putting the security flaw right should fall on facebook, however, there is the cost of the investigation by various agencies plus any time facebook had to spend on it. None of which would apply had the individual contacted Facebook immediately saying "here is a flaw in your security, it would allow access to source code if I wanted it, I used this flaw at (list of dates / times) in order to confirm this."

          Still not really legal, but would at least give him significantly more mileage in his "I was going to tell them, honest" defence.

          Also, as has been said by others, definitely NOT the way to get someone to want to give you a job.

          1. Ottman001

            Re: Re: Re: I sort of agree, but... (from original AC)

            "however, there is the cost of the investigation by various agencies"

            Very good point. I hadn't considered that.

            Yes, obviously he absolutely should have let them know of the vulnerability immediately, especially considering he went on to use the "I was going to tell them, honest" defence.

            At least he didn't (by which I mean that I haven't read) dump the code into pastebin or make it easily and readily available in some other way. If he'd done that, the judge would be absolutely correct in that he created new risk. We don't know how he did store the source code so the judge may still be correct on this point.

            I'll just shut up now then :)

            1. Anonymous Coward
              Anonymous Coward

              Re: Re: Re: Re: I sort of agree, but... (from original AC)

              Well, I'll have the last word (as if!). The way you tell them depends on how willing they are to listen. I'm sure it still happens that of these various online businesses in which security is critical, there are plenty who ignore you, ignore your report, until you force them to take notice in one imaginative way or other. Unlike the dodos who get taken by email scams and you suspect anyone that stupid won't learn any other way, said businesses who just ignore security are - whether legally, or only morally - themselves committing a crime. You know, like the various government departments who just repeatedly spunk our private data into the public domain and, because the taxpayer gets penalized for it, never learn. I certainly won't assume Facebook is blameless any more than I do that this guy was acting benevolently.

      3. Jason Bloomberg Silver badge
        Headmaster

        Re: I sort of agree, but...

        "Clearly 1 is legal and 2 is not."

        Except 2 is not necessarily illegal of itself. There might be a case for 'protection of privacy' in your example but that's debatable and we can take that out of the equation if you replace the analogy with someone sitting in your unlocked car taking their photos of its equipment and then emailing them to you.

        The up-votes suggest a lot of people think it would be illegal. Being greatly shocked by what has transpired doesn't necessarily make for a crime.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: I sort of agree, but... @Jason

          If it is not illegal to wander around someone else's house without permission regardless of whether the door was left open / unlocked, then it bloody well should be!

          1. Anonymous Coward
            Anonymous Coward

            Re: Re: Re: I sort of agree, but... @Jason

            You mean an unlocked door isn't an open invitation? 'snot exactly "breaking and entering" now, is it, if the door's already open? And while it might be trespass, that's "only" a civil offence... (I think)

            So what are your views on open wifi? If that's not an open invitation (quite literally, it is being broadcast after all) then I don't know what is. I suspect that some individuals may still try the house analogy though.

            1. JimC

              Re: Re: Re: Re: I sort of agree, but... @Jason

              No, of course an unlocked door isn't an open invitation. An Open invitation is where there's a bloody great sign saying "please come in". The only way an open wifi would be an open invitation would be if it said so in the damn network name.

              Some of you people really badly need to go to ethics classes...

              1. APA
                Mushroom

                Re: Re: Re: Re: Re: I sort of agree, but... @Jason

                I was trying to highlight the fallacy of comparing breaking and entering/burglary/trespass against anything in the digital realm - the two just don't correlate and the overly simplistic analogies are quite misleading. Though I do believe the above discussion was really to do with poacher-turned-gamekeeper scenarios and how effective they can be. In this case, I'm not sure that applies for the very simple reason HE GOT CAUGHT! That rules you out of "cyber mastermind" in my book and so you certainly shouldn't be offered jobs, leniency (you know what you were doing) etc. Give the hypothetical job to a cracker with a clean record because that means either he's A) trustworthy or B) really good. You won't see it coming in either case...

                In Britain there are two laws that cover this general area: the Computer Misuse Act, which concerns the access and use of machines without permission, but there's also the Data Protection Act, which addresses companies' responsibility to look after their collected data, i.e. personal information about US, and how they're accountable; register with the ICO and report any breaches (Sadly they don't seem to have any teeth and IMO there should be associated penalties, see the ICO's own FAQ http://goo.gl/M5I6X). Nevertheless, Facebook should treat their user information with the utmost respect. Sure, in this case no data was actually taken but next time they might not be so lucky. The next infraction might not be so well intentioned, consequently they should take advice from wherever they can get it (unpaid - see first paragraph) or else face charges of negligence/incompetence (now if that isn't illegal, it should be).

                Just putting up a sign saying "do not enter" is not security, systems actually do have to be, well... secure. To the point of openly challenging the white hats to take their best shot. Only then can the general public be confident that their details are being looked after properly.

                Go on. Flame me.

                1. JimC

                  > Just putting up a sign saying "do not enter" is not security

                  Well, yes it is. Because it delineates the point at which you become one of the bad guys. Anyone who goes past that sign has crossed the line at which they become of concern to the security infrastructure. Of course in almost all cases a greater level of security is required, but ultimately you almost certainly can't keep a bad guy with sufficient resources* out, so it's a question of achieving an appropriate balance. Anyone who believes in absolute security is rather charmingly naive.

                  -----------------------

                  *

                  "You and whose army?"

                  "My army. This one, with the guns, and tanks, and helicopters, and missiles, and nuclear submarines"

                  "Oh, that army. In that case I can't stop you from gaining physical access to the server."

                  1. This post has been deleted by its author

                  2. APA

                    Re: > Just putting up a sign saying "do not enter" is not security

                    "Well, yes it is. Because it delineates the point at which you become one of the bad guys. Anyone who goes past that sign has crossed the line at which they become of concern to the security infrastructure."

                    Yes, it proves that a line has been crossed, that you've knowingly done something that you shouldn't have.

                    No, it's irresponsible if you're holding sensitive information on behalf of someone else and rely on people's good will not to cross a line, especially once you've told them it's there.

                    Isn't relying on the legal position to follow up an attack a case of "shutting the stable door after the horse has bolted"? The damage has already been done and that data is now in the wild regardless as to whether the perpetrator is banged up or not. I'd rather it wasn't leaked in the first place.

        2. Charles Manning

          Re: Re: I sort of agree, but...

          It has nothing to do with privacy. Just entering a building without reasonable cause is a crime.

          In all the countries I have lived in, there are laws against breaking and entering, these being separate crimes.

          Defined approximately as follows:

          "Breaking" means gaining access to a building via any use of force, even the slightest amount. If a door is open but ajar and the door is pushed wider open, then that is considered use of force and constitutes "breaking".

          "Entering" means entering without reasonable cause.

          I'm pretty sure the UK uses these definitions too.

          Entering a building and taking pictures of people while they sleep would certainly fail the "reasonable cause" test.

    2. Anonymous Coward
      Anonymous Coward

      Yes indeed. But this is merely the latest example of cluster fuckwittery between an Internet company and an ignorant, lazy judicial system. Once again the contestant with the deepest pocket wins all.

      Really Facebook deserves to have its shitty source spread about for all to see. (Assuming of course they didn't just cobble the whole thing out of open source projects in the first place and the only secret bit is some Perl script.)

    3. Blofeld's Cat

      "The security flaw existed before Mangham found it..."

      Yes the security flaw that allowed Mangham in, already existed.

      It appears however that the judge was referring to the additional risk Mangham created by downloading the source code from the secure Facebook network.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        @Blofeld's Cat

        The quoted BBC article doesn't suggest that.

        1. friedegg03
          Facepalm

          Re: @Blofeld's Cat

          It does:

          Ex-burglar Peter Findlay said snapping the lock was "simpler and quicker".

          Mr Findlay, who now works with police to help them with crime prevention tactics

    4. Martyns
      Trollface

      What has Facebook got to hide?

      Indeed, and no one has asked why Facebook are so determined to hide their code. There's little doubt that Facebook trample privacy, could it be the beast has more to hide? I bet if the judge wanted a proper investigation into this affair it would have been blocked.

  7. Hans Upp
    Black Helicopters

    Well, surely the FBI would immediately demand his extradition to Gitmo, to which the UK govt would be only too happily fawning to do?

    I mean, hacking facebook must pose a huge threat to world peace.

    No wait, who ever said the yanks were interested in world peace, there's money to be made. Pah!
