Brit student locked up for Facebook source code hack

A British computer science student was jailed for eight months on Friday for hacking into the internal network at Facebook. Glenn Mangham, 26, previously pleaded guilty to hacking into the social networking site between April and May last year. The incident created a flap at Facebook amid fears that hackers were attempting to …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

While that would be their normal tactic, the FBI haven't heard of The Face Book because they're all still using MySpace

2
0
Holmes

Hmm...

Without getting into the black, grey or white hat issue...

It's nice to see somebody accused of hacking a US computer system, from the UK, tried and sentenced in the UK.

23
0
Anonymous Coward

CPS

I see the CPS had no trouble pursuing this "villain", meanwhile, how's the case against Phorm + BT going? Oh, there isn't one?

10
0
Anonymous Coward

To those supporting him...

...can you let me know your address?

I'll come round with a sledge hammer, put in a window and nick your telly. No doubt you won't phone the police as I'm only highlighting a weakness in your security.

3
7
. 3

Bad metaphor

that is. Are you a policeman?

4
2
Anonymous Coward

Re: To those supporting him...

Facebook is a bit more exposed of a target than your private home. It's vulnerable to anyone with an internet connection and holds a lot of sensitive data, not just yours. It's more like you have been asked to store important details of a few billion people and you leave it in plain sight ... behind a window.

3
2
Anonymous Coward

Re: To those supporting him...

That'll be fun!

You won't _believe_ the reception you'll get.

5
0
Anonymous Coward

Re: Re: To those supporting him...

Yes, but no.

Yes on your point about it being more than just an individual's data.

No, on your point about it being more at risk. Facebook isn't vulnerable to anyone with an internet connection, Facebook is vulnerable to anyone with an internet connection and the skills to breach network security.

A window of your house is vulnerable to anyone able to walk up to it (or even roll up to it in a wheel chair, I'm all for equal opportunities burglary) and open or smash it.

I think we can agree that smashing glass is a somewhat simpler skill set than cracking network security.

0
0
Silver badge
Trollface

Re: To those supporting him...

Hmmm. I live on the second floor. And good luck finding the stairwell. Most couriers can't!

0
0
g e
Silver badge

"extract the software blueprints"

Well, there's no way anyone would want the UI 'blueprints' for sure...

1
1

Re: "extract the software blueprints"

But I think you'll agree.. they Are blue

0
0
Anonymous Coward

I don't understand all this anger towards the guy. Better he exposes a lax security policy than someone who is truly dangerous. In my view Facebook should be fined for the lax policy! If companies are to be trusted with my data then they should be actively encouraging this kind of behaviour with bounties on success. This way round only the true criminals will have the data and the systems remain insecure hiding behind legal defence instead of a proper one. AC for obvious reasons.

6
4
Anonymous Coward

So...

Are you offering to pay people to break in to your house then?

2
4
Silver badge
Unhappy

Great British Justice?

Given that:-

"The prosecution accepted that Mangham's actions were not maliciously intended but said they were unauthorised."

8 months in the slammer seems a bit extreme seeing that I regularly read reports in the local rag of muggers getting community service and probation, even for repeat offences.

It seems that crimes committed against "big business" by the little people are viewed by the courts as much more serious than crimes committed against the little people by big business.

Undergraduate hacks Fartbook. That's serious. Have some jail time.

BT Hacks 1000's of customers (Phorm). Nothing to see here. Move along.

Joe Bloggs fiddles his income tax for a few £hundred. That's serious. Have some jail time.

Vodafone fiddles its tax bill to the tune of £6 billion? We'll forget about that, shall we?

19
3
Silver badge

Re: Great British Justice?

You mess with Facebook's data - 8 months jail.

Facebook messes with everybody's data - tough luck.

7
0
Holmes

Re: Great British Justice?

"The prosecution accepted that Mangham's actions were not maliciously intended but said they were unauthorised."

On that particular point, I seem to recall the claim that there was "no criminal intent" being considered sufficient to excuse BT and Phorm Directors from any and all responsibility to obtain authorisation before covert interception, copyright theft, computer misuse, and fraud.

Yet the BT/Webwise affair caused economic harm to the businesses affected (by industrial espionage) and privacy harm to the individuals (by unauthorised surveillance and disclosure to a 3rd party).

So one rule for Ian Livingston, and another rule for Mangham?

1
0
Megaphone

Re: Great British Justice?

It often seems to me that the legal system - at least at the lower courts type level - comes down rather harder on people who've had a reasonable background, education and the like than it does on some hapless little scrote who's never even been exposed to the concept of right, let alone had the opportunity to consider the philosophical differences between right and wrong.

I'm not entirely sure that's wrong...

0
1
Silver badge
Happy

Security and No Deportation

Given the amount of data FB has given away or leaked it is hard to imagine they even employ security, other than on toilet cubicles.

What I find interesting is "reported to the FBI, which passed the case over to the British police" which is what they should have done with all cases involving crime committed on British soil even if targeting any other country.

France does it best - Our Citizens, Our Courts.

4
0
Anonymous Coward

Re: Security and No Deportation

Hard to believe FB have anything worth stealing that hasn't already been published!

1
0
Silver badge
Facepalm

Re: Security and No Deportation

Yawn @ your poorly-veiled reference to McKinnon. Big difference - McKinnon hacked US military servers (with malicious intent), whereas Mangham hacked a social-networking site (with stupid intent). If Mangham had been dumb enough to try this recruitment stunt on US military servers he'd very likely have soon been sharing a plane across the Atlantic with McKinnon.

".....France does it best - Our Citizens, Our Courts." Glad you mentioned it, JaitcH, as neither McKinnon nor Mangham are Fwench, so you can go join the Fwench in minding their own business.

0
1
Anonymous Coward

is it just me

or is there something inherently bizarre about the idea of "hacking" something described as "social media" ?

0
0
Anonymous Coward

Re: is it just me

"Sharing is the new default, mlud".

0
0

Irony

How much time did Facebook's founder serve for hacking into a private network at Harvard and harvesting student IDs for his new social network?

4
0
Stop

McKinnon precedent?

Surely he should be extradited after 10 years of appeals and whatnot to potentially suffer decades in the fed pen...

Or maybe the example is being set as precedent for yet further appealings by the McKinnon camp...

0
2
Anonymous Coward

Re: McKinnon precedent?

No, it just shows that Gary McKinnon would have been let out after only a few months if he hadn't listened to all those legal advisors with political motives.

As is, he's been strung along in a nightmare for 10 years. For him, it should have been over and done with years ago.

2
1
Bronze badge
WTF?

Punishment

I do think that the punishment for these 'crimes' is too harsh. Well harsh is the wrong word. I think the punishment is wrong. Bring back the stocks, sit him in the town to be humiliated by the locals, this is both cheaper, and aids rehabilitation.

1
2
Bronze badge
Stop

Re: Punishment

Only if we get to take pictures of it and put them up on Facebook!

1
0
Silver badge
Alert

Re: Punishment

I read that as "humiliated by the lolcats".

Too... much... internet...!

0
0
Ru
Meh

"grave incident of social media hacking"

I'm not quite sure why this was labelled as 'media hacking', though to be honest I'm not even sure I know what that means (Alan Sokal style, perhaps?). More importantly, to label this as a 'grave incident' is particularly egregious, given that the guilty party does not seem to have attempted to access user information, payment mechanisms or even tried to sell the source code he stole.

To call this 'grave' isn't quite as daft as confusing burglary with trespass, but it is close. It is a shame that the legal profession can't resist hyperbole either.

Still, 8 months inside will do him good; seems like a fairly minor sentence and with any luck it'll send a message to others like him.

2
1

I think the law stands on hacking where it does because if it wasn't this punitive, it'd be open season on people (at least in the West) breaking into systems and causing untold damage. It's the same as tax evasion; if the punitive aspects were less severe, more people would be inclined to try, and that could result in a huge loss for the government and the repercussions of that would hit the honest taxpayer.

Most systems on the web just aren't secure, and never will be, because of the layers of complexity that get built on top and between them, and the pace at which web development now occurs. And, unfortunately, the barrier to entry to break into these systems is pretty low for even a mediocre developer. With those risks in mind, I think a jail term is quite appropriate...

0
0

"In sentencing, Judge Alistair McCreath told Mangham his actions were anything but far from harmless"

That's a relief! I thought there'd been some harm.

2
0
Pirate

This guy's not the problem.....

IP is. It's been mentioned recently around the relaunch of IPv6. Internet Protocol was never EVER designed to be used in the way that it is and the very fact that you CAN spoof an IP address or MAC address and use these methods to hack into a system proves that greater security is needed all over the internet.

I personally feel that the guy deserved to be punished for the crime he committed but the allusions above to it being analogous to house breaking are utterly ridiculous. But as another person mentioned above, he is likely to get a tap on the shoulder at some point to come and 'consult' for some security firm. If the guy could hack into Facebook, which we all know isn't a case of just guessing someone's password, then he is likely to be highly skilled and have a deep understanding of how the underlying technology of the internet works. Unlike some of you.

3
4
Anonymous Coward

Re: This guy's not the problem.....

You can spoof an IP address, sure, but good luck "hacking" with that. Since you're totally disregarding the concept of, oh, I don't know, how TCP and UDP work. Additionally, MAC addresses have really nothing to do with IP.

Additionally, I don't believe he deserves to be punished. Better he exploits and fixes a hole than someone with malicious intentions does. It's funny, how safe and secure people think they are if they "punish the hackers", the guys who usually turn themselves in and/or admit everything.

Protip: It's the mercenaries in the employ of organised crime that you need to be worried about.

2
0
Vic
Silver badge

Re: This guy's not the problem.....

> Internet Protocol was never EVER designed to be used in the way that it is

Errr - yes it was. It was designed to be used in *exactly* the way it currently is.

> you CAN spoof an IP address

You can, with a little bit of effort. What do you think that gains you? Hint: how are you going to get any replies with a spoofed IP address?

> or MAC address

And MAC addresses propagate over the Internet, do they?

There are many *real* reasons for poor security on the Internet. We really don't need you making any up.

Thanks muchly.

Vic.

3
0

Re: Re: This guy's not the problem.....

Errr - yes it was. It was designed to be used in *exactly* the way it currently is.

Errr, no it wasn't. When the first IP standards were set nobody thought for a second that we would have an internet connection on a watch and this is why IP creaked and cracked, hence IPv6. If IP was designed for its current use case then why is IPv6 needed??

No, MAC addresses don't propagate over the internet, I was just pointing out that people who know what they're doing can change just about anything in a computing environment. I'm not a network engineer, just a Windows one so I don't profess to know everything there is to know about TCP/UDP except for what they stand for. I'm just saying that the very fact you are ABLE to do these things shows that the infrastructure isn't fit for purpose.

0
0
Vic
Silver badge

Re: Re: Re: This guy's not the problem.....

> this is why IP creaked and cracked

*IP* has done no such thing.

IPv4 has run out of addresses. Not because it's being used differently than was envisaged at design time - just that it has become more widespread than is supported by that version. But the IP header deliberately has a version number for exactly this reason - so that it can be replaced as the system grows.

> If IP was designed for its current use case then why is IPv6 needed??

IPv4 is IP. IPv6 is IP. IPv6 is needed because IPv4 doesn't hold enough addresses. But both are IP, and neither has anything to do with the intrusion for which you claimed them to be responsible earlier in the thread.

> I'm not a network engineer,

We'd never have guessed...

> I'm just saying that the very fact you are ABLE to do these things shows that the infrastructure isn't fit for purpose.

And I'm saying that your saying that shows how little you know in this field. Really - IP and MAC spoofing have almost nothing[1] whatsoever to do with network intrusion.

Vic.

[1] I've qualified this because some of these games can be useful on a LAN; I frequently use ARP-spoofing attacks to debug network issues without having to make a physical intercept. But once you're on the WAN, they're irrelevant.

1
0

Question is - will Facebook try to extradite him to the U.S?

0
0
Anonymous Coward

Too Bad

Phuck around, go to prison.

0
2
IT Angle

Didn't Facebook ask for this?

Pretty sure about a year ago there was a request from Facebook for users to find flaws in their system and report them, to them, for a cash prize.

0
0
JDX
Gold badge

Re: Didn't Facebook ask for this?

Maybe, but the _report them_ part is kind of important.

1
0
Anonymous Coward

Denial is not a river in Egypt

http://www.msnbc.msn.com/id/46453605/ns/technology_and_science-security/

0
0
Anonymous Coward

8 Months?? For this?!?

FFS What a fuss over f*ck all... so what if someone hacked FB? Is it like the Pentagon now? The wrong people already have your information if you're on Facebook ;)

You can beat someone half to death and get less. Priorities? I see....

2
1
Anonymous Coward

Re: 8 Months?? For this?!?

The message should be clear. If you're a dumbarse hacker, you will go to jail.

1
2

Would this really have got this far had it not been a big business involved? Sentencing seems extreme; jail time for suspected hack with no malicious intent.

In other news, the UK lets suspected terrorists out to walk the streets because we cannot jail or deport them! Our government cannot bang up criminals yet big business do just fine.

CC

2
0
Anonymous Coward

Law of unintended consequences

Putting him in prison was the single most fuckwittedly stupid thing the court could do. That way it is guaranteed that he comes to the attention of criminal gangs that will be able to put his skills to serious gain. And unless he particularly likes hospital visits for him and his family then the only thing he'll be arguing is the size of his share.

0
0
Silver badge
FAIL

Re: Law of unintended consequences

"Putting him in prison was the single most fuckwittedly stupid thing the court could do....." Yes, because punishing crims is just wrong.... If you can't do the time, don't do the crime. Part of the justice system is prevention, and locking up one skiddie will probably deter quite a few more from following his stupid example. Letting them off with a few strong words would not.

".....That way it is guaranteed that he comes to the attention of criminal gangs....." Yes, but his parole terms (after much less than the 8 months) will also include lovely terms about not mixing with known criminals, and he will be on the Coppers' watch list. Any naughtiness and he'll be straight back inside. That's if he doesn't end up as an informant, which is what a lot of the convicted hackers end up as (http://www.theregister.co.uk/2011/06/07/hacker_snitches/).

0
1
Anonymous Coward

Re: Re: Law of unintended consequences

Of the 8 months, he'll serve 4 (possibly a bit less.) Then only 4 months on parole. Once the 8 months is up his sentence is fully served and he can consort with whomever he likes. For a criminal gang on the scent of multi-millions this is hardly a long-term project.

0
0
Anonymous Coward

Boo Hoo

Not very brilliant to hack unless you need some place with free room and board for the next 8 months or more.

0
1