Freed Facebook hack Brit vents fury at $200k cleanup claim

A UK man jailed for hacking into Facebook has vowed to rebuild his life – and his reputation – after winning an appeal against his sentence. Glen Steven Mangham, 26, from Acomb, near York, was jailed for eight months in February after he pleaded guilty to infiltrating the website's internal network between April and May last …

COMMENTS

This topic is closed for new posts.
  1. Thomas 18
    Go

    Hes lucky he wasn't extradited

    I hear the Americans do that.

    1. jonathan1

      Re: Hes lucky he wasn't extradited

      My guess is that FB being a private company doesn't warrant extradition but hacking the military does in the case of Gary McKinnon. White Collar crime vs "terrorism"/Embarrassing the U.S. State...

      Would of been better for him to turn his skills to fixing bugs in Chrome, they pay you for that...

      1. DAN*tastik

        Re: Hes lucky he wasn't extradited

        "Would of been better for him" => "Would have been better for him".

        Thank you.

        1. Kubla Cant
          Headmaster

          Re: Hes lucky he wasn't extradited

          "Re: Hes lucky..." => "Re: He's lucky..."

          Sometimes I wonder why we bother.

          1. Thomas 18
            Trollface

            Re:Re: Hes lucky he wasn't extradited

            Really wed rather you didnt

          2. DAN*tastik
            Headmaster

            @ Kubla Cant

            I missed that! If I could, I would down vote myself.

            Maybe this is all happening because their ( or is it they're? or there? ) teachers didn't bother themselves, and somehow we are helping. Someone, somewhere.

            Had I done something like that when I was learning English, I'd still be trying to get out of secondary school. Or whatever it's called over here in the UK, I honestly never spent too long trying to understand how education works.

        2. jonathan1
          Facepalm

          Re: He's lucky he wasn't extradited

          Ah I did notice the grammatical error after posting it...I do forget that commentards post at their own risk here.

          To all of El Reg, I humbly apologise for the error and will now go and sit in the corner.

          On the bright side, if I only got down voted due to poor grammar I can live with that.

          1. DAN*tastik
            Alert

            Re: He's lucky he wasn't extradited

            If somebody down voted you because of bad grammar, he or she would need to go out more maybe?

            However, since there are people who down vote others' ( <- I hope I got that right myself this time! ) comments just because they say they own a phone and it works fine, I wouldn't worry too much about those who did :)

  2. Version 1.0 Silver badge

    Cleanup costs

    Cleanup costs are almost always exaggerated - you can't prosecute someone successfully if you have to admit that they gained access due to a dumb coding error or stupid server permission that took all of ten minutes to fix ...

    So you add in the costs of the backups, the maintenance, the fact that the backup restore didn't work so you had to rebuild the server, and the costs to review your code to "check" that other security issues had not been uncovered ... and then you call in the security consultant and charge that cost to them too .... and finally send the bill to the insurance company. If you've padded it enough then you may even make money! Getting hacked can be a profit center.

    1. DrXym

      Re: Cleanup costs

      If it took 5 or 6 Facebook employees a few months to wade through the mess figuring out how far the hacker got, what systems were compromised, what files they took, of what commercial value they were, fixing the hole, reimaging the system plus all the preparation for trial then I can see how they came to a figure of £200,000. That's a remarkably low figure really. It would be more dubious if they said a million or something else.

      I don't feel sympathy for the guy really. Facebook has a bug bounty program. I'm sure they would be cool with people abiding the terms of that rather than just breaking in, mooching around for a while and then claiming after the fact when they're caught that their intentions were purely altruistic.

      1. The Man Who Fell To Earth Silver badge
        Boffin

        Re: Cleanup costs

        I agree. $200k amounts to about 8-10 man-months of work (counting salary, fringe, overhead, and G&A) at a typical Silicon Valley company. And the "work" is mostly trying to figure out what he actually did, not "repairing damage". It's a surprise the number is that low.

      2. Heff
        Meh

        Re: Cleanup costs

        the bug bounty system on FB is no more than a PR stunt to infer that they're serious about soliciting outside fixes. If you have the power or nous to seriously embarrass, or the work that you'd have to do exceeds their terrible payment sums* they aren't interested, which just leaves the door open for large-scale, clever blackhat hacks. I'm not terribly sympathetic to the guy either, but he's very pragmatic about what happened by all accounts, and regardless of the attitude I'm glad, as we all should be, that he's not on a flight to the US right now to be another subject of their for-profit incarceration machine.

        *might be better now, they were frankly laughable when they were implemented

        TL;DR: Glad he's not stateside, glad taxpayers aren't paying for a pointlessly long jail time. Kudos to the guy for being pragmatic and mature about the outcome.

        1. DrXym

          Re: Cleanup costs

          "the bug bounty system on FB is no more than a PR stunt to infer that they're serious about soliciting outside fixes, "

          It's funny how the website for that "PR stunt" provides a long list of people who have collected on their claims, presumably by acting within the guidelines laid down by Facebook.

          It even states on that site that if you act in an ethical manner, disclosing the bug to Facebook and giving them reasonable time to fix it they will not seek prosecution. Clearly whatever this guy was doing fell WAY outside of that remit.

      3. Anonymous Coward
        Anonymous Coward

        Re: Cleanup costs

        I can see how costs can easily hit that mark, with auditors, code review and so on.

        However, most of those costs are cost incurred because FB made mistakes and should have been incurred anyway in the normal security process.

        Real costs are things like, "what did he make unavailable that we *want to change back* and did we lose any income because of it." How much does it cost us to revert what he changed, not what he might have changed. If someone breaks into your house, you can't claim he cost you the price of a new security system, or that you had to hire someone to look through all your CDs to work out if he had ripped any while he was there.

        I do have to chuckle though, FB complaining that someone was looking at things they wanted to keep private...

        It's irony, b*^%$%

        1. Field Marshal Von Krakenfart
          FAIL

          Re: Cleanup costs

          $300 to investigate, $199,700 to do the work they should have done in the first place to secure their systems.

  3. Anonymous Coward
    Anonymous Coward

    No more holidays in the Land of the Free for him then. Not in this life, at least. Unless he happens to try and test some other US-based defenses.

    See, there is a merit to running a business in the US. Particularly, if the evil-doers, in their millions, reside in the UK ;)

    1. Steve Evans

      "Land of the free"....

      It hasn't been that for many many years.

      1. Anonymous Coward
        Anonymous Coward

        "Land of the Fee" more like

        Lettuce

  4. GeorgeTuk
    Facepalm

    Looking him up on web...

    ...when trying to employ him (yes we all do it) is going to have these rants on top of the original crime. Any thought of rebuilding his reputation is gone.

    He should have just apologised, said he was going to rebuild his life and left it at that.

    1. Steve Evans

      Re: Looking him up on web...

      Or just change his name by deed poll. Change it to something common like "John Smith", or "Steve Evans" is great for stopping nosy google searches.

    2. Mexflyboy
      Facepalm

      Re: Looking him up on web...

      I agree, the guy's an idiot: he should have made soothing statements to keep Facebook off his back, and to help keep his employment prospects open. Instead, his latest responses don't really show him as being sorry/as having learned anything, instead he ends up looking like a dumb brat. (I shouldn't be surprised: in Uni I was surrounded by what seem to be his type: technically brilliant, but with the common sense/social skills of a dead badger!)

    3. Anonymous Coward
      Anonymous Coward

      Re: Looking him up on web...

      See I have a problem with looking people up on the web for hiring reasons. My name for instance is more than a little common and the one time I gave a shit about checking to see what came up in my area I found out I was wanted for a bench warrant on a DWI charge.

      The problem with that is it wasn't me. It was another person with the same name who lived in the same area as me who apparently also got his kicks off with assault and battery on women, burglary, grand theft etc etc.

      The best part of this is that I knew about all this when I had to pay a speeding ticket and the judge brought all that up at the time. I'm standing there with my lawyer about as dumbfounded as you can get. Comments back and forth were these: Lawyer: "What didn't you tell me?" Me: "All this for a speeding ticket?"

      It took the court about 15 minutes to figure out it wasn't me and another person. To top it all off the same lawyer calls me up about 4 months later saying there is a bench warrant for my arrest on a DWI charge. I hadn't been pulled over let alone been in that area for at least 6 months at that point.

      So yeah, why look stuff up on someone online if the possibilities of a false positive or wrong person/right name can lead to you suddenly being a no hire for things you haven't done.

      1. Matt Bryant Silver badge
        Unhappy

        Re: Looking him up on web...

        "....So yeah, why look stuff up on someone online....." Unfortunately, the winged-monkeys in HR actually think looking for details of candidates online is a good recruitment process, probably because Facebook is about as technical as they can manage.

  5. Anonymous Coward
    Anonymous Coward

    Funny isn't it ...

    When *I* had to claim against the bellend who rear-ended me, I had to produce every single receipt, and was told that I couldn't claim for the extra time spent using public transport, while the car was repaired.

    One law ...

    1. Steve Foster

      Re: Funny isn't it ...

      Odd, when I was rear-ended late last year, the other side paid for a hire car (comparable to boot) for the time my car was off the road. No quibbles.

    2. Anonymous Coward
      Anonymous Coward

      Re: Funny isn't it ...

      By the sounds of what you said the law was on your side. You should have got yourself a decent solicitor. You may still have a case if you feel it's worth your while pursuing.

  6. Anonymous Coward
    Stop

    He was still guilty.

    A reduction in sentance doesn't suddenly make him squeaky clean.

    Why can't "hackers" get it into there thick heads..."I was doing it to highlight weaknesses"

    Yup just like the buglar broke into your house to prove you need better doors and locks;

    The car thief that showed that your car needs a better immobiliser;

    The mugger that shows you should have learned self defence.

    There are right and wrong ways to do security testing, this was not the right way.

    1. Ru
      Meh

      Re: He was still guilty.

      Your comparison with muggers and car thieves is rather daft. I don't recall hearing of any martial arts instructors assaulting strangers in the street and then offering to sell them lessons in order to prevent it happening again, which is the closest analogy to the sort of activities this guy was engaging in.

      Sure, he broke the law and will be punished appropriately. But you'll note there's that word 'appropriately' there. He did not engage in theft, fraud or extortion, and should not be punished as if he had.

      1. Pete 2 Silver badge

        Re: He was still guilty.

        > He did not engage in theft, fraud or extortion

        It's a fair bet that if he had - or if FB had thought he had - he'd be in an American prison camp by now, and not just for a few months.

      2. Anonymous Coward
        Anonymous Coward

        Re: He was still guilty.

        > He did not engage in theft, fraud or extortion, and should not be punished as if he had.

        He stole the source code for the site and did not disclose it until police were knocking at his door (which was then when he chose to delete it)

        Frankly I disagree that the man did not want to gain anything.

        He certainly wanted to gain a job out of it and use it to that end, or was hoping that facebook would be like yahoo and financially reward him for it.

        He hacked the network without permission (something a true white hat doesn't do and is also against the law) and also didn't inform facebook of the hack or vulnerability at all until his arrest three weeks later.

        Holding onto the source code for weeks without disclosing the bug is what caused Facebook to be so aggressive in court.

        Ultimately the lesson here is: its ok to be a white hat as long as you have permission to do your testing.

        1. Ru
          Meh

          Re: "I disagree that the man did not want to gain anything"

          Read, comprehend, post, please. I did not say that he did not want to gain anything. I did not say he was innocent, I did not say that he had not broken the law, and I did not say that he did not deserve to be punished.

          "He stole the source code for the site"

          He *copied* the source code for the site, with the intention of using it to point out security flaws. There is no indication he intended to sell it or distribute it, or threaten to do so in order to extort money from Facebook.

          "Holding onto the source code for weeks without disclosing the bug is what caused Facebook to be so aggressive in court."

          No, they were justifiably upset because he backdoored them. The fact he sat on the code for so long indicates that he was in no rush to do anything with it, good or bad; this implies a certain amount of laziness or simply a casual attitude, not someone out for money or fame at any cost.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Stolen"?

            As far as anyone can tell, nothing was stolen.

            Stealing necessitates the intention to permanently deprive the owner of his property.

            It seems that numerous agencies and individuals need reminding of when this term is applicable. (MAFIAA etc, I'm looking at you)

            1. DrXym

              Re: "Stolen"?

              "Stealing necessitates the intention to permanently deprive the owner of his property."

              He was done under the computer misuse act which covers the offence of obtaining data without authorisation.

              Perhaps some cases of lifting data could constitute theft, larceny, obtaining services by deception etc. For example, if I copied your customer database and put it up on the web then I've essentially deprived you of any value the original might have had.

              1. This post has been deleted by its author

              2. Matt Bryant Silver badge
                Boffin

                Re: Re: "Stolen"?

                Here's a funny thought - since Mangham's seen the Facebook code, he has seen the FB "secret sauce", and could therefore be unhireable by any software company. Why? Well, any company that did hire him runs the risk of FB suing them to look at any code developed with Mangham's input to make sure he hasn't reproduced that "secret sauce". There doesn't have to actually be any infringement, FB just has to send the legal beagles round to any future employer and the majority of them will roll over at the sight of the FB lawyer posse. Any that chose to go to court could be looking at a very expensive jaunt, whether they are innocent or not. In essence, if FB really want to, they can make this guy leave the software industry. Mangham should just shut up, apologise long and hard, and hope FB forgets about him.

          2. Anonymous Coward
            Anonymous Coward

            Re: "I disagree that the man did not want to gain anything"

            We should not preclude that having a copy of this source code and not doing anything with it for 3 weeks proves his good intent.

            When it comes to the source code that is Facebook's business it is worth a lot of money to a lot of people (scammers, identity thieves, etc) and Facebook for their part had no idea what he was going to do with it as he didn't contact them to report the vulnerability that let him into their site before he was arrested.

            Let me sit with a hard drive full of stolen *ahem* "copied" credit card data liberated from someone's database and then plead my intentions were honourable because I was looking for vulnerabilities at the time, I am sure in such a case nobody would be moved by making speeches of my 'good intentions'.

            The sentance may well have been disproportionate in the original case but the guy chose to take the risk, got burned and now has a criminal record because of it.

            1. Ru
              Facepalm

              Re: "I disagree that the man did not want to gain anything"

              I'd put my grammar nazi hat on, but I'll let the use of "preclude" slide for now.

              One might download a copy of some code in order to study it for further vulnerabilities. One cannot do that with a list of credit card numbers; they are readily usable for fraud but have no other particular use outside of purchases by their legitimate owner. That doesn't preclude (note usage) a 'good intentions' defence however... given the whole 'innocent until proven guilty' thing, so long as you don't have a whole load of searches from your IP address for things like 'selling credit card numbers' or 'credit card fraud for dummies' you might well find that you are merely punished for computer misuse.

              "The sentance may well have been disproportionate in the original case but the guy chose to take the risk, got burned and now has a criminal record because of it."

              Sentance, you say? Are you the OP? Anyway, I'm not disputing that he committed a crime and I don't object to him being punished for it. Presumably the number of downvotes suggests that there are a handful of commentards who cannot read or comprehend this, despite me saying it 3 times so far.

              Original sentence (note spelling) was a bit harsh. We agree on that. New sentence a bit more sensible. We agree on that. In fact, it doesn't matter even if we disagreed, because the Judge clearly feels the same way as I do about the issue. What Mr. Mangham could have done with the code, and how Facebook felt about the whole issue is quite irrelevant.

      3. Matt Bryant Silver badge
        Facepalm

        Re: He was still guilty.

        "....I don't recall hearing of any martial arts instructors assaulting strangers in the street and then offering to sell them lessons...." Stupid comparison. Martial arts instructors have to be licensed, have insurance, and be able to explain the law regarding their art, otherwise they don't get to teach, not legally anyway. This numpty obviously was too stupid to know the law, and definitely didn't bother following it.

        "....But you'll note there's that word 'appropriately' there...." LOL! I always laugh at that one when haxor wannabes spout it. They always say "it was a victimless crime, no-one got hurt", but they're usually the same type that think bankers should be hung.

    2. Blitterbug
      Headmaster

      Re: He was still guilty.

      "sentence"

      "their" thick heads

      "burglar"

    3. Anonymous Coward
      Anonymous Coward

      Re: He was still guilty.

      I find it quite incredible his evidence hasn't been used to take Facebook to the cleaners. We have laws for protecting sensitive data and FB store an awful lot of it on us Brits. If some undergraduate berk can penetrate their network over a couple of months, they might as well have admitted they've been wide open for every Tom, Dick and Vladimir.

      Personally I'd enjoy seeing their asses hauled over the coals.

      1. R. Williams
        Meh

        Re: He was still guilty.

        FYI, if you read the article in its entirety, you will see they stated that no personal data was compromised, just the source code.

  7. Anonymous Coward
    Anonymous Coward

    "The lopsided-extradition treaty is doing a marvellous job at ensuring British citizens are whisked off to cloud-cuckoo land to be buried in some desert for a few years."

    The Yanks think it is a perfectly viable treaty. Now if he had gone after Iranian nuclear fuel enrichment facilities then that's a different story.

    1. The Man Who Fell To Earth Silver badge
      FAIL

      Huh?

      "...ensuring British citizens are whisked off to cloud-cuckoo land to be buried in some desert for a few years..."

      I'm not aware of any British hackers who have been successfully extradited to the US. McKinnon, for example, is still in Britain. Seems if anything, the "lopsided-extradition treaty" is lopsided towards the citizen being extradited, as it should be.

      1. jonathanb Silver badge

        Re: Huh?

        The Natwest Three were. Not hackers, but they were extradited to America to face charges of defrauding Natwest Bank while working for them in London. They sold some shares to the bank which later turned out to be worthless having decided that it was probably a good idea to get rid of them before the price collapsed. The only American link in this alleged offence was that the shares were in a company called Enron.

        I'm guessing selling the shares to the bank means logging in to their Natwest Stockbroker account and clicking the sell button. Certainly, the English Department of Public Prosecution thought there was no case to answer.

      2. Thomas 4

        Re: Huh?

        Well that's okay then, if no-one's actually been extradited. Gary McKinnon has been having a nice, relaxing easy life arranging his schedule around lawyers, more lawyers and staring bankruptcy in the face to fight an extradition charge.

        1. Matt Bryant Silver badge
          FAIL

          Re: Re: Huh?

          "....Gary McKinnon has been having a nice, relaxing easy life...." Which raises two points - firstly, the positive discouragement of other skiddies to go messing with military systems; and secondly, the thought that if he was so sure of his innocence, Gary could just save himself a load of time, money and stress by just getting on a plane to the States....

  8. Anonymous Coward
    Anonymous Coward

    Still guilty

    and $200k is chump change for a forensic investigation.

    This is about 3 people for three weeks doing a forensic gig at somewhere that charges decent rates. He should start getting quotes and see if he could get it cheaper. That's before FB factor in the cost of providing staff to support the forensics, imaging software, disks etc etc etc.

    Probably just ruined his chances of getting a job in the security community. Mainly because he's obviously a whiny idiot.

  9. mark 63 Silver badge

    modest

    £200,000?

    seems like one of the more modest "Hacking damages" figures

    age 26? parents house? figures

  10. Atonnis

    Stupid git...

    ...got what he deserved.

    You don't hack into an individual or company's private data, source code or whatever. That's the spirit behind the law and you have to be an asshat to think that you're exempted because you claim you did it for benevolent purposes.

    He was either:

    a) Trying to impress his little asshat friends

    b) Deluding himself with the age-old story of how 'good hackers get £100K jobs as security experts'

    c) So twisted up in his own twisted spiral of sadness that he actually believed that it was his position and authority to crack someone else's software just to show them their mistakes - which also makes him an arrogant asshat.

  11. jason 7

    I'm impressed...

    ...not a mention of Aspergers or autism anywhere.

  12. The Jase

    "The undergraduate claimed throughout that his actions were motivated by a desire to help Facebook improve its security"

    Don't they all... after they are caught

  13. Jeff 11
    Thumb Down

    Hacking into a website without the owner's prior consent is not a benevolent activity, in any way shape or form. Had this ended with Facebook thanking him instead of reporting this to the FBI, his reputation, career and bank balance stood to benefit from *directly breaking criminal law* - in at least one country, possibly both the UK and US.

    The way to approach this problem isn't to hack first and ask questions later, it's to first obtain a formal agreement with the remote system's owners. If they won't give you one, too bad. They don't have to agree to expose themselves to any number of side effects of you trying to worm your way into their systems just to further your f***ing career.

    And $200k for a systems audit seems very very cheap to me given the extent of their infrastructure. Facebook ultimately have to thoroughly inspect this and any interconnected systems that trust the system he broke into.

  14. koolholio
    Go

    To be honest, He might have made Facebook fix their broken code!

    Whilst Facebook adds flashy features that most developers get a headache every month by being forced against their will to update their code... Facebook never seem to fix the broken portions of code... trying to 'run before you can walk' comes to mind with the Facebook platform.

    Whatever happened to Quality Control and Testing? Or would that deduct too much, or not fit in with a business continuity plan, from Mr Zuckerberg's gigantically generous income and outstanding leadership?

    1. Magnus_Pym

      Damages

      Given Facebook salaries, $200,000 dollars may have been calculated from the time Zuckerberg had to take off from his usual duties to shout "Sue him, Bitch".

  15. Instinct46
    Happy

    Instinct46

    Facebook are lucky. I mean look at the odds and the skills required to hack a highly public site... I mean I know it's easy depending on their security, but the fact remains this guy did it on his own and he did it without vandalism.

  16. pompurin

    Of course not using a proxy or Tor when hacking is the real WTF.

    Essentially a professional hacker with the right tools should never get caught.

    1. Anonymous Coward
      Anonymous Coward

      Always have to laugh.

      "use a proxy"

      Yup, take it you know who owns it and is looking at the logs.

      Just because they say it's anon, don't make it so....

  17. This post has been deleted by its author

  18. bpfh
    Devil

    @pompurin - I agree

    @pompurin

    So the guy is a security expert - but:

    - Does not get admin approval of act - or anyone else's approval for that matter

    - Holds onto source code until collar felt

    - Does not know how much a post-intrusion analysis can cost and what it entails

    - Did not realise that a big company can get nasty after an intrusion

    - Never went with anon's rule of wanting to get your behind behind a proxy

    - Worried that he may have torn up his chosen career path

    +1 for Darwin. One security idiot less in the world

  19. chris lively
    FAIL

    Sounds like what we call an "entitled brat".

    Sorry kids, you don't get to break into people's stuff and not pay the price of admission. The price here is that his chosen career is no longer available. Yes, doing stupid crap is a fineable offense punishable by screwing over the rest of your life. At this point he is unemployable as a security researcher because he has proven a distinct lack of morals; which is absolutely required for such sensitive positions.

    Oh, and $200k is nothing. Sounds like FB was trying to go easy on him.

  20. pcsupport

    Do the crime, do the time.

    Nuff said.

  21. Anonymous Coward
    WTF?

    Off topic

    First time I've voted in this here forum. What a horrible experience, voting takes you to a new page then you have to follow a link back. El reg should read up on some usability design!

    1. LinkOfHyrule
      Paris Hilton

      Re: Off topic

      We should ask this hacker bloke to hack into El Reg's source code for us and he can change it so we can vote on the same page!

      Paris, 'cus she's an expert in penetration testing.

  22. Anonymous Coward
    Anonymous Coward

    lopsided extradition?

    Remember that in this lopsided arrangement the US have NEVER blocked an extradition request from us. We have done the opposite, several times. Lopsided?

    1. Matt Bryant Silver badge
      Facepalm

      Re: lopsided extradition?

      Whilst I salute your attempt to educate, you have made the mistake of assuming that the sheeple either want to look up facts before making a judgement, or that they would let said facts get in the way of their frothing. The sheeple are happy to be led around just as long as they are told they're in the trendy herd.

    2. Magnus_Pym
      Facepalm

      Re: lopsided extradition?

      That could be because the British requests have to be accompanied by EVIDENCE therefore less likely to be spurious.
