Brit student locked up for Facebook source code hack

A British computer science student was jailed for eight months on Friday for hacking into the internal network at Facebook. Glenn Mangham, 26, previously pleaded guilty to hacking into the social networking site between April and May last year. The incident created a flap at Facebook amid fears that hackers were attempting to …

COMMENTS

  1. Bumpy Cat
    FAIL

    Proxies

    People never learn ... proxy several times or don't try at all.

    1. Anonymous Coward
      Anonymous Coward

      Re: Proxies

      I believe that the correct method has always been NEVER to hack from home...

      1. Peter2 Silver badge

        Re: Re: Proxies

        I believe that the correct method has always been NEVER to hack a network that you aren't being paid to do penetration testing on, with signed paperwork attesting that from their network manager.

        Unless you're willing to do some jail time if and when entire teams of people just as good or better than you are decide to track you down and pass your info to the police.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: Re: Proxies

          How many police in the world are able to track someone who is borrowing someone else's wireless internet service?

          1. Daniel 4

            Re: Re: Re: Re: Proxies

            "How many police in the world are able to track someone who is borrowing someone else's wireless internet service?"

            We know of at least one company that built a huge wifi database that included MAC and physical address correlations, even if they did get slapped down for it (Google, I'm looking at you). It's not a big stretch to see police using such information in high profile cases.

            -d

      2. Anonymous Coward
        Anonymous Coward

        Re: Re: Proxies

        Hack from someone else's wireless connection. Works for me.

    2. Anonymous Coward
      Anonymous Coward

      Re: Proxies

      He should have been behind at least 7 proxies.

    3. Anonymous Coward
      Anonymous Coward

      Re: Proxies

      Proxy as many times as you like, I bet every single one has logs about who is connecting and from where. Unless it's in a country relatively unfriendly to the US they will give them up when the Feds come knocking.

      1. Wize

        Re: Re: Proxies

        Or, better still, don't use your own connection at all.

        So many unlocked wifi points out there to choose from.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: Re: Proxies

          So many unlocked wifi points out there to choose from.

          Don't forget to spoof your MAC address

    4. Lockwood

      Re: Proxies

      "People never learn ... proxy several times or don't try at all."

      And make InterNIC your first hop?

  2. Andrew Moore
    Thumb Down

    Really?!?!?

    "software blueprints"????

    Surely you mean "source code".

    1. dotdavid
      Thumb Up

      Re: Really?!?!?

      Unless Facebook keep their source code on blueprints? That would be awesome.

      Hopefully in a bunker tastefully lit with concealed blue lighting. Oh, and some of those laser beam tripwires. And a tank full of sharks.

    2. Anonymous Coward
      Anonymous Coward

      Re: Really?!?!?

      I suspect "software blueprints" really means process flowcharts, specification documentation etc.

      You may have the source code, but it's going to take a hell of a lot more work to interpret it, without the documentation that says how it hangs together and why.

      1. Anonymous Coward
        Happy

        Re: Re: Really?!?!?

        Actually if Facebook is like every other software company, what they have is sparse documentation that vaguely says how it was intended to hang together before they started coding it.

  3. Anonymous Coward
    Anonymous Coward

    Someone give this guy a job, $200,000 on the case, what a waste of money. The MET are useless when it comes to cyber crime and digital forensics, take it from someone who has experience with them.

    1. Peter2 Silver badge
      Thumb Down

      No. You don't give criminals a job just because they broke the law. In fact, it's a reason not to give them a job. The very fact a person has illegally hacked a computer shows that they are not suitable for working in IT because it demonstrates a lack of integrity and moral fibre. It also demonstrates that you can't trust them, a not insubstantial point when working in any non sandboxed position of trust in operations, security, or any job where you work with sensitive material.

      Secondly, giving criminals jobs because they are criminals is stupid. It's encouraging people to break the law for their own gain. Not only is it stupid for that reason, but it would be disadvantageous and insulting to the law abiding (and more competent) people to hire an incompetent "hacker" who firstly broke the law and secondly got caught doing it.

      1. Arkasha

        @Peter2

        Oh really? What about Frank Abagnale Jr then?

        I know of one person who was given a choice of being charged or working as a security consultant. He's now a very respected member of the security world and gives many lectures and talks on the subject of network security. He did it because "he could" and because he had nothing better to do. There wasn't any malicious intent and he's one of the most trustworthy people I know.

        As he put it: "would you rather your security was designed by someone who knew the theory of security or the practice?" Using people who've been caught in the act is more common than you'd imagine and has to be the ultimate definition of rehabilitation.

        1. Alfred

          Known crims working for me? No thanks.

          The majority of criminals who work somewhere do not use their expertise to prevent crime - if they use it, they use it to carry out crime. Far more people help themselves from the till than turn in their workmates for doing so.

        2. JDX Gold badge

          Re: @Peter2

          >>As he put it: "would you rather your security was designed by someone who knew the theory of security or the practice?" Using people who've been caught in the act is more common than you'd imagine and has to be the ultimate definition of rehabilitation.

          Hiring someone who was once a criminal is one thing. Hiring a current criminal is another.

      2. Jedit
        FAIL

        "You don't give criminals a job just because they broke the law"

        Setting a thief to catch a thief is more common than you know. I was going to provide anecdotal evidence of my local police using a guy with a B&E conviction as an official locksmith, but decided against it because it's just anecdotal. Then, with perfect timing, this appeared:

        http://www.bbc.co.uk/news/uk-england-leeds-17075027

        For those who can't be bothered clicking, West Yorkshire Police employ an ex-burglar as a consultant on crime prevention tactics.

        1. Anonymous Coward
          Anonymous Coward

          Re: "You don't give criminals a job just because they broke the law"

          I strongly suspect he had done his time and had a spent conviction - this is rather different to employing someone who is known to have committed crimes and not been convicted, or who has not spent their conviction.

        2. Jan 0
          Thumb Up

          @Jedit

          Thank you. You are a true gentleman. The first poster I've seen (anywhere/anywhen) to actually summarise what their link is pointing at.

  4. Anonymous Coward
    Anonymous Coward

    Pfft

    Should just release their crappy code now seeing as they were such pricks about it. Surely if he wasn't above board and wanted "money or who knows what could happen" we'd have heard about it.

  5. Joseph Haig

    Facebook would do well to employ this guy instead of prosecuting him. He clearly knows better than any of their current security team what needs to be tightened up.

    1. JDX Gold badge

      >>Facebook would do well to employ this guy instead of prosecuting him. He clearly knows better than any of their current security team what needs to be tightened up.

      That their security team not only detected his intrusion but tracked him back to his bedroom suggests they're not exactly useless.

      1. Anonymous Coward
        Anonymous Coward

        Indeed

        The fact that a target as big as Facebook isn't lying in a big heap of 0wned code is probably something of a testament to their I should imagine daily and un-ending work.

  6. Ottman001
    WTF?

    I'm not trying to question the outcome of this trial (his attempts to cover his tracks were always going to go down badly in a court of law) BUT... have a look at these words of Judge McCreath quoted on the BBC site:

    "The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I'm afraid a prison sentence is inevitable."

    Doesn't this suggest that Judge McCreath doesn't know what he is talking about? The security flaw existed before Mangham found it and it is the responsibility of Facebook to put it right regardless of if it has been exploited or not. If Mr Mangham's actions cost Facebook anything, it'll be the legal costs they incurred in order to shoot the messenger. Facebook surely have all liability for the consequences of any insecurities in their own system?

    1. Anonymous Coward
      Anonymous Coward

      I sort of agree, but...

      Whilst I agree that the flaw in Facebook's security is their problem, this is not the correct way to bring it to their attention.

      For instance, you go to bed at night, and you forget to shut your back door.

      1) Your neighbour wakes you up by calling your phone or ringing the doorbell, you get up, thank them and shut and lock the door.

      2) Someone else enters your house, takes photos of you and your family asleep and later emails them to you with a note saying "by the way, you forgot to lock your door"

      Clearly 1 is legal and 2 is not. This gentleman's actions, whilst (probably) good intentioned are more like 2 than they are like 1.

      IMO.

      1. Mystic Megabyte Silver badge
        Unhappy

        Re: I sort of agree, but...

        It's too late, the law has been subverted so that if I even take a photograph of your open back door I will be done for copyright theft. No puns intended.

        Facebook have joined my ever increasing list of companies that I will have nothing to do with.

      2. Ottman001

        Re: I sort of agree, but...

        I agree.

        As I said, I'm not questioning the outcome of the trial because 1) I'm not exactly legally qualified 2) I don't believe that I know all of the facts about the case.

        I merely take exception to the judge justifying the sentence with a load of made up nonsense.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: I sort of agree, but... (from original AC)

          Ah, I see what you're saying here. Yes indeed the cost of putting the security flaw right should fall on Facebook, however, there is the cost of the investigation by various agencies plus any time Facebook had to spend on it. None of which would apply had the individual contacted Facebook immediately saying "here is a flaw in your security, it would allow access to source code if I wanted it, I used this flaw at (list of dates / times) in order to confirm this."

          Still not really legal, but would at least give him significantly more mileage in his "I was going to tell them, honest" defence.

          Also, as has been said by others, definitely NOT the way to get someone to want to give you a job.

          1. Ottman001

            Re: Re: Re: I sort of agree, but... (from original AC)

            "however, there is the cost of the investigation by various agencies"

            Very good point. I hadn't considered that.

            Yes, obviously he absolutely should have let them know of the vulnerability immediately, especially considering he went on to use the "I was going to tell them, honest" defence.

            At least he didn't (by which I mean that I haven't read) dump the code into pastebin or make it easily and readily available in some other way. If he'd have done that, the judge would be absolutely correct in that he created new risk. We don't know how he did store the source code so the judge may still be correct in this point.

            I'll just shut up now then :)

            1. Anonymous Coward
              Anonymous Coward

              Re: Re: Re: Re: I sort of agree, but... (from original AC)

              Well, I'll have the last word (as if!). The way you tell them depends on how willing they are to listen. I'm sure it still happens that of these various online businesses in which security is critical, there are plenty who ignore you, ignore your report, until you force them to take notice in one imaginative way or other. Unlike the dodos who get taken by email scams and you suspect anyone that stupid won't learn any other way, said businesses who just ignore security are - whether legally, or only morally - themselves committing a crime. You know, like the various government departments who just repeatedly spunk our private data into the public domain and, because the taxpayer gets penalized for it, never learn. I certainly won't assume Facebook is blameless any more than I do that this guy was acting benevolently.

      3. Jason Bloomberg Silver badge
        Headmaster

        Re: I sort of agree, but...

        "Clearly 1 is legal and 2 is not."

        Except 2 is not necessarily illegal of itself. There might be a case for 'protection of privacy' in your example but that's debatable and we can take that out of the equation if you replace the analogy with someone sitting in your unlocked car taking their photos of its equipment and then emailing them to you.

        The up-votes suggest a lot of people think it would be illegal. Being greatly shocked by what has transpired doesn't necessarily make for a crime.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: I sort of agree, but... @Jason

          If it is not illegal to wander around someone else's house without permission regardless of whether the door was left open / unlocked, then it bloody well should be!

          1. Anonymous Coward
            Anonymous Coward

            Re: Re: Re: I sort of agree, but... @Jason

            You mean an unlocked door isn't an open invitation? 'snot exactly "breaking and entering" now, is it if the door's already open? And while it might be trespass, that's "only" a civil offence... (I think)

            So what are your views on open wifi? If that's not an open invitation (quite literally, it is being broadcast after all) then I don't know what is. I suspect that some individuals may still try the house analogy though.

            1. JimC Silver badge

              Re: Re: Re: Re: I sort of agree, but... @Jason

              No, of course an unlocked door isn't an open invitation. An Open invitation is where there's a bloody great sign saying "please come in". The only way an open wifi would be an open invitation would be if it said so in the damn network name.

              Some of you people really badly need to go to ethics classes...

              1. APA
                Mushroom

                Re: Re: Re: Re: Re: I sort of agree, but... @Jason

                I was trying to highlight fallacy of comparing break in and entering/burglary/trespass against anything in the digital realm - the two just don't correlate and the overly simplistic analogies are quite misleading. Though I do believe the above discussion was really to do with poacher-turned-gamekeeper scenarios and how effective they can be. In this case, I'm not sure that applies for the very simple reason HE GOT CAUGHT! That rules you out of "cyber mastermind" in my book and so you certainly shouldn't be offered jobs, leniency (you know what you were doing) etc. Give the hypothetical job to a cracker with a clean record because that means either he's A) trustworthy or B) really good. You won't see it coming in either case...

                In Britain there are two laws that cover this general area, the Computer Misuse Act which concerns the access and use of machines without permission but there's also the Data Protection Act which addresses companies' responsibility to look after their collected data, i.e. personal information about US and how they're accountable; register with the ICO and report any breaches (Sadly they don't seem to have any teeth and IMO there should be associated penalties, see the ICO's own FAQ http://goo.gl/M5I6X). Nevertheless, Facebook should treat their user information with the utmost respect. Sure, in this case no data was actually taken but next time they might not be so lucky. The next infraction might not be so well intentioned, consequently they should take advice from wherever they can get it (unpaid - see first paragraph) or else face charges of negligence/incompetence (now if that isn't illegal, it should be).

                Just putting up a sign saying "do not enter" is not security, systems actually do have to be, well... secure. To the point of openly challenging the white hats to take their best shot. Only then can the general public be confident that their details are being looked after properly.

                Go on. Flame me.

                1. JimC Silver badge

                  > Just putting up a sign saying "do not enter" is not security

                  Well, yes it is. Because it delineates the point at which you become one of the bad guys. Anyone who goes past that sign has crossed the line at which they become of concern to the security infrastructure. Of course in almost all cases a greater level of security is required, but ultimately you almost certainly can't keep a bad guy with sufficient resources* out, so it's a question of achieving an appropriate balance. Anyone who believes in absolute security is rather charmingly naive.

                  -----------------------

                  *

                  "You and whose army?"

                  "My army. This one, with the guns, and tanks, and helicopters, and missiles, and nuclear submarines"

                  "Oh, that army. In that case I can't stop you from gaining physical access to the server."

                  1. This post has been deleted by its author

                  2. APA

                    Re: > Just putting up a sign saying "do not enter" is not security

                    "Well, yes it is. Because it delineates the point at which you become one of the bad guys. Anyone who goes past that sign has crossed the line at which they become of concern to the security infrastructure."

                    Yes, it proves that a line has been crossed, that you've knowingly done something that you shouldn't have.

                    No, it's irresponsible if you're holding sensitive information on behalf of someone else and rely on people's good will not to cross a line, especially once you've told them it's there.

                    Isn't relying on the legal position to follow up an attack a case of "shutting the stable door after the horse has bolted"? The damage has already been done and that data is now in the wild regardless as to whether the perpetrator is banged up or not. I'd rather it wasn't leaked in the first place.

        2. Charles Manning

          Re: Re: I sort of agree, but...

          It has nothing to do with privacy. Just entering a building without reasonable cause is a crime.

          In all the countries I have lived, there are laws against breaking and entry, these being separate crimes.

          Defined approximately as follows:

          "Breaking" means gaining access to a building via any use of force, even the slightest amount. If a door is open but ajar and the door is pushed wider open, then that is considered use of force and constitutes "breaking".

          "Entering" means entering without reasonable cause.

          I'm pretty sure UK uses these definitions too.

          Entering a building and taking pictures of people while they sleep would certainly fail the "reasonable cause" test.

    2. Anonymous Coward
      Anonymous Coward

      Yes indeed. But this is merely the latest example of cluster fuckwittery between an Internet company and an ignorant, lazy judicial system. Once again the contestant with the deepest pocket wins all.

      Really Facebook deserves to have its shitty source spread about for all to see. (Assuming of course they didn't just cobble the whole thing out of open source projects in the first place and the only secret bit is some Perl script.)

    3. Blofeld's Cat

      "The security flaw existed before Mangham found it..."

      Yes the security flaw that allowed Mangham in, already existed.

      It appears however that the judge was referring to the additional risk Mangham created by downloading the source code from the secure Facebook network.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        @Blofeld's Cat

        The quoted BBC article doesn't suggest that.

        1. friedegg03
          Facepalm

          Re: @Blofeld's Cat

          It does:

          Ex-burglar Peter Findlay said snapping the lock was "simpler and quicker".

          Mr Findlay, who now works with police to help them with crime prevention tactics

    4. Martyns
      Trollface

      What has Facebook got to hide?

      Indeed, and no one has asked why Facebook are so determined to hide their code. There's little doubt that Facebook trample privacy, could it be the beast has more to hide? I bet if the judge wanted a proper investigation into this affair it would have been blocked.

  7. Hans Upp
    Black Helicopters

    Well, surely the FBI would immediately demand his extradition to Gitmo, to which the UK govt would be only too happily fawning to do?

    I mean, hacking facebook must pose a huge threat to world peace.

    No wait, who ever said the yanks were interested in world peace, there's money to be made. Pah!

    1. Anonymous Coward
      Anonymous Coward

      While that would be their normal tactic, the FBI haven't heard of The Face Book because they're all still using MySpace

  8. Blofeld's Cat
    Holmes

    Hmm...

    Without getting into the black, grey or white hat issue...

    It's nice to see somebody accused of hacking a US computer system, from the UK, tried and sentenced in the UK.

  9. Anonymous Coward
    Anonymous Coward

    CPS

    I see the CPS had no trouble pursuing this "villain", meanwhile, how's the case against Phorm + BT going? Oh, there isn't one?

  10. Anonymous Coward
    Anonymous Coward

    To those supporting him...

    ...can you let me know your address?

    I'll come round with a sledge hammer, put in a window and nick your telly. No doubt you won't phone the police as I'm only highlighting a weakness in your security.

    1. . 3

      Bad metaphor

      that is. Are you a policeman?

    2. Anonymous Coward
      Anonymous Coward

      Re: To those supporting him...

      Facebook is a bit more exposed of a target than your private home. It's vulnerable to anyone with an internet connection and holds a lot of sensitive data, not just yours. It's more like you have been asked to store important details of a few billion people and you leave it in plain sight ... behind a window.

      1. Anonymous Coward
        Anonymous Coward

        Re: Re: To those supporting him...

        Yes, but no.

        Yes on your point about it being more than just an individual's data.

        No, on your point about it being more at risk. Facebook isn't vulnerable to anyone with an internet connection, Facebook is vulnerable to anyone with an internet connection and the skills to breach network security.

        A window of your house is vulnerable to anyone able to walk up to it (or even roll up to it in a wheel chair, I'm all for equal opportunities burglary) and open or smash it.

        I think we can agree that smashing glass is a somewhat simpler skill set than cracking network security.

        1. LaeMing Silver badge
          Trollface

          Re: To those supporting him...

          Hmmm. I live on the second floor. And good luck finding the stairwell. Most couriers can't!

    3. Anonymous Coward
      Anonymous Coward

      Re: To those supporting him...

      That'll be fun!

      You won't _believe_ the reception you'll get.

  11. g e

    "extract the software blueprints"

    Well, there's no way anyone would want the UI 'blueprints' for sure...

    1. amanfromearth

      Re: "extract the software blueprints"

      But I think you'll agree.. they Are blue

  12. Anonymous Coward
    Anonymous Coward

    I don't understand all this anger towards the guy. Better he exposes a lax security policy than someone who is truly dangerous. In my view Facebook should be fined for the lax policy! If companies are to be trusted with my data then they should be actively encouraging this kind of behaviour with bounties on success. This way round only the true criminals will have the data and the systems remain insecure hiding behind legal defence instead of a proper one. AC for obvious reasons.

    1. Anonymous Coward
      Anonymous Coward

      So...

      Are you offering to pay people to break in to your house then?

  13. Eponymous Cowherd
    Unhappy

    Great British Justice?

    Given that:-

    "The prosecution accepted that Mangham's actions were not maliciously intended but said they were unauthorised."

    8 months in the slammer seems a bit extreme seeing that I regularly read reports in the local rag of muggers getting community service and probation, even for repeat offences.

    It seems that crimes committed against "big business" by the little people is viewed by the courts as much more serious than crimes committed against the little people by big business.

    Undergraduate hacks Fartbook. That's serious. Have some jail time.

    BT Hacks 1000's of customers (Phorm). Nothing to see here. Move along.

    Joe blogs fiddles his income tax for a few £hundred. That's serious. Have some jail time.

    Vodafone fiddles its tax bill to the tune of £6 billion? We'll forget about that, shall we?

    1. Christoph Silver badge

      Re: Great British Justice?

      You mess with Facebook's data - 8 months jail.

      Facebook messes with everybody's data - tough luck.

    2. dephormation.org.uk
      Holmes

      Re: Great British Justice?

      "The prosecution accepted that Mangham's actions were not maliciously intended but said they were unauthorised."

      On that particular point, I seem to recall the claim that there was "no criminal intent" being considered sufficient to excuse BT and Phorm Directors from any and all responsibility to obtain authorisation before covert interception, copyright theft, computer misuse, and fraud.

      Yet the BT/Webwise affair caused economic harm to the businesses affected (by industrial espionage) and privacy harm to the individuals (by unauthorised surveillance and disclosure to a 3rd party).

      So one rule for Ian Livingston, and another rule for Mangham?

    3. JimC Silver badge
      Megaphone

      Re: Great British Justice?

      It often seems to me that the legal system - at least at the lower courts type level - comes down rather harder on people who've had a reasonable background, education and the like than it does on some hapless little scrote who's never even been exposed to the concept of right, let alone had the opportunity to consider the philosophical differences between right and wrong.

      I'm not entirely sure that's wrong...

  14. JaitcH
    Happy

    Security and No Deportation

    Given the amount of data FB has given away or leaked it is hard to imagine they even employ security, other than on toilet cubicles.

    What I find interesting is "reported to the FBI, which passed the case over to the British police" which is what they should have done with all cases involving crime committed on British soil even if targeting any other country.

    France does it best - Our Citizens, Our Courts.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security and No Deportation

      Hard to believe FB have anything worth stealing that hasn't already been published!

    2. Matt Bryant Silver badge
      Facepalm

      Re: Security and No Deportation

      Yawn @ your poorly-veiled reference to McKinnon. Big difference - McKinnon hacked US military servers (with malicious intent), whereas Mangham hacked a social-networking site (with stupid intent). If Mangham had been dumb enough to try this recruitment stunt on US military servers he'd very likely have soon been sharing a plane across the Atlantic with McKinnon.

      ".....France does it best - Our Citizens, Our Courts." Glad you mentioned it, JaitcH, as neither McKinnon or Mangham are Fwench, so you can go join the Fwench in minding their own business.

  15. Anonymous Coward
    Anonymous Coward

    is it just me

    or is there something inherently bizarre about the idea of "hacking" something described as "social media" ?

    1. Anonymous Coward
      Anonymous Coward

      Re: is it just me

      "Sharing is the new default, mlud".

  16. JohnG

    Irony

    How much time did Facebook's founder serve for hacking into a private network at Harvard and harvesting student IDs for his new social network?

  17. JetSetJim Silver badge
    Stop

    McKinnon precedent?

    Surely he should be extradited after 10 years of appeals and whatnot to potentially suffer decades in the fed pen...

    Or maybe the example is being set as precedent for yet further appealings by the McKinnon camp...

    1. Anonymous Coward
      Anonymous Coward

      Re: McKinnon precedent?

      No, it just shows that Gary McKinnon would have been let out after only a few months if he hadn't listened to all those legal advisors with political motives.

      As is, he's been strung along in a nightmare for 10 years. For him, it should have been over and done with years ago.

  18. Titus Technophobe
    WTF?

    Punishment

    I do think that the punishment for these 'crimes' is too harsh. Well harsh is the wrong word. I think the punishment is wrong. Bring back the stocks, sit him in the town to be humiliated by the locals, this is both cheaper, and aids rehabilitation.

    1. Atonnis
      Stop

      Re: Punishment

      Only if we get to take pictures of it and put them up on Facebook!

      1. LaeMing Silver badge
        Alert

        Re: Punishment

        I read that as "humiliated by the lolcats".

        Too... much... internet...!

  19. Ru
    Meh

    "grave incident of social media hacking"

    I'm not quite sure why this was labelled as 'media hacking', though to be honest I'm not even sure I know what that means (Alan Sokal style, perhaps?). More importantly, to label this as a 'grave incident' is particularly egregious, given that the guilty party does not seem to have attempted to access user information, payment mechanisms or even tried to sell the source code he stole.

    To call this 'grave' isn't quite as daft as confusing burglary with trespass, but it is close. It is a shame that the legal profession can't resist hyperbole either.

    Still, 8 months inside will do him good; seems like a fairly minor sentence and with any luck it'll send a message to others like him.

  20. Jeff 11

    I think the law stands on hacking where it does because if it wasn't this punitive, it'd be open season on people (at least in the West) breaking into systems and causing untold damage. It's the same as tax evasion; if the punitive aspects were less severe, more people would be inclined to try, and that could result in a huge loss for the government and the repercussions of that would hit the honest taxpayer.

    Most systems on the web just aren't secure, and never will be, because of the layers of complexity that get built on top and between them, and the pace at which web development now occurs. And, unfortunately, the barrier to entry to break into these systems is pretty low for even a mediocre developer. With those risks in mind, I think a jail term is quite appropriate...

  21. David 66

    "In sentencing, Judge Alistair McCreath told Mangham his actions were anything but far from harmless"

    That's a relief! I thought there'd been some harm.

  22. Hooksie
    Pirate

    This guy's not the problem.....

    IP is. It's been mentioned recently around the relaunch of IPv6. Internet Protocol was never EVER designed to be used in the way that it is and the very fact that you CAN spoof an IP address or MAC address and use these methods to hack into a system proves that greater security is needed all over the internet.

    I personally feel that the guy deserved to be punished for the crime he committed but the allusions above to it being analogous to house breaking are utterly ridiculous. But as another person mentioned above, he is likely to get a tap on the shoulder at some point to come and 'consult' for some security firm. If the guy could hack into Facebook, which we all know isn't a case of just guessing someone's password, then he is likely to be highly skilled and have a deep understanding of how the underlying technology of the internet works. Unlike some of you.

    1. Anonymous Coward

      Re: This guy's not the problem.....

      You can spoof an IP address, sure, but good luck "hacking" with that. Since you're totally disregarding the concept of, oh, I don't know, how TCP and UDP work. Additionally, MAC addresses have really nothing to do with IP.

      Additionally, I don't believe he deserves to be punished. Better he exploits and fixes a hole than someone with malicious intentions does. It's funny, how safe and secure people think they are if they "punish the hackers", the guys who usually turn themselves in and/or admit everything.

      Protip: It's the mercenaries in the employ of organised crime that you need to be worried about.

    2. Vic

      Re: This guy's not the problem.....

      > Internet Protocol was never EVER designed to be used in the way that it is

      Errr - yes it was. It was designed to be used in *exactly* the way it currently is.

      > you CAN spoof an IP address

      You can, with a little bit of effort. What do you think that gains you? Hint: how are you going to get any replies with a spoofed IP address?

      > or MAC address

      And MAC addresses propagate over the Internet, do they?

      There are many *real* reasons for poor security on the Internet. We really don't need you making any up.

      Thanks muchly.

      Vic.

      1. Hooksie

        Re: Re: This guy's not the problem.....

        Errr - yes it was. It was designed to be used in *exactly* the way it currently is.

        Errr, no it wasn't. When the first IP standards were set nobody thought for a second that we would have an internet connection on a watch and this is why IP creaked and cracked, hence IPv6. If IP was designed for its current use case then why is IPv6 needed??

        No, MAC addresses don't propagate over the internet, I was just pointing out that people who know what they're doing can change just about anything in a computing environment. I'm not a network engineer, just a Windows one so I don't profess to know everything there is to know about TCP/UDP except for what they stand for. I'm just saying that the very fact you are ABLE to do these things shows that the infrastructure isn't fit for purpose.

        1. Vic

          Re: Re: Re: This guy's not the problem.....

          > this is why IP creaked and cracked

          *IP* has done no such thing.

          IPv4 has run out of addresses. Not because it's being used differently than was envisaged at design time - just that it has become more widespread than is supported by that version. But the IP header deliberately has a version number for exactly this reason - so that it can be replaced as the system grows.

          > If IP was designed for its current use case then why is IPv6 needed??

          IPv4 is IP. IPv6 is IP. IPv6 is needed because IPv4 doesn't hold enough addresses. But both are IP, and neither has anything to do with the intrusion for which you claimed them to be responsible earlier in the thread.

          > I'm not a network engineer,

          We'd never have guessed...

          > I'm just saying that the very fact you are ABLE to do these things shows that the infrastructure isn't fit for purpose.

          And I'm saying that your saying that shows how little you know in this field. Really - IP and MAC spoofing have almost nothing[1] whatsoever to do with network intrusion.

          Vic.

          [1] I've qualified this because some of these games can be useful on a LAN; I frequently use ARP-spoofing attacks to debug network issues without having to make a physical intercept. But once you're on the WAN, they're irrelevant.
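The point made in the replies above about spoofed source addresses, as an added example that is not part of any commenter's post: a toy model of the TCP three-way handshake in which the server's SYN-ACK is routed to the claimed address, so a sender who spoofs never sees the server's initial sequence number. `ToyServer`, `attempt_handshake` and the addresses are constructed for illustration; this is not a real TCP stack and it assumes the sender is not on the path of the reply.

```python
import secrets

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around


class ToyServer:
    """Minimal model of a TCP listener's three-way handshake state."""

    def __init__(self, rng=secrets.randbits):
        self.rng = rng            # source of the initial sequence number (ISN)
        self.half_open = {}       # claimed source -> (client ISN, server ISN)
        self.established = set()

    def on_syn(self, claimed_src, client_isn):
        server_isn = self.rng(32)
        self.half_open[claimed_src] = (client_isn, server_isn)
        # The SYN-ACK is routed to the address in the packet, whoever sent it.
        return {"to": claimed_src, "seq": server_isn, "ack": (client_isn + 1) % MOD}

    def on_ack(self, claimed_src, seq, ack):
        state = self.half_open.pop(claimed_src, None)
        if state is None:
            return False
        client_isn, server_isn = state
        ok = seq == (client_isn + 1) % MOD and ack == (server_isn + 1) % MOD
        if ok:
            self.established.add(claimed_src)
        return ok


def attempt_handshake(server, real_src, claimed_src, blind_guess=0):
    """Return True if the sender ends up with an established connection."""
    client_isn = secrets.randbits(32)
    syn_ack = server.on_syn(claimed_src, client_isn)
    if syn_ack["to"] == real_src:
        ack = (syn_ack["seq"] + 1) % MOD   # reply reached us: we know the ISN
    else:
        ack = blind_guess % MOD            # reply went elsewhere: we must guess
    return server.on_ack(claimed_src, (client_isn + 1) % MOD, ack)


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    server = ToyServer()
    print("honest :", attempt_handshake(server, "192.0.2.10", "192.0.2.10"))
    print("spoofed:", attempt_handshake(server, "192.0.2.10", "198.51.100.7"))
```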

  23. ilithium

    Question is - will Facebook try to extradite him to the U.S.?

  24. Anonymous Coward

    Too Bad

    Phuck around, go to prison.

  25. m0r1arty
    IT Angle

    Didn't Facebook ask for this?

    Pretty sure about a year ago there was a request from Facebook for users to find flaws in their system and report them, to them, for a cash prize.

    1. JDX Gold badge

      Re: Didn't Facebook ask for this?

      Maybe, but the *report them* part is kind of important.

  26. Anonymous Coward

    Denial is not a river in Egypt

    http://www.msnbc.msn.com/id/46453605/ns/technology_and_science-security/

  27. Anonymous Coward

    8 Months?? For this?!?

    FFS What a fuss over f*ck all... so what if someone hacked FB? Is it like the Pentagon now? The wrong people already have your information if you're on Facebook ;)

    You can beat someone half to death and get less. Priorities? I see....

    1. Anonymous Coward

      Re: 8 Months?? For this?!?

      The message should be clear. If you're a dumbarse hacker, you will go to jail.

  28. Climbing Kid

    Would this really have got this far had it not been a big business involved? Sentencing seems extreme; jail time for suspected hack with no malicious intent.

    In other news, the UK lets suspected terrorists out to walk the streets because we cannot jail or deport them! Our government cannot bang up criminals yet big business do just fine.

    CC

  29. Anonymous Coward

    Law of unintended consequences

    Putting him in prison was the single most fuckwittedly stupid thing the court could do. That way it is guaranteed that he comes to the attention of criminal gangs that will be able to put his skills to serious gain. And unless he particularly likes hospital visits for him and his family then the only thing he'll be arguing is the size of his share.

    1. Matt Bryant Silver badge
      FAIL

      Re: Law of unintended consequences

      "Putting him in prison was the single most fuckwittedly stupid thing the court could do....." Yes, because punishing crims is just wrong.... If you can't do the time, don't do the crime. Part of the justice system is prevention, and locking up one skiddie will probably deter quite a few more from following his stupid example. Letting them off with a few strong words would not.

      ".....That way it is guaranteed that he comes to the attention of criminal gangs....." Yes, but his parole terms (after much less than the 8 months) will also include lovely terms about not mixing with known criminals, and he will be on the Coppers' watch list. Any naughtiness and he'll be straight back inside. That's if he doesn't end up as an informant, which is what a lot of the convicted hackers end up as (http://www.theregister.co.uk/2011/06/07/hacker_snitches/).

      1. Anonymous Coward

        Re: Re: Law of unintended consequences

        Of the 8 months, he'll serve 4 (possibly a bit less.) Then only 4 months on parole. Once the 8 months is up his sentence is fully served and he can consort with whomever he likes. For a criminal gang on the scent of multi-millions this is hardly a long-term project.

  30. Anonymous Coward

    Boo Hoo

    Not very brilliant to hack unless you need some place with free room and board for the next 8 months or more.

  31. Anonymous Coward

    Dumber than a rock

    If he's dumb enough to hack, he's dumb enough to go to jail. Maybe he'll have some Anon members joining him soon?
