He's lucky he wasn't extradited
I hear the Americans do that.
A UK man jailed for hacking into Facebook has vowed to rebuild his life – and his reputation – after winning an appeal against his sentence. Glen Steven Mangham, 26, from Acomb, near York, was jailed for eight months in February after he pleaded guilty to infiltrating the website's internal network between April and May last …
My guess is that FB being a private company doesn't warrant extradition but hacking the military does in the case of Gary McKinnon. White Collar crime vs "terrorism"/Embarrassing the U.S. State...
Would of been better for him to turn his skills to fixing bugs in Chrome, they pay you for that...
I missed that! If I could, I would down vote myself.
Maybe this is all happening because their ( or is it they're? or there? ) teachers didn't bother themselves, and somehow we are helping. Someone, somewhere.
Had I done something like that when I was learning English, I'd still be trying to get out of secondary school. Or whatever it's called over here in the UK, I honestly never spent too long trying to understand how education works.
Ah I did notice the grammatical error after posting it...I do forget that commentards post at their own risk here.
To all of El Reg, I humbly apologise for the error and will now go and sit in the corner.
On the bright side, if I only got down voted due to poor grammar I can live with that.
If somebody down voted you because of bad grammar, he or she would need to go out more maybe?
However, since there are people who down vote others' ( <- i hope I got that right myself this time! ) comments just because they say they own a phone and it works fine, I wouldn't worry too much about those who did :)
Cleanup costs are almost always exaggerated - you can't prosecute someone successfully if you have to admit that they gained access due to a dumb coding error or stupid server permission that took all of ten minutes to fix ...
So you add in the costs of the backups, the maintenance, the fact that the backup restore didn't work so you had to rebuild the server, and the costs to review your code to "check" that other security issues had not been uncovered ... and then you call in the security consultant and charge that cost to them too .... and finally send the bill to the insurance company. If you've padded it enough then you may even make money! Getting hacked can be a profit center.
If it took 5 or 6 Facebook employees a few months to wade through the mess figuring out how far the hacker got, what systems were compromised, what files they took, of what commercial value they were, fixing the hole, reimaging the system plus all the preparation for trial then I can see how they came to a figure of £200,000. That's a remarkably low figure really. It would be more dubious if they said a million or something else.
I don't feel sympathy for the guy really. Facebook has a bug bounty program. I'm sure they would be cool with people abiding the terms of that rather than just breaking in, mooching around for a while and then claiming after the fact when they're caught that their intentions were purely altruistic.
the bug bounty system on FB is no more than a PR stunt to infer that they're serious about soliciting outside fixes. If you have the power or nous to seriously embarrass, or the work that you'd have to do exceeds their terrible payment sums*, they aren't interested, which just leaves the door open for large-scale, clever blackhat hacks. I'm not terribly sympathetic to the guy either, but he's very pragmatic about what happened by all accounts, and regardless of the attitude I'm glad, as we all should be, that he's not on a flight to the US right now to be another subject of their for-profit incarceration machine.
*might be better now, they were frankly laughable when they were implemented
TL;DR: Glad he's not stateside, glad taxpayers aren't paying for a pointlessly long jail time. Kudos to the guy for being pragmatic and mature about the outcome.
"the bug bounty system on FB is no more than a PR stunt to infer that they're serious about soliciting outside fixes, "
It's funny how the website for that "PR stunt" provides a long list of people who have collected on their claims, presumably by acting within the guidelines laid down by Facebook.
It even states on that site that if you act in an ethical manner, disclosing the bug to Facebook and giving them reasonable time to fix it they will not seek prosecution. Clearly whatever this guy was doing fell WAY outside of that remit.
I can see how costs can easily hit that mark, with auditors, code review and so on.
However, most of those costs are costs incurred because FB made mistakes and should have been incurred anyway in the normal security process.
Real costs are things like, "what did he make unavailable that we *want to change back* and did we lose any income because of it." How much does it cost us to revert what he changed, not what he might have changed. If someone breaks into your house, you can't claim he cost you the price of a new security system, or that you had to hire someone to look through all your CDs to work out if he had ripped any while he was there.
I do have to chuckle though, FB complaining that someone was looking at things they wanted to keep private...
It's irony, b*^%$%
I agree, the guy's an idiot: he should have made soothing statements to keep Facebook off his back, and to help keep his employment prospects open. Instead, his latest responses don't really show him as being sorry/as having learned anything, instead he ends up looking like a dumb brat. (I shouldn't be surprised: in Uni I was surrounded by what seem to be his type: technically brilliant, but with the common sense/social skills of a dead badger!)
See, I have a problem with looking people up on the web for hiring reasons. My name for instance is more than a little common and the one time I gave a shit about checking to see what came up in my area I found out I was wanted for a bench warrant on a DWI charge.
The problem with that is it wasn't me. It was another person with the same name who lived in the same area as me who apparently also got his kicks off with assault and battery on women, burglary, grand theft etc etc.
The best part of this is that I knew about all this when I had to pay a speeding ticket and the judge brought all that up at the time. I'm standing there with my lawyer about as dumbfounded as you can get. Comments back and forth were these: Lawyer: "What didn't you tell me?" Me: "All this for a speeding ticket?"
It took the court about 15 minutes to figure out it wasn't me and another person. To top it all off the same lawyer calls me up about 4 months later saying there is a bench warrant for my arrest on a DWI charge. I hadn't been pulled over, let alone been in that area, for at least 6 months at that point.
So yeah, why look stuff up on someone online if the possibilities of a false positive or wrong person/right name can lead to you suddenly being a no hire for things you haven't done.
A reduction in sentance doesn't suddenly make him squeaky clean.
Why can't "hackers" get it into their thick heads..."I was doing it to highlight weaknesses"
Yup, just like the burglar broke into your house to prove you need better doors and locks;
The car thief that showed that your car needs a better immobiliser;
The mugger that shows you should have learned self defence.
There are right and wrong ways to do security testing, this was not the right way.
Your comparison with muggers and car thieves is rather daft. I don't recall hearing of any martial arts instructors assaulting strangers in the street and then offering to sell them lessons in order to prevent it happening again, which is the closest analogy to the sort of activities this guy was engaging in.
Sure, he broke the law and will be punished appropriately. But you'll note there's that word 'appropriately' there. He did not engage in theft, fraud or extortion, and should not be punished as if he had.
> He did not engage in theft, fraud or extortion, and should not be punished as if he had.
He stole the source code for the site and did not disclose it until police were knocking at his door (which was then when he chose to delete it)
Frankly I disagree that the man did not want to gain anything.
He certainly wanted to gain a job out of it and use it to that end, or was hoping that facebook would be like yahoo and financially reward him for it.
He hacked the network without permission (something a true white hat doesn't do and is also against the law) and also didn't inform Facebook of the hack or vulnerability at all until his arrest three weeks later.
Holding onto the source code for weeks without disclosing the bug is what caused Facebook to be so aggressive in court.
Ultimately the lesson here is: it's OK to be a white hat as long as you have permission to do your testing.
Read, comprehend, post, please. I did not say that he did not want to gain anything. I did not say he was innocent, I did not say that he had not broken the law, and I did not say that he did not deserve to be punished.
"He stole the source code for the site"
He *copied* the source code for the site, with the intention of using it to point out security flaws. There is no indication he intended to sell it or distribute it, or threaten to do so in order to extort money from Facebook.
"Holding onto the source code for weeks without disclosing the bug is what caused Facebook to be so aggressive in court."
No, they were justifiably upset because he backdoored them. The fact he sat on the code for so long indicates that he was in no rush to do anything with it, good or bad; this implies a certain amount of laziness or simply a casual attitude, not someone out for money or fame at any cost.
"Stealing necessitates the intention to permanently deprive the owner of his property."
He was done under the Computer Misuse Act which covers the offence of obtaining data without authorisation.
Perhaps some cases of lifting data could constitute theft, larceny, obtaining services by deception etc. For example, if I copied your customer database and put it up on the web then I've essentially deprived you of any value the original might have had.
Here's a funny thought - since Mangham's seen the Facebook code, he has seen the FB "secret sauce", and could therefore be unhireable by any software company. Why? Well, any company that did hire him runs the risk of FB suing them to look at any code developed with Mangham's input to make sure he hasn't reproduced that "secret sauce". There doesn't have to actually be any infringement, FB just has to send the legal beagles round to any future employer and the majority of them will roll over at the sight of the FB lawyer posse. Any that chose to go to court could be looking at a very expensive jaunt, whether they are innocent or not. In essence, if FB really want to, they can make this guy leave the software industry. Mangham should just shut up, apologise long and hard, and hope FB forgets about him.
We should not preclude that having a copy of this source code and not doing anything with it for 3 weeks proves his good intent.
When it comes to the source code that is Facebook's business, it is worth a lot of money to a lot of people (scammers, identity thieves, etc) and Facebook for their part had no idea what he was going to do with it as he didn't contact them to report the vulnerability that let him into their site before he was arrested.
Let me sit with a hard drive full of stolen *ahem* "copied" credit card data liberated from someone's database and then plead my intentions were honourable because I was looking for vulnerabilities at the time, I am sure in such a case nobody would be moved by making speeches of my 'good intentions'.
The sentance may well have been disproportionate in the original case but the guy chose to take the risk, got burned and now has a criminal record because of it.
I'd put my grammar nazi hat on, but I'll let the use of "preclude" slide for now.
One might download a copy of some code in order to study it for further vulnerabilities. One cannot do that with a list of credit card numbers; they are readily usable for fraud but have no other particular use outside of purchases by their legitimate owner. That doesn't preclude (note usage) a 'good intentions' defence however... given the whole 'innocent until proven guilty' thing, so long as you don't have a whole load of searches from your IP address for things like 'selling credit card numbers' or 'credit card fraud for dummies' you might well find that you are merely punished for computer misuse.
"The sentance may well have been disproportionate in the original case but the guy chose to take the risk, got burned and now has a criminal record because of it."
Sentance, you say? Are you the OP? Anyway, I'm not disputing that he committed a crime and I don't object to him being punished for it. Presumably the number of downvotes suggests that there are a handful of commentards who cannot read or comprehend this, despite me saying it 3 times so far.
Original sentence (note spelling) was a bit harsh. We agree on that. New sentence a bit more sensible. We agree on that. In fact, it doesn't matter even if we disagreed, because the Judge clearly feels the same way as I do about the issue. What Mr. Mangham could have done with the code, and how Facebook felt about the whole issue is quite irrelevant.
"....I don't recall hearing of any martial arts instructors assaulting strangers in the street and then offering to sell them lessons...." Stupid comparison. Martial arts instructors have to be licensed, have insurance, and be able to explain the law regarding their art, otherwise they don't get to teach, not legally anyway. This numpty obviously was too stupid to know the law, and definitely didn't bother following it.
"....But you'll note there's that word 'appropriately' there...." LOL! I always laugh at that one when haxor wannabes sprout it. They always say "it was a victimless crime, no-one got hurt", but they're usually the same type that think bankers should be hung.
I find it quite incredible his evidence hasn't been used to take Facebook to the cleaners. We have laws for protecting sensitive data and FB store an awful lot of it on us Brits. If some undergraduate berk can penetrate their network over a couple of months, they might as well have admitted they've been wide open for every Tom, Dick and Vladimir.
Personally I'd enjoy seeing their asses hauled over the coals.
"The lopsided-extradition treaty is doing a marvellous job at ensuring British citizens are whisked off to cloud-cuckoo land to be buried in some desert for a few years."
The Yanks think it is a perfectly viable treaty. Now if he had gone after Iranian nuclear fuel enrichment facilities then that's a different story.
"...ensuring British citizens are whisked off to cloud-cuckoo land to be buried in some desert for a few years..."
I'm not aware of any British hackers who have been successfully extradited to the US. McKinnon, for example, is still in Britain. Seems if anything, the "lopsided-extradition treaty" is lopsided towards the citizen being extradited, as it should be.
The Natwest Three were. Not hackers, but they were extradited to America to face charges of defrauding Natwest Bank while working for them in London. They sold some shares to the bank which later turned out to be worthless having decided that it was probably a good idea to get rid of them before the price collapsed. The only American link in this alleged offence was that the shares were in a company called Enron.
I'm guessing selling the shares to the bank means logging in to their Natwest Stockbroker account and clicking the sell button. Certainly, the English Department of Public Prosecution thought there was no case to answer.
"....Gary McKinnon has been having a nice, relaxing easy life...." Which raises two points - firstly, the positive discouragement of other skiddies to go messing with military systems; and secondly, the thought that if he was so sure of his innocence, Gary could just save himself a load of time, money and stress by just getting on a plane to the States....
and $200k is chump change for a forensic investigation.
This is about 3 people for three weeks doing a forensic gig at somewhere that charges decent rates. He should start getting quotes and see if he could get it cheaper. That's before FB factor in the cost of providing staff to support the forensics, imaging software, disks etc etc etc.
Probably just ruined his chances of getting a job in the security community. Mainly because he's obviously a whiny idiot.
...got what he deserved.
You don't hack into an individual or company's private data, source code or whatever. That's the spirit behind the law and you have to be an asshat to think that you're exempted because you claim you did it for benevolent purposes.
He was either:
a) Trying to impress his little asshat friends
b) Deluding himself with the age-old story of how 'good hackers get £100K jobs as security experts'
c) So twisted up in his own twisted spiral of sadness that he actually believed that it was his position and authority to crack someone else's software just to show them their mistakes - which also makes him an arrogant asshat.
Hacking into a website without the owner's prior consent is not a benevolent activity, in any way shape or form. Had this ended with Facebook thanking him instead of reporting this to the FBI, his reputation, career and bank balance stood to benefit from *directly breaking criminal law* - in at least one country, possibly both the UK and US.
The way to approach this problem isn't to hack first and ask questions later, it's to first obtain a formal agreement with the remote system's owners. If they won't give you one, too bad. They don't have to agree to expose themselves to any number of side effects of you trying to worm your way into their systems just to further your f***ing career.
And $200k for a systems audit seems very very cheap to me given the extent of their infrastructure. Facebook ultimately have to thoroughly inspect this and any interconnected systems that trust the system he broke into.
Whilst Facebook adds flashy features that most developers get a headache every month by being forced against their will to update their code... Facebook never seem to fix the broken portions of code... trying to 'run before you can walk' comes to mind with the Facebook platform.
Whatever happened to Quality Control and Testing? Or would that deduct too much, or not fit in with a business continuity plan, from Mr Zuckerberg's gigantically generous income and outstanding leadership?
@pompurin
So the guy is a security expert - but:
- Does not get admin approval of act - or anyone else's approval for that matter
- Holds onto source code until collar felt
- Does not know how much a post-intrusion analysis can cost and what it entails
- Did not realise that a big company can get nasty after an intrusion
- Never went with anon's rule of wanting to get your behind behind a proxy
- Worried that he may have torn up his chosen career path
+1 for Darwin. One security idiot less in the world
Sounds like what we call an "entitled brat".
Sorry kids, you don't get to break into people's stuff and not pay the price of admission. The price here is that his chosen career is no longer available. Yes, doing stupid crap is a fineable offense punishable by screwing over the rest of your life. At this point he is unemployable as a security researcher because he has proven a distinct lack of morals; which is absolutely required for such sensitive positions.
Oh, and $200k is nothing. Sounds like FB was trying to go easy on him.
Whilst I salute your attempt to educate, you have made the mistake of assuming that the sheeple either want to look up facts before making a judgement, or that they would let said facts get in the way of their frothing. The sheeple are happy to be led around just as long as they are told they're in the trendy herd.