18 months for incompetent opsec
The Register has covered a tutorial for this sort of thing already. If you must use someone else's business proposal, put it through the encheferizer first.
An engineer has been jailed for 18 months after admitting to stealing blueprints from his former employer's FTP server. Jason Needham, 45, of Arlington, Tennessee, USA, worked at engineering firm Allen & Hoshall until 2013, when he left to set up his own consultancy, HNA. But in the two years following his departure he hacked …
He took a copy. If not theft then what is it?
Making an unauthorised copy?
You're straying into a very old debate here. If I recall correctly, the argument against calling it theft is because it leaves the original in place and the owner is not deprived of the actual data; the argument "for" is that the copy is unauthorised and deprives the owner of the benefits of the original, such as the gains of exclusive use (in the case of company secrets such as the Coca-Cola formula) and/or the proceeds of resale of duly authorised copies.
In any case, it's not good.
It's needed for headline and outrage value. Politicians, for instance, don't deliver witty put-downs to colleagues, they "slam" "opponents".
Besides, to be really true to the word it should be called "cracking"; "hacking" got hijacked by an ignorant press incapable of distinguishing the one from the other.
They probably rotated through a few known ones, actually never bothered changing it, or had a formula they stuck to and he knew. Happens all over the place. If the password was S3cur1tyW0rd2 when he joined, and S3cur1tyW0rd7 when he left, for example, the "hack" would be simply trying S3cur1tyW0rd8, 9, 10, 11 etc.
"If the password was S3cur1tyW0rd2 when he joined, and S3cur1tyW0rd7 when he left, for example, the "hack" would be simply trying S3cur1tyW0rd8, 9, 10, 11 etc."
I've seen that practice in action, used for mainframe operators.
Mind you, that was in the days when systems weren't usually connected to t'internet.
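The "increment the suffix" rotation scheme described above is worth seeing from both sides: how few guesses it leaves an ex-employee, and how a password-change policy can refuse it. The following is an added example, not code from the original page or the article it discusses; the password history, the plain SHA-256 "stored hash", and the function names are all constructed for illustration (a real system would store a salted, slow hash, but the point about the candidate space is the same).

```python
import hashlib
import re

# Trailing run of digits = the "counter" people bump at rotation time.
SUFFIX_RE = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def split_suffix(password):
    """Return (stem, numeric suffix) or None if there is no trailing number."""
    m = SUFFIX_RE.match(password)
    return (m["stem"], m["num"]) if m else None


def guess_next_passwords(last_known, attempts=20):
    """Attacker's view: the successors of a known password under the
    'increment the trailing number' scheme, zero-padded to the same width."""
    parts = split_suffix(last_known)
    if parts is None:
        return []
    stem, digits = parts
    return [f"{stem}{int(digits) + i:0{len(digits)}d}" for i in range(1, attempts + 1)]


def sha256_hex(s):
    # Stand-in for whatever hash the server stores; constructed for the example.
    return hashlib.sha256(s.encode()).hexdigest()


def find_current_password(last_known, stored_hash, attempts=20):
    """How many guesses separate the password at departure from today's?
    Returns (password, guesses) or (None, attempts) if not found."""
    for n, candidate in enumerate(guess_next_passwords(last_known, attempts), start=1):
        if sha256_hex(candidate) == stored_hash:
            return candidate, n
    return None, attempts


def is_incremental_variant(old, new):
    """Defender's view: same stem, only the trailing number changed."""
    a, b = split_suffix(old), split_suffix(new)
    return a is not None and b is not None and a[0] == b[0] and a[1] != b[1]


def accept_new_password(history, new):
    """Policy check at rotation time: reject reuse and counter-style variants.
    `history` is the list of previous passwords (in practice, compare against
    stored hashes of candidate variants rather than keeping plaintext)."""
    for old in history:
        if new == old:
            return False, "reused"
        if is_incremental_variant(old, new):
            return False, f"incremental variant of a previous password ({old})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: S3cur1tyW0rd7 at departure, S3cur1tyW0rd11 today.
    stored = sha256_hex("S3cur1tyW0rd11")
    print(find_current_password("S3cur1tyW0rd7", stored))      # ('S3cur1tyW0rd11', 4)
    history = ["S3cur1tyW0rd2", "S3cur1tyW0rd3", "S3cur1tyW0rd7"]
    print(accept_new_password(history, "S3cur1tyW0rd12"))       # rejected
    print(accept_new_password(history, "ocean-parcel-lantern-42"))  # accepted
```

Four guesses is the whole "attack" in the constructed case. The policy side only works if the comparison is made against the full password history, not just the immediately previous value, since people also cycle back to earlier numbers.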
When I decide it's time to move on, the last thing I do is ask the company to change the passwords for everything I have access to and let them sign off that they changed them. I also erase any data I have retained from that company on anything private because it's not mine; it also prevents any later temptation :).
Certain things are just not worth keeping IMHO.
" I also erase any data I have retained from that company on anything private because it's not mine, also prevents any later temptation "
"Certain things are just not worth keeping IMHO"
This is a tricky one. On one hand I have a duty of care regarding the information collected during a period of employment with a company, on the other hand I have to keep records of the things I've said/done as part of that employment.
My compromise is to use triple encrypted* off-line storage that gets shoved in a safe. i.e. it isn't easily accessible, so no real temptation to use it (not saying it wouldn't be useful sometimes, hence why I make it difficult) but the information is there should it ever be required for evidence purposes.
*Files are password protected, folders are zipped/encrypted and then there's the whole disc encryption.
I've done similar, and with good reason - even just last week I had a request from a client of a business that I formerly owned for source code for a project that I had done - seems that their archive had come up missing or damaged.
Unfortunately, the WD external hard drive that has been locked in a cabinet for the last 10+ years wouldn't spin up when we tried, so it is off right now for data recovery. At least the recovery bill is less than the cost of re-writing the application, and I'm not the one footing the recovery bill. I just hope we can decrypt the files after recovery.
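The worry in the comment above, whether a recovered archive will still decrypt, can be answered before the drive goes into the cabinet and again when it comes out: record a manifest of ciphertext hashes plus a key check value derived from the passphrase, and verify both on a test restore. The following is an added example, not code from the original page; the archive file names, their contents and the passphrase are constructed, and the manifest format and function names are hypothetical. It uses only the Python standard library and deliberately does not do the encryption itself (use your disk/archive tool for that); it only checks that what you have is intact and that the passphrase you remember is the one you used.

```python
import hashlib
import hmac
import json
import os

# Slow KDF because the key check value, like the ciphertext itself, allows
# offline guessing. 200k iterations keeps the example quick; raise it in practice.
PBKDF2_ITERATIONS = 200_000
KCV_LABEL = b"archive-key-check"


def derive_key(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)


def key_check_value(key):
    """HMAC over a fixed label: proves knowledge of the key without revealing it."""
    return hmac.new(key, KCV_LABEL, "sha256").hexdigest()


def build_manifest(passphrase, files):
    """files: {name: ciphertext bytes}. Returns a JSON-serialisable manifest
    to store alongside the archive (and a copy somewhere else)."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    entries = {
        name: {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
        for name, data in files.items()
    }
    return {"salt": salt.hex(), "kcv": key_check_value(key), "files": entries}


def verify_archive(passphrase, files, manifest):
    """Return a list of problems; an empty list means every ciphertext is
    bit-for-bit intact and the passphrase matches the one used at archive time."""
    problems = []
    key = derive_key(passphrase, bytes.fromhex(manifest["salt"]))
    if not hmac.compare_digest(key_check_value(key), manifest["kcv"]):
        problems.append("passphrase does not match archive key check value")
    for name, meta in manifest["files"].items():
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif hashlib.sha256(data).hexdigest() != meta["sha256"]:
            problems.append(f"{name}: corrupted (sha256 mismatch)")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"{name}: not in manifest")
    return problems


if __name__ == "__main__":
    # Constructed stand-ins for encrypted archive members.
    archive = {"src.tar.enc": os.urandom(4096), "notes.enc": os.urandom(512)}
    manifest = build_manifest("correct horse battery staple", archive)
    print(json.dumps(manifest, indent=2))
    print(verify_archive("correct horse battery staple", archive, manifest))  # []
    damaged = dict(archive, **{"notes.enc": b"\x00" * 512})
    print(verify_archive("correct horse battery staple", damaged, manifest))
```

The manifest is safe to keep next to the archive: it reveals nothing an attacker with the ciphertext could not already brute-force, and it gives you a definite answer to "can I still decrypt this" before you pay for data recovery rather than after. Run the verification on a scheduled test restore, not only at archive time; a drive that has sat for ten years fails quietly.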
"This is a tricky one. On one hand I have a duty of care regarding the information collected during a period of employment with a company, on the other hand I have to keep records of the things I've said/done as part of that employment."
Probably a different kind of employment. The key is that you only retain data that you have explicit, written permission to retain and that there is provable containment in case data ever gets out, so you can prove it didn't come from you.
"I also erase any data I have retained from that company on anything private because it's not mine, also prevents any later temptation"
It's now been quite a while since I worked on customer kit, but back when I did, temptation wasn't the driving factor (I trust myself).
The driving factor was the thought of my own kit getting hacked or stolen.
It is the fault of the company for not locking him out. The managers should be fired/jailed for letting it happen.
I test my logons when I leave and frequently have to tell my previous employer to get their act together. I will now get them to sign off before I leave.
"It is the fault of the company for not locking him out. The managers should be fired/jailed for letting it happen."
If incompetence was an argument for a jail sentence, they'd have to start building extra jails in Washington and near Wall Street. Not that that is not a good idea, but the courts would not be able to handle the sheer volume of cases.
"This case shows that law enforcement officials throughout the Western District of Tennessee will work together to ensure that individuals participating in any criminal act will be brought to justice."
Isn't that basically just their job description? What exactly would be the point of a law enforcement department that refused to ever work as a team or to go after criminals? Does the state attorney really need to end every statement by saying "The fact this case exists shows we're not completely incompetent"?
Yes, the company obviously had crappy InfoSec; however, this doesn't put them at fault. If you leave your home unlocked, this doesn't mean anyone can enter it and browse through your possessions.
It's illegal to access any system you are not authorized to use in all 50 states. Regardless of how poor information security practices are.
You can always tell those who don't have a lot of information security experience. Just because the company you work for does this or that... doesn't mean it should be done by all companies. It's a bit stupid for a small company to spend 9 million dollars a year to protect assets worth 4 million. Good InfoSec isn't cheap; all businesses have to conduct a risk assessment and spend accordingly. Especially small businesses. Just having 8 good information security professionals can cost over 1 million a year, before good security hardware and software is purchased. Have you seen how much ONE good security router costs these days?
In this case, it seems like there was likely an insider assisting him with gaining access. Not uncommon in a small business environment.
"Yes, the company obviously had crappy InfoSec; however, this doesn't put them at fault. If you leave your home unlocked, this doesn't mean anyone can enter it and browse through your possessions."
Blame is not a zero-sum game. Sure, if you leave your house unlocked it's still illegal for someone to wander in and take your stuff. But your insurance company won't pay anything to cover the losses, because it absolutely is your fault that you left it unlocked. Exactly who shares what portion of the blame will obviously vary; with the example of the house the burglar is a criminal who should go to jail, while you've just been a bit stupid and will suffer some financial loss as a result. But just because one party was worse than the other doesn't mean that everyone else involved must be completely free of any blame.