back to article Engineer gets 18 months in the clink for looting ex-bosses' FTP server

An engineer has been jailed for 18 months after admitting to stealing blueprints from his former employer's FTP server. Jason Needham, 45, of Arlington, Tennessee, USA, worked at engineering firm Allen & Hoshall until 2013, when he left to set up his own consultancy, HNA. But in the two years following his departure he hacked …

  1. Flocke Kroes Silver badge

    18 months for incompetent opsec

    The Register has covered a tutorial for this sort of thing already. If you must use someone else's business proposal, put it through the encheferizer first.

    1. Flakk

      Re: 18 months for incompetent opsec

      Not to mention that it's probably really amazingly bad OpSec to illegally access a system directly from your home Internet connection.

  2. Phil W

    Hacking?

    Not entirely convinced this was "hacking" as it is labelled in the article. The company say they rotated passwords but I think the reality is they didn't or at least not for all accounts.

    1. Mark 110

      Re: Hacking?

      Might not be hacking as such, but its definitely theft!!

      1. Doctor Syntax Silver badge

        Re: Hacking?

        "its definitely theft"

        It definitely isn't.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hacking?

          Mark 110: "its definitely theft"

          Doctor Syntax: "It definitely isn't."

          Basic definition of "theft": taking something that doesn't belong to you without the owner's permission.

          1. John Brown (no body) Silver badge

            Re: Hacking?

            "Basic definition of "theft": taking something that doesn't belong to you without the owner's permission."

            The operative word being "taking" as opposed to "making a copy of". On the other hand, maybe he "stole" customers and business as a result of making copies of the file?

            1. Anonymous Coward
              Anonymous Coward

              Re: Hacking?

              He took a copy. If not theft then what is it?

              1. Anonymous Coward
                Anonymous Coward

                Re: Hacking?

                He took a copy. If not theft then what is it?

                Making un unauthorised copy?

                You're straying into a very old debate here. If I recall correctly, the argument against calling it theft is because it leaves the original in place and the owner is not deprived of the actual data, the argument "for" is that the copy is unauthorised and deprives the owner of benefits of the original such as the gains of exclusive use (in case of company secrets such as the coca cola formula) and/or proceeds of resale of duly authorised copies.

                In any case, it's not good.

      2. TheVogon

        Re: Hacking?

        "but its definitely theft!!"

        Common misconception thanks to the copyright cartels, but it most definitely isn't. If not clear why, please see:

        https://www.youtube.com/watch?v=IeTybKL1pM4

    2. Anonymous Coward
      Anonymous Coward

      Re: Hacking?

      It's needed for headline and outrage value. Politicians, for instance, don't deliver witty put-downs to colleagues, they "slam" "opponents".

      Besides, to be really word true it should be called "cracking", "hacking" got highjacked by an ignorant press incapable of distinguishing the one from the other.

    3. rmason

      Re: Hacking?

      They probably rotated through a few known ones, actually never bothered changing it, or had a formula they stuck to and he knew. Happens all over the place. If the password was S3cur1tyW0rd2 when he joined, and S3cur1tyW0rd7 when he left, for example the "hack" would be simply trying S3cur1tyW0rd8 ,9,10,11 etc

      1. Wensleydale Cheese

        Re: Hacking?

        If the password was S3cur1tyW0rd2 when he joined, and S3cur1tyW0rd7 when he left, for example the "hack" would be simply trying S3cur1tyW0rd8 ,9,10,11 etc

        I've seen that practice in action, used for mainframe operators.

        Mind you, that was in the days when systems weren't usually connected to t'internet.

    4. Doctor Syntax Silver badge

      Re: Hacking?

      "The company say they rotated passwords but I think the reality is they didn't or at least not for all accounts."

      Probably just kept sending password reset emails to his old account.

    5. TheVogon

      Re: Hacking?

      "Not entirely convinced this was "hacking""

      I'm pretty sure unauthorised access counts as hacking...or computer misuse at least.

    6. bombastic bob Silver badge
      Pirate

      Re: Hacking?

      "The company say they rotated passwords"

      except for the 'back door', apparently

  3. Anonymous Coward
    Anonymous Coward

    I force password changes to protect myself

    When I decide it's time to move on, the last thing I do is ask the company to change passwords to all I have access to and let them sign off that they changed them. I also erase any data I have retained from that company on anything private because it's not mine, also prevents any later temptation :).

    Certain things are just not worth keeping IMHO.

    1. Anonymous Coward
      Anonymous Coward

      Re: I force password changes to protect myself

      " I also erase any data I have retained from that company on anything private because it's not mine, also prevents any later temptation "

      "Certain things are just not worth keeping IMHO"

      This is a tricky one. On one hand I have a duty of care regarding the information collected during a period of employment with a company, on the other hand I have to keep records of the things I've said/done as part of that employment.

      My compromise is to use triple encrypted* off-line storage that gets shoved in a safe. i.e. it isn't easily accessible, so no real temptation to use it (not saying it wouldn't be useful sometimes, hence why I make it difficult) but the information is there should it ever be required for evidence purposes.

      *Files are password protected, folders are zipped/encrypted and then there's the whole disc encryption.

      1. Anonymous Coward
        Anonymous Coward

        Re: I force password changes to protect myself

        I've done similar, and with good reason - even just last week I had a request from an client of a business that I formerly owned for source code for a project that I had done - seems that their archive had come up missing or damaged.

        Unfortunately, the WD External hard drive that has been locked in a cabinet for the last 10+ years wouldn't spin up when we tried, so it is off right now for data recovery. At least the recovery bill is less than the cost of re-writing the application, and I'm not the one footing the recovery bill.. I just hope we can decrypt the files after recovery.

      2. Steve Aubrey

        Re: I force password changes to protect myself

        Triple-encrypted: I put then through ROT-13 three times, and then once more for good measure.

      3. Anonymous Coward
        Anonymous Coward

        Re: I force password changes to protect myself

        This is a tricky one. On one hand I have a duty of care regarding the information collected during a period of employment with a company, on the other hand I have to keep records of the things I've said/done as part of that employment.

        Probably a different kind of employment. Key is that you only retain data that you have explicit, written permission to retain and that there is provable containment in case data ever gets out so you can prove it didn't come from you..

    2. Wensleydale Cheese

      Re: I force password changes to protect myself

      "I also erase any data I have retained from that company on anything private because it's not mine, also prevents any later temptation"

      It's now been quite a while since I worked on customer kit, but back when I did, temptation wasn't the driving factor (I trust myself).

      The driving factor was the thought of my own kit getting hacked or stolen.

    3. Doctor Syntax Silver badge
      Devil

      Re: I force password changes to protect myself

      "Certain things are just not worth keeping IMHO."

      Alternatively, get it out ahead of time.

  4. John Smith 19 Gold badge
    FAIL

    ¬ enough pride not to do it. Too arrogant (or no skillz) to think he won't get caught.

    Not a great set of character traits on display here.

    Would you trust this guy to do some engineering for you?

  5. Potemkine! Silver badge

    Low level flying

    The IP address Needham used to illegally access the inbox was logged, and traced back to Needham's home internet connection.

    That guy clearly doesn't deserve to be called an 'engineer'!

    1. John Brown (no body) Silver badge

      Re: Low level flying

      "That guy clearly doesn't deserve to be called an 'engineer'!"

      Why would knowing which end of the screwdriver or spanner to hold while not knowing about infosec stop him from being an engineer?

  6. Anonymous Coward
    Anonymous Coward

    Incompetence of the highest order.

    It is the fault of the company for not locking him out. The managers should be fired/jailed for letting it happen.

    I test my logons when I leave and frequently have to tell my previous employer to get their act together. I will now get them to sign off before I leave.

    1. Anonymous Coward
      Anonymous Coward

      Re: Incompetence of the highest order.

      It is the fault of the company for not locking him out. The managers should be fired/jailed for letting it happen.

      If incompetence was an argument for a jail sentence, they'd have to start building extra jails in Washington and near Wall Street. Not that that is not a good idea, but the courts would not be able to handle the sheer volume of cases.

      1. John Brown (no body) Silver badge
        Coat

        Re: Incompetence of the highest order.

        "If incompetence was an argument for a jail sentence, they'd have to start building extra jails in Washington and near Wall Street."

        Or just build one big wall and massively invasive searches on all the visitors entering.

    2. Anonymous Coward
      Anonymous Coward

      Also incompetence on his end

      I mean, he was accessing it directly from his home IP address? No VPN or Tor? Stupid criminal!

    3. Anonymous Coward
      Anonymous Coward

      Re: Incompetence of the highest order.

      "The managers should be fired/jailed for letting it happen."

      Incompetence has become a jailable offense? I get to lead the posse cuz I've got a rope!

  7. Cuddles

    "This case shows that law enforcement officials throughout the Western District of Tennessee will work together to ensure that individuals participating in any criminal act will be brought to justice."

    Isn't that basically just their job description? What exactly would be the point of a law enforcement department that refused to ever work as a team or to go after criminals? Does the state attorney really need to end every statement by saying "The fact this case exists shows we're not completely incompetent"?

    1. Mark 85

      Ever notice that the canned spiel by any prosecutor always sounds like it's a "form" speech with a few words changed? Personally, I thing El Reg could just drop them from their articles. They add nothing except some self-serving ego boast to the prosecutor.

      1. Steve Aubrey

        My guess is that El Reg is offering them up as a sort of ironic postscript.

        "The horse left the barn - again - and we got it back. Again!!"

  8. Aodhhan

    It's not the company's fault.. yeeesh.

    Yes, the company obviously had crappy InfoSec; however, this doesn't put them at fault. If you leave your home unlocked, this doesn't mean anyone can enter it and browse through your possessions.

    It's illegal to access any system you are not authorized to use in all 50 states. Regardless of how poor information security practices are.

    You can always tell those who don't have a lot of information security experience. Just because the company you work for does this or that... doesn't mean it should be done by all companies. It's a bit stupid for a small company to spend 9 million dollars a year to protect assets worth 4 million. Good InfoSec isn't cheap; all businesses have to conduct a risk assessment and spend accordingly. Especially small businesses. Just having 8 good information security professionals can cost over 1 million a year, before good security hardware and software is purchased. Have you seen how much ONE good security router costs these days?

    In this case, it seems like there was likely an insider assisting him with gaining access. Not uncommon in a small business environment.

    1. Doctor Syntax Silver badge

      Re: It's not the company's fault.. yeeesh.

      That may be how it's seen in the US. The EU & UK seem to be taking a different view, at least in some situations: https://www.theregister.co.uk/2017/08/08/critical_infrastructure_firms_threatened_with_huge_fines_for_lax_security/

    2. Anonymous Coward
      Anonymous Coward

      Re: It's not the company's fault.. yeeesh.

      As an employee you have a duty of care. The current and ex-employees failed in this respect.

    3. Cuddles

      Re: It's not the company's fault.. yeeesh.

      "Yes, the company obviously had crappy InfoSec; however, this doesn't put them at fault. If you leave your home unlocked, this doesn't mean anyone can enter it and browse through your possessions."

      Blame is not a zero-sum game. Sure, if you leave your house unlocked it's still illegal for someone to wander in and take your stuff. But your insurance company won't pay anything to cover the losses, because it absolutely is your fault that you left it unlocked. Exactly who shares what portion of the blame will obviously vary; with the example of the house the burglar is a criminal who should go to jail, while you've just been a bit stupid and will suffer some financial loss as a result. But just because one party was worse than the other doesn't mean that everyone else involved must be completely free of any blame.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not the company's fault.. yeeesh.

        I'd still fire them, just to encourage the others.

  9. EJ

    "This case shows that law enforcement officials throughout the Western District of Tennessee will work together..."

    Seems to me if that's noteworthy then it must be unusual, and that should be concerning. What, do they usually feud with each other?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon