After selling his site for millions, founder hacked it for a second payday "Operation Resume Hoard" was going well. Initiated around April 1, 2015, it represented David W. Kent's plan to build the membership of his oil and gas industry networking site Oilpro.com. Court documents indicate that Kent, 41, of Spring, Texas, USA, had a buyer in mind: DHI Group, the employment data biz that in 2010, when …
does human greed truly know no bounds?
I believe it is bound by the degree to which human stupidity extends, which is almost certainly infinite.
So no, no bounds really.
(If it wasn't for those pesky GET's*, he might have gotten away with it!)
*For our American cousins, 'GET' is a term of endearment for ones' offspring, i.e. Children :)
Interesting, they use a GET request no password just a publicly accessible URL added before they bought the company.
If it was put there intentionally as a feature, was it actually hacking?
This says more about the lack of security duediligence by the new owners than the hacking intentions of the former owner.
Need a lot of popcorn to watch this one.
"This says more about the lack of security duediligence by the new owners than the hacking intentions of the former owner."
What is with this always blame the victim mentality when it comes to hacking?
The former owner is a greedy unscrupulous b*stard who deliberately left a hidden back door in his software. Just because the new owners didn't find it straight-away doesn't make it their fault!
I change locks when I get a new house.
It's naive not to do basic security checks.
It's also a bit shocking they didn't notice copies of their database (they spent millions on) being systematically stolen.
What the chap did is clearly morally wrong...however douzens of chances to catch him were missed by lax management of systems and no basic security checks.
He could reasonably argue the url was a public feature from when he had the system and it was up to the new owner to decide it was no longer need...given what the new owner has missed already, it wouldn't suprise me if this url was documented and they missed it.
Sorry but this was not so much about changing the locks, in your analogy.
This was a case of the previous owner making one of the window latches look like it closed and locked, but in actual effect when pushed on just right, opened up like there was no latch.
Have you checked all of your windows in every available spot to make sure the previous occupant didnt do something similar? Of course not, and it wouldnt be considered normal practice for you to do that unless the previous occupant was known to be a dodgy bugger with a penchant for breaking back into his old houses.
A well built back door will be extremely well hidden, it's not something you will find unless your really lucky or it starts getting exploited.
This guy is a total bastard, and what surprises me is that they didnt try and get him on something premeditated. You dont build a back door into your system unless your planning to use it at a later date...
Possibly there are secondary effects (do idea what but could be things like being disbarred from owning companies or things like that) which kicjk in when you are "sentenced to a period of imprisonment longer than one year" so Judge wanted to ensure that those would apply.
Looks like one year means one year inside. However one year and one day could mean six months inside.
"In the United States federal system, only sentences of more than one year allow prisoners to obtain early release for good time while incarcerated"
https://en.wikipedia.org/wiki/Year_and_a_day_rule#As_a_sentence_for_felons
This list was available via a standard web request hence clearly not secured by either party, what happened to duty of care?
lglethal said "This was a case of the previous owner making one of the window latches look like it closed and locked, but in actual effect when pushed on just right, opened up like there was no latch.". No, it was a web get i.e. the standard pathway for information transfer so definitely a door and the require action you talk about was twisting the handle i.e. in the normal way not hidden at all except most people would assume you would lock it.
If the information had been passed directly from an employee then yes there would be a case of espionage but failing to confirm data security when it is a legal responsibility lies at the buyer's door after purchase.
Personally I have zero sympathy with either party and hope that the tax payer is not funding any of this stupidity
That guy was too greedy AND a bit stupid ...
1. Why did he steal email accounts in the first place, they are useless UNLESS you can coerce the account holder to register
2. Why did he try to sell the data to the same guy again???? knowing that he stole the accounts from him ... did he really think he could get away with that ????
There was reportedly a non-compete covenant which expired. Had the seller merely kept a backup of the database after the sale (not saying the contract would have allowed that, but surely, less risky than accessing the data from someone else's site), much of this could have been avoided. I'm also not saying that this would have been morally above board.
As far as the buyer is concerned (the second time around), one would think that part of the due-diligence routine would be to be reasonably assured that the Company was not paying for contact information already in his (its) possession.
I can't help but feel like we're only getting one facet of the story.
No sympathy for criminals.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
