
Proxies
People never learn ... proxy several times or don't try at all.
A British computer science student was jailed for eight months on Friday for hacking into the internal network at Facebook. Glenn Mangham, 26, previously pleaded guilty to hacking into the social networking site between April and May last year. The incident created a flap at Facebook amid fears that hackers were attempting to …
I believe that the correct method has always been NEVER to hack a network that you aren't being paid to do penetration testing on, with signed paperwork attesting to that from their network manager.
Unless you're willing to do some jail time if and when entire teams of people just as good as or better than you decide to track you down and pass your info to the police.
"How many police in the world are able to track someone who is borrowing someone else's wireless internet service?"
We know of at least one company that built a huge wifi database that included MAC and physical address correlations, even if they did get slapped down for it (Google, I'm looking at you). It's not a big stretch to see police using such information in high profile cases.
-d
No. You don't give criminals a job just because they broke the law. In fact, it's a reason not to give them a job. The very fact a person has illegally hacked a computer shows that they are not suitable for working in IT because it demonstrates a lack of integrity and moral fibre. It also demonstrates that you can't trust them, a not insubstantial point when working in any non sandboxed position of trust in operations, security, or any job where you work with sensitive material.
Secondly, giving criminals jobs because they are criminals is stupid. It's encouraging people to break the law for their own gain. Not only is it stupid for that reason, but it would be disadvantageous and insulting to the law-abiding (and more competent) people to hire an incompetent "hacker" who firstly broke the law and secondly got caught doing it.
Oh really? What about Frank Abagnale Jr then?
I know of one person who was given a choice of being charged or working as a security consultant. He's now a very respected member of the security world and gives many lectures and talks on the subject of network security. He did it because "he could" and because he had nothing better to do. There wasn't any malicious intent and he's one of the most trustworthy people I know.
As he put it: "would you rather your security was designed by someone who knew the theory of security or the practice?" Using people who've been caught in the act is more common than you'd imagine and has to be the ultimate definition of rehabilitation.
>>As he put it: "would you rather your security was designed by someone who knew the theory of security or the practice?" Using people who've been caught in the act is more common than you'd imagine and has to be the ultimate definition of rehabilitation.
Hiring someone who was once a criminal is one thing. Hiring a current criminal is another.
Setting a thief to catch a thief is more common than you know. I was going to provide anecdotal evidence of my local police using a guy with a B&E conviction as an official locksmith, but decided against it because it's just anecdotal. Then, with perfect timing, this appeared:
http://www.bbc.co.uk/news/uk-england-leeds-17075027
For those who can't be bothered clicking, West Yorkshire Police employ an ex-burglar as a consultant on crime prevention tactics.
>>Facebook would do well to employ this guy instead of prosecuting him. He clearly knows better than any of their current security team what needs to be tightened up.
That their security team not only detected his intrusion but tracked him back to his bedroom suggests they're not exactly useless.
I'm not trying to question the outcome of this trial (his attempts to cover his tracks were always going to go down badly in a court of law) BUT... have a look at these words of Judge McCreath quoted on the BBC site:
"The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I'm afraid a prison sentence is inevitable."
Doesn't this suggest that Judge McCreath doesn't know what he is talking about? The security flaw existed before Mangham found it and it is the responsibility of Facebook to put it right regardless of whether it has been exploited or not. If Mr Mangham's actions cost Facebook anything, it'll be the legal costs they incurred in order to shoot the messenger. Facebook surely have all liability for the consequences of any insecurities in their own system?
Whilst I agree that the flaw in Facebook's security is their problem, this is not the correct way to bring it to their attention.
For instance, you go to bed at night, and you forget to shut your back door.
1) Your neighbour wakes you up by calling your phone or ringing the doorbell, you get up, thank them and shut and lock the door.
2) Someone else enters your house, takes photos of you and your family asleep and later emails them to you with a note saying "by the way, you forgot to lock your door"
Clearly 1 is legal and 2 is not. This gentleman's actions, whilst (probably) good-intentioned, are more like 2 than they are like 1.
IMO.
Ah, I see what you're saying here. Yes indeed the cost of putting the security flaw right should fall on Facebook; however, there is the cost of the investigation by various agencies plus any time Facebook had to spend on it. None of which would apply had the individual contacted Facebook immediately saying "here is a flaw in your security, it would allow access to source code if I wanted it, I used this flaw at (list of dates / times) in order to confirm this."
Still not really legal, but would at least give him significantly more mileage in his "I was going to tell them, honest" defence.
Also, as has been said by others, definitely NOT the way to get someone to want to give you a job.
"however, there is the cost of the investigation by various agencies"
Very good point. I hadn't considered that.
Yes, obviously he absolutely should have let them know of the vulnerability immediately, especially considering he went on to use the "I was going to tell them, honest" defence.
At least he didn't (by which I mean that I haven't read that he did) dump the code onto Pastebin or make it easily and readily available in some other way. If he'd done that, the judge would be absolutely correct in that he created new risk. We don't know how he did store the source code so the judge may still be correct on this point.
I'll just shut up now then :)
Well, I'll have the last word (as if!). The way you tell them depends on how willing they are to listen. I'm sure it still happens that of these various online businesses in which security is critical, there are plenty who ignore you, ignore your report, until you force them to take notice in one imaginative way or other. Unlike the dodos who get taken by email scams and you suspect anyone that stupid won't learn any other way, said businesses who just ignore security are - whether legally, or only morally - themselves committing a crime. You know, like the various government departments who just repeatedly spunk our private data into the public domain and, because the taxpayer gets penalized for it, never learn. I certainly won't assume Facebook is blameless any more than I do that this guy was acting benevolently.
"Clearly 1 is legal and 2 is not."
Except 2 is not necessarily illegal of itself. There might be a case for 'protection of privacy' in your example but that's debatable and we can take that out of the equation if you replace the analogy with someone sitting in your unlocked car taking their photos of its equipment and then emailing them to you.
The up-votes suggest a lot of people think it would be illegal. Being greatly shocked by what has transpired doesn't necessarily make for a crime.
You mean an unlocked door isn't an open invitation? 'snot exactly "breaking and entering" now, is it if the door's already open? And while it might be trespass, that's "only" a civil offence... (I think)
So what are your views on open wifi? If that's not an open invitation (quite literally, it is being broadcast after all) then I don't know what is. I suspect that some individuals may still try the house analogy though.
No, of course an unlocked door isn't an open invitation. An open invitation is where there's a bloody great sign saying "please come in". The only way an open wifi would be an open invitation would be if it said so in the damn network name.
Some of you people really badly need to go to ethics classes...
I was trying to highlight the fallacy of comparing breaking and entering/burglary/trespass against anything in the digital realm - the two just don't correlate and the overly simplistic analogies are quite misleading. Though I do believe the above discussion was really to do with poacher-turned-gamekeeper scenarios and how effective they can be. In this case, I'm not sure that applies for the very simple reason HE GOT CAUGHT! That rules you out of "cyber mastermind" in my book and so you certainly shouldn't be offered jobs, leniency (you know what you were doing) etc. Give the hypothetical job to a cracker with a clean record because that means either he's A) trustworthy or B) really good. You won't see it coming in either case...
In Britain there are two laws that cover this general area: the Computer Misuse Act, which concerns the access and use of machines without permission, but there's also the Data Protection Act, which addresses companies' responsibility to look after their collected data, i.e. personal information about US, and how they're accountable; register with the ICO and report any breaches (Sadly they don't seem to have any teeth and IMO there should be associated penalties, see the ICO's own FAQ http://goo.gl/M5I6X). Nevertheless, Facebook should treat their user information with the utmost respect. Sure, in this case no data was actually taken but next time they might not be so lucky. The next infraction might not be so well intentioned, consequently they should take advice from wherever they can get it (unpaid - see first paragraph) or else face charges of negligence/incompetence (now if that isn't illegal, it should be).
Just putting up a sign saying "do not enter" is not security, systems actually do have to be, well... secure. To the point of openly challenging the white hats to take their best shot. Only then can the general public be confident that their details are being looked after properly.
Go on. Flame me.
Well, yes it is. Because it delineates the point at which you become one of the bad guys. Anyone who goes past that sign has crossed the line at which they become of concern to the security infrastructure. Of course in almost all cases a greater level of security is required, but ultimately you almost certainly can't keep a bad guy with sufficient resources* out, so it's a question of achieving an appropriate balance. Anyone who believes in absolute security is rather charmingly naive.
-----------------------
*
"You and whose army?"
"My army. This one, with the guns, and tanks, and helicopters, and missiles, and nuclear submarines"
"Oh, that army. In that case I can't stop you from gaining physical access to the server."
"Well, yes it is. Because it delineates the point at which you become one of the bad guys. Anyone who goes past that sign has crossed the line at which they become of concern to the security infrastructure."
Yes, it proves that a line has been crossed, that you've knowingly done something that you shouldn't have.
No, it's irresponsible if you're holding sensitive information on behalf of someone else and rely on people's good will not to cross a line, especially once you've told them it's there.
Isn't relying on the legal position to follow up an attack a case of "shutting the stable door after the horse has bolted"? The damage has already been done and that data is now in the wild regardless as to whether the perpetrator is banged up or not. I'd rather it wasn't leaked in the first place.
It has nothing to do with privacy. Just entering a building without reasonable cause is a crime.
In all the countries I have lived, there are laws against breaking and entry, these being separate crimes.
Defined approximately as follows:
"Breaking" means gaining access to a building via any use of force, even the slightest amount. If a door is open but ajar and the door is pushed wider open, then that is considered use of force and constitutes "breaking".
"Entering" means entering without reasonable cause.
I'm pretty sure UK uses these definitions too.
Entering a building and taking pictures of people while they sleep would certainly fail the "reasonable cause" test.
Yes indeed. But this is merely the latest example of cluster fuckwittery between an Internet company and an ignorant, lazy judicial system. Once again the contestant with the deepest pocket wins all.
Really Facebook deserves to have its shitty source spread about for all to see. (Assuming of course they didn't just cobble the whole thing out of open source projects in the first place and the only secret bit is some Perl script.)
Indeed, and no one has asked why Facebook are so determined to hide their code. There's little doubt that Facebook trample privacy, could it be the beast has more to hide? I bet if the judge wanted a proper investigation into this affair it would have been blocked.
Facebook is a somewhat more exposed target than your private home. It's vulnerable to anyone with an internet connection and holds a lot of sensitive data, not just yours. It's more like you have been asked to store important details of a few billion people and you leave it in plain sight ... behind a window.
Yes, but no.
Yes on your point about it being more than just an individuals data.
No, on your point about it being more at risk. Facebook isn't vulnerable to anyone with an internet connection, Facebook is vulnerable to anyone with an internet connection and the skills to breach network security.
A window of your house is vulnerable to anyone able to walk up to it (or even roll up to it in a wheelchair, I'm all for equal opportunities burglary) and open or smash it.
I think we can agree that smashing glass is a somewhat simpler skill set than cracking network security.
I don't understand all this anger towards the guy. Better he exposes a lax security policy than someone who is truly dangerous. In my view Facebook should be fined for the lax policy! If companies are to be trusted with my data then they should be actively encouraging this kind of behaviour with bounties on success. This way round only the true criminals will have the data and the systems remain insecure hiding behind legal defence instead of a proper one. AC for obvious reasons.
Given that:
"The prosecution accepted that Mangham's actions were not maliciously intended but said they were unauthorised."
8 months in the slammer seems a bit extreme seeing that I regularly read reports in the local rag of muggers getting community service and probation, even for repeat offences.
It seems that crimes committed against "big business" by the little people is viewed by the courts as much more serious than crimes committed against the little people by big business.
Undergraduate hacks Fartbook. That's serious. Have some jail time.
BT hacks thousands of customers (Phorm). Nothing to see here. Move along.
Joe Bloggs fiddles his income tax for a few £hundred. That's serious. Have some jail time.
Vodafone fiddles its tax bill to the tune of £6 billion? We'll forget about that, shall we?
"The prosecution accepted that Mangham's actions were not maliciously intended but said they were unauthorised."
On that particular point, I seem to recall the claim that there was "no criminal intent" being considered sufficient to excuse BT and Phorm Directors from any and all responsibility to obtain authorisation before covert interception, copyright theft, computer misuse, and fraud.
Yet the BT/Webwise affair caused economic harm to the businesses affected (by industrial espionage) and privacy harm to the individuals (by unauthorised surveillance and disclosure to a 3rd party).
So one rule for Ian Livingston, and another rule for Mangham?
It often seems to me that the legal system - at least at the lower courts type level - comes down rather harder on people who've had a reasonable background, education and the like than it does on some hapless little scrote who's never even been exposed to the concept of right, let alone had the opportunity to consider the philosophical differences between right and wrong.
I'm not entirely sure that's wrong...
Given the amount of data FB has given away or leaked it is hard to imagine they even employ security, other than on toilet cubicles.
What I find interesting is "reported to the FBI, which passed the case over to the British police" which is what they should have done with all cases involving crime committed on British soil even if targeting any other country.
France does it best - Our Citizens, Our Courts.
Yawn @ your poorly-veiled reference to McKinnon. Big difference - McKinnon hacked US military servers (with malicious intent), whereas Mangham hacked a social-networking site (with stupid intent). If Mangham had been dumb enough to try this recruitment stunt on US military servers he'd very likely have soon been sharing a plane across the Atlantic with McKinnon.
".....France does it best - Our Citizens, Our Courts." Glad you mentioned it, JaitcH, as neither McKinnon nor Mangham are Fwench, so you can go join the Fwench in minding their own business.
No, it just shows that Gary McKinnon would have been let out after only a few months if he hadn't listened to all those legal advisors with political motives.
As is, he's been strung along in a nightmare for 10 years. For him, it should have been over and done with years ago.
I'm not quite sure why this was labelled as 'media hacking', though to be honest I'm not even sure I know what that means (Alan Sokal style, perhaps?). More importantly, to label this as a 'grave incident' is particularly egregious, given that the guilty party does not seem to have attempted to access user information, payment mechanisms or even tried to sell the source code he stole.
To call this 'grave' isn't quite as daft as confusing burglary with trespass, but it is close. It is a shame that the legal profession can't resist hyperbole either.
Still, 8 months inside will do him good; seems like a fairly minor sentence and with any luck it'll send a message to others like him.
I think the law stands on hacking where it does because if it wasn't this punitive, it'd be open season on people (at least in the West) breaking into systems and causing untold damage. It's the same as tax evasion; if the punitive aspects were less severe, more people would be inclined to try, and that could result in a huge loss for the government and the repercussions of that would hit the honest taxpayer.
Most systems on the web just aren't secure, and never will be, because of the layers of complexity that get built on top of and between them, and the pace at which web development now occurs. And, unfortunately, the barrier to entry to break into these systems is pretty low for even a mediocre developer. With those risks in mind, I think a jail term is quite appropriate...
IP is. It's been mentioned recently around the relaunch of IPv6. Internet Protocol was never EVER designed to be used in the way that it is and the very fact that you CAN spoof an IP address or MAC address and use these methods to hack into a system proves that greater security is needed all over the internet.
I personally feel that the guy deserved to be punished for the crime he committed but the allusions above to it being analogous to house breaking are utterly ridiculous. But as another person mentioned above, he is likely to get a tap on the shoulder at some point to come and 'consult' for some security firm. If the guy could hack into Facebook, which we all know isn't a case of just guessing someone's password, then he is likely to be highly skilled and have a deep understanding of how the underlying technology of the internet works. Unlike some of you.
You can spoof an IP address, sure, but good luck "hacking" with that. Since you're totally disregarding the concept of, oh, I don't know, how TCP and UDP work. Additionally, MAC addresses have really nothing to do with IP.
Additionally, I don't believe he deserves to be punished. Better he exploits and fixes a hole than someone with malicious intentions does. It's funny, how safe and secure people think they are if they "punish the hackers", the guys who usually turn themselves in and/or admit everything.
Protip: It's the mercenaries in the employ of organised crime that you need to be worried about.
> Internet Protocol was never EVER designed to be used in the way that it is
Errr - yes it was. It was designed to be used in *exactly* the way it currently is.
> you CAN spoof an IP address
You can, with a little bit of effort. What do you think that gains you? Hint: how are you going to get any replies with a spoofed IP address?
> or MAC address
And MAC addresses propagate over the Internet, do they?
There are many *real* reasons for poor security on the Internet. We really don't need you making any up.
Thanks muchly.
Vic.
> Errr - yes it was. It was designed to be used in *exactly* the way it currently is.
Errr, no it wasn't. When the first IP standards were set nobody thought for a second that we would have an internet connection on a watch and this is why IP creaked and cracked, hence IPv6. If IP was designed for its current use case then why is IPv6 needed??
No, MAC addresses don't propagate over the internet, I was just pointing out that people who know what they're doing can change just about anything in a computing environment. I'm not a network engineer, just a Windows one so I don't profess to know everything there is to know about TCP/UDP except for what they stand for. I'm just saying that the very fact you are ABLE to do these things shows that the infrastructure isn't fit for purpose.
> this is why IP creaked and cracked
*IP* has done no such thing.
IPv4 has run out of addresses. Not because it's being used differently than was envisaged at design time - just that it has become more widespread than is supported by that version. But the IP header deliberately has a version number for exactly this reason - so that it can be replaced as the system grows.
> If IP was designed for its current use case then why is IPv6 needed??
IPv4 is IP. IPv6 is IP. IPv6 is needed because IPv4 doesn't hold enough addresses. But both are IP, and neither has anything to do with the intrusion for which you claimed them to be responsible earlier in the thread.
> I'm not a network engineer,
We'd never have guessed...
> I'm just saying that the very fact you are ABLE to do these things shows
> that the infrastructure isn't fit for purpose.
And I'm saying that your saying that shows how little you know in this field. Really - IP and MAC spoofing have almost nothing[1] whatsoever to do with network intrusion.
Vic.
[1] I've qualified this because some of these games can be useful on a LAN; I frequently use ARP-spoofing attacks to debug network issues without having to make a physical intercept. But once you're on the WAN, they're irrelevant.
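To make Vic's point concrete (why a spoofed source IP gets you no TCP connection on the WAN), here is an added example that is not code from Vic or from anyone else in this thread. It is a toy model of the TCP three-way handshake: a network that routes purely by destination address, hosts that pick a random 32-bit initial sequence number (ISN) as real stacks do, and a victim host that answers an unsolicited SYN-ACK with RST. The addresses are RFC 5737 documentation ranges, the segment layout is simplified, and the "attacker", "server" and "victim" are assumptions of this example, not anything from the case.

```python
"""Toy model: why blind IP spoofing does not get you a TCP session.

Added example, not from the thread. Addresses (RFC 5737 ranges), the
Segment layout and the hosts below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def random_isn():
    # Real stacks randomise the ISN; the attacker cannot observe it.
    return secrets.randbits(32)


@dataclass
class Segment:
    src: str        # whatever the sender *claims* as its source address
    dst: str
    flags: str      # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int
    ack: int = 0


class Network:
    """Toy IP layer: delivers each segment by destination address only.
    Where the sender really sits, and what it wrote in src, changes nothing."""
    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.addr] = host

    def send(self, seg):
        target = self.hosts.get(seg.dst)
        if target is not None:          # no such host: segment is dropped
            target.receive(seg)


class Host:
    def __init__(self, addr, net, isn_source=random_isn):
        self.addr, self.net, self.isn_source = addr, net, isn_source
        self.inbox = []           # every segment delivered to this host
        self.initiated = {}       # peer -> our ISN, for SYNs we really sent
        self.pending = {}         # peer -> our ISN, for SYNs we answered
        self.established = set()  # peers whose handshake completed
        net.attach(self)

    def send(self, dst, flags, seq, ack=0, src=None):
        # src defaults to our own address; an attacker may forge it
        self.net.send(Segment(src or self.addr, dst, flags, seq & MASK32, ack & MASK32))

    def connect(self, peer):
        isn = self.isn_source()
        self.initiated[peer] = isn
        self.send(peer, "SYN", isn)

    def receive(self, seg):
        self.inbox.append(seg)
        if seg.flags == "SYN":
            isn = self.isn_source()
            self.pending[seg.src] = isn
            # reply goes to the *claimed* source, whoever that really is
            self.send(seg.src, "SYN-ACK", isn, seg.seq + 1)
        elif seg.flags == "SYN-ACK":
            isn = self.initiated.get(seg.src)
            if isn is None or seg.ack != (isn + 1) & MASK32:
                self.send(seg.src, "RST", seg.ack)   # we never asked for this
            else:
                self.send(seg.src, "ACK", isn + 1, seg.seq + 1)
                self.established.add(seg.src)
        elif seg.flags == "ACK":
            isn = self.pending.get(seg.src)
            if isn is not None and seg.ack == (isn + 1) & MASK32:
                self.established.add(seg.src)
                del self.pending[seg.src]
            # wrong ACK number: ignored here (a real stack answers RST)
        elif seg.flags == "RST":
            self.pending.pop(seg.src, None)           # half-open state torn down


def honest_handshake():
    """A client using its own address completes the handshake."""
    net = Network()
    client, server = Host("198.51.100.10", net), Host("203.0.113.5", net)
    client.connect(server.addr)
    return server.addr in client.established and client.addr in server.established


def blind_spoof(guessed_isn, victim_online=True, server_isn=random_isn):
    """Attacker at 192.0.2.66 forges SYN/ACK from 198.51.100.10.
    Returns (segments the attacker received, did the server accept the session)."""
    net = Network()
    server = Host("203.0.113.5", net, isn_source=server_isn)
    attacker = Host("192.0.2.66", net)
    spoofed = "198.51.100.10"
    if victim_online:
        Host(spoofed, net)  # the real owner of the forged address
    attacker.send(server.addr, "SYN", 1000, src=spoofed)
    # The SYN-ACK, and with it the ISN the attacker needs, went to `spoofed`.
    # All the attacker can do is guess the ISN and send a blind ACK.
    attacker.send(server.addr, "ACK", 1001, guessed_isn + 1, src=spoofed)
    return len(attacker.inbox), spoofed in server.established


if __name__ == "__main__":
    fixed = lambda: 0x12345678  # deterministic ISN, only to show the two failure modes
    print("honest handshake:", honest_handshake())
    print("blind spoof, random ISN, victim online:", blind_spoof(0))
    print("correct guess, victim offline:", blind_spoof(0x12345678, False, fixed))
    print("correct guess, victim online:", blind_spoof(0x12345678, True, fixed))
```

The attacker's inbox stays empty in every spoofed run, which is Vic's "how are you going to get any replies" point. With a random ISN the blind ACK succeeds with probability 2^-32 per attempt, and if the forged address belongs to a live host its RST tears down the half-open connection even when the guess is right; the only case that ever succeeds is a correct guess against an unreachable spoofed address. This is the classic blind-spoofing setting, and also why predictable ISNs were a real weakness in old stacks: the model lets you swap in a weak `isn_source` and watch the guess land.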
Would this really have got this far had it not been a big business involved? Sentencing seems extreme; jail time for suspected hack with no malicious intent.
In other news, the UK lets suspected terrorists out to walk the streets because we cannot jail or deport them! Our government cannot bang up criminals yet big business do just fine.
CC
Putting him in prison was the single most fuckwittedly stupid thing the court could do. That way it is guaranteed that he comes to the attention of criminal gangs that will be able to put his skills to serious gain. And unless he particularly likes hospital visits for him and his family then the only thing he'll be arguing is the size of his share.
"Putting him in prison was the single most fuckwittedly stupid thing the court could do....." Yes, because punishing crims is just wrong.... If you can't do the time, don't do the crime. Part of the justice system is prevention, and locking up one skiddie will probably deter quite a few more from following his stupid example. Letting them off with a few strong words would not.
".....That way it is guaranteed that he comes to the attention of criminal gangs....." Yes, but his parole terms (after much less than the 8 months) will also include lovely terms about not mixing with known criminals, and he will be on the Coppers' watch list. Any naughtiness and he'll be straight back inside. That's if he doesn't end up as an informant, which is what a lot of the convicted hackers end up as (http://www.theregister.co.uk/2011/06/07/hacker_snitches/).
Of the 8 months, he'll serve 4 (possibly a bit less.) Then only 4 months on parole. Once the 8 months is up his sentence is fully served and he can consort with whomever he likes. For a criminal gang on the scent of multi-millions this is hardly a long-term project.