After selling his site for millions, founder hacked it for a second payday

"Operation Resume Hoard" was going well. Initiated around April 1, 2015, it represented David W. Kent's plan to build the membership of his oil and gas industry networking site Oilpro.com. Court documents indicate that Kent, 41, of Spring, Texas, USA, had a buyer in mind: DHI Group, the employment data biz that in 2010, when …

  1. Anonymous Coward

    Of course DHI declined to comment

    They're still trying to figure out if they still own Slashdot and SourceForge.

    1. fobobob

      Re: Of course DHI declined to comment

      Seems you have beaten me to the Slashdot snark, I've not got much else to say on this aside from... does human greed truly know no bounds?

      1. Sir Runcible Spoon

        Re: Of course DHI declined to comment

        does human greed truly know no bounds?

        I believe it is bound by the degree to which human stupidity extends, which is almost certainly infinite.

        So no, no bounds really.

        (If it wasn't for those pesky GETs*, he might have gotten away with it!)

        *For our American cousins, 'GET' is a term of endearment for one's offspring, i.e. children :)

  2. robidy

    Interesting, they use a GET request, no password, just a publicly accessible URL added before they bought the company.

    If it was put there intentionally as a feature, was it actually hacking?

    This says more about the lack of security due diligence by the new owners than the hacking intentions of the former owner.

    Need a lot of popcorn to watch this one.

    1. serendipity

      "This says more about the lack of security due diligence by the new owners than the hacking intentions of the former owner."

      What is with this always blame the victim mentality when it comes to hacking?

      The former owner is a greedy unscrupulous b*stard who deliberately left a hidden back door in his software. Just because the new owners didn't find it straight away doesn't make it their fault!

      1. robidy

        I change locks when I get a new house.

        It's naive not to do basic security checks.

        It's also a bit shocking they didn't notice copies of their database (they spent millions on) being systematically stolen.

        What the chap did is clearly morally wrong...however dozens of chances to catch him were missed by lax management of systems and no basic security checks.

        He could reasonably argue the URL was a public feature from when he had the system and it was up to the new owner to decide it was no longer needed...given what the new owner has missed already, it wouldn't surprise me if this URL was documented and they missed it.

        1. lglethal Silver badge
          Thumb Down

          Sorry but this was not so much about changing the locks, in your analogy.

          This was a case of the previous owner making one of the window latches look like it closed and locked, but in actual effect when pushed on just right, opened up like there was no latch.

          Have you checked all of your windows in every available spot to make sure the previous occupant didn't do something similar? Of course not, and it wouldn't be considered normal practice for you to do that unless the previous occupant was known to be a dodgy bugger with a penchant for breaking back into his old houses.

          A well built back door will be extremely well hidden, it's not something you will find unless you're really lucky or it starts getting exploited.

          This guy is a total bastard, and what surprises me is that they didn't try and get him on something premeditated. You don't build a back door into your system unless you're planning to use it at a later date...

          1. Sir Runcible Spoon

            The company should really have had a dummy account set up from the outset to try and detect comms to their userbase which would indicate a breach, is that not common practice?

  3. Anonymous Coward

    A year and one day

    What was the day for? Is that to show how the justice system doesn't go easy on people with lots of money?

    I sentence you to one year.... and one day, muhahahaha

    1. Anonymous Coward

      Re: A year and one day

      Possibly there are secondary effects (no idea what but could be things like being disbarred from owning companies or things like that) which kick in when you are "sentenced to a period of imprisonment longer than one year" so the judge wanted to ensure that those would apply.

    2. Alistair Mann

      Re: A year and one day

      Looks like one year means one year inside. However one year and one day could mean six months inside.

      "In the United States federal system, only sentences of more than one year allow prisoners to obtain early release for good time while incarcerated"

      https://en.wikipedia.org/wiki/Year_and_a_day_rule#As_a_sentence_for_felons

    3. gnasher729 Silver badge

      Re: A year and one day

      One year plus one day turns you into a felon, which will affect your life significantly. It is a much more severe punishment than 364 days, once you're out of jail.

  4. Anonymous Coward

    Oilpro's 500,000 users = $20,000,000

    I know nothing about marketing or the oil industry, but $40 per user seems like an awful lot of money!

    1. Anonymous Coward

      Re: Oilpro's 500,000 users = $20,000,000

      Last time I checked, oil men made lots of money.

      1. Anonymous Coward

        Re: Oilpro's 500,000 users = $20,000,000

        Nah, all the smart money's in sunbeams now.

        1. m0rt

          Re: Oilpro's 500,000 users = $20,000,000

          You sure about that?

    2. phuzz Silver badge

      Re: Oilpro's 500,000 users = $20,000,000

      Generally the oil industry pays really well, but there's less work and sometimes lower (but not necessarily low) wages when the price of oil is low.

  5. Anonymous Coward

    Just to check, the information being stolen was a spam list?

    This list was available via a standard web request hence clearly not secured by either party, what happened to duty of care?

    lglethal said "This was a case of the previous owner making one of the window latches look like it closed and locked, but in actual effect when pushed on just right, opened up like there was no latch.". No, it was a web GET, i.e. the standard pathway for information transfer, so definitely a door, and the required action you talk about was twisting the handle, i.e. in the normal way, not hidden at all except most people would assume you would lock it.

    If the information had been passed directly from an employee then yes there would be a case of espionage but failing to confirm data security when it is a legal responsibility lies at the buyer's door after purchase.

    Personally I have zero sympathy with either party and hope that the taxpayer is not funding any of this stupidity.

  6. Hans 1

    That guy was too greedy AND a bit stupid ...

    1. Why did he steal email accounts in the first place, they are useless UNLESS you can coerce the account holder to register

    2. Why did he try to sell the data to the same guy again???? knowing that he stole the accounts from him ... did he really think he could get away with that ????

  7. Anonymous Coward

    He must be white

    1 year for a $20m fraud is royally taking the piss. Imagine a kid from the hood defrauding or stealing $20m - he'd be in the big house for life without.

  8. Anonymous Coward

    How is $51m not enough?

    Way too lenient a sentence though.

  9. Anonymous Coward

    Holy Crap!

    I've met this guy! In fact, we had talked about building his first website.

    I didn't get the job. Mostly because he was a cheap bastard.

    Sold his site for millions? When I think about what he wanted to pay for his website, all I can say is fuck him, he got what he deserved.

  10. Lewis R

    Enough dumbness to go around

    There was reportedly a non-compete covenant which expired. Had the seller merely kept a backup of the database after the sale (not saying the contract would have allowed that, but surely, less risky than accessing the data from someone else's site), much of this could have been avoided. I'm also not saying that this would have been morally above board.

    As far as the buyer is concerned (the second time around), one would think that part of the due-diligence routine would be to be reasonably assured that the Company was not paying for contact information already in his (its) possession.

    I can't help but feel like we're only getting one facet of the story.

    No sympathy for criminals.
