
UK Student Jailed For Facebook Hack Despite 'Ethical Hacking' Defense

Diamonddavej writes "The BBC reports that software development student Glenn Mangham, a 26-year-old from the UK, was jailed 17 February 2012 for eight months for computer misuse, after he discovered serious Facebook security vulnerabilities. Hacking from his bedroom, Mangham gained access to three of Facebook's servers and was able to download to an external hard drive the social network's 'invaluable' intellectual property (source code). Mangham's defense lawyer, Mr. Ventham, pointed out that Mangham is an 'ethical hacker' and runs a tax registered security company. The court heard Mangham previously breached Yahoo's security, compiled a vulnerability report and passed on to Yahoo. He was paid '$7000 for this achievement,' and claims he was merely trying to repeat the same routine with Facebook. But in passing sentence, Judge Alistair McCreath said despite the fact he did not intend to pass on the information gathered, his actions were not harmless and had 'real consequences and very serious potential consequences' for Facebook. The case's prosecutor, Mr. Patel, said Facebook spent '$200,000 (£126,400) dealing with Mangham's crime.'"
  • Uhh (Score:5, Insightful)

    by The MAZZTer ( 911996 ) <(megazzt) (at) (gmail.com)> on Saturday February 18, 2012 @04:33PM (#39087495) Homepage
    This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.
  • $200,000? (Score:3, Insightful)

    by koan ( 80826 ) on Saturday February 18, 2012 @04:33PM (#39087497)

    So Zuckerberg had to go to his wallet instead of pulling change from his pants pocket, maybe the hacker should have been less ethical and just sold the code.

  • $200,000? (Score:1, Insightful)

    by leptons ( 891340 ) on Saturday February 18, 2012 @04:35PM (#39087511)
    Sounds like Facebook spent $200,000 fixing their security holes that he found. Security through obscurity is not security. In light of his 'tax-registered security company' status, and past efforts with Yahoo, I think the judge in this case made the wrong decision.
  • by erroneus ( 253617 ) on Saturday February 18, 2012 @04:37PM (#39087527) Homepage

    In the case of companies like Yahoo, you can do this. But in the case of Facebook, it's better to sell any uncovered flaws to interested parties other than Facebook or to simply release the information anonymously to the public.

    These "damages" are the lawyer's fees associated with making claims against the "criminal" and the programmers needed to correct the vulnerability... (which are probably the same programmers whose code was vulnerable in the first place.)

    Facebook, you just set the tone for how security researchers will reveal your vulnerabilities in the future. You just made a very uncomfortable bed for yourself to lie in.

  • Re:Uhh (Score:5, Insightful)

    by Jah-Wren Ryel ( 80510 ) on Saturday February 18, 2012 @04:40PM (#39087557)

    This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.

    While that may be true, that doesn't appear to be the judge's rationale for convicting the kid.

    It sure sounds like the judge is rationalizing the ostrich strategy when he says that the kid's actions had 'real consequences and very serious potential consequences' for Facebook. Those consequences existed not because of the kid's actions but because of facebook's security failings. Even if the kid had done nothing, those vulnerabilities would still be there and facebook (and more importantly facebook's users) would have faced just as much, if not more, risk than they did if the kid had done nothing.

  • by bieber ( 998013 ) on Saturday February 18, 2012 @04:42PM (#39087571)
    Who says he doesn't understand the issue? What this kid did was illegal and wrong, regardless of his "ethical" motivations for doing it. If you suspect that there's a security vulnerability somewhere, then you can notify the owner of the systems in question about it. If they feel inclined, they might ask you to do some penetration testing for them. If you just go ahead and do it without permission, though, you're illegally accessing someone else's systems without their consent, and by all means you should be convicted and sentenced for it. If I forget to lock my door on my way out of my house one day and come home to find an "ethical" thief in my home waiting to educate me on the importance of locking my doors, you can bet that I'll be calling the police.
  • by MindPrison ( 864299 ) on Saturday February 18, 2012 @04:43PM (#39087585) Journal

    ...but a breach into any company is a break-in-and-entering if you haven't been assigned to do so for testing the security vulnerabilities by the company itself.

    It's kind of like catching a thief without any goods, but inside of your home. Uhm...I'm just testing your security system, now you know you have a weak system, thank you - I'll mail you the bill.

  • Re:Uhh (Score:2, Insightful)

    by AmiMoJo ( 196126 ) on Saturday February 18, 2012 @04:44PM (#39087597) Homepage Journal

    I'd say it was a valuable public service, much like a journalist investigating a company. Rather than being prosecuted the story here should be that apparently some random guy was able to hack into Facebook where hundreds of millions of people's most personal data is kept. The fact that it cost Facebook money to fix is irrelevant as they should have fixed the problems anyway. If someone pushes on your security door and it falls off the hinges that should not be criminal damage.

    By prosecuting the guy all they have done is ensure that in the future people who manage to find these holes will either just exploit them for criminal gain or post giant .torrent of personal data to The Pirate Bay. It will also discourage others from pointing out problems they find so that criminals can just carry on exploiting them with no way for us or the companies affected to know about it.

  • Re:Uhh (Score:3, Insightful)

    by Anonymous Coward on Saturday February 18, 2012 @04:45PM (#39087613)
    His actions did have consequences. I work for a large company with lots of publicly facing servers. If the guy had hacked into our servers, he may well have tripped an IDS or some other log analysis process, which would have alerted us to someone being somewhere they shouldn't be. Imagine how many man hours would be involved in identifying the intrusion.

    Now that's not to say that I don't disagree with the rest of your post: the holes obviously existed, and if a black hat had got in they'd have to respond in the same manner. The thing is, a black hat would (hopefully) be found and prosecuted too, for the same reasons.
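The comment above turns on the point that an unauthorized login trips log analysis and then costs the victim investigation hours regardless of the intruder's motives. As an added illustration (not code from the original page or from any of the commenters), here is a small log-analysis check that raises the kind of alerts a responder would then have to chase: an interactive login from outside the expected networks, password authentication where keys are expected, and one account reading an unusually large number of files under a source tree. The log lines, the `audit:` read-record format, the trusted network ranges and the bulk-read threshold are all constructed for the example.

```python
"""Toy log analysis: flag 'someone being somewhere they shouldn't be'.

Added example with constructed input; the sshd lines mimic the real
'Accepted <method> for <user> from <ip>' format, while the 'audit:' file
read records are a hypothetical format invented for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: admin logins are only expected from these internal ranges.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumption: the application source tree lives here, and one account
# touching more than BULK_THRESHOLD distinct files under it is suspicious.
SOURCE_ROOT = "/srv/repo/"
BULK_THRESHOLD = 5

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+$"
)
READ_RE = re.compile(r"^(?P<ts>\S+) audit: user=(?P<user>\S+) read (?P<path>\S+)$")

# Constructed sample log: a normal key-based deploy login from the internal
# network, then a password login from an outside address (203.0.113.77 is a
# documentation range) followed by a sweep through the source tree.
SAMPLE_LOG = """\
2012-02-10T02:14:07Z sshd[4121]: Accepted publickey for deploy from 10.0.3.12 port 51022
2012-02-10T02:15:30Z audit: user=deploy read /srv/repo/site/README
2012-02-10T02:31:55Z sshd[4190]: Accepted password for webadmin from 203.0.113.77 port 40110
2012-02-10T02:40:02Z audit: user=webadmin read /srv/repo/site/core/auth.php
2012-02-10T02:40:03Z audit: user=webadmin read /srv/repo/site/core/session.php
2012-02-10T02:40:03Z audit: user=webadmin read /srv/repo/site/core/db.php
2012-02-10T02:40:04Z audit: user=webadmin read /srv/repo/site/api/graph.php
2012-02-10T02:40:04Z audit: user=webadmin read /srv/repo/site/api/upload.php
2012-02-10T02:40:05Z audit: user=webadmin read /srv/repo/site/lib/crypto.php
2012-02-10T02:40:05Z audit: user=webadmin read /srv/repo/site/lib/util.php
"""


def analyze(lines):
    """Return a list of (alert_type, user, detail) tuples for the given log lines."""
    alerts = []
    reads = defaultdict(set)  # user -> distinct source paths read
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOGIN_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            if not any(ip in net for net in TRUSTED_NETS):
                alerts.append(("untrusted_login", m["user"], m["ip"]))
            if m["method"] == "password":
                alerts.append(("password_auth", m["user"], m["ip"]))
            continue
        m = READ_RE.match(line)
        if m and m["path"].startswith(SOURCE_ROOT):
            reads[m["user"]].add(m["path"])
    # Bulk-read alerts are emitted after the pass, once counts are complete.
    for user, paths in reads.items():
        if len(paths) > BULK_THRESHOLD:
            alerts.append(("bulk_source_read", user, str(len(paths))))
    return alerts


def run_sample():
    """Analyze the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(" ".join(alert))
```

Every alert here lands on an on-call analyst's queue whether the person behind the login meant harm or not, which is the cost the comment is describing; a real deployment would pull the trusted ranges and the source path from configuration rather than constants, and would correlate the reads back to the session that opened them.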
  • Re:Uhh (Score:4, Insightful)

    by rgbrenner ( 317308 ) on Saturday February 18, 2012 @04:48PM (#39087641)

    Not only that, but it almost sounds like bribery. He hacks into Yahoo, downloads confidential data, then "asks" them for a reward?

    Why did he need to download facebook source code after he found the vulnerability? Why did he need to breach the server at all? Much less 3 servers?!

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday February 18, 2012 @04:49PM (#39087653)

    So you're walking through the business district of a city and just jiggling door knobs to see if anyone left anything unlocked.

    Why? Because you're a "white hat".

    That's the FIRST issue that you have to get through to the judge.

    Once you find an open door, you go inside and take some important stuff out. So that you can prove to the company that you were inside.

    That's the SECOND issue you have to get through to the judge.

    Then, you call the company and tell them that door X is unlocked and you can prove it because you have property Y.

    The company (being unenlightened and still thinking in physical world terms) calls the cops and you are arrested. Even though you intended to give property Y back to the company.

    It makes sense that way.

    So, do NOT freelance. If you do NOT have a signed contract with the company you CAN be prosecuted. You have to put in the EXTRA EFFORT to distinguish your actions from the actions of the bad guys. A signed contract does that.

  • by davecb ( 6526 ) <davecb@spamcop.net> on Saturday February 18, 2012 @04:50PM (#39087657) Homepage Journal

    A new way to profit: leave the holes in place, and charge anyone who discovers them. If the person is stupid enough, he or she will do more than notify you. If they exceed what a random uninterested person would do with the hole, they've just self-identified as a criminal. You can therefore recover enough money from them to pay for fixing the holes.

    This creates a whole new meaning for "honeypot" (;-))

    --dave

  • Re:Uhh (Score:5, Insightful)

    by rgbrenner ( 317308 ) on Saturday February 18, 2012 @04:52PM (#39087675)

    The lock on your bedroom window is crap. I broke it last night, and then rifled through all of your stuff. Did the same to 2 of your neighbors also.. ya know, just to show it wasn't a fluke.

    You're welcome.

    I would like my reward now.

  • by korean.ian ( 1264578 ) on Saturday February 18, 2012 @04:57PM (#39087731)

    Also as to the judge's understanding:
    "'You and others who attempt to hack really must understand how serious this is, the creation of that risk the extent of that risk and the cost of putting things right.' "

    As others have said - the risk was there whether or not the kid hacked in. He didn't create the risk.

  • Re:Uhh (Score:4, Insightful)

    by Dahamma ( 304068 ) on Saturday February 18, 2012 @04:59PM (#39087751)

    By prosecuting the guy all they have done is ensure that in the future people who manage to find these holes will either just exploit them for criminal gain

    Or maybe it will make some of those people think twice before they do it in the first place...

  • Re:$200,000? (Score:4, Insightful)

    by Dahamma ( 304068 ) on Saturday February 18, 2012 @05:02PM (#39087767)

    What does that matter? $200,000 is $200,000, just because the victim "can afford it" doesn't change the crime itself.

  • Re:Uhh (Score:5, Insightful)

    by russotto ( 537200 ) on Saturday February 18, 2012 @05:03PM (#39087775) Journal

    The lock on your bedroom window is crap. I broke it last night, and then rifled through all of your stuff. Did the same to 2 of your neighbors also.. ya know, just to show it wasn't a fluke.

    You're welcome.

    I would like my reward now.

    OK, we'll sentence you based on the potential damage you might have done -- to wit, you could have accidentally burned the entire house down while you were there, and the fire could have spread to the entire neighborhood and killed a bunch of people.

    Sentence the man for what he did: breaking into the computers. Not based on crap like "Potentially what you did could have been utterly disastrous to Facebook"

  • Re:Uhh (Score:5, Insightful)

    by poity ( 465672 ) on Saturday February 18, 2012 @05:03PM (#39087781)

    There is a common sentiment on Slashdot that whatever good intentions a company may have, its gathering of data without permission constitutes both a violation and a risk. That risk being the potential for the data in their hands to be compromised by yet another party. Can this logic not also apply to this Glenn and his company as well?

  • Re:Uhh (Score:5, Insightful)

    by Dahamma ( 304068 ) on Saturday February 18, 2012 @05:04PM (#39087793)

    While that may be true, that doesn't appear to be the judge's rationale for convicting the kid.

    Why does everyone keep calling him "the kid"? He's 26 years old. Just because he's a student doesn't make him some naive, innocent minor - he clearly knew what he was doing...

  • Re:Uhh (Score:4, Insightful)

    by Dekker3D ( 989692 ) on Saturday February 18, 2012 @05:25PM (#39087917)

    There will always be people trying to do this, whether hobbyists or professionals making a quick buck. So any leak -needs- to be fixed. Your argument implies that it's possible to scare people into never ever doing this sort of thing again, and people have been trying to do just that for years already. Newsflash: people still hack into servers, and all the scare tactics have only served to punish those who went public with their findings... the ones who mean to do right and point out the risks, rather than keep it to themselves and use it for personal gain.

    Scare tactics are not having the intended effect. Perhaps it'd be good if people started thinking of other solutions?

  • Re:"Damage" (Score:5, Insightful)

    by spire3661 ( 1038968 ) on Saturday February 18, 2012 @05:25PM (#39087919) Journal
    Causing a full security review after a known penetration costs REAL WORLD MONEY. You have to pay people for the expense of figuring out what happened. It is interesting that you disregard this aspect of the problem entirely. He had no business being there, flat out. There is no inherent right to crack other people's property. I find nothing wrong in the law saying 'thou shalt not penetrate others network without explicit permission or authority.' This person had neither.
  • Re:Uhh (Score:4, Insightful)

    by tibit ( 1762298 ) on Saturday February 18, 2012 @05:36PM (#39087999)

    That's not even remotely the same: one happens in the physical world, the other is pretty much a bunch of numbers being sent between computers on a network without any other consequences at all -- he didn't log into their servers and issue rm -rf, did he? No data was lost/deleted, there was no material/financial loss, so what the heck? It seems almost like a mind crime: he knows what he's not supposed to know, and nothing else, and he's not blackmailing anyone over it, nor is he intending to. Sure someone's feathers got ruffled, but -- to me -- it seems like Facebook basically says: we have a big ego, and we have lotsa money to show for it. And we won't mind jailing people just to show how big of an ego we have.

  • Re:Uhh (Score:4, Insightful)

    by rgbrenner ( 317308 ) on Saturday February 18, 2012 @05:48PM (#39088099)

    Nothing was lost when I broke into your bedroom and went through all of your stuff either.. yet you seem to think that is a crime that should be punishable.

    The only problem with my analogy is that I didn't take anything from your house. This guy took source code worth millions of dollars from the server.

  • Re:Uhh (Score:5, Insightful)

    by Nadaka ( 224565 ) on Saturday February 18, 2012 @05:52PM (#39088129)

    It's a lot closer to this situation:

    You walk into the gaping hole in the wall of a casino or bank, walk up to the dude behind the counter and say "dude behind the counter, you got a giant gaping hole in your wall, maybe you should do something about that". And then you get arrested for the $200 of damage that they have to repair now that they are aware of the giant gaping hole in the wall.

  • Re:Uhh (Score:4, Insightful)

    by russotto ( 537200 ) on Saturday February 18, 2012 @06:03PM (#39088201) Journal

    So you don't think a string of break-ins could have very serious potential consequences? Someone will wind up dead sooner or later - guaranTEED. The police, not knowing your motives, have no choice but to treat it very seriously and escalate things on their end until they stop it.

    And yet, even if I accepted this as true, burglars -- even serial burglars -- are not sentenced based on potential deaths.

  • Re:Uhh (Score:2, Insightful)

    by joocemann ( 1273720 ) on Saturday February 18, 2012 @06:12PM (#39088259)

    A gaping hole is blatant. These security holes were not, and required a skilled approach just to be identified. AKA, I snuck in through the vents, please fix that and pay me.

  • Re:Uhh (Score:1, Insightful)

    by Anonymous Coward on Saturday February 18, 2012 @06:13PM (#39088263)

    >>The only problem with my analogy.

    The only problem with your analogy is that fucking idiots reason by analogy. It's not like anything, it fucking is what it is and should be treated differently. FYI I can use deadly force to end your intrusion. Nice analogy, fucking idiot.

  • Re:Uhh (Score:5, Insightful)

    by rohan972 ( 880586 ) on Saturday February 18, 2012 @06:27PM (#39088345)

    Sentence the man for what he did: breaking into the computers. Not based on crap like "Potentially what you did could have been utterly disastrous to Facebook"

    Creating a hazard can be illegal, eg: you can be booked for reckless driving even if no other cars are around at the time. Leaving aside the question of whether it was he or Facebook that created the hazard, or what proportion of culpability should be shared, the sentence is based not on what he did, but who he did it to (from the first link in the summary) :

    "You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance,"

    So to answer rgbrenner's "lock on your bedroom window is crap", argument, the judge's response is "You broke the bedroom lock on a rich man's house, it's not like you broke into the house of normal people".

    You don't have to be sympathetic to this guy to find this court judgement reprehensible.

  • by Hentes ( 2461350 ) on Saturday February 18, 2012 @06:53PM (#39088505)

    Mr McCreath said while he acknowledged that Mangham had never intended to pass on any of the information he had gathered, nor did he intend to make any money from it, his activities were "not just a bit of harmless experimentation".

    "You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance," he said.

    So it's okay to hack a small business but not a large international one? The legality of an offence depends on the amount of capital the plaintiff has? The rich now have more rights than the poor?

  • Re:Uhh (Score:4, Insightful)

    by AlienIntelligence ( 1184493 ) on Sunday February 19, 2012 @01:12PM (#39093237)

    His actions did have consequences. I work for a large company with lots of publicly facing servers. If the guy had hacked into our servers, he may well have tripped an IDS or some other log analysis process, which would have alerted us to someone being somewhere they shouldn't be. Imagine how many man hours would be involved in identifying the intrusion.

    Now that's not to say that I don't disagree with the rest of your post: the holes obviously existed, and if a black hat had got in they'd have to respond in the same manner. The thing is, a black hat would (hopefully) be found and prosecuted too, for the same reasons.

    If someone is able to hack into YOUR SERVERS... it's YOUR problem... not the hackers. YOU left the vuln... he exploited it.

    It's not the, "I left my front door open, you came in uninvited, and now I'm installing an alarm system"

    it is, "I own a company, it's in a building, the public comes to it... someone found I left a door open that wasn't marked and now I have to install a lock, sign and alarm system, even though, I SHOULD HAVE ALREADY."

    The hacker didn't CREATE the situation that allowed his access. He just FOUND it.

    -AI
