"White hat" Facebook hacker gets 8 months in jail (bbc.co.uk)
158 points by phpnode on Feb 17, 2012 | 118 comments



> "He added that when Mangham was arrested he made "copious" admissions to police about what he had done."

Given the chance, I always bang the "don't talk to authorities" drum. So now you have to wonder, how did his "copious admissions" help him? Seriously, if you are suspected of anything, no matter how innocuous or momentous: Shut. The. Hell. Up. Get a damned attorney.

Of course the classic video needs to be linked: http://www.youtube.com/watch?v=6wXkI4t7nuc


In Britain (where this case was tried), the law is different. If you don't mention facts that you will rely upon in court, it can harm your defense. Shutting up is not as much of an option:

http://en.wikipedia.org/wiki/Miranda_warning#England_and_Wal...


"You do not have to say anything unless you wish to do so, but I must warn you that if you fail to mention any fact which you rely on in your defence in court, your failure to take this opportunity to mention it may be treated in court as supporting any relevant evidence against you"

F.U.D. made law. Well done England.

Fortunately England still requires a jury, and juries still acquit people despite the police and prosecution spouting outright lies from the moment a person is arrested. If you naively believe that the police do not do so, see if anyone in your circle of friends is a defense lawyer/solicitor who has represented people at police stations and have a candid conversation with them.

If you get arrested in the UK (or anywhere) shut up and say only "I invoke my right to silence. Get me my lawyer."


Just a quick note: If you don't have a solicitor or your solicitor is not available you're in even more shit as they'll get the "duty solicitor" out.

They are their own breed of scum you have to avoid like the plague as they sleep, eat and drink with the arresting officers and are definitely not impartial. Actually that is pretty much the same for most of the legal profession in the UK. Half of them are friends, the others go to the same masonic lodges - fine example at [1]

The UK is 100% guilty until proven innocent.

As for trial by Jury - seriously speaking they are usually manned by idiots most of the time.

[1] http://www.independent.co.uk/news/uk/this-britain/police-def...


Half of the duty "solicitors" are cops. You don't have to actually be a solicitor in the UK. You just have to pass a test. So retired cops take the test and earn themselves beer money (on top of their pension) to work with their mates.


As for trial by Jury - seriously speaking they are usually manned by idiots most of the time.

That is, unfortunately, a universal problem anywhere that there are jury trials.


Upvoted. Never, ever, talk to the cops.


Upvoted too because I preach this to friends/family regularly for serious issues/offenses. However I've talked my way out of around 9 out of 12 speeding fines in various states by being nice and kissing a bit of ass during the last decade.

Cops are people too and when they walk up to your window after pulling you over, they may actually be scared. And you know fear leads to anger, anger leads to hate, hate leads to your suffering in traffic court.

So the next cop who pulls you over, wind down your window before he gets there, get your driver's license out so you don't have to fish your pockets, put your hands on the wheel so he can see you're not going to blow his brains out and if it's not more than 20 miles over the limit, try admitting guilt and being nice. You might be surprised.


This is excellent advice. The cop that arrests you and pulls you in for questioning is confident and in a position of control. The cop that stops you on the street or in your car is dealing with an unknown potentially dangerous situation.

Both are cops. But they are entirely different people.


Correct me if I'm wrong, but I believe you are not supposed to fish for anything after you are pulled over. Just keep your hands on the wheel. If the officer sees you leaning over trying to find something after you're pulled over he/she could see that as suspicious behavior.


Just to reiterate, it really hurts to see so many people saying "have your ID ready". From the very moment an officer pulls you over they will be anxiously watching your every move, hoping you're not the next one that attempts to pull a gun on them.

Reaching for anything when pulled over is the absolute worst thing you can do to an officer no matter how innocuous you may think you seem.

Please, just keep your hands on the wheel until they're at the window.


Well, that's in the US. Fortunately, a lot of people live in countries where you can do whatever when stopped and the officer will never suspect you are trying to pull a gun on them, or pull a gun on you.

That's because, in those countries, it NEVER happens (i.e. for someone pulled over to shoot the cop). So you can go get your ID or whatever, and then you have a chat, and they maybe give you a fine for speeding or whatever.


The cops here don't even carry guns on their person. If you draw one on them, they will retreat to a safe distance, get out the guns from the trunk of the radio car, and keep an eye on you until the cavalry arrives.


"I've talked my way out of around 9 out of 12 speeding fines"

Wow you must be really good at that. In all my life I never managed to talk myself out of a ticket once I was stopped by the police.


I've avoided 9 out of the past 10 with a simple strategy of pulling over as soon as I feel like a cop might be following me (ideally before the lights come on), turning the dome light on in my car, rolling down the window, putting my hands on the wheel and admitting that I "assume" the cop was going to pull me over "because I was probably speeding".

This is not your best strategy if:

(a) You are driving on a suspended license

(b) You or anyone in your car have anything in the car to hide

(c) You have a radar detector (just give up)

I bring this up because, for me at least, there's no skill involved in "talking my way out of a ticket". There's no magic words, and it doesn't involve charm, just a little mindfulness.


I have been pulled over 3 times and gotten 2 warnings (one written, one not) and a ticket for not having my insurance card on me (that was later dismissed). The first time I was going 75 in a 55, the second time I was going 45 in 30 and the third time I was going 65 in a 55.

The 65 in a 55 I pulled over as soon as I saw him slow down to turn around, the rest of the time I just admitted I was probably going too fast. Again, nothing special just mindfulness.


This is very true. The main difference is that these are not criminal charges - unlike what the professor says in the video, this is something the officer can and often will let you get away with if you evoke enough empathy.

The important thing to keep in mind of course is that with a speeding ticket, at worst you'll have to pay a few bucks for something you maybe even didn't do. This is as opposed to spending a few years in jail for a crime you did not commit...


I agree with everything here except the admitting guilt part. Don't EVER confess to anything to a law enforcement agent, especially if surprise surprise, you're actually guilty, even for something as minor as a traffic ticket.

If you're caught speeding, suck it up and take the ticket.


I live in a large city where speed traps are common. Good luck talking your way out of speeding tickets in those circumstances. Here warnings are very, very uncommon.


Worth noting that this is in the UK, where there isn't an absolute right to remain silent. http://en.wikipedia.org/wiki/Right_to_silence_in_England_and...


That advice, if taken literally, is horrible. Never talk to the cops if accused of a SERIOUS crime, always get some sort of legal counsel. If however you get pulled over for running a stop sign or some other traffic violation/small offense and you know the cop saw you, don't insult their intelligence. Judge the situation. I've gotten out of every traffic ticket by being polite and honest. I'll usually try and apologize as soon as the cop walks over: "I'm sorry officer, I don't know what I was thinking going that fast." I've caught cops off guard saying stuff like that, they will usually reply "uh, so you know why I pulled you over"; a simple "yes" and an ashamed look will work wonders. Also use your judgment: if the weather is bad always have your license and paperwork ready before the cop walks over. "I know you're just doing your job, I didn't wanna make you wait in the rain" has gotten me out of a few speeding tickets too. ;)

As stated above though, if you're accused of something serious just keep your mouth shut.


The difference is, a traffic cop doesn't want to arrest you. They don't want to book anyone, but their boss told them to go balance the books by fleecing drivers. If you make their job easier, they might let you off with a warning.

A cop who's investigating a real crime wants to get a conviction. And they aren't in a position to do plea bargaining (like a traffic cop), that's the DA's job (then the judge's, if it gets that far). It's not a terrible idea to negotiate with the DA and judge, but you need a lawyer to help you do it.


If it's possible you may be on the hook for something more serious than a traffic ticket, clam up; your implied admission of having done anything in traffic can harm you.


There have been a number of miscarriages of justice in the UK.

It's important to remember that there is no right to silence here, and judges can make inferences based on a person's silence during police questioning.

Better advice is to ask for a solicitor, and say calmly that you'll only talk when you have legal representation.

If you're innocent it's important to give a minimal account (with legal representation) of your actions, because not doing so could lead to a false conviction.


Judges can make inferences based on a person's silence during police questioning.

Judges can do that here, too. No constitution can stop them from making inferences.


But a Judge in England can say that s/he is taking the defendant's refusal to answer questions in a police station, or a refusal to testify, as evidence of guilt.

A US judge saying that would leave the case open to appeal.


Have you ever submitted this as a post? I don't want to steal your submission, and I think this deserves to see the front page.


Submit away.


Yep. That's what got Randal Schwartz convicted for running a security scan (as part of his job at Intel).


There is an article written in the latest 2600 on exactly what to do if the cops bust down your door one day, from beginning to end.

When you are first arrested, you should plead the fifth (or the British equivalent thereof), and ask to see a lawyer.


omg, Saul Goodman :-) great video, thanks!


I manage Facebook's Whitehat program (https://www.facebook.com/whitehat). We have taken an incredibly open stance towards security researchers and welcome the contributions they make towards securing the internet. Our policy towards this research is documented quite succinctly:

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

His attempt to access data was outside our whitehat guidelines, had clear malicious intent, and included extensive and destructive efforts to remain undiscovered and anonymous. In addition, he made no effort to contact Facebook with his discoveries, and even denied involvement when initially questioned. His attempt to claim he intended responsible disclosure only after faced with criminal action is false and insulting to the community of responsible security researchers.


  ...insulting to the community of responsible security researchers
Bravo.


As an infosec professional myself, I applaud you for the stance you take. Offering a public bug bounty is an excellent way to allow researchers to conduct their experiments in an ethical fashion while protecting all parties involved.

At first glance at the article, it seemed that Facebook may have reneged on its offer of protection, but based on your explanation, it now seems that the hacker was indeed malicious, and only used the "white hat defense" as a shield.

I'm a huge advocate of ethical and responsible disclosure, so kudos to you for encouraging it where appropriate.


"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

You think you can sue someone for sharing vulnerability information?


Unfortunately, much of the internet industry has an established history of doing just that. This heavy-handed approach to vulnerability disclosure has led to an atmosphere of distrust and is bad for everyone. Facebook's policy is intended to alleviate much of the tension involved with vulnerability disclosure.

If you're curious, the EFF has published a number of great articles on the topic:

https://www.eff.org/issues/coders/vulnerability-reporting-fa...

https://www.eff.org/deeplinks/2010/12/knowledge-power-facebo...


I think you are confused. I've been in the security industry for about 10 years. Disclosing a vulnerability is not illegal. Over the years, some companies have tried to sue over this, but these censorship attempts do not turn out well.

Not only is it legal to disclose unfixed vulnerabilities, but it is legal to sell them. Presently, the biggest buyer of them is none other than the US government.


Whoah. Whoah. Whoah. You're handwaving around the real issue. It's not legal to find vulnerabilities by testing other people's running web applications without permission, and it never has been.

People obviously do it, all the time, against sites that haven't officially given permission (as Google and Facebook have), and most of the time they get away with it, but they are rolling the legal dice every time they do. People have been getting in trouble for doing this for years.

The people selling vulnerabilities are generally running the software themselves. Huge difference.


My post, and his reply, were only discussing the disclosure of vulnerability information. I didn't say it was legal to attack a live system that you don't own. I see how you are making that logical leap in the case of facebook, but it isn't necessarily a given. There are ways one can legally become aware of vulnerabilities in facebook, and share that information.


Now the big questions:

Are you the law?

Should you make your own rules?

Should you have your own court?

Because that's how you are operating.

You made your own law and tempted people to break "common law". Double standards.


His attempt to access data...

How much data did he access?


I don't know the specific amount of data (as a percentage or bytes) accessed, but I think there are two main reasons you might want to know:

If you're wondering whether it affected the privacy of data created by people who use Facebook, the referenced article has a statement that it was not, but it appears this was added after the article was published, so you may have missed it.

If you're wondering whether it might be a small amount that a security researcher might collect to verify their report, from what I understand it was more than that.


"You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance," he said.

This is the kind of thing that makes my blood boil.


While it is indeed despicable to imagine that there's a different law for big and small companies, it is long known that the size of actual and potential harm is considered when crime and punishment is being discussed. One would probably get different punishment for stealing $10 and stealing $100K (though if you manage to steal $100M you may actually get away with it, but that's another story). If his lawyer would argue (and a good lawyer probably should) that "he did no harm to anyone, of course it's illegal but he didn't mean to hurt anything and he did not, so let's not throw the book at him" - it could influence the outcome. In this case, the judge didn't buy it.


You can't compare this to $10 vs. $100000K because the actual damage done here versus him doing the same thing to the servers of a small company is not x10000 the size, if that makes sense. The harm caused in both cases is negligible.

I suppose you could count the large amount of time facebook probably had to spend going through their systems to make sure they were clean. Surely the money for their security team was already spent though?

Also, isn't messing around with the records of a small business somewhere that probably doesn't even have proper backups actually more potentially damaging than poking at part of a globally distributed, multiply redundant decentralised system like facebook?

It was really the way the judge chose to phrase that whole bit that annoyed me to be honest.


Surely the money for their security team was already spent though?

I doubt Facebook's security team is just sitting idly waiting for an attacker to give them something to do. Each hour devoted to this is an hour they can't use for other tasks, besides the possibility of having to pay overtime.


True but it seems this intrusion gave the team an excellent problem to focus on. The system is better for having solved it.

If considered in relation to scale, what per cent of its wealth did Facebook have to spend on this? Not much.


You do realize there are people in jail in California for life for stealing very small amounts, due to the "3 strikes law", whereas the people responsible for sucking billions out of the US economy... well, none of them have gone to jail. (I did read about someone that did go to jail, but he was a low-level actor... it was clear it was a sacrificial lamb).


I know and do realize. I know there are people in jail in California for not stealing anything at all but enjoying in their privacy some activities that the government does not condone and considers bad for them, so it puts them in jail, which is obviously much better for them. I realize all the sad state of it. I'm just noting one small point that the size of the harm does matter and always had and will matter in the court, whatever we may be thinking about it.


Even sacrificing lambs is useful - with time, the bigger fish will find it very hard to get enough sacrificial lambs and the lambs themselves may start demanding larger rewards for their sacrifice.

Wondering if lamb fat is good to fry large fish.


No, it's very gamey; a very little bit goes a long way, even in lamb dishes.


:-)


While "importance" is a pretty subjective (read: bullshit) metric in legal terms, using the dollar value of theft to threshold criminal charges is used around the world. In the U.S. you can press charges for any amount, but depending on the state they have different thresholds between a misdemeanor and a felony (grand theft), usually around $500-$1000. Interestingly enough, in some places such as China (where I originally learned about the theft lines / thresholds in a class at Peking University), there is a minimum value that must be stolen before one can prosecute, which is on the order of US$100. This obviously saves the court from wasting too much time on judicial abuse, but clearly discriminates against people among the lowest rungs of the economic ladder. On the other hand it sets the priority for handling larger cases that impact more people (such as official corruption scandals, where admittedly China does a more prudent job of enforcing responsibility in white collar crime than the States).

Of course the argument could be made that criminal prosecution is largely a function of who you know rather than the spare resources of the judicial system, which is probably correct, but it is still food for thought.

(Sources: http://www.california-criminal-lawyer-blog.com/2010/11/grand... and http://www.chinareview.info/issue2/pages/case.htm and some classes I took, but IANAL)


But that's not what the quote implies at all, at least taken in the context of the article. Instead, it implies that the only reason he is being punished is, not because of the hack, but because he hacked facebook. It implies that, had he done the same on some "tiny business of no great importance" it wouldn't have been such a big deal.


I don't think China does a more prudent job of enforcing responsibility. Rather China occasionally makes an example of the most blatant cases of corruption.


You might be right, but the net effect is that it encourages responsibility regardless.


In specific instances the fact that China kills people where the US does little to the individuals involved feels good. However, the US approach of a mostly free press coupled with regular and independent policing of government contracts, coupled with class action lawsuits, changes the landscape significantly. In the end you might argue that corruption is endemic to both systems, yet that's the case for any large scale government throughout history.

What the US does well is simply keep things public enough that everyone tries to at least appear to follow the rules. And if you ever tried to do significant business in China as opposed to a Chinese company you will quickly understand that that in and of itself is huge.


It's better when "everyone tries to at least appear to follow the rules"? Isn't that worse than blatantly not following the rules, because at least then you know what they are doing?


Following the rules in this case means actually providing the service that the government paid for. The government may overpay for a building because people skim off the top, but it's far less common for them to build something that's so poorly constructed that people can't actually use it. The first case is less efficient; the second is useless.


Yes, I hadn't considered the possible "street value" of what he'd taken.


I can spare my karma and you can downvote me now for saying this (but my blood is boiling too), but I can bet you my left arm (I'm left-handed) that if that "international business" called Facebook would go down for longer than 25 minutes, you would see world's work-power suddenly increased by 40%.


I think you're biased due to where you live. Many people don't work with computers and at least around here (southern European country) the number of smartphones is still very low (2.8% in August). Not to mention that FB only has 640M users of working age, vs the 3.25 billion people of working age in the world.


40% seems like a conservative estimate


This is the kind of attitude that makes me pissed as well. It's like the phrase too big to fail. Big doesn't equal important.


Rest assured hackers are seeing these cases and acting accordingly. When the sentence for curiosity is comparable to malicious deeds, then the incentive is obvious. You have successfully incentivised hackers to make sure that their deeds are so great that their sentences actually come close to representing them.


That's just giving an impulse to black hat hackers: "Hey, if they still punish us (although we just wanted to show them weaknesses) at least let's give them hell!"


https://www.facebook.com/whitehat

Facebook themselves have a policy of tolerance toward white hat hackery (basically `give us a reasonable amount of time before releasing to the public' and `do what you can to protect other users' privacy). I want to hear their side of this.


The title of this submission is completely inaccurate: the person in question is in no way a "white hat":

http://www.guardian.co.uk/technology/2011/aug/17/facebook-ha...

> Between 17 April and 9 May he is accused of downloading a computer program "to secure unauthorised access" to Facebook; of attempting to hack into Facebook's "Mailman" server; of using PHP script to secure access to another Facebook server, dubbed "Phabricator"; of sharing a PHP script intended to hack into that Facebook server; and of securing "repeated" access to another Facebook server.


This is deeply disturbing to me. I'm a participant in Facebook's whitehat program (http://facebook.com/whitehat) and have been awarded a cash prize several times. These accusations are things that I've either done, attempted to do, or succeeded in doing myself with the goal of getting paid for discovering a vulnerability.

>> downloading a computer program "to secure unauthorised access" to Facebook

Any basic security auditing tool falls into this category and this is something I've done all the time. Wish they would more clearly state what made his access unauthorized when my hacking attempts are welcomed.

>> attempting to hack into Facebook's "Mailman" server

I've attempted this too. It's a great target since it's 3rd party code, Facebook runs an out of date version, and some versions have publicly known vulnerabilities.

>> using PHP script to secure access to another Facebook server, dubbed "Phabricator"

I've attempted to do this and just yesterday was considering another attempt. It's a great target since it doesn't go through Facebook's normal release process, it's a large project, and it's open source.

>> sharing a PHP script intended to hack into that Facebook server

I've done this. Sometimes I need another set of experienced eyes to help me get a proof of concept working. Of course it was someone I trusted to keep my discovery confidential.

>> securing "repeated" access to another Facebook server.

I've done this too, both before and after Facebook announced their whitehat program. Before the program they thanked me and sent me swag, after introducing the whitehat program they started awarding me cash on prepaid debit cards.

I can only assume that this guy was prosecuted instead of thanked because he didn't tell Facebook promptly about his discoveries, or perhaps he used them to do something like stealing source code out of Phabricator (Facebook's code review tool). I wish the reporting of this did a better job of covering the details.


I've participated in the program as well (and I'm going to be interning with Facebook's Security team this summer). This incident doesn't worry me personally and I hope it doesn't worry anybody else. But if you want clarity, I think arice's comment sums up this particular situation very well:

http://news.ycombinator.com/item?id=3605343

> His attempt to access data was outside our whitehat guidelines, had clear malicious intent, and included extensive and destructive efforts to remain undiscovered and anonymous. In addition, he made no effort to contact Facebook with his discoveries, and even denied involvement when initially questioned. His attempt to claim he intended responsible disclosure only after faced with criminal action is false and insulting to the community of responsible security researchers.


Ah, that certainly clarifies it. Thanks!


Did you consider if you should have shared this admission of what probably amounts to criminal activity in USA?

The FB "whitehat" pages to my reading are in no way giving you a right to "security test" their servers. Their statement appears more like an amnesty, akin to "if you did happen to shoplift from Walmart and you choose to return the goods unspoilt, packaged and in saleable condition, then we won't prosecute you".

They also say, FWIW, that "Security bugs in third-party applications" are not included in the program; so that would rule out attempting to compromise Mailman.

Moreover they say "Security bugs in Facebook's corporate infrastructure" are ruled out from their program which to my mind rules out compromises on Phabricator - it's not a part of the publicly facing Facebook site but instead is a backend tool.

knock knock

If you were in the UK you'd be getting an extradition order for this based on recent history.


Facebook's Responsible Disclosure Policy applies to all Facebook properties. The exceptions you outlined specifically apply to our bounty program. Basically, we may not pay a cash reward for a security issue reported in Mailman (an open source tool), but we still appreciate the responsible disclosure and you absolutely shouldn't be worried about a lawsuit.


I found myself wondering if perhaps the 'white-hat' reference is a blunder in the headline. This article woefully lacks any actual details regarding what he did or how he approached communication with Facebook, only stating that he was a white-hat hacker for Yahoo once (which obviously proves nothing).


I searched around a little bit, since I found the lack of details somewhat disturbing. This is the best I found: http://www.seattlepi.com/news/article/Facebook-hack-lands-UK.... From the sounds of it, he broke into an employee's account (likely their work computer, possibly further access). I'm speculating, but that makes it sound like he stole some portion of the Facebook source code, coupling that with the "intellectual property" claims.

I'm curious about this line, towards the bottom:

   his intention throughout was to contact Facebook in due course when he had rectified their problems


Sounds like the classic "but what I would have done..." defence (unless they have backed it up with clear evidence, of course, I didn't check).


I agree, dubious use of the term white-hat. He hacked into their systems, stole the code, and kept a copy on an external hard drive. Didn't do anything malicious, but didn't contact Facebook about it either. They discovered the intrusion by accident, and it took them months to track him down.

So "keeping the data to himself and doing nothing with it" is considered white hat?


I think they are trying to distinguish it from those who actually cause harm.

I think he should be called gray hat. (Black: Harm. Gray: Does nothing. White: Helps company.)


> I want to hear their side of this.

Scroll up a bit and check arice's post:

https://news.ycombinator.com/item?id=3605343


Usually "white hats" have some kind of responsible disclosure. It seems that this "white hat" did not disclose anything to Facebook, then got caught and only then pretended to be acting for everyone's good.

Admitting everything in police custody is NOT responsible disclosure


Moreover, he actually accessed files. White hat hacking includes finding vulnerabilities, not using them to actually steal data.

This sounds like someone who was accessing Facebook for profit and made up an excuse when he got caught.


Sounds to me like someone who accessed Facebook for kicks and made up an excuse when he got caught. There's no more evidence that he profited than there is that he was being helpful.

I knew a kid back in the '90s who got hauled off a couple of times by the FBI for hacking. He wasn't looking for profit — he just thought it was fun to break into systems.


[Without knowing the full details of the case or proceedings] I don't see how putting this, clearly quite gifted, young person in jail for 8 months is going to help him, Facebook or anyone else for that matter.

Surely, there must be other options except jail?! Maybe some form of community service where he would then be an asset rather than a cost to the general public. If he can infiltrate Facebook, I am sure there are government sites and systems with much more sensitive information that he could be testing and identifying security threats.

Eight months hard time, plus the stigma of a criminal record, just seem like such a waste.


Well, that's true of incarceration in general.


The article states that the judge clearly wanted to send a message to other hackers that this type of hacking is not "just fun". To give him a job as a professional security consultant would send the opposite message.

Reminds me of the movie War Games.


He may have found a security hole so disastrous and so ingrained that it's easier to jail the kid than to fix the problem.


"You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance," he said.

How small does a company have to be, where it's ok for someone to "fiddle about" in their business records?


"The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I'm afraid a prison sentence is inevitable."

I'm not sure what the "creation of that risk" part is supposed to mean. If it refers to the security weakness the hacker uncovered, well as I said the hacker did not "create" it, he merely "found" it.

If the risk is the potential disclosure, then what is "the cost of putting it right"? Fixing the security weakness? Well since it was not "created" by the hacker, they are just fixing something that they should have, or would have fixed anyway..

Now I'm not saying that the poor hacker should not go to jail. The article doesn't give many details so I'm not sure he should be called a "white hat". However, I'm not convinced by the argument given by the judge..


I'm not saying he deserved this sentence but if you have that much talent and energy BUILD SOMETHING OF YOUR OWN.

We all understand the tinkering nature of taking something apart to see how it works.

But if you are that clever and deep into hacking apart facebook, stop and make your own project with that kind of energy.


"Sentencing Mangham, Judge Alistair McCreath said his actions could have been "utterly disastrous" for Facebook."

So what?? Facebook isn't a British business; why should the British judicial system care that much? Even if he was that guilty.

Countries should totally quit being unpaid prostitutes to foreign companies.


It seems that the government(s) make a lot of noise about how valiantly they pursue these 'dangerous' hackers, but they won't go near the state sponsored industrial espionage that appears to be coming out of China. Why are we so proud of persecuting our own citizens while we ignore much more damaging actions carried out by another government?


Probably because it's not a one sided affair and both sides in a (China/US) confrontation have a lot of leverage over each other so a conflict is not in the interest of either party...


Is it possible to be a "white hat" hacker if you weren't actually contracted by the target for penetration testing?


There is obviously a spectrum to this sort of thing, but I know of many people that will just habitually enter javascript alerts into a web service's forms to see what happens.

Mostly this is just to evaluate the product and to see if it is trustworthy, but they'll often send along a polite FYI to the site owners letting them know if they have security issues that need addressing.

Actions like that: finding vulnerabilities, privately disclosing them, not disrupting the service, are all fairly innocuous things that most reasonable technically savvy people would consider 'white hat'.


People can and will go nuts if you, for instance, accidentally mess up the DOM for their customers by getting an XSS payload cached and redisplayed in e.g. "saved search" results.

It sucks, but if your goal is to avoid legal drama, don't test without permission.
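The two comments above describe the same probe from both sides: type a marker payload into a form and see whether it comes back unescaped, and the stored case where a cached "saved search" re-displays that payload to other users. Below is an added example, not code from the thread or from any site discussed here, that puts a naive saved-search renderer next to a hardened one and runs that probe against both. The renderer names, the saved-search markup and the marker string are invented for illustration.

```javascript
// Added example (not from the thread): a "saved search" snippet rendered two
// ways, naive concatenation versus context-aware escaping, plus the probe the
// comments describe. Names and markup are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string for an HTML text node or double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the stored query goes straight into markup. A payload saved once
// is served to every later visitor of the page (stored XSS), which is exactly
// the "cached and redisplayed" failure described above.
function renderSavedSearchUnsafe(query) {
  return '<li class="saved-search">' +
         '<a href="/search?q=' + query + '">' + query + '</a></li>';
}

// Hardened: the same value lands in two different contexts (a URL query
// parameter and a text node), so it needs two different encodings.
function renderSavedSearchSafe(query) {
  return '<li class="saved-search">' +
         '<a href="/search?q=' + encodeURIComponent(query) + '">' +
         escapeHtml(query) + '</a></li>';
}

// The probe: a unique marker inside a payload that would execute if injected
// raw. Using a marker rather than alert(1) makes the result easy to grep for
// and keeps the payload recognisable in server logs.
function makeProbe(marker) {
  return '<img src=x onerror="' + marker + '">';
}

// Did the marker survive with its attribute syntax intact? If so, the page is
// injecting raw input and the payload would run in a browser.
function isReflectedUnescaped(html, marker) {
  return html.includes('onerror="' + marker + '"');
}

// Run both renderers against the probe and report which one leaks.
function probeRenderers(marker) {
  const payload = makeProbe(marker);
  return {
    unsafe: isReflectedUnescaped(renderSavedSearchUnsafe(payload), marker),
    safe: isReflectedUnescaped(renderSavedSearchSafe(payload), marker),
  };
}
```

The check deliberately looks for the attribute syntax rather than for the marker text alone: the hardened renderer still contains the marker characters, just with the surrounding quotes and brackets turned into entities, which is the difference between a harmless echo and a working injection.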


Indeed. It's all about what you do as a result of your shenanigans. If you, say, leave a discreet note behind that you have a gaping security hole the size of a hallway on your systems, that would be considered white hat, as opposed to say, stealing a bunch of internal emails, code, etc and selling it or putting it out on torrent sites.


Facebook, Mozilla, Google, and lots of other companies encourage this with exploit bounty programs.


Yes. White hat hackers often approach these large companies' white hat programs themselves.


From this article, I take that judge McCreath acknowledged that Mangham did not intend to use the data he downloaded. Yet, he talks of "stealing" and "creating a risk" (a huge one, given Facebook's size). But really, how risky is it to keep data on an external hard drive at home? There is a risk, but I'd say not much. Also, there was no theft, since Facebook did not lose any data. And since this "intellectual property" has not been used, Facebook didn't lose a penny over this unwanted duplication.

From there, I see only 3 possibilities: (i) judge McCreath did not actually trust Mangham's alleged intentions (I'm not sure I do either), or (ii) he doesn't know enough about computer security, or (iii) other actual damages warrant the sentence (like wasted effort at Facebook's and by the law enforcement).

I bet judge McCreath wanted to punish Mangham over (i) and (iii), but it was easier to use (ii) to do so. Or, he doesn't really understand computer security, though that's less likely by the year.


Seems ridiculous for a company who has the word "HACK" all over the inside and outside of their office, to put energy into this. Hire the kid and move on.


It really depends on the intent and extent of the intrusion, which I don't know. If there was no malicious intent and nothing was irreparably damaged, I'd say yeah, hire him. Even Microsoft, when WP7 was jailbroken, hired the hackers and put them on their openness team. The end result so far is that Microsoft allows "developer unlocks" for non-developers, so sideloading is possible.

You'd think tech companies would have learned something from all the retribution the cracker community has laid down in the past few years. If you have security holes, own up to them and fix them. Hire real security teams and have external pen-testing on outward-facing products. And if, after all that, you get breached still... at least learn something from the attack, and possibly from the attacker.


As far as I know, once you turn something like this over to the FBI or other authorities, it's out of your control. You've already lit the fuse -- where the rocket goes from there isn't your choice.


Hypothetically, could Facebook later say, "Oh, actually, we're retroactively granting him access to our systems, so he didn't actually access beyond his authorization"? Or would that get someone at Facebook charged with making a false report to the authorities?


So, what did he break?


If facebook was involved in helping prosecute this guy, sounds like they were, makes me want to boycott facebook. I only get online once every 2-3 days, but this is too much.


Why so?

If someone breaks into a company's system, surely the company has a very real obligation to help prosecute the law-breaker? While I can see where there's an argument to be made in favour of not prosecuting someone who really is a white-hat hacker (although I'm personally loath to apply that label to anyone who doesn't have a track record of responsible security research and pen testing as opposed to J. Random Hacker who happens to tell the company after the fact), this guy pretty clearly doesn't fall into that category.

While the article was light on the details (being as it was that it was about the sentencing rather than the crime), it does seem as though he both copied some of Facebook's source code or other internal data (as it mentions it being copied to an external hard drive), and it does not seem as though he reported the hole to Facebook along with any details of how he penetrated their system.

Given that, why should Facebook not help to prosecute him?


He is not an ethical hacker. He did not offer his services to Facebook to agree on a price; he hacked it of his own initiative.

Then he disclosed the vulnerabilities with his real identity, which means he assumed/expected to somehow benefit, probably not financially - just craved recognition / 'pat on the back' / coolness / job offer.

Acted like a muppet.


I think this guy is grey hat at best.


This. As soon as data is fetched from the system (that is beyond what's required for the hack), you're headed square into darker territory. To be white hat, you find the vuln, alert the company to it, and that's that. There is no "no, really, here's a load of data I grabbed using it!". White hat is generally hired gun to hack for the good of the site/company, grey not hired, but hacks; black is for the lulz/profit.


What it sounds like from the article isn't that he destroyed $200,000 worth of property; it's that $200k is what it cost Facebook to fix a security hole he discovered. Meaning it was money they needed to spend on security before someone with truly malicious intentions found it. Does Facebook seriously think that sending kids to jail is a viable substitute for building good security into their product, or that it will deter future attempts and mean they won't have to spend another $200k next time? More likely, next time they won't know about it, or it will come from a country where they have no power to find the responsible party. They should be on their knees thanking this kid; just another reason to loathe FB, I guess.


In general, the time to fix an identified security hole is dwarfed by the time to investigate a breach.

You have to identify the actions taken by the attacker and correlate events between systems to understand the extent of stolen, destroyed, or modified information, and to ensure that no additional backdoors are left behind.

If there is an indication of malicious intent, you also have to interact with law enforcement, discover the identity of the attacker, provide enough information to get a warrant, and so forth.

In the whitehat report case, it is as simple as fixing the security hole (and identifying how it got there and how to prevent similar cases) and thanking and rewarding the reporter. However, that wasn't the case here - there was no disclosure, no reason to believe that the attacker was benign, and so an investigation needed to be done.

(I work at Facebook, but not in one of the teams involved in this investigation.)
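The comment above describes the scoping step of an investigation: start from what you know about the intruder, pull every session they used, and correlate that with records on other systems to establish what was read, changed or deleted. The following is an added example, not the commenter's code and not anything Facebook used; the two log formats, host names, session ids, paths and sizes are constructed here for illustration. It pivots from an attacker IP in a web access log to the sessions that IP used, then joins those sessions against a file-access audit log from a second host to build a single timeline and an inventory of files read, bytes read and anything deleted (the last being the anti-forensic action other commenters mention).

```javascript
// Added example (not from the thread): pivot from an attacker IP to sessions,
// then correlate those sessions across two hosts' logs. All log lines below
// are constructed sample data in a hypothetical format.

const WEB_LOG = [
  '2012-02-01T10:00:01Z web-1 203.0.113.7 sess=9a1c GET /login 200',
  '2012-02-01T10:00:05Z web-1 203.0.113.7 sess=9a1c POST /internal/tool 200',
  '2012-02-01T10:00:09Z web-1 198.51.100.2 sess=77be GET / 200',
  '2012-02-01T10:00:12Z web-1 203.0.113.7 sess=9a1c GET /internal/export?path=../../src 200',
];

const FILE_AUDIT_LOG = [
  '2012-02-01T10:00:12Z repo-1 sess=9a1c read /srv/src/app/auth.php 48213',
  '2012-02-01T10:00:13Z repo-1 sess=9a1c read /srv/src/app/session.php 10440',
  '2012-02-01T10:00:20Z repo-1 sess=77be read /srv/public/index.html 900',
  '2012-02-01T10:01:02Z repo-1 sess=9a1c delete /var/log/export.log 0',
];

// "<ts> <host> <ip> sess=<id> <method> <path> <status>"
const WEB_RE = /^(\S+) (\S+) (\S+) sess=(\S+) (\S+) (\S+) (\d+)$/;
// "<ts> <host> sess=<id> <action> <path> <bytes>"
const AUDIT_RE = /^(\S+) (\S+) sess=(\S+) (\S+) (\S+) (\d+)$/;

function parseWebLine(line) {
  const m = WEB_RE.exec(line);
  if (!m) return null; // skip lines that do not match; never guess at fields
  return { ts: m[1], host: m[2], ip: m[3], sess: m[4], method: m[5], path: m[6], status: Number(m[7]) };
}

function parseAuditLine(line) {
  const m = AUDIT_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], host: m[2], sess: m[3], action: m[4], path: m[5], bytes: Number(m[6]) };
}

// Pivot: attacker IP -> sessions on the web tier -> file events those sessions
// produced on the repository host. Returns the merged timeline plus the
// inventory an investigator needs for the "what did they take" question.
function scopeIntrusion(webLines, auditLines, attackerIp) {
  const web = webLines.map(parseWebLine).filter(Boolean);
  const audit = auditLines.map(parseAuditLine).filter(Boolean);

  const sessions = new Set(web.filter((e) => e.ip === attackerIp).map((e) => e.sess));

  const webEvents = web.filter((e) => sessions.has(e.sess))
    .map((e) => ({ ts: e.ts, host: e.host, what: `${e.method} ${e.path}` }));
  const auditEvents = audit.filter((e) => sessions.has(e.sess));
  const fileEvents = auditEvents
    .map((e) => ({ ts: e.ts, host: e.host, what: `${e.action} ${e.path}` }));

  // ISO-8601 UTC timestamps sort correctly as strings.
  const timeline = [...webEvents, ...fileEvents]
    .sort((a, b) => (a.ts < b.ts ? -1 : a.ts > b.ts ? 1 : 0));

  const reads = auditEvents.filter((e) => e.action === 'read');
  return {
    sessions: [...sessions],
    timeline,
    filesRead: reads.map((e) => e.path),
    bytesRead: reads.reduce((n, e) => n + e.bytes, 0),
    deleted: auditEvents.filter((e) => e.action === 'delete').map((e) => e.path),
  };
}
```

The join key here is the session id because it survives a change of source IP; in practice the pivot runs in both directions (new IPs discovered via a session get fed back in as new pivots) until no new sessions appear, which is why the investigation cost scales with how much the attacker did rather than with how long the patch takes.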


What was the exploit?


Surprised that Facebook didn't hire this guy on the spot.


8 months for this? I thought that was the average length of a sentence given to murderers in the UK.


Facebook you suck.

This hacker should be awarded for finding flaws in Facebook that could be misused by people who really wanted to do harm. If this hacker didn't find these flaws Facebook would have never known that they have a security flaw.

Even better: Facebook should hire this guy! He managed to break into a system that is developed by the "top notch" Facebook engineers.

Get him out of prison!


There seems to be no evidence to support his allegations he was going to properly disclose his exploits to Facebook. OTOH, there is evidence he misappropriated data and deleted information that could be used to track him.

His hat is not impeccably white.


Usually when news like this comes up there are many comments along the lines of "it's okay, if you behave/do not touch data files/disclose/etc". Bad news folks - this might be ok by you, it's not ok by the law.

Unauthorized computer access is jail-time illegal. Do not access any computer or computer network without the owner's permission. Seek legal counsel if you're not 100% clear about this, and do it before you get your ass in trouble.


It's still fair to say that prosecuting after the fact, if you can find the person responsible, is a pretty shoddy way to run your security. And if you acknowledge that, then it isn't difficult to see the value - both to product and to PR - of choosing to be magnanimous with the benign ones. It's still fair to criticize Facebook for an overreaction which appears to be a way to cover its own ass and deflect attention from the larger issue, namely, that it should have spent to prevent this in the first place, and that nobody knows who else is accessing user information.

