
"White hat" Facebook hacker gets 8 months in jail - phpnode
http://www.bbc.co.uk/news/uk-england-york-north-yorkshire-17079853
======
bryanh
> "He added that when Mangham was arrested he made "copious" admissions to
> police about what he had done."

Given the chance, I always bang the "don't talk to authorities" drum. So now
you have to wonder, how did his "copious admissions" help him? Seriously, if
you are suspected of _anything_, no matter how innocuous or momentous: _Shut.
The. Hell. Up._ Get a damned attorney.

Of course the classic video needs to be linked:
<http://www.youtube.com/watch?v=6wXkI4t7nuc>

~~~
wyclif
Upvoted. Never, ever, talk to the cops.

~~~
mmaunder
Upvoted too because I preach this to friends/family regularly for serious
issues/offenses. However, I've talked my way out of around 9 out of 12 speeding
fines in various states by being nice and kissing a bit of ass during the last
decade.

Cops are people too and when they walk up to your window after pulling you
over, they may actually be scared. And you know fear leads to anger, anger
leads to hate, hate leads to your suffering in traffic court.

So the next cop who pulls you over, wind down your window before he gets
there, get your driver's license out so you don't have to fish your pockets,
put your hands on the wheel so he can see you're not going to blow his brains
out and if it's not more than 20 miles over the limit, try admitting guilt and
being nice. You might be surprised.

~~~
sumukh1
Correct me if I'm wrong, but I believe you are not supposed to fish for
anything after you are pulled over. Just keep your hands on the wheel. If the
officer sees you leaning over trying to find something after you're pulled
over he/she could see that as suspicious behavior.

~~~
molesy
Just to reiterate, it really hurts to see so many people saying "have your ID
ready". From the very moment an officer pulls you over they will be anxiously
watching your every move, hoping you're not the next one that attempts to pull
a gun on them.

Reaching for anything when pulled over is the absolute worst thing you can do
to an officer no matter how innocuous you may think you seem.

Please, just keep your hands on the wheel until they're at the window.

~~~
batista
Well, that's in the US. Fortunately, a lot of people live in countries where
you can do whatever when stopped and the officer will never suspect you are
trying to pull a gun on them, or pull a gun on you.

That's because, in those countries, it NEVER happens (i.e. for someone pulled
over to shoot the cop). So you can go get your ID or whatever, and then you
have a chat, and they maybe give you a fine for speeding or whatever.

~~~
bosse
The cops here don't even carry guns on their person. If you draw one on them,
they will retreat to a safe distance, get out the guns from the trunk of the
radio car, and keep an eye on you until the cavalry arrives.

------
arice
I manage Facebook's Whitehat program (<https://www.facebook.com/whitehat>). We
have taken an incredibly open stance towards security researchers and welcome
the contributions they make towards securing the internet. Our policy towards
this research is documented quite succinctly:

"If you give us a reasonable time to respond to your report before making any
information public and make a good faith effort to avoid privacy violations,
destruction of data and interruption or degradation of our service during your
research, we will not bring any lawsuit against you or ask law enforcement to
investigate you."

His attempt to access data was outside our whitehat guidelines, had clear
malicious intent, and included extensive and destructive efforts to remain
undiscovered and anonymous. In addition, he made no effort to contact Facebook
with his discoveries, and even denied involvement when initially questioned.
His attempt to claim he intended responsible disclosure only after faced with
criminal action is false and insulting to the community of responsible
security researchers.

~~~
lawnchair_larry
_"If you give us a reasonable time to respond to your report before making any
information public and make a good faith effort to avoid privacy violations,
destruction of data and interruption or degradation of our service during your
research, we will not bring any lawsuit against you or ask law enforcement to
investigate you."_

You think you can sue someone for sharing vulnerability information?

~~~
arice
Unfortunately, much of the internet industry has an established history of
doing just that. This heavy-handed approach to vulnerability disclosure has
led to an atmosphere of distrust and is bad for everyone. Facebook's policy is
intended to alleviate much of the tension involved with vulnerability
disclosure.

If you're curious, the EFF has published a number of great articles on the
topic:

<https://www.eff.org/issues/coders/vulnerability-reporting-faq>

<https://www.eff.org/deeplinks/2010/12/knowledge-power-facebooks-exceptional-approach>

~~~
lawnchair_larry
I think you are confused. I've been in the security industry for about 10
years. Disclosing a vulnerability is not illegal. Over the years, some
companies have tried to sue over this, but these censorship attempts do not
turn out well.

Not only is it legal to disclose unfixed vulnerabilities, but it is legal to
sell them. Presently, the biggest buyer of them is none other than the US
government.

~~~
tptacek
Whoah. Whoah. Whoah. You're handwaving around the real issue. It's not legal
to _find_ vulnerabilities by testing other people's running web applications
without permission, and it never has been.

People obviously do it, all the time, against sites that haven't officially
given permission (as Google and Facebook have), and most of the time they get
away with it, but they are rolling the legal dice every time they do. People
have been getting in trouble for doing this for years.

The people selling vulnerabilities are generally running the software
themselves. _Huge_ difference.

~~~
lawnchair_larry
My post, and his reply, were only discussing the disclosure of vulnerability
information. I didn't say it was legal to attack a live system that you don't
own. I see how you are making that logical leap in the case of facebook, but
it isn't necessarily a given. There are ways one can legally become aware of
vulnerabilities in facebook, and share that information.

------
JonnieCache
_"You accessed the very heart of the system of an international business of
massive size, so this was not just fiddling about in the business records of
some tiny business of no great importance," he said._

This is the kind of thing that makes my blood boil.

~~~
newhouseb
While "importance" is a pretty subjective (read: bullshit) metric in legal
terms, using the dollar value of theft to threshold criminal charges is used
around the world. In the U.S. you can press charges for any amount, but
depending on the state they have different thresholds between misdemeanor and
a felony (grand theft) usually around $500-$1000. Interestingly enough, in
some places such as China (where I originally learned about the theft lines /
thresholds in a class at Peking University), there is a minimum value that
must be stolen before one can prosecute, which is on the order of US$100. This
obviously saves the court from wasting too much time on judicial abuse, but
clearly discriminates against people among the lowest rungs of the economic
ladder. On the other hand it sets the priority for handling larger cases that
impact more people (such as official corruption scandals which admittedly
China does a more prudent job of enforcing responsibility in white collar
crime than the States).

Of course the argument could be made that criminal prosecution is largely a
function of who you know rather than the spare resources of the judicial
system, which is probably correct, but it is still food for thought.

(Sources:
<http://www.california-criminal-lawyer-blog.com/2010/11/grand_theft_threshold_in_california_increased_to_950.html>
and <http://www.chinareview.info/issue2/pages/case.htm> and some classes I
took, but IANAL)

~~~
Retric
I don't think China does a more prudent job of enforcing responsibility.
Rather China occasionally makes an example of the most blatant cases of
corruption.

~~~
newhouseb
You might be right, but the net effect is that it encourages responsibility
regardless.

~~~
Retric
In specific instances the fact that China kills people where the US does
little to the individuals involved _feels_ good. However, the US approach of
mostly free press coupled with regular and independent policing of government
contracts, coupled with class action lawsuits changes the landscape
significantly. In the end you might argue that corruption is endemic to both
systems, yet that's the case for any large scale government throughout
history.

What the US does well is simply keep things public enough that everyone tries
to at least appear to follow the rules. And if you ever tried to do
significant business in China as opposed to a Chinese company you will quickly
understand that that in and of itself is huge.

~~~
Volpe
It's better when "everyone tries to at least appear to follow the rules"?
Isn't that worse than blatantly not following the rules, because at least you
know what they are doing?

~~~
Retric
Following the rules in this case means actually providing the service that the
government paid for. The government may overpay for a building because people
skim off the top, but it's far less common for them to build something that's
so poorly constructed that people can't actually use it. The first case is
less efficient; the second is useless.

------
koenigdavidmj
<https://www.facebook.com/whitehat>

Facebook themselves have a policy of tolerance toward white hat hackery
(basically "give us a reasonable amount of time before releasing to the
public" and "do what you can to protect other users' privacy"). I want to hear
their side of this.

~~~
nbpoole
The title of this submission is completely inaccurate: the person in question
is in no way a "white hat":

<http://www.guardian.co.uk/technology/2011/aug/17/facebook-hacking-case>

> _Between 17 April and 9 May he is accused of downloading a computer program
> "to secure unauthorised access" to Facebook; of attempting to hack into
> Facebook's "Mailman" server; of using PHP script to secure access to another
> Facebook server, dubbed "Phabricator"; of sharing a PHP script intended to
> hack into that Facebook server; and of securing "repeated" access to another
> Facebook server._

~~~
gdeglin
This is deeply disturbing to me. I'm a participant in Facebook's whitehat
program (<http://facebook.com/whitehat>) and have been awarded a cash prize
several times. These accusations are things that I've either done, attempted
to do, or succeeded in doing myself with the goal of getting paid for
discovering a vulnerability.

>> downloading a computer program "to secure unauthorised access" to Facebook

Any basic security auditing tool falls into this category and this is
something I've done all the time. Wish they would more clearly state what made
his access unauthorized when my hacking attempts are welcomed.

>> attempting to hack into Facebook's "Mailman" server

I've attempted this too. It's a great target since it's 3rd party code,
Facebook runs an out of date version, and some versions have publicly known
vulnerabilities.

>> using PHP script to secure access to another Facebook server, dubbed "Phabricator"

I've attempted to do this and just yesterday was considering another attempt.
It's a great target since it doesn't go through Facebook's normal release
process, it's a large project, and it's open source.

>> sharing a PHP script intended to hack into that Facebook server

I've done this. Sometimes I need another set of experienced eyes to help me
get a proof of concept working. Of course it was someone I trusted to keep my
discovery confidential.

>> securing "repeated" access to another Facebook server.

I've done this too, both before and after Facebook announced their whitehat
program. Before the program they thanked me and sent me swag, after
introducing the whitehat program they started awarding me cash on prepaid
debit cards.

I can only assume that this guy was prosecuted instead of thanked because he
didn't tell Facebook promptly about his discoveries, or perhaps he used them
to do something like stealing source code out of Phabricator (Facebook's code
review tool). I wish the reporting of this did a better job of covering the
details.

~~~
nbpoole
I've participated in the program as well (and I'm going to be interning with
Facebook's Security team this summer). This incident doesn't worry me
personally and I hope it doesn't worry anybody else. But if you want clarity,
I think arice's comment sums up this particular situation very well:

<http://news.ycombinator.com/item?id=3605343>

> _His attempt to access data was outside our whitehat guidelines, had clear
> malicious intent, and included extensive and destructive efforts to remain
> undiscovered and anonymous. In addition, he made no effort to contact
> Facebook with his discoveries, and even denied involvement when initially
> questioned. His attempt to claim he intended responsible disclosure only
> after faced with criminal action is false and insulting to the community of
> responsible security researchers._

~~~
gdeglin
Ah, that certainly clarifies it. Thanks!

------
Zarathust
Usually "white hats" have some kind of responsible disclosure. It seems that
this "white hat" did not disclose anything to Facebook, then got caught and
only then pretended to be acting for everyone's good.

Admitting everything in police custody is NOT responsible disclosure.

~~~
Locke1689
Moreover, he actually accessed files. White hat hacking includes finding
vulnerabilities, not using them to actually steal data.

This sounds like someone who was accessing Facebook for profit and made up an
excuse when he got caught.

~~~
chc
Sounds to me like someone who accessed Facebook for kicks and made up an
excuse when he got caught. There's no more evidence that he profited than
there is that he was being helpful.

I knew a kid back in the '90s who got hauled off a couple of times by the FBI
for hacking. He wasn't looking for profit — he just thought it was fun to
break into systems.

------
tstonez
[Without knowing the full details of the case or proceedings] I don't see how
putting this, clearly quite gifted, young person in jail for 8 months is going
to help him, Facebook or anyone else for that matter.

Surely, there must be other options than jail?! Maybe some form of community
service where he would then be an asset rather than a cost to the general
public. If he can infiltrate Facebook, I am sure there are government sites
and systems with much more sensitive information that he could be testing and
identifying security threats.

Eight months hard time, plus the stigma of a criminal record, just seems like
such a waste.

~~~
troels
Well, that's true of incarceration in general.

------
ferrofluid
"You accessed the very heart of the system of an international business of
massive size, so this was not just fiddling about in the business records of
some tiny business of no great importance," he said.

How small does a company have to be, where it's ok for someone to "fiddle
about" in their business records?

------
abraxasz
"The creation of that risk, the extent of that risk and the cost of putting it
right mean at the end of it all I'm afraid a prison sentence is inevitable."

I'm not sure what the "creation of that risk" part is supposed to mean. If it
refers to the security weakness the hacker uncovered, well as I said the
hacker did not "create" it, he merely "found" it.

If the risk is the potential disclosure, then what is "the cost of putting it
right"? Fixing the security weakness? Well, since it was not "created" by the
hacker, they are just fixing something that they should have, or would have,
fixed anyway.

Now I'm not saying that the poor hacker should not go to jail. The article
doesn't give many details so I'm not sure he should be called a "white hat".
However, I'm not convinced by the argument given by the judge.

------
ck2
I'm not saying he deserved this sentence but if you have that much talent and
energy BUILD SOMETHING OF YOUR OWN.

We all understand the tinkering nature of taking something apart to see how it
works.

But if you are that clever and deep into hacking apart facebook, stop and make
your own project with that kind of energy.

------
guard-of-terra
"Sentencing Mangham, Judge Alistair McCreath said his actions could have been
"utterly disastrous" for Facebook."

So what?? Facebook isn't a British business; why should the British judicial
system care that much? Even if he was that guilty.

Countries should totally quit being unpaid prostitutes to foreign companies.

------
CHsurfer
It seems that the government(s) make a lot of noise about how valiantly they
pursue these 'dangerous' hackers, but they won't go near the state sponsored
industrial espionage that appears to be coming out of China. Why are we so
proud of persecuting our own citizens while we ignore much more damaging
actions carried out by another government?

~~~
Volpe
Probably because it's not a one sided affair and both sides in a (China/US)
confrontation have a lot of leverage over each other so a conflict is not in
the interest of either party...

------
machrider
Is it possible to be a "white hat" hacker if you weren't actually contracted
by the target for penetration testing?

~~~
michaelbuckbee
There is obviously a spectrum to this sort of thing, but I know of many people
that will just habitually enter javascript alerts into a web service's forms
to see what happens.

Mostly this is just to evaluate the product and to see if it is trustworthy,
but they'll often send along a polite FYI to the site owners letting them know
if they have security issues that need addressing.

Actions like that: finding vulnerabilities, privately disclosing them, not
disrupting the service, are all fairly innocuous things that most reasonable
technically savvy people would consider 'white hat'.

~~~
tptacek
People can and will go nuts if you, for instance, accidentally mess up the DOM
for their customers by getting an XSS payload cached and redisplayed in e.g.
"saved search" results.

It sucks, but if your goal is to avoid legal drama, don't test without
permission.

------
loup-vaillant
From this article, I take it that judge McCreath acknowledged that Mangham did
not intend to use the data he downloaded. Yet, he talks of "stealing" and
"creating a risk" (a huge one, given Facebook's size). But really, how risky
is it to keep data on an external hard drive at home? There _is_ a risk, but
I'd say not much. Also, there was no theft, since Facebook did not lose any
data. And since this "intellectual property" has not been used, Facebook
didn't lose a penny over this unwanted duplication.

From there, I see only 3 possibilities: (i) judge McCreath did not actually
trust Mangham's alleged intentions (I'm not sure I do either), or (ii) he
doesn't know enough about computer security, or (iii) other actual damages
warrant the sentence (like wasted effort at Facebook and by law
enforcement).

I bet judge McCreath wanted to punish Mangham over (i) and (iii), but it was
easier to use (ii) to do so. Or, he doesn't really understand computer
security, though that's less likely by the year.

------
joshmattvander
Seems ridiculous for a company who has the word "HACK" all over the inside and
outside of their office, to put energy into this. Hire the kid and move on.

~~~
daeken
As far as I know, once you turn something like this over to the FBI or other
authorities, it's out of your control. You've already lit the fuse -- where
the rocket goes from there isn't your choice.

~~~
nitrogen
Hypothetically, could Facebook later say, "Oh, actually, we're retroactively
granting him access to our systems, so he didn't actually access beyond his
authorization"? Or would that get someone at Facebook charged with making a
false report to the authorities?

------
wyclif
So, what did he break?

------
amalag
If Facebook was involved in helping prosecute this guy, and it sounds like they
were, that makes me want to boycott Facebook. I only get online once every 2-3
days, but this is too much.

~~~
elemeno
Why so?

If someone breaks into a company's system, surely the company has a very real
obligation to help prosecute the law-breaker? While I can see where there's an
argument to be made in favour of not prosecuting someone who really is a white-
hat hacker (although I'm personally loath to apply that label to anyone who
doesn't have a track record of responsible security research and pen testing
as opposed to J. Random Hacker who happens to tell the company after the
fact), this guy pretty clearly doesn't fall into that category.

While the article was light on the details (being as it was that it was about
the sentencing rather than the crime), it does seem as though he both copied
some of Facebook's source code or other internal data (as it mentions it being
copied to an external hard drive), and it does not seem as though he reported
the hole to Facebook along with any details of how he penetrated their system.

Given that, why should Facebook not help to prosecute him?

------
mickey7
He is not an ethical hacker. He did not offer his services to Facebook to
agree on a price; he hacked it of his own initiative.

Then he disclosed the vulnerabilities with his real identity, which means he
assumed/expected to somehow benefit, probably not financially, just craved
recognition / 'pat on the back' / coolness / job offer.

Acted like a muppet.

------
paulhauggis
I think this guy is grey hat at best.

~~~
gvsyn
This. As soon as data is fetched from the system (that is beyond what's
required for the hack), you're headed square into darker territory. To be
white hat, you find the vuln, alert the company to it, and that's that. There
is no "no, really, here's a load of data I grabbed using it!". White hat is
generally hired gun to hack for the good of the site/company, grey not hired,
but hacks; black is for the lulz/profit.

------
noduerme
What it sounds like from the article isn't that he destroyed $200,000 worth of
property; it's that $200k is what it cost Facebook to fix a security hole he
discovered. Meaning it was money they needed to spend on security before
someone with truly malicious intentions found it. Does Facebook seriously
think that sending kids to jail is a viable substitute for building good
security into their product, or that it will deter future attempts and mean
they won't have to spend another $200k next time? More likely, next time they
won't know about it, or it will come from a country where they have no power
to find the responsible party. They should be on their knees thanking this
kid; just another reason to loathe FB, I guess.

~~~
nbm
In general, the time to fix an identified security hole is dwarfed by the time
to investigate a breach.

You have to identify the actions taken by the attacker and correlate events
between systems to understand the extent of stolen, destroyed, or modified
information, and to ensure that no additional backdoors are left behind.

If there is an indication of malicious intent, you also have to interact with
law enforcement, discover the identity of the attacker, provide enough
information to get a warrant, and so forth.

In the whitehat report case, it is as simple as fixing the security hole (and
identifying how it got there and how to prevent similar cases) and thanking
and rewarding the reporter. However, that wasn't the case here - there was no
disclosure, no reason to believe that the attacker was benign, and so an
investigation needed to be done.

(I work at Facebook, but not in one of the teams involved in this
investigation.)

------
dreamdu5t
What was the exploit?

------
ericboggs
Surprised that Facebook didn't hire this guy on the spot.

------
JS_startup
8 months for this? I thought that was the average length of a sentence given
to murderers in the UK.

------
TeeWEE
Facebook you suck.

This hacker should be rewarded for finding flaws in Facebook that could be
misused by people who really wanted to do harm. If this hacker didn't find
these flaws, Facebook would have never known that they have a security flaw.

Even better: Facebook should hire this guy! He managed to break into a system
that is developed by the "top notch" Facebook engineers.

Get him out of prison!

~~~
rbanffy
There seems to be no evidence to support his allegations he was going to
properly disclose his exploits to Facebook. OTOH, there is evidence he
misappropriated data and deleted information that could be used to track him.

His hat is not impeccable white.

------
DenisM
Usually when news like this comes up there are many comments along the lines
of "it's okay, if you behave/do not touch data files/disclose/etc". Bad news
folks - this might be ok by you, it's _not_ ok by the law.

_Unauthorized computer access is jail-time illegal._ Do not access any
computer or computer network without the owner's permission. Seek legal counsel
if you're not 100% clear about this, and do it before you get your ass in
trouble.

~~~
noduerme
It's still fair to say that prosecuting after the fact, if you can find the
person responsible, is a pretty shoddy way to run your security. And if you
acknowledge that, then it isn't difficult to see the value - both to product
and to PR - of choosing to be magnanimous with the benign ones. It's still
fair to criticize Facebook for an overreaction which appears to be a way to
cover its own ass and deflect attention from the larger issue, namely, that it
should have spent to prevent this in the first place, and that nobody knows
who _else_ is accessing user information.

