
Man to pay $300k in damages for hacking employer - happy-go-lucky
http://www.bbc.com/news/technology-39883229
======
photoGrant
Maybe not the time for semantics, but curious where people's line in the sand
is with regards to calling logging in with the correct admin credentials as
'hacking'.

~~~
dsacco
I consider "hacking" to be any instance of an entity deliberately undermining
the confidentiality, integrity or availability assurances (the CIA triad) of a
technical security control; be it passively or actively, and regardless of the
apparent weakness of the control.

Information security begins with confidentiality, which brings us to the
concept of authorization and the use of encryption. When Bob and Alice
want to communicate in secret, they want to assure confidentiality, and they
use encrypted messages. Then we also have integrity: when Bob and Alice are
enjoying a confidential communication, they want to make sure no one has
altered the messages even if they can't read them, so we get hash functions
and MACs. Maybe Bob wants authentication: he wants to make sure the person who
sent him the message really is Alice, even if he's already sure it's
confidential and unaltered, so now we've got digital signature schemes.
Eventually Alice decides she wants non-repudiation, or peer entity auth, etc.

Every technical security control can be modeled as the practical
implementation of one of these desires for a particular type of assurance.
This is neat, because it precludes pernicious questions like, _"Well what if
it's weak and the 'hacker' just incremented a value in a URL"_ - we shift the
slippery-slope problem of ascribing malicious intent to the legal sphere
without sacrificing the cleanly drawn _technical_ definition.

Under this definition, I'd consider the individual in this story to have
"hacked" their employer. A login interface is a technical security control
designed to provide authorization/access control as a method of implementing
confidentiality (among other things). The employee logged in as a user other
than themselves, thereby undermining the control. Furthermore, he did it
intentionally, which establishes the deliberation requirement. It was not a
sophisticated hack, but then again real world hacking _very rarely_ is
technically sophisticated.

Despite the composition of Black Hat/DEF CON proceedings every year, the median
company is far more likely to be compromised through a social engineering or
endpoint failure (e.g. executive is phished, employee pirates media and gets a
virus, etc).

EDIT: Apparently this is an unpopular answer, that's fine. But it's an answer
that probably goes the farthest and with the fewest rabbit holes. Humans need
to trust software in different ways, and if you deliberately break that trust
by bypassing the implementation that assures it, you've hacked the software.

~~~
im3w1l
> I consider "hacking" to be any instance of an entity deliberately
> undermining the confidentiality, integrity or availability assurances

That sounds extremely broad, in the same way that calling jaywalkers criminals
would be.

~~~
dsacco
It's actually not. Laws are not an appropriate analogy for technical security
controls. First and foremost, laws exist which are clearly not enforced.
Technical security controls exist, or they don't. They don't generally rely on
human arbitrators for enforcement, unlike legislation. Once it is in place,
the technical nature of the control is self-enforcing; bypassing the
enforcement is what constitutes "hacking." In this way criminality and hacking
aren't comparable. A better comparison might be security policies and laws,
but that's close to tautological because they're so similar.

Moreover, laws can be broken unintentionally, and under this definition you
cannot hack something unintentionally. Awareness can be tantamount to
intentionality - I'd argue most people aren't even aware they're jaywalking
when they do it. It stretches the boundaries of believability that someone
would log in as someone else and not be aware that they did it. In a contrived
scenario where they did somehow accomplish that, I wouldn't call it hacking.

~~~
lazylizard
just to confirm. within this scheme, all a website needs is 2 form fields
"userid" and "password", they don't even have to do anything, and if you
crawled it, you've hacked it?

~~~
dsacco
If the login interface actually works (i.e. it's actually an access control),
and you successfully log in with credentials that aren't yours - yes, you've
hacked it. It's only a hack if you intend to do it and the interface is a good
faith implementation.

I don't really follow your question in this comment and the other one though -
what do you mean about CIA desires? You need to understand that a technical
control represents a control in order to intentionally bypass it.

~~~
lazylizard
the problem is good faith and desire?

if there's a bunch of numbers in my url after i login, and i'm oh so curious
what i'd see if i increment that number by 1, now i'm hacking? i mean, i
believe the website simply didn't want to implement session control, if i saw
someone else's account details, is that an acceptable interpretation? there's
no "rule of the internet" that says we must only navigate by provided links on
an HTML page, is there?

~~~
dsacco
_> if there's a bunch of numbers in my url after i login, and i'm oh so curious
what i'd see if i increment that number by 1, now i'm hacking_

Under the definition above, if you do it to deliberately bypass the control,
then yes. If you do it out of curiosity without believing you might subvert
any control, then no you're not hacking.
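
The "numbers in my url" scenario from the exchange above, as an added illustration that is not part of the thread: two lookup handlers over the same constructed data, one that trusts the id in the URL on its own (so incrementing it reads another user's record) and one that ties the lookup to the authenticated session, which is the access control the comments are arguing about. All names, tokens and records here are made up.

```python
# Added illustration (not from the thread): the "bunch of numbers in my url"
# scenario. Two lookup handlers over the same constructed data: one that
# trusts the id in the URL alone, and one that ties the lookup to the
# authenticated session, which is the access control the thread discusses.

# Constructed sample data: session tokens -> users, and the records users own.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
RECORDS = {
    101: {"owner": "alice", "detail": "alice's account details"},
    102: {"owner": "bob", "detail": "bob's account details"},
}


class Forbidden(Exception):
    """Raised when the requester is not authorised for the record."""


def authenticate(session_token):
    """Resolve a session token to a user, or raise if it is unknown."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Forbidden("not logged in")


def lookup_without_ownership_check(session_token, record_id):
    """Vulnerable variant: login is checked, but the record id from the URL
    is trusted on its own, so any logged-in user can read any record."""
    authenticate(session_token)
    return RECORDS[record_id]["detail"]


def lookup_with_ownership_check(session_token, record_id):
    """Hardened variant: the record is returned only if the authenticated
    user owns it. A missing record and a foreign record raise the same
    Forbidden, so the response does not reveal whether the id exists."""
    user = authenticate(session_token)
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        raise Forbidden("no such record for this user")
    return record["detail"]


def can_read(lookup, session_token, record_id):
    """Return True if `lookup` hands back the record, False if it refuses."""
    try:
        lookup(session_token, record_id)
        return True
    except (Forbidden, KeyError):
        return False
```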

------
arthulia
Assuming this is the correct website, it appears to still be defaced:

[http://www.capatrol.com/](http://www.capatrol.com/)

~~~
SmellyGeekBoy
Wow, that's crazy! You'd think that part of the ruling would include restoring
the website to its former glory...

~~~
vacri
It's bizarre that the issue made it to court and the website still hasn't been
fixed. That's a long time.

------
AmVess
"Then, he noticed that someone had tampered with the program’s 'Lunch' field.
Four hours had been added into the lunch field each day, which accounted for
the unexplained extra 40 hours of overtime in Garcia’s records. The hours had
been entered in black text on a black background, in one-point font. As a
result, the alterations to Garcia’s hours would not have been noticeable to
the casual observer. The alterations resulted in Garcia’s being paid wages for
overtime that, presumably, he did not work."

That's just one of the things he did.

If you're going to be a criminal, at least be a smart criminal. He's going to
be stuck with trying to pay off $300k on a fast food worker's wages which will
take him the rest of his life unless he inherits a lot of money or plans on
winning the lotto. He effectively removed himself from consideration from any
decent job and thus his ability to pay the fine in a comfortable manner.

------
whatnotests
That's like $2000/month for 7 years.

In cases like this, I would expect that $300K to drop later, or to be
renegotiated at some point.

~~~
obstinate
Maybe! The justice system allows for damages beyond just compensation.
Sometimes, it's about sending a message.

~~~
cm2187
In France the judge doesn't have any discretion on damages. The defendant is
liable for all damages as a result of his action. Even if these amount to $1
billion.

~~~
kuroguro
What's the point? There's no way anyone could pay that.

~~~
tyingq
Just in case they win the lottery perhaps? Debt is debt.

------
bbcbasic
Why not criminal charges?

