Teens Who Hacked Microsoft's Xbox Empire and Went Too Far (wired.com)
515 points by wolfgke 11 months ago | 173 comments

For kicks, he says, the guards tossed the prisoners’ sandwiches onto the floor of the van, knowing that the tightly shackled men couldn’t reach them.

Why is this permitted? Does anyone other than me think the guards should also be prosecuted for this behavior? Worst of all who are the sort of people who apply for these jobs, behave like this all day and then just go home at the end of the day to have a nice evening with family. Very disturbing.

Aside, odd feeling reading this article featuring a US-Canada border crossing right after playing Detroit: Become Human last night.

Disciplined maybe, not prosecuted, as there are very few ways of placing a sandwich ("in a jet turbine" for example) that would constitute a crime. Also don't forget you're reading Wired's telling of Pokora's telling of the event. Do we know this was done "for kicks?" Do we know the guards' inner thoughts, or did they express them outwardly? All we have is that Wired says Pokora says it was for kicks. Another explanation I can dream up right now: It's futile to give a shackled man a sandwich, even if you leave it right in his lap. (Assuming hands shackled behind.) So maybe the guards roll their eyes at the bureaucracy they work for, that insists on prepping a sandwich for someone who has no way of eating it, and they toss it in, in a combination of frustration with that, and the usual disdain for the kind of people they carry in the back of the vehicle who have (allegedly, but probably, since prosecutors don't like weak cases) acted to harm other people in a way that's serious enough to be illegal. Disclaimer: Unjust laws and victimless crimes exist.

You’re doing mental gymnastics to justify cruel and dehumanizing behavior.

Justify? You'll note I never declared what was right or wrong, nor do I hasten toward any such conclusion. That was, not coincidentally, the point I was trying to illustrate... well firstly 1) that we don't know as much as we think we do, but mainly 2) that things are usually more complicated and murky than some simplistic moral fairy tale.

Anyway to a mind that's flexible and agile, nothing feels particularly like gymnastics, but I do note that there is a weird disproportionality of anguish and outrage on this thread, over something that happened to me just now -- 3 hours without a sandwich. Partly because of fortune and partly by my own will not to fuck people over, I've never seen the inside of one of these places, but I'm still willing to wager that "no sandwich" is not the worst abuse that goes on "in custody." So if it outrages you, and prisoner rights is something that matters to you, all that energy might be better directed toward addressing some of those more serious abuses.

Sorry to say, there are myriad other ways that the systems and institutions we all participate in, will ruin entire lives, including of non-prisoners, in cruel and dehumanizing ways. And there are criminals dead-set against those systems, who will do the same. Neither one is particularly your friend. Or sorry, that's presumptuous... neither one is particularly my friend.

The point is that we can't determine with certainty that cruel and dehumanising behaviour occurred in the first place. Unless you're willing to investigate the issue further it's probably more sensible to suspend your judgement or at least acknowledge that you're interpreting the article literally and assuming that it's factually correct.

you're advocating prosecution for improper sandwich distribution.

Or prosecution for people whose job it is to properly take care of people in their charge, when those people aren't allowed to take care of themselves.

You simplify the situation by completely ignoring the context. We’re advocating prosecution for torture.

>> Does anyone other than me think the guards should also be prosecuted for this behavior?

I do, but there's a whole lot of people who are happy with behavior like this because they think prisoners should suffer and they are 100% ok with this.

> just go home at the end of the day to have a nice evening with family

You mean, assuming they do have a family and are capable of having a nice evening? Sometimes people's behavior conveys their inner issues. Not that I'm justifying their behavior in any way, just objective thinking.

Most terrible things are done by "normal" people.

Putting them into mutually exclusive categories is an attempt to hide from the discomfort of that idea and is ultimately counter-productive.

Thank you for the insight.

I was just saying this was a possibility but I totally see what you mean, which probably results from human nature not being necessarily "good".

> Does anyone other than me think the guards should also be prosecuted for this behavior

So yes, and

> who are the sort of people who apply for these jobs, behave like this all day and then just go home at the end of the day to have a nice evening with family

Normal people? :/

Aka "the banality of evil"

Adding a quote:

> There are hardly any excesses of the most crazed psychopath that cannot easily be duplicated by a normal kindly family man who just comes in to work every day and has a job to do.

- Terry Pratchett, Small Gods

That's what you took away from this story? Really?

That some transportation guards were reportedly jerks. If tossing a sandwich just outside of arm's reach is cruel and unusual punishment to you, must not have had older siblings.

People are jerks sometimes. These kids had a lot more than an out of reach sandwich coming to them.

That’s the most spirited defense I’ve seen of denying food to prisoners, congratulations?

And yours is the most missing the forest for the trees I've ever seen. Congrats.

Can you please run us through the upsides of normalizing and supporting dehumanization and torture?

This is the first time I’ve read that conduct legally ruled cruel and unusual punishment and used by authoritarian regimes around the world is actually a loving act of kindness, so I’m very curious about how you've reached that conclusion.

In the same vein, do you also believe victims in abusive relationships that the violence towards them is their fault, and that their abusers are doing it out of love?


Your definition of torture is a guard tossed a sandwich out of arm's reach for a 3 hour ride because he's a jerk.

I rest my case.

Why should we not treat all people humanely?

You mean, assuming it happened? It's probably not permitted. It'd fall under the category of cruel and unusual punishment, or maybe extrajudicial punishment. Plenty of things happen that are not permitted.

If there are no consequences, there is no prohibition.

A facile response. Sometimes prohibited activities are not observed. In these cases, it's hard to impose consequences.

But it's much more complex than this. There's a question of how much we want to prevent such things, and, even supposing we're willing, how many resources we're willing to dedicate to the solution. There's also a question of prevention via cultural change, which is a hard problem if there ever was one.

This really hit home with me. As a kid I hacked Microsoft and leaked some Windows Longhorn (the precursor to Vista) builds.

One of those kids was wandering around the exact floor where my desk was. I got a job and career out of it, these kids got jail time and one suicide. Geez.

This is not a case of teenagers stumbling across some leaked software and then getting disproportionately punished for the unauthorized access. This is about a guy who, in one example, tried actively to sell leaked software for profit. This is not about kids just having some harmless fun.

The sentences of 18-24 months seem entirely reasonable for the crimes committed too. At least compared to some other horror stories you hear about sentencing for computer crimes. These kids definitely have a chance to put all of this behind them and be productive members of society.

Of course with the American prison system being the way it is, the chances of these children coming out in any way better prepared to contribute to society than before they were imprisoned are very slim.

I wasn’t commenting on the activity or punishment, more just the generally similar circumstances and outcomes.

> and be productive members of society.

I personally doubt whether one wants to be a productive member of a society that put one into jail.

The thing is... morality is a lot more fluid in the years < 20. Doesn't absolve him from responsibility, but the protagonist was hacking Xbox code at 10 and was into serious stuff long before being an adult. If someone, anyone would have put him aside and gave him serious options, he would have probably taken them.

I'm inclined to agree that people who commit "crimes of skill" are better able to repay their debt to society by using their ability for good rather than rot in a cage.

> I'm inclined to agree that people who commit "crimes of skill" are better able to repay their debt to society by using their ability for good rather than rot in a cage.

I agree with the mind of this statement. The problem is: For lots of such skills, it is hard to find jobs where these are needed (for example reverse engineering). Based on my personal observation, to stay in the example, there exist much more skilled reverse engineers than jobs where these skills are useful/needed.

Do you have any idea how many engineers on a daily basis are either reverse engineering some government weapon, or a competition's product, or a geopolitical strategy? Being able to understand exactly how things work allows you to anticipate and even dictate how they will behave.

I find this profoundly unlikely.

> I find this profoundly unlikely.

I know lots of examples where this is the case (I am talking about Germany, where the situation might be a little different, but I do not believe that the difference is too large).

I know some really great reverse engineers who have difficulties to find a decent job (they get through with some badly paid jobs that are far below their skills).

I can assure that I have hardly ever seen a job ad where reverse engineering (as in software) skills are even mentioned. And I openly admit that I (who also have some knowledge in reverse engineering) would not even know where to ask/look for a job that gratifies such skills. Be assured that I would have passed on such job hints if I knew of any.

In my observation the whole "IT security" scene (I am aware this is a somewhat different area than reverse engineering) is a close-knit circle that is hard to get into. If you are able to get into, I have strong evidence that the salary is actually rather good. But I have no idea how to get into the inner circle where the job offers await.

Seriously: I have some colleagues who even asked me with my knowledge about security why I do not get into the field of activity of IT security. I tell them to give me hints how to get into this inner circle where the interesting job offers await. None of these loudmouths could tell me. Of course...

EDIT: I could go on and on. The statements stay mostly the same all the time: Where can such a person find job offers?

Reverse Engineering is a much broader field than simply in the context of software engineering. But it takes an engineering mind to be able to replicate another engineer's work. Other examples include: bomb squad detectives, Root cause analysis experts, market/competition research, Prototyping (taking apart an existing product and adapting it to make a new one). NTSB agent which I think would be really interesting.

> Reverse Engineering is a much broader field than simply in the context of software engineering.

I will not disagree. But I am explicitly talking about reverse engineering as in the original article (i.e. mostly software and to a lesser (but not less important) sense electronics).

I do not know enough details about the other segments that you mention to make deep statements about them. But I am pretty confident in my opinion that the kind of skills that you require for them are really different from those that you need for software/electronics reverse engineering. What I want to say with this: The skills that you need for hacking an XBox (as in the article) do hardly ever transfer to any of your examples (bomb squad detectives, Root cause analysis experts, market/competition research, Prototyping, NTSB agent).

I can think of some fields where these kids would be well suited - like employing them to make the XBox Live/PS/Steam gaming networks more secure, or employed by game companies to root out the cheaters (Sea of Thieves being a very recent example of a game infested with too many cheats).

> I can think of some fields where these kids would be well suited - like employing them to make the XBox Live/PS/Steam gaming networks more secure

In my opinion/experience, finding loopholes/security bugs in an existing system and designing systems that are unprone to security bugs are two very distinct skills. It is quite imaginable that many people who work in the branch become good at both, but being good at one of them does not make you good at the other.

EDIT: The only kind of knowledge that comes spontaneously to my mind that transfers well between both areas is having an immense amount of obscure knowledge about weaknesses in lots of protocol designs.

In order to design a really secure system, wouldn't you first have to know what "secure" is? If I am an expert at building impenetrable servers, then I must know how to penetrate servers since I've added patches to block all known attacks. How could I do that without first being a hacker?

See, it's a progression not a dichotomy. A hacker possesses only a subset of a truly skilled security programmer. And the security programmer always has home field advantage. As a hacker becomes more seasoned, they learn more and more about the system until they reach the level of the security programmer or the person implementing all the locks and keys.

> In order to design a really secure system, wouldn't you first have to know what "secure" is?

Indeed. For this one loves to build mathematical models, formulate security properties, make proofs, think deeply about the limits of the formulated models (e.g. tempest attacks, cache timings etc. which might introduce side channels) etc.

Finding exploits is quite a different job: Here you very often have lots of legacy systems which have an architecture that is hard to make secure. To give an example: A parser for a very complicated and ill-specified file format where mistakes can easily lead to catastrophes (for example because the format allows to embed "executable scripts" that are run in a JIT-based virtual machine). So you look for loopholes in an often badly designed or at least complex and thus error-prone system and think about how you can exploit these mistakes in a clever way.

I am very sure that both can be very exciting jobs, but they are in my opinion quite different in nature.

> If I am an expert at building impenetrable servers, then I must know how to penetrate servers since I've added patches to block all known attacks. How could I do that without first being a hacker?

I think the essential difference is that if you are an expert in building impenetrable servers, you simply avoid lots of design decisions that are prone to security problems (to stay in my explanation above: these also typically have the property that they can be specified rather well formally). On the other hand, if you want to penetrate servers, you need creativity to turn "suspicious looking design decisions/oversights" into working exploits.

So being an expert in building impenetrable servers will not make you good in penetrating servers: Knowing what design decisions are hard to keep in control security-wise does not (necessarily) give you the knowledge about how to concretely exploit them. On the other hand: Having a strong creativity for how one can in practice exploit oversights does not (necessarily) make you a good engineer for systems that are hard to exploit.

“On the other hand, if you want to penetrate servers, you need creativity to turn "suspicious looking design decisions/oversights" into working exploits.” - imagine you at 30 trying to beat your 10 year older self for eternity.

The coder oversights won't be there because that seasoned expert once exploited someone else like that and knows where to defend. There is such a thing as 100% secure code. Although instances of it are very small. My point is, you get to be so good at building defenses because you've seen so many offenses and know what to expect and how to counter.

Of course, they do! Reverse engineering is the skill of being able to see how things are put together without having the whole picture. It's having an intuition of where to find the clues to solve the bigger puzzle. From discerning which chip to decode to find the encryption key, to deducing that a broken fan blade is the only item that could strike a window at high enough velocity to shatter it, the skills are the same. A software reverse engineer is good because they possess many of the same traits as other types of reverse engineers. It's just a matter of how they apply their skill.

First: I respect your view on this topic.

> Of course, they do! Reverse engineering is the skill of being able to see how things are put together without having the whole picture.

I disagree and have done quite some reverse engineering out of private interest. To me it was mostly about learning and applying an excessive amount of knowledge about obscure trivia that can hardly be applied anywhere else (except perhaps for some really rare embedded developing stuff), such as knowledge about some obscure flags in the linker format, knowledge about arcane details of the call convention and instruction encoding, arcane features of the respective CPU/chipset that probably only OS developers are even aware of, etc.

This is what > 90% of reverse engineering consists of for me: Learning/having/applying an immense knowledge of a giant amount of arcane details that are hardly useful anywhere else.

> It's having an intuition of where to find the clues to solve the bigger puzzle.

I am not aware that I have used a lot of intuition. It is rather a lot about documenting everything well, documenting how each subsystem/function relates to others, ... lots of long, monotonous (but not boring) documentation. The reason is that if you do not document a lot, you will soon be struck by the immense amount of details. A little bit like how you would document the inner workings of a space ship that landed on earth exhaustively in terms of lots of engineering diagrams.

As you say infoSec groups are _very_ close-knit. Normally forming groups based off of geographic location due to regular social meetups. These groups also are normally all part of an online chat (think irc, but most people have moved onto some other platform these days)

If someone were looking to join the easiest way would be find a conference near you. In the US pretty much any major city has these, but in other countries I'm sure they are just as common. Some are very professional, some are less so. If there is copious amounts of drinking you're at the right place. Generally the smaller the conference the better, so that also means less advertising and harder to find

Lots of different InfoSec groups go to meetups so at that point just talk to as many people as you can, it might seem difficult to break into a group without anyone to vouch for you but most of the time everyone is open to newcomers

As someone who does work in security: the field is far wider than you seem to imply really.

When you say "IT security" do you mean pentesting? Access management? Network security? ISO 27001 auditing? Working with any of the many security-related software suites around?

Similar story. Looking back it really felt like a "boys will be boys" experience. I wasn't doing any real harm. Just script kiddie stuff. Some basic JavaScript stuff. When I was 17 a lawyer came after me with a cease and desist on behalf of a very large board game company. That's when I realised that I'm basically an adult now and I can't screw around anymore.

> I wasn't doing any real harm.

If you really were not doing any real harm (where I believe you), why didn't you become an activist to abolish/change the laws on which you were cease and desisted?

It was trademark infringement using their product's logo on my site promoting how to cheat at their crappy online boggle-like game with client side scripting.

That's weird. Trademark doesn't protect such usage. If you use the trademark to refer to a fake product, it's a trademark violation.

Oh for sure. I even responded saying that it's clearly parody (modified their logo to be the hacking software's logo) and that's protected in Canada. But she kept coming and I forget who but someone said that while I'm right I'm in over my head and to decide how much I care about the site. Decided to just move on to other projects.

Also I was 17 and I imagine I was more easily intimidated.

They have to protect their trademarks or they risk losing them so they send out C&D letters so they can show they actively protect them.

My old watering hole used to get them from Archie Comics and ended up changing their name to avoid the (legal) usage of a trademarked name, mostly because they didn't want to spend the money to prove they were in the right.

This is such a turn-off to the industry. I'm not going to accidentally log in to an unencrypted URL and get jail time because it's considered unauthorized. I'd love to be a hacker, but the thought of prison is too much.

That's not what happened here. They did extensive infiltration of computer networks, including the US military. They exfiltrated source code from those networks and sold it and used stolen hardware schematics to make clones of unreleased hardware.

They did not attempt to let the targeted companies know so they could improve their security. They were hacking for profit.

There is plenty of software on your local machines that can be hacked risk free. No one will care if you find an exploit in your own IoT doormat.

I wouldn't be so sure about all products you own. If you try tweaking a John Deere tractor they'll sue you!

Nothing Runs Like a Deere.. to court.

Only in America. The rest of the world doesn't have the DMCA.

IANAL, but the UK's copyright laws appear to me to have many of the same restrictions as the DMCA when it comes to circumventing copyright protection measures. And it wouldn't surprise me to find other countries had passed similar laws.

See: https://en.wikipedia.org/wiki/Copyright_and_Related_Rights_R...

Have you considered looking into white hat hacking? You could essentially be paid by companies to hack their own product entirely legally for the purpose of better securing it against potentially malicious hackers.

> Have you considered looking into white hat hacking?

In my observation, this is a branch of industry that is very hard to get into.

> You could essentially be paid by companies to hack their own product entirely legally for the purpose of better securing it against potentially malicious hackers.

For this purpose, one uses quite different techniques than for blackhat hacking. E.g. in the whitehat case, the source code is often available etc. So brutal code reviews, which require rather different skills (e.g. knowing all the subtle details of the language standard (e.g. C/C++)), are much more effective to secure applications than using the typical "blackhat techniques" (reverse engineering, knowing subtle details of CPU behaviour etc.).

As someone who works as a "white hat hacker", allow me to shine some light on the industry. There are many branches, distinctly divided into two categories: Red team/Attackers and Blue team/Defenders. Within the attacking side is what most people think of when they hear "hacker", key among them is penetration testing (pentesting). Pentesting breaks down into distinct categories that target different scopes: internal/external network, web application, mobile app, thick client, IoT, SCADA, Social Engineering, and physical. The list shifts over time, but that's the gist of it. Those that interact with software/hardware rarely have the benefit of white box testing, which includes having the source available, nor do the tests often go deep enough to require subtle CPU behavior or assembly-level reverse engineering. All of these pentests are dynamic, whereas what you've described falls under the static analysis camp which involves a different set of skills and tools.

There are some who work in reverse engineering, CPU interactions or static analysis but those are often more senior positions within a company, are more research focused or specifically marketed as such; my role as a pentester is focused on dynamic testing from a blackbox perspective. Sometimes we are lucky to have architecture diagrams, API docs, or source code but they only serve to benefit the test from an external perspective. I don't analyze the code and report vulnerabilities there, I report findings from a perspective of breaking the application in runtime; the code only makes that easier.

Anyone here wishing to break into security to "be a hacker" might find web app pentesting to be the most familiar for developers (it's not far from skills used for UAT, QA and debugging) and provides a pathway down the OSI model. There are companies that will take strongly motivated and technical people to train into pentesters, as the field is vastly understaffed and it's easier to train someone on your methodology from day 1. However, this normally starts as Web App (it's where the money and clients are) and one can move into other areas over time.

I'm more than happy to provide more details or resources to those interested. My knowledge is more in the attacker area, but it's possible to start in either side and pivot into the other. Time, patience, and a willingness to learn.

I agree it's not easy to get a job where your role is exclusively reversing software, but I don't think it's all that hard to get in if you're willing to take on a wider variety of projects. If you can do code review, web app security, hunt for bugs in big Java or .NET codebases, and so on then there's definitely work available. There will be cool projects that require serious reverse engineering, and if you deliver results on those then you'll tend to get that type of work more often. But yeah, consulting means billing hours, so you have to work on stuff that's less interesting to earn money for your company, especially when you're new.

> But yeah, consulting means billing hours, so you have to work on stuff that's less interesting to earn money for your company, especially when you're new.

I know some people (myself included) who would work as consultant but have no idea how to even get hold of consulting jobs. Yes, I often ask people who are much, much more successful in getting those, how they got them. These successful consultants eventually admit that they themselves have no real idea. People just approached them etc. I (and lots of other people) are not the kind of people "that are simply approached".

TLDR: I would not even know how to start to get consulting jobs (and lots of people have a similar problem).

Disclaimer: I am talking about the situation in Germany. In the USA, it might be different.

Okay I'll offer some advice:

First of all, forget about the "situation in Germany". Work is everywhere, so be willing to accept work anywhere. There's definitely a pecking order in consulting firms and you can get projects because the company gets a one off engagement with a new client who wants the work done on site. The company has some really awesome full time employees who could do it in their sleep, but they're busy on long term contracts with key clients. Be willing to go, as a subcontractor, to some unglamorous location for a week long project to pentest some shitty internal application that nobody has ever heard of. Get a few of those under your belt and you'll know how it works.

Second, understand that there's more to it than your technical skills. Make friends who work in the industry. Talk with them about what they're working on. Find any interesting bugs or behavior in what you're working on? Chat with them about that. Doesn't really matter if it's security related or not. The people who do the work in the industry are all generally interested in the details of software. If you're into that, then you belong.

Keep reminding your friends that you're hungry for work. Keeping in touch will keep you in mind when they need an extra guy to help out.

Once you start getting work be sure you contribute well. Everyone wants to have the most high severity findings, and obviously you will need to produce those if you wanna keep getting work, but also be that guy who goes the extra mile to help put the report together, write up extra recommendations that would be helpful.

Keep in touch with the people you work with. Be cool to the sales/project management/accounting people. It's simple things like getting your expenses/timesheets/invoices filed in a timely manner. There's more to the business than finding vulnerabilities. Everyone wants to close out the job, get paid, and move on. Show everyone that you know how to behave like a professional. Remember that the people responsible for staffing are asking themselves: Who do we know that we can send in there to take care of this work, so that we can bill them and collect this revenue, who will get the job done and be easy to work with?

Be that guy, and you will be approached too, and you can find full time work in the industry if you want.

> For this purpose, one uses quite different techniques than for blackhat hacking. E.g. in the whitehat case, the source code is often available etc.

I used to work at a company that did pentests (although I never did any myself). This was never the case. Every single one was approached in the same way an unprivileged attacker would approach it, apart from, when testing a production instance of an application:

- dummy accounts are set up, so that if user data must be extracted it doesn't come from real users

- you're not allowed to do anything that risks taking the application offline, destroying data, etc.

> used to work at a company that did pentests (although I never did any myself). This was never the case.

brandonjm wrote above (emphasis by me): "You could essentially be paid by companies to hack their own product entirely legally".

It would be a massive waste of time and resources not to give the internal whitehat team any internal information possible to secure the application. For this I stand by my point that the methods that I stated are usually much more effective.

Pentesting is typically applied in very different scenarios (not a company hacking their own product as in brandonjm's scenario).

In my experience the reverse engineering type jobs tend to involve targeted malware and related forensics or code review of software the client doesn't own but is forced to depend on for some reason or another. And of course there's research but that's not something most security firms generate revenue from directly.

You are absolutely right about the massive waste of resources that holding back info causes. It's way better to give consultants complete control of a working test system with the full build environment. And they might as well just let you do it remotely. But many companies don't do that. Instead they would rather eat your travel and accommodation costs, and then when you show up you're being paid to sit around for a week because they don't even have things ready, so you sit around reading bullshit documentation so you look busy and your contact doesn't look bad. And when you finally do get something you spend lots of billable hours figuring out how to get it up and running, which provides absolutely no value to them and wasted valuable time you could have been finding bugs. But that's just how it goes.

That would be fun. How can I start?

a turn off to the industry of .. illegally accessing other people's computers?

That's not really an industry.

Pen. tester is, security researcher or implementer or auditor is, crime committer isn't.

If you want a job and a career these days, make or contribute to open source projects.

The days of getting a career from unauthorized hacking into systems are over. That road leads to prison/death, as it should.

You created, and then fed, a huge pointless flamewar with this absurd bit about "death". That's trolling. We ban accounts that do that, so please don't do it again on this site.

> That road leads to prison/death, as it should.

As it should?

English isn't my first language and I really hope you aren't suggesting that the one who does unauthorized hacking should die.

I'm not exactly sure but I think he's implying that hacking in this way is the early part of a journey that, if it escalates into a pattern of more damaging criminal behaviour, would ultimately end in either prison or death. Still, not a terribly empathetic attitude.

EDIT: I assumed good faith, according to the Hacker News guidelines. Apparently in this case I was wrong. I just read the GP's second, more in-depth, comment further down: he's absolutely in favour of prison and thinks that in some cases death may be warranted.

Hackernews is soft on hacking crimes and I’m not. It’s as simple as that.

I am not any kind of hacker or even a terrible programmer. Just a noob. I am mostly a lurker here. I am not influenced by HN.

But I still don't understand how hacking is such a serious crime to be punished by death sentence.

In fact, there are very very few crimes which deserve death penalty.

There is a large gap between "we should be tougher on hacking crimes" and "hackers should be killed."

Do you maybe want to rephrase that last sentence? It looks like you just said unauthorized hackers deserve to die.

I too was shocked. Then I thought maybe I didn't get it because English isn't my first language.

Unfortunately, there is one otherwise-modern country with mostly native English speakers which retains the death penalty.

The language was clear, it's America that's at fault.


It's not stating your opinion that's taken badly, it's your opinion that's taken badly.

I think everyone in their right mind can agree that in most cases it's bad for society if you break into someone else's system.

If you take it on a case-by-case basis, it's a little hard to make that statement. E.g. would it be bad if someone broke into a Chinese network and use the information to help/warn human rights activists? To break into a company that's conducting unauthorized experiments on unwilling or uninformed subjects and leak that to the press? It's easy to say that vigilante justice is never a good idea, but the victims who can't get any other kind of justice might very rightfully disagree.

It's hard to even agree that it's always wrong to break into a computer system. To pronounce a minimum acceptable sentence of jailtime, and maybe even suggest that death penalty would be a good idea, too, is not something that's going to be taken well in the civilized world.

> Death is debatable, but in some cases fully warranted.

Myself and a lot of other people don’t believe in death sentence no matter the severity of the crime.


The two main reasons why I don’t support a death sentence in any case are:

1. People sometimes get sentenced for crimes they did not commit. By at least letting them live in prison rather than killing them we give them a chance to fight the sentence.

2. The law is not objectively “correct” because there is no such thing as a single “true” morality. Multiple moral stances exist, and we should be somewhat tolerant of that.

Amnesty International has some more arguments against death penalty as well. https://www.amnesty.org/en/what-we-do/death-penalty/

Finally I believe that the justice system should to the greatest extent possible exist to prevent crime and reform criminals so that they can be productive members of society, not primarily exist to punish criminals.

In my country — Norway — this is reflected in how the police handle confrontational situations. The Norwegian police force always tries to deescalate, whereas in the US the police are very aggressive in a lot of situations that should not call for that sort of reaction.

There are very many people that do bad things not because they are fundamentally bad people but because of their circumstances. Everyone deserves a chance.

Some people cannot be helped and need to remain locked up because they pose a threat to the rest of society, but that should be what we do when we see that we cannot reform them, not how we treat everyone who breaks the current set of laws.

I agree.

Laymen jury is a very disputed system in Europe. To have laymen sentencing someone is very, very questionable.

The US judicial system is more about revenge. Why have parole hearing with relatives?

The system in Europe is more about rehabilitation.

It's a bit rich for you to hold up Norway as a model for sensible attitudes towards punishment. This is the same country that sentenced a man who killed 77 people to 21 years in a resort-like prison. Regardless of your own philosophy, most people (even opponents of the death penalty) would view this sentence as so absurdly lenient that it verges on psychopathy towards the victims and their families.

(I strongly disagree with the original commenter, by the way. I do think capital punishment is warranted in extreme cases.)

The goal is rehab in Norway. Not punishment. There's still a loss of freedom... But with the goal of changing the person's behavior.

This from someone who is theoretically ok with capital punishment, but in practice opposed. I do not trust that the state gets the right people all the time. I also think it's too slow and bureaucratic a process to work as anything other than revenge.

A few thoughts:

(1.) In high profile federal cases executions occur relatively swiftly. The reason it's slow in many cases is due to all of the procedural safeguards that we have in place to protect defendants.

(2.) People often dismiss retribution without explaining why it's not a valid basis for punishment. Personally, I believe Norway is morally bankrupt for viewing rehab as the only acceptable goal of punishment, as the Breivik case vividly illustrates. You may not find the Breivik sentence appalling, but you should recognize that you are in the minority. And if this guy is going to lecture Americans about the ethics of punishment, I have a right to criticize the Norwegian approach.

(3.) Alex Kozinski made an interesting observation about the possibility of wrongfully executing someone: due to all of the procedural protections in place and all of the resources devoted to capital cases, the odds of being wrongfully executed are an order of magnitude lower than the odds of being wrongfully dealt a life sentence.

Given how awful life imprisonment is, I totally reject the premise that capital punishment can only be justified if it is infallible.

Yeah. Isolation cells are "resort like" now. Maybe you want to check in into such a resort for a few years? I mean it seems to be a great deal according to you.

If I had to be incarcerated, I would choose a Norwegian prison over almost any other country's.

> I knew that stating my opinion was going to be taken badly, but then I thought why censor myself? I should say what I mean and mean what I say.

No, it's not being 'taken badly'. It's on you. What you're saying is an outrage. HackerNews isn't a YouTube comment thread; we expect better.

Rather than complaining about how your readers misunderstood you, you might think to at least explain yourself when you go ahead and say that teenaged hackers deserve death.

Death is not "debatable" in any reasonable sense. If you'd just said "that road leads to prison, as it should" I could totally understand that, but there is no coherent moral framework in which death is an appropriate penalty for malicious hacking that doesn't kill anybody.

What about bug bounty programs?

It could be said that a non-zero percentage of bug bounty hackers are not actually white hats, but rather blackhats with poor connections or limited ability to fence their vulnerability.

Intent matters. Hacking systems for the purpose of finding vulnerabilities to report is within the spirit of authorized edge cases.

This is one of the best reads in a long time. Awesome article and extremely interesting.

I have friends a long time ago that used to buy CoD modded lobbies from these guys. Crazy to see how their lives unfolded.

It is quite a good read, but it's sad to see how computing has continued to be locked away from the end user, affording them access to a walled garden of the manufacturer's choosing, with no ability to change OSes or even install basic security updates without the hardware manufacturer's consent and involvement.

I interned in the Graphics kernel team at Microsoft and we worked quite a lot with xbox. None of those people like DRM and copy protection bullshit but the studios (both gaming and media) demand it and not having them could mean losing market share to others that are willing.

Cheat prevention is another big reason that often came up for the hardened environment.


It's also your choice to not write your own gaming console that is DRM-free. What's stopping you? If you need money, go to venture capital and make your pitch about a gaming console that asks people to pay, but allows trivial copying and sharing of titles.

> It's also your choice to not write your own gaming console that is DRM-free. What's stopping you?

Slightly OT: Michael Mrozek (EvilDragon1717) indeed attempts to create a handheld gaming console that is as free as commercially possible: the Pyra, which hopefully comes out this year:

> https://pyra-handheld.com/

It was already released in 2010 as the Pandora, which is the predecessor to the Pyra.

Is this comment for real or we witness a twisted joke here?

Anyone capable of putting together ikea furniture is also capable of building their very own gaming console.

So you think the current copyright system in the US is perfect, then? You’re part of the problem if you support overaggressive copyright enforcement. It’s my device, I paid for it, I should be allowed to do WHATEVER the hell I want with it.

I'm not sure what about the OPs post would make you think they consider the copyright system to be perfect. They merely suggested that there is nothing stopping you creating a DRM-free console.

"Nothing stopping you from creating your own" is quite a trivialization of how difficult it actually is to break into the, rather entrenched, video game console market.

Having to compete with companies that haven't just been around and known for decades, but have massive resources and synergies due to their sheer size, is a pretty daunting task, and that's just the hardware side.

Trying to convince major developers, and especially publishers, to get on board with such a project is also no small feat, you'd pretty much have to convince publishers to do a 180° on how they've handled a lot of things so far because publishers are also known to be quite big fans of draconian copyright laws.

>"Nothing stopping you from creating your own" is quite a trivialization of how difficult it actually is to break into the, rather entrenched, video game console market.

No, "nothing stopping you from selling your own" would be a trivialization (because there are things). It's easy enough (~20 hours of effort, including research) to build a computer, install Linux, and start playing DRM free games. If you want to distribute it, that's another story.

But it's not your right to reduce other people's enjoyment of it by cheating. It's also not your right to steal software to run on it. This argument is correct, but only addresses about a quarter of the interesting issues at hand.

I guess that is why Ouya, GP32, GP2 are such a big market success.

> I guess that is why Ouya, GP32, GP2 are such a big market success.

The Pandora

> https://en.wikipedia.org/wiki/Pandora_(console)

was at least in Germany, where the main developer Michael Mrozek lives, somewhat popular in nerd circles despite the high price.

At the same time there has never been another point in history where so much open source software is freely available to everyone.

Yet at the other end you will find people that in full earnestness argue for further locking down, because "owners" can't be trusted with proper maintenance. This is why the "home" PC variants of Windows 10 force reboots and removed the group policy tool that could have made disabling it easy.

I think I used Pokora's utility for adding water to Halo 2 levels. I remember when it came out and it seemed like all of the new custom Halo 2 levels people were making on halomods.com had customized water immediately.

Physical security is so important. I was really surprised when the Xbox team moved from the RedWest campus to Studio A.

In RedWest, we had a building that was pretty much all Xbox employees, and other Microsoft employees couldn't just badge in. In Studio A, if I remember correctly, it was all just public access.

The consoles are everywhere, and people's offices weren't normally locked (before most people moved into bullpens, which didn't even have doors).

For the most part, you can trust the employees. We had take home consoles that were signed with the proper keys to run retail games, but could also be debugged and get crash logs, and those were fairly safe and well tracked. (You were told, don't let your friends see/play them) But you can't trust anyone else who just randomly enters the building, and with teams so big that you don't know everyone, politely holding the door open for someone is just asking for it.

Source: I worked on the Xbox 360 team.

Really great article. As someone who first became interested in computer science from Xbox “hacking” and JTAGing 360s this shows an alternative path that would have been easy to go down. When you become enveloped by the status you attain in forums, meet sketchy “friends” online, and start getting easy money, then the path of least resistance becomes the one in this article.

> When you become enveloped by the status you attain in forums, meet sketchy “friends” online, and start getting easy money, then the path of least resistance becomes the one in this article.

I rather believe that most such people (including adolescents) are not that willing to go down the path of easy money. The problem rather is in my opinion: The other side is simply not there to make counteroffers (i.e. less money, but perfectly legal etc.). So it is not a choice between "going on the dark side vs light side" (which is a serious decision to make, and confronted with this decision, I believe, most people (again including adolescents) would indeed choose the "light side"), but rather a situation of "only the dark side makes an offer: will you go into it or not - 'we have lots of money to offer'". Confronted with this, I can understand quite well that there exist people (in particular adolescents might be prone to that because they have less life experience) who will go into it.

So provocatively one could even state that the problem rather is that "the other side is at fault", since they make no serious legal offers to prevent such people from "turning much into the dark side".

The lure of making money as a child is a temptation far stronger than most can resist. If I had access to the things these guys had, I can totally see myself going down the exact same path.

Now, a little older, the prospect of fines that will take a lifetime to repay and/or prison is way more deterring. As a kid, you just never think about it.

> Now, a little older, the prospect of fines that will take a lifetime to repay and/or prison is way more deterring. As a kid, you just never think about it.

I believe one does think about that, but concludes that the risk to get rich is worth it (because one has few such chances in life) and if all things go bad, there is still the suicide option.

Actually this subject is taken up directly in a chapter of Robert Sapolsky's Behave that I just read titled, appropriately enough, "Adolescence; or, Dude, Where's My Frontal Cortex?"

Some interesting stuff in there, some of which you're probably already familiar with. You could argue that a kid does "think" about it. But to use the word "concludes" may be a stretch.

I found this passage by Sapolsky on the neurobiology of risk/reward assessment in adolescents especially interesting and relevant here:

Age differences in absolute levels of dopamine are less interesting than differences in patterns of release. In a great study, children, adolescents, and adults in brain scanners did some task where correct responses produced monetary rewards of varying sizes. During this, prefrontal activation in both children and adolescents was diffuse and unfocused. However, activation in the nucleus accumbens in adolescents was distinctive. In children, a correct answer produced roughly the same increase in activity regardless of size of reward. In adults, small, medium, and large rewards caused small, medium, and large increases in accumbens activity. And adolescents? After a medium reward things looked the same as in kids and adults. A large reward produced a humongous increase, much bigger than in adults. And the small reward? Accumbens activity declined. In other words, adolescents experienced bigger-than-expected rewards more positively than do adults and smaller-than-expected rewards as aversive. A gyrating top, nearly skittering out of control.

This suggests that in adolescents strong rewards produce exaggerated dopaminergic signaling, and nice sensible rewards for prudent actions feel lousy.

That's not the whole story when it comes to kids' decision making, but it's of a piece with the rest of the chapter and shows that most kids are literally -- anatomically -- unable to think about things like this in a way they will be able to a few years later.

That particular tidbit of information is what makes me terrified of raising children and dovetails into the best description of the tragedy of being a teenager: you're exactly old enough to get into real trouble, and exactly young enough not to realize you shouldn't.

It starts as fun

Then profit

Then greed!

Really really great article! Hopefully, this sheds some light on people who are in similar situations to ask themselves if it's worth it.

Interesting article, I think it represents the trials and tribulations of underground adolescent hacking cultures quite well. For people who currently find themselves in similar situations I'm sure it's inspiring and very confronting.

This could honestly be turned into a movie.

Yeah, much more interesting than the Facebook movie.


Lol I used to talk to Anthony back in the Halo 3 era. I never did anything nefarious/illegal, but it's interesting to know that some of my IMs were probably read by an FBI agent at one point.

What a fantastic article – technical, interesting and well written. Kudos!

Fantastic article. It reminds me of the story of Paul Le Roux, a man who also took his love of programming too far. Although he had more malicious intentions.


HN Discussion:


And herein you see evidence to why the industry is growing more interested in SaaS and doubling-down on DRM; they face an endless army of thrill-seeking adolescents without a care for the side-effects of their actions.

Software security is hard; placing any trust whatsoever in software you cannot completely control is a recipe for insecurity. Game development security is a nightmare.

How then do you explain the success of CDPR? No, I believe it's the monetization schemes and exploitation of younger people and addictive behaviors that is the true reason.

They don't make any hugely successful competitive multiplayer games. They have the luxury to not care if their players cheat.

Sorry I thought "security" in this context was related to DRM. I do not think anti-cheat as a reason that companies are moving to SaaS is reasonable at all. They are moving to SaaS for a monthly payment model. There are very few games that get anti-cheat even close to right (including SaaS style offerings).

I have personally created SaaS solutions for anti-cheat. It is definitely a driving reason to push towards SaaS; publishers only concern themselves with DRM to _delay_ the release on piracy sites, but do concern themselves with DRM to _frustrate_ ongoing efforts.

Obfuscated and protected binaries are moving targets. Targets that can be overcome, absolutely; but they remain in motion so long as they are rebuilt.

Utter rubbish.

If thrill-seeking adolescents can compromise your systems, you deserve to be out of business.

Yes, security is hard, but it is a spectrum, from compromisable by adolescent thrill-seekers to state-nation actors.

Most systems are there to facilitate business, personal, or even more critical, industrial or military operation, none of which you want to be easy to compromise.

And as for SaaS, it does nothing to security but increase the attack surface by requiring more components in your system and requiring the system to be always online, in 99% of cases anyways. On top of that, with SaaS you not only have to secure your systems but also safeguard your clients' data, which only reinforces the idea that: if you can't do basic security, you should be out of business.

And in what world does DRM help with security? DRM is nothing short of a device of enforcing draconian copyright laws.

This is not how most of the law works, though.

If you are a weak person, does that justify the actions of a few armed robbers that are going to mug you on the street? Do you mean I had to take care of my own security by hiring someone all the time? Then why am I paying my taxes to support the police force?

Most of the businesses in the real world operate on a combination of trust and optimism. The moment you take away that stability, businesses suddenly become way less efficient.

Let’s be honest: security in IT is just like security in the physical world. Stealing a car that had an open door is as illegal as stealing a car by picking its lock. In such a scenario hacking is just another dimension to physical warfare - and frankly warfare belongs to the military.

The fact that most of the bigger companies had to deal with security themselves is just another matter: they had to operate in the world where the authorities were yet not good enough at tracking hackers. Today though - I can see where businesses that don’t think their security matters would just not bother. It’s not their area of responsibility and I would rather they did what they do well - make money.

The objective of law is not to emulate but rather constrain and govern society.

It is not hard to argue that the subject matter of each and every law and code is based on immediate or at least likely, if not precedent, events rather than to naively assume that, that which is illegal should not happen and leave your car unlocked.

Besides, my argument and criticism is not concerned with sanctioning of unfavorable behavior but rather holding accountable those who make promises and sell you products.

> It’s not their area of responsibility and I would rather they did what they do well - make money.

But why not? The car maker is not in the business of providing security guards, but I bet you wouldn't be happy if they made cars that were easy to pick, why would this not apply to other business?

Most online business make a big deal of security in their sales, why not holding accountable for those promises?

> Let’s be honest: security in IT is just like security in the physical world.

No, it is completely different: In the internet

- the culprit can be anywhere in the world

- the computer/network, where the attack comes from is usually just a node in a botnet

- So you do not have to just deal with the judicial system of your own country, but with any possible judicial system in the world.

- You can hardly ever find out, where the real origin of the attack is - so you cannot even know which judicial system you have to call to.

> If thrill-seeking adolescents can compromise your systems, you deserve to be out of business.

So, literally everyone deserves to be out of business? I am not aware of any major software company that has at all times been invulnerable to thrill-seeking adolescents.

Perhaps we should coin a new law. The law concerns a statement of the form: "If X, you deserve to be out of business." The law is that the statement is generally false.

> So, literally everyone deserves to be out of business?


"If X, you deserve Y" is a figure of speech which means Y is a reasonable consequence of X. Just Desert.[0]

However, "if you can't do _basic security_, you should be out of business", I mean that one in the literal sense of it.

[0] https://en.wikipedia.org/wiki/Desert_(philosophy)

>However, "if you can't do _basic security_, you should be out of business", I mean that one in the literal sense of it.

Tell that to Equifax.

Are you saying they shouldn't go out of business? Because they should -- they just won't, because we have a system that enables them.

No, I agree with you.

Game security is not simply securing channels from eavesdropping or validating identity; it's about realtime distributed systems with eventual consistency and untrustworthy agents.

At some level, it is a matter of either validating all behaviour suggested by remote clients, not accepting anything more than controller inputs from remote clients, or throwing caution to the wind and letting them have at it. Each have their benefits and caveats.

And once you're hosting dedicated servers, why not go one farther and treat it as the SaaS it is?
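The first two options named in the comment above (validate what the client claims, or accept only controller inputs and simulate on the server), sketched as an added example that is not part of the original thread or any game's code. The speed limit, world bounds, message shapes and all function names are assumptions made for illustration.

```python
"""Server-side handling of untrusted game clients (constructed example)."""
from dataclasses import dataclass
import math

MAX_SPEED = 5.0                      # assumed: world units a player may move per tick
WORLD_MIN, WORLD_MAX = 0.0, 100.0    # assumed: square playfield
LEGAL_AXIS = (-1, 0, 1)              # assumed: digital stick, one value per axis


@dataclass(frozen=True)
class PlayerState:
    x: float
    y: float
    tick: int       # last server tick applied to this player
    last_seq: int   # highest input sequence number accepted so far


def validate_claimed_state(prev, claim, server_tick):
    """Option 1: the client reports its own position and the server checks it.

    Returns (state, reason); on any rejection the previous state is kept.
    """
    try:
        x, y, tick = float(claim["x"]), float(claim["y"]), int(claim["tick"])
    except (KeyError, TypeError, ValueError):
        return prev, "malformed"
    if not (math.isfinite(x) and math.isfinite(y)):
        return prev, "malformed"
    if tick > server_tick:
        # A tick from the future would inflate the movement budget below.
        return prev, "future-tick"
    elapsed = tick - prev.tick
    if elapsed <= 0:
        return prev, "stale-or-replayed"
    if not (WORLD_MIN <= x <= WORLD_MAX and WORLD_MIN <= y <= WORLD_MAX):
        return prev, "out-of-bounds"
    if math.hypot(x - prev.x, y - prev.y) > MAX_SPEED * elapsed + 1e-9:
        return prev, "too-fast"
    return PlayerState(x, y, tick, prev.last_seq), "ok"


def apply_inputs(prev, inputs, server_tick):
    """Option 2: the client sends only (seq, dx, dy); the server simulates.

    At most one input is consumed per elapsed server tick, so flooding the
    server with inputs cannot make a player move faster.
    Returns (state, number_of_inputs_accepted).
    """
    state, accepted = prev, 0
    for item in inputs:
        if state.tick >= server_tick:
            break                               # tick budget used up
        try:
            seq, dx, dy = item
        except (TypeError, ValueError):
            continue                            # wrong shape
        if not all(isinstance(v, int) for v in (seq, dx, dy)):
            continue
        if seq <= state.last_seq:
            continue                            # replayed or reordered input
        if dx not in LEGAL_AXIS or dy not in LEGAL_AXIS:
            continue                            # outside the controller's range
        norm = math.hypot(dx, dy) or 1.0        # diagonals are not faster
        x = min(max(state.x + MAX_SPEED * dx / norm, WORLD_MIN), WORLD_MAX)
        y = min(max(state.y + MAX_SPEED * dy / norm, WORLD_MIN), WORLD_MAX)
        state = PlayerState(x, y, state.tick + 1, seq)
        accepted += 1
    return state, accepted
```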

Haha, spoken like someone who knows nothing about security in real world companies.

In your world, there are no companies that use computers left.

I have to mostly agree here. There are many things that are full-on egregious.

There are other things that are convenient and fairly vulnerable. I don't think these things are discussed enough, but they ought to be. Many things in SaaS or PaaS are convenient, but you sacrifice a class of security. I'm not sure if the script is changed across the board enough to compensate.

it oughta be illegal that we can't run the software we want and the software we write on the devices we buy.

Yeah, I mean; stealing things from a campus and breaking into networks aside; people shouldn’t be charged for anything illegal for hacking devices they buy and passing on that info. It’s crazy it’s not allowed in the first place. There is a perfectly fine way of preventing that; just say the device is not yours but you paid to rent it for a period (say 10 years); the device does not belong to you. Then you can say it’s illegal to mod, but if it’s yours I find it absolutely insane you cannot reverse engineer, repair or mod it.

It is no less insane if they "just say the device is not yours but you paid to lease it".

Why? If it’s not your property... If you rent a car, you cannot remove the doors, if you buy it you can, that’s accepted. What’s the difference? In return, when it’s broken, the owner (the one you rent it from) needs to repair it. Unlike when it’s bought and out of (some kind of) warranty.

Because it's essentially a lie. As revealed by your formulation "just say" -- your experience is no different if everything in your possession is 'owned' by you and illegal to modify, or if they change their mind and "just say" everything in your possession that matters with regard to this isn't really 'owned' by you at all. It's not a step forward, it leaves you in exactly the same position. If it is insane, then "just saying" something doesn't make it more sane.

My concern is the experience of not having control over our equipment (not a good experience or way to live), not a semantic technicality.

It is not a technicality; it is a way of legally doing it. I see your point though; buying is, with the added burden of patents and copyright on top, a wrong term. You cannot buy anything in the sense we would like to buy it.

Whether it's legal or not to prevent you from running the software you want and the software you write on your xbox, IMO it _oughta_ be illegal, whether they just say you are leasing it or not.

Can't have millions of people leasing consoles. That leaves the onus of disposal with the owner. In 10 years' time Microsoft have a million Xboxes to cleanly dispose of.

No, the other way around: It shouldn't be possible to forbid this. The government allows and actually enables companies to forbid this (and a lot of other IP related stuff) in the first place.

Agreed except the modified devices should be restricted from joining the online community of non-modified devices

> Clark had just turned 27 and left behind an estate valued at more than $4 million.

He got to keep the money even though he got convicted for wire fraud?

I think the wire fraud was probably something aside from their main activities -- like how Al Capone got put away for tax evasion.

Also the estate is presumably still open to civil suits.

How do you think most estates started? Profiting off crime and leaving it to their family. The fundamental problems of capitalism include exactly this scenario.

Awesome article. Reminded me of Albus Dumbledore's dialogue to Harry. "Curiosity must be handled with care".

TL:DR but it befuddles me how corporate expects people to sit in front of a shiny toy and just use it as instructed rather than take it apart and mess around to understand how the damn thing works. That’s how we evolved as bloody apes, checking out the other monkeys’ sticks and stones and learning by example.

They’re literally trying to lawyer out evolution..

I guess this is a lecture for all those script-kiddies- leave the actual exploiting to the pros- sell your zero-days on the black market.

Obviously investing in secure software is more costly than having a lobbyist for prison sentences in Washington and a good PR-Department.

The problem is, that way, the whole stack from the metal up is basically crumble, untested and very frail - should one big time agent release an autonomous attack into the wild. But hey, we saved a dime today. Tomorrow there might be no more dimes, so if it were not for those meddling kids, the bookies would have gotten away with it.

FYI, script kiddies don’t have 0days by definition.

Great article, I enjoyed reading it! Also, the illustrations are great, they perfectly fit the vibe of the article.

Great article, and was happy to see they got reasonable prison sentences.

anyone mind giving a tl;dr version of this article? I find the text really strenuous to look at.

Some kids started hacking game companies and finding ways to cheat and download pre-release versions of games. This turned into a business, they were thrill seeking and coveted more money, and got caught.

"Pokora had long been aware that his misdeeds had angered some powerful interests, and not just within the gaming industry; in the course of seeking out all things Xbox, he and his associates had wormed into American military networks too. But in those early hours after his arrest, Pokora had no clue just how much legal wrath he’d brought upon his head: For eight months he’d been under sealed indictment for conspiring to steal as much as $1 billion worth of intellectual property, and federal prosecutors were intent on making him the first foreign hacker to be convicted for the theft of American trade secrets. Several of his friends and colleagues would end up being pulled into the vortex of trouble he’d helped create; one would become an informant, one would become a fugitive, and one would end up dead."

Awesome read!

> After finishing his prison sentence, Pokora spent several more months awaiting deportation to Canada in an immigration detention facility in Newark, New Jersey

So I've never done anything that would result in my being deported, but man does this scare me. The current climate, if I fuck up in some minor way, I still feel like I could end up in prison for months waiting for them to send me back north.

It's just scary.

> The Gears of War 3 leak triggered a federal investigation, and Epic began working with the FBI to determine how its security had been breached

Ugh. Why do even supposedly "cool" companies go to the cops when they get pwned? Own up to your mistakes, change your passwords, fix your security. Don't report anything to the fucking authorities. What would punishing a kid even give you?

Most organizations don't have the resources to find out the way the crackers got in. Once someone is in, changing the passwords and fixing the security may not be sufficient to prevent them from getting in again. Until that someone is tracked down and identified, there is no way to know if this is some kid doing it for fun or industrial espionage from a competitor. Furthermore, there's no way to know what they actually got - source code to a product? plans to some hardware? Payroll and identity information?

It isn't practical for each organization to maintain a staff of forensic security specialists. When one does need them, they can be found rather inexpensively in law enforcement given that a crime (likely) has been committed.

You don’t act “cool” when someone attacks the core of your multi-billion-dollar business. This isn’t a high school popularity contest.

They don't know it's some kid.

Millions of dollars in IP and potential liability depending on what was taken.
