Today we learn several lessons:
2) Don't break into computers of American corporations while living in a country that has historically been very friendly with US law enforcement.
3) Don't break into computers and boast about it to video game bloggers while using your real identity.
3) Pirating games and using stolen credit card numbers are both crimes, yes, but not doing them doesn't mean that breaking into computers isn't a crime.
4) If you don't want to be treated like a criminal, maybe don't commit crimes.
On one hand, you have a person who seems to genuinely care about the security of your company (since he gave you details), who had both the chance and the opportunity to use the access to leak stuff that could have been quite damaging to the company - yet didn't, and willfully meets the company's representatives and corporate enquirer.
On the other hand, you have a company who seems to have a real problem with its security procedures, an improving but frail image as a game platform (not so many dead Xbox memes at the moment), and a way to manage problems like an elephant in a porcelain shop.
What exactly did anyone in his right mind hope such a raid would do??? Let's see, for the potential "benefit" effects of frightening other hackers, it further damaged Microsoft's reputation and it will turn a cooperative hacker group into a revenge-seeking foe. What did they get??? In the day and age of cloud storage, what they took during the raid was at best zeroed hard drives previously containing a copy of the information they wanted that could now be anywhere - and they pissed off the guy who put that information out of their reach.
Strategically, all I see just looks like a terrible move.
Now think for a second - what if the guy puts everything he downloaded (source code, etc.) in a torrent, or passes the PDFs they were so willing to protect on WikiLeaks? What if he starts using his knowledge to create not "giant hacks", but small hacks that could masquerade as bugs? (say randomly turn off live access, hijack random Xbox Live accounts, etc.)
What if he commits suicide? After all, he said he lost everything! Seriously all this is at best a PR nightmare, and at worst the first step into a Sony PSN style catastrophe. Some people should be fired, they forgot the basic axiom:
DO NOT TAUNT THOSE WHO CAN DAMAGE YOU.
It will be fun watching Anonymous attack Xbox Live in the following days, then the various bad things that will happen - no, not fun, sad. What will happen is so evident it's a tragedy.
Critics are easy, so I'll offer my 5 cents suggestion too. The right move in this case? Give the hackers a psychological assessment, a background check, then a big fat check to replace the bozos who were in charge of your security and failed. Give them more to lose - money, their dream job, reputation.
Just don't turn them into enemies who have nothing to lose.
Wouldn't that also apply to revenge-seeking hackers who might end up finding themselves in jail or being chased down?
I.e., "might makes right" doesn't last very long as a basis for a good society.
Made people think the company in question was doing what it needed to do to protect its users.
The group of people that would see that move as a negative is small. Gamers, by and large, are not technically savvy people. They sat and worried about their characters being broken into and people cheating. Basically there is no action too drastic to protect them. The general public is basically the same. A 'hacker' did something, the company targeted brought the hammer down on him. All is well with the world.
Raid the hacker and nothing comes to light from what he did? The company protected its users. Raid and the material is released? This is why we have to be harder and harder on them until they get the message this won't be tolerated. Commits suicide? It just shows how unstable these people are.
So raiding hackers' houses is the IP equivalent of the TSA?
"Look at us, we're doing something!"
According to the article, he'd leaked "troves" of development documents to the writer of the article. It appears he may be the source, or one of the sources, behind the unprecedented amount of detail that has been leaked ahead of the console announcements.
From the article:
> Dylan wanted to know about next-gen systems, and somehow he learned plenty. He got development documentation for the next PlayStation and Xbox. Long before I'd sized him up as a hacker, he'd sent me troves of PDFs and white papers describing the functionality of both the code-named Orbis and Durango. The documentation was loaded with programming code—and with details.
What if he clandestinely does this after he appeared to "genuinely care about the security of your company?" What if he does this after failing the background check or turning down the job?
> Some people should be fired, they forgot the basic axiom:
> DO NOT TAUNT THOSE WHO CAN DAMAGE YOU.
I don't think you can fire somebody from illegal computer intrusion. Microsoft and Epic have probably done some expensive security audits, while the suspected hacker is whining to Kotaku about how law enforcement has searched and seized all his stuff.
> "Microsoft did not initiate this FBI investigation with this individual, as has been asserted in some of the articles in the media," a Microsoft spokesperson told me.
I agree with your last line though. He should be given a punishment like just community service.
This part is puzzling to me. I think that at that point they had proved themselves capable enough to ask Microsoft to straight up hire/contract them, and not just for a resume quote. Establishing this kind of relationship with Microsoft could have also prevented the seizure.
> Dylan told me that he was polite and helpful during the raid, but that "they didn't allow me a lawyer...that's probably the biggest right they took from me."
Does anyone here know Australian law? I certainly don't but at first glance it looks like Dylan was intimidated into not doing what was legally the right thing.
So I don't really think in that particular example any 'right' was taken from him.
The marketplace issue is somewhat common knowledge amongst people deeply involved in the Xbox scene. The issue here, to me, is that the "fellow hacker" reported something that he himself didn't discover relating to content security. DaE is also a psychopath, and shouldn't be hired by Microsoft.
They raided his home and took all of his stuff, but didn't arrest him? How is that legal? Shouldn't he get his stuff back if they don't have any case within X hours for prosecution?
I'm sure he's playing the victim here pretty hard because he states that he doesn't believe he has done anything wrong and yet has tried selling a Durango development kit on eBay in the past. He's probably done a lot more than that to prompt an FBI agent across the world to his doorstep.
Usually there are outlet groups or such that can be controlled from an interface like the one in the screencap.
The servers will talk to and trust the power system so that if there is a problem or outage they can be turned off. Being able to reboot is a useful remote admin option.
So like a lot of hacks, primary access has been secured but someone forgot about the trusted secondary.
In this case it would be easy to establish probable cause given how open this guy has been with his hacking.
What I'm not sure of is how long it's reasonable for the police to retain the seized equipment. Although the guy said he was unemployed, I think most IT people could make a case that the seizure of all computing equipment impedes their ability to earn a living. That doesn't seem fair if no charges have been laid.
If the ownership of devkits remains at MS then somebody who has one without MS authorization is in possession of stolen property, this answers the question "what did I do wrong?".
(Don't get me wrong, I have nothing against people on welfare - I've been a beneficiary when I was growing up but he sounds like the kind of person who chooses not to work and will use any excuse not to.)