A lot of hackers are just kids that make a stupid mistake. During their time in jail, their skills get soft or they'll get hardened by their time there. My hope is to let them know that people on the outside still are thinking of them and to help them keep their skills up-to-date.
I'm a bit overwhelmed with a startup at the moment, but I anticipate the non-profit to be formed and to launch sometime in the fall.
The judge sentenced him to two years' probation, citing his
rough childhood and the way he had worked to turn his life
around as considerations when it came to deciding on the
relatively lenient punishment.
I was cringing the whole time reading about the interrogation. I can imagine this whole thing would have ended so much worse for Gembe if he had actually gone for that job interview. Just try and compare Gembe to Weev, you might start pining for good ol Schönau im Schwarzwald.
It is justified what you did was illegal and not cool but they had the chance to turn it into something positive.
Plus, there was no way Gabe could have known that Axel was 1) truly apologetic or 2) wasn't the one who also published the code publicly. And even if it was known, the fact that he shared it with friends showed that he didn't seem to care that much about protecting it.
That being said, I do work in the security industry and understand that Axel's motivations weren't evil or anything. Gabe still did what he should have done.
Then again I'm sure he was really pissed so I can't blame him for doing what he did.
Maybe the kid who did it wasn't actually sorry; maybe he was hoping to get more access so he could steal more stuff. That's a way it could hurt.
Maybe bringing the kid who stole your team's work and demoralized everybody isn't going to do great things for the company morale; that's another way it could hurt.
Giving people second chances is great and all, but it seems silly to say "[it] wouldn't have hurt"; it could have very easily gone wrong.
That presumes you are 100% confident that the guy is completely remorseful and will no longer do anything wrong. Given past behavior, why should Valve have had that confidence?
'prison' and 'punishment' aren't synonyms. Make someone work their ass off to repay a crime IS punishment. As is locking them up, but by doing that, you severely decrease the chances of that person ever being a productive member of the society again.
Of course, should that person break the terms agreed upon, then I guess prison time is warranted as an additional punishment. And even in this case, with non violent criminals, in a setting where they can still work.
Prison is fantastically expensive, not particularly effective, and severely degrades the offender's life.
Restorative justice is much cheaper and more effective at fixing the offending behaviour, and the results of that behaviour.
Prison should be left for violent or unrepentant recidivists.
Nobody knew everything would turn out OK back before HL2 was released.
There are no buts here. Non-violent offenders shouldn't be arrested at gun point. And it's not just a matter of scaring someone, it's a matter of public safety. I don't get why whenever an issue like that comes out, there is always someone jumping to defend dangerous practices like that.
And this guy also stole people's software keys.
If they were talented coders, they could've found less destructive ways to make money. But he decided to go the greedy route.
Let me guess: you are a US citizen, or anyway live in a country where developer positions abound. Well, not everyone is. Some people live in small towns where the cool programming positions are adapting invoice management software for small businesses.
Also this was before Freelancer.com, before code.org. And he was a boy, he couldn't just relocate. Also, before the App Store.
This is exactly the curiosity that people who enter the InfoSec world feel, coupled with real skills. Often too much skills and too little to do to start.
Then you stumble upon a IRC channel and a world of challenges opens in front of you.
By the way, he asked Valve to hire him. Maybe he just didn't find "less destructive ways to make money" yet.
Don't judge if people are oppressed (or better, repressed) if you have never been, please, either because at that age YOU had the occasions or guidance, or because you hadn't that curiosity or talent.
That's a legitimate programming job. Cool software rarely makes money. Cool software that makes money (game development) doesn't pay very much.
A book is far more challenging, because in an IRC channel you're a fish in a small pond. Eventually you grow to be the biggest fish, or forever limit yourself to being small. What a book can't give is peer recognition. But peer recognition is a vain motive, and vanity is rarely lucrative. A book also can't answer questions, but you can use IRC or a website like stackexchange for that.
If anyone reading this has personal experience flirting with blackhattery, please carefully consider what you're doing and why you're doing it. (And if you'd like someone to talk to, please feel free to shoot me an email. I'd like hearing about your experiences and your thoughts.)
Peer recognition is critical when starting at that age. Also careful consideration is not exactly common.
I'm in no way alleging that it is a reasonable way to go for a mature professional, but I acknowledge the charm it has for the young high-schooler that is being "taught" Excel at school and being told not to fiddle with that weird black terminal.
These boys and girls should not have their lives destroyed by a harsh punishment for their curiosity, that in a different setting would have been highly rewarded. I can totally picture myself doing the same errors in different conditions.
Btw, management software is a legitimate programming job of zero interest to security people. Just different curiosity fields.
* Hack into a remove computer server/friends PC.
* Broke a WEP/WPA wifi network to gain access
* Performed MiTM to see what kind of data can sniff
* Performed brute-force dictionary attack without being asked.
* Shared illegal digital material with friends
* Scraped website and used the data for some other opportunity
The difference is not access, it's the inherently nonviolent nature of digital. It's easier to get a kid to care about not hurting others than about not hurting an abstract legal entity like a company.
Your thinking must be stuck in the last century. By the time I entered the game industry 13 years ago, salaries were already on par with the software industry at large. My first full-time position was in 2003 and paid $85,000/year. Based on the numbers I've seen, game programmers currently earn significantly more than web developers with an equivalent amount of experience, despite the wage-inflationary effect of the VC money faucet.
The coolness factor used to play a greater role. I would say it still affects the supply side for QA, design and very entry-level positions in programming. For programmers with any level of competency and experience, its role is negligible.
The consensus amongst my friends in game development is that it doesn't pay well for the amount of work they're doing, but it's what they enjoy doing so they're willing to tolerate it.
I should also mention that I am a bit of an anomaly - I'm an AngularJS expert, which seems to be in extremely high demand right now. I'm making around $160k (including stock compensation), and I may have even lowballed myself in salary negotiations.
To be honest, I had no idea such salaries were to be found in web dev, especially by specializing in popular JS frameworks. Thanks for sharing! I'd be curious to know your location and how much experience you have in Angular. [update: Oh, I see you posted 1.5 years in web dev.... wow, maybe I should reevaluate things]
It seems easy to justify paying well given that immediacy as opposed to a developer spending much more time/money optimizing GPU physics engines whose benefits would not be felt until the game was slightly better than its competition when it is released in a year.
Not necessarily total compensation but defiantly pay / hour.
I know your personal network is extremely large. If you have a lot of knowledge about the topic of gamedev salaries, I'd love to hear more. Since talking about salaries with colleagues is typically verboten, I'm curious how you collected your salary datapoints and what your sample size is.
There's a lot of anecdotal evidence of studios underpaying interns and programmers who are straight out of college, and regularly working people 60 or 80 hours a week. The anecdotal evidence fits my own personal experience, but perhaps my experience isn't representative of the whole industry; maybe I was just unlucky with my first couple studios.
I appended a paragraph to the original post explaining the effect of coolness on first-job salaries. I do think it plays a role there. Companies like EA are notorious for using fresh graduates as a revolving source of underpaid labor. As for long hours, my impression (here I have no survey data) is that it's become much rarer.
I think what happened economically is that by the early to mid 2000s, the main technical challenges of game development had almost nothing to do with anything specific to games. Compare that to the impression of game development you might have gotten from reading Abrash's articles on Quake. Because of that, good game programmers were able to easily get jobs outside of games, and good non-game programmers were able to quickly get up to speed on gamedev specifics. Hence wages equalized. That also explains why wages for designer and artists are still relatively lower.
It's from 2012. Average salary for devs with less than 3 years experience: $66,116. The average for 6+ years experience is $103,000.
Here's a survey from 2001 with 1,801 datapoints: http://www.gamasutra.com/features/20010715/Salary_Survey_200...
Average salary in 2001 for the same position: about $55,000. For those with 6+ years, it was about $70,000.
It seems like a webdev outside the Valley who has 6+ years experience should be making more than $103,000.
If those surveys are to be trusted, it sounds like your $85k starting salary was about 50% higher than average at the time.
It puts the US average at $84,337. The 2012 averages I can find for web developers are significantly less than that ($60,000-80,000). Part of the problem with these comparisons is that "web developer" is a much wider category.
> It seems like a webdev outside the Valley who has 6+ years experience should be making more than $103,000.
I don't see why, unless you are in a special high-demand bracket of web development. That's a very respectable salary in most areas!
This was in 2004, 3 years after the dot com bubble burst and was getting rosy again. Everyone and their mother's with a blog were making hundreds a month.
Programmers have been peddling shareware since BBS days.
Are you really calling Germany a 3rd world country?
> Some people live in small towns where the cool programming positions are adapting invoice management software for small businesses.
So why is this not legitimate work?
> Often too much skills and too little to do to start. Then you stumble upon a IRC channel and a world of challenges opens in front of you. Don't judge if people are oppressed (or better, repressed) if you have never been, please, either because at that age YOU had the occasions or guidance, or because you hadn't that curiosity or talent.
This is a pretty arrogant statement. Many programmers don't program malware not because they aren't smart enough, they don't do it because it is socially unacceptable and they don't have a criminal mind.
If you feel the need to "learn" about security, don't exploit, trojan, or ddos my server. Do it to your own computer.
I'm about four years older than Gembe, when I was 18 I endured:
Threats of violence, death threats, constant insults (such as 'paedophile', 'baby rapist', 'retard', 'cunt', 'fat cunt', 'queer'), people spitting in my face, prank calls at two in the morning, false accusations (eg. being accused of threatening someone, said someone would regularly say to me "I'm going to kick your fucking head in"). Being called 'cunt' every other day tends to become a drag after twenty years or so.
My 33rd birthday is fast approaching, I still have trouble with other members of society treating me poorly. When most people go to work, they don't expect to put up with threats of being punched in the face. When you complain about your treatment at work, you don't expect to lose your job a week later.
I've spent the last two years learning programming, ten years ago I decided to learn a load of maths (my education wasn't that good). On both occasions the response often was "stick to what you are capable of" or "go and learn something useful instead". Or how about the time someone at the Job Centre decided I was incapable of filling out forms by myself, then filled it on my behalf without my permission, complete with a few silly spelling mistakes.
Gembe sounds to me like he has had it easy.
Nice justification of criminality. "But I was bored and talented!"
Oh dear, who are we to stand in the way of your genius then?
Especially in the case of juveniles, we (as a society) should be understanding of minor indiscretions, and look to guide kids onto a better path. Thankfully the German justice system seemed to get that.
I don't have a black and white view, I just don't buy "I was bored and clever" as a justification for breaking the law.
What is "the law", for who and by whom they are created for?
We need to first realize that there are no such a thing as "The law", and the limits of right and wrong are pretty shady if you think we live in a world that is multicultural and multi-subjective with several different realities and values, all of them valid in their own context..
For me "The law" here, which we supposed that are controlled by the state in our own interests, are actually serving corporate interests.. the same ones the US(at least the people) now are fighting against in cases like the net neutrality..
Whatever "The Law" is, it must serve their own people, and care if the execution of the law are being effective not only for the society in general, but also for the people being convicted by it..
In that context, we need to ask, why "the american society" represented by "the law" thought that kid was a risk to them, in a way he should be in prison for it..
The other aspect is , the culture and the companies created in american soil have to right to use the american law to put a german kid in jail
What values are you defending, when you put a kid the way they did in prison? what this gonna do with the kid? destroy his life? sure!! for what? this kid did marketing to HL2 for free!! Valve made millions of it!!
I think it didnt work for the society in general and less so for the kid.. really America scares me(as a outsider), sometimes the same way a country where i would be in doubt about my human rights being respected.. because of things like this...
I think this is not something to be proud of, but ashamed
I'm merely commenting on how intelligence doesn't lift one above the legal system you reside within.
That's been essentially my entire (for money) programming career and I adore it, taking a crappy manual/outdated process and refining it to create a tool that becomes a core part of a customers business is vastly rewarding to me.
I don't think it's particularly farfetched to expect relatively socially ostracised teenaged boys to not make the best judgement decisions right as they are developing their computer science skills. Most of them end up becoming relatively well-adjusted (within the scope of an introverted computer nerd) people so why not help them in that development?
The fact that you throw the race card down so quickly when it comes to a discussion about crime concerns me.
"What about the people wrongfully on death row?"
some people are past the point of rehabilitation and should be in prison.
If we made a serious effort of rehabilitation in the US penal system, then this might be fair. We don't. Prisoners, especially those who commit the crimes in their youth, are screwed under our current system. The younger criminals, like their non-criminal youth counterparts, just don't know or don't appreciate the options available to them regarding education and learning trade skills. We put them into an environment with other people we've given up on and somehow expect that when they get out a year or a decade later they'll be ready to reintegrate into society. They didn't have the skill set going in, and they won't have it coming out. Many of them will continue to live on the fringes of our society, perhaps making a meager living as unskilled laborers. Others will fall into a crowd that keeps them involved in crime or other "antisocial", or however you want to describe it, behavior.
The only good thing that came from him was my nieces and even they didn't really turn out that great due to probably a twisted childhood and weird relation with dad.
"I felt for this guy, because it could easily have happened to me,"
This doesn't explain why we ought treat these crimes as different. But it does explain why we do treat them different. I think.
What have you been up to over the years? It'd be cool to hear about your career and life in general.
Few people in US prisons  deserve what they're getting. It takes a cold-hearted prick to honestly believe what you've written.
 While this guy wasn't, the sort of people deftnerd is talking about are.
By the time I was 21, I certainly wouldn't have done something like what he did. But, just a few years earlier, say at 18, yes, I did stupid things. In his position I probably could have done what he did. At that age many "boys" brains just aren't developed enough to truly understand right and wrong.
I'm not saying they shouldn't be punished. But I am saying they definitely shouldn't be punished harshly. In this case he was lucky to receive two years of probation as punishment. Something like that, or perhaps what we call "community service", is certainly more appropriate than throwing him in adult jail with hardened criminals.
Depends what you mean by that. In this guy's case, had he boarded the plane he would have gotten two decades in an American jail, versus two years of probation in Germany. I think he should be held accountable, but somehow, given the nature of the crime and the surrounding context, I think Germany got it right.
morally right but not condoned by the government.
Not everybody does it for money actually his motivation was quite clear he liked the games but couldn't afford to buy them legit.
A situation i can relate with given I've been in a similar one.
Nowhere in this article was there a mention of hacking in order to make money.
Fortunately he was apprehended by the German Police, but things would've been way different had took that plane.
 There's a great presentation from him on video, including analysis of OPSEC failures from other hacker groups: https://www.youtube.com/watch?v=9XaYdCdwiWU
 Another timeless classic: "Don't talk to [the] police", which explains why it is never in your interest to talk to the police when you are suspected of a crime (even if you are innocent): https://www.youtube.com/watch?v=6wXkI4t7nuc
Not allowed to send books for UK prisoners as it contravenes their new "incentives and earned privileges scheme". Books are a luxury to be earned, apparently. http://www.theguardian.com/society/2014/mar/24/ban-books-pri...
I was lucky and got a slot that provided the full 80kbyte/s. I finished the download first, but my PC was pretty old back then so I didn't even bother trying to run it. Instead, I removed my hard drive (my system drive!), picked up a friend and we drove to another friend who had the fastest PC at the time. About 30 mins later all of us (I believe 5 or 6 guys) gathered in a tiny dorm and just stood in awe as we booted up HL2.
There was barely any gameplay present. You could just walk around in some maps and admire the graphics. It didn't matter. If we hadn't been stoked before, we were now.
In hindsight, this all was just an amazing PR stunt. Fun times.
That Valve worked with the FBI to get him sufficient permission to enter the US with the false pretense of getting a job seems to make this feel like much more personal than anything else.
And I'm left scratching my head as to what it really would have accomplished...
Of course, when the game finally came out to rave reviews, all was forgiven.
The Source engine is also licensed to other games. If the code is public, other engines could copy their features.
Also it is very annoying to re-secure all your computers after you have been breached. Every single person has to change their password and you don't know what backdoors the guy has installed without a full wipe sometimes.
Like other commenters said, they used him as a scapegoat; he did zero damage except make poor ol' Gabe worry.
Also, can't say I buy the hypothetical piracy cost. Does anyone have any examples of other engines copying Source features from the source code?
I think the suggestion was that the time taken to secure their networks shouldn't be counted as "damages", just something that needed to be done regardless.
My point is that re-securing their network does not seems like a financial damage to me. If they had known about their vulnerability beforehand, I'm sure they would've spent the time and money to fix it then.
Plus it's something they needed to do anyway.
Also, who else had access to their network? This kid getting caught may have saved Valve from other breaches...
Seems more likely that it was a convenient excuse.
If the hackers would have the source, they would not even need to reverse engineer the engine to build their aimbots/wallhacks.
Gosh, Valve must hire great PR. I had completely forgotten their overt evil actions around this incident.
"Valve time" was already universally accepted. Between Half-Life, TFC, and Counterstrike, there was an enormous amount of good will towards this company even back then. Plus, we were already used to "Valve time" because it was actually "id time." Id had been doing it for nearly a decade before HL2 game out.
>Additionally they had demo'd at E3 and claimed the demo was not scripted, whereas the leak showed it was almost entirely so.
The guy who obtained the source code himself said that there were so many builds on valve's servers he had no way of knowing whether or not he had the most current build.
I think that if he wasn't German, but from another 'major' or 'minor' EU country, Austrilia and many others he would have been extradited at no time to the US.
I don't know where the cycle goes from here. Maybe the real wisdom is feeling bad for both?
What was done, is done. Wish you all the best in your life.
"This was actually one of the interview questions, don't know why they didn't use the answer. I work as a software developer and a bit of a system administrator. I work in a company that does physical security, like fire alarms and such. Most of the work I do is programming PC control software for our systems and also quite some firmware development for various uCs. I know quite a bit of different assemblers. Measurement and automation is another field that I'm currently learning more and more."
I think the German police officer was right. If you got arrested on US soil, (your side of) the story could have been very, very different.
Valve's use of SourceSafe at the time is another black mark, though not related to the security breach.
Developers != System Administrators != Security Experts
ps. The most important part however, are the developers, without them the other two groups wouldn't exist. :-)
The difference in the way he was treated by police and the justice system (and how different it is than what we've come to expect in America) is what struck me the most about this story.
Swartz was NOT facing anywhere near 35 years in prison. He was facing, if he went to trail and lost on all charges, and the court decided that he had caused a large amount of monetary damage, around 7 years. If he had taken the plea bargain that was on the table, he was facing a few months.
Prior discussion with more detail: https://news.ycombinator.com/item?id=7004640
>Swartz was NOT facing anywhere near 35 years in prison.
You know why people keep using that number? Because that's the number the attorney's office itself used in its own press release. That's why. But OK, let's be reasonable here. I'll fix it:
>"Compare that to the $1 million fine, up to 35 years in prison (followed by 3 years of supervised release) Aaron Swartz was facing"
There fixed it. Happy??
I'm sure from your armchair perspective, you can find nuance in saying that he wasn't __likely__ going to get 35 years, instead, he'd get a quick 7. Yet, I think if you're in that position, you may still be looking at that 35 or 50 year number. The sentencing judge could have made an example out of him as well, no? It's not like never happens. And of course, the best outcome is that he's looking at 7 + . Justice!
Of course this raises another relevant question. Why is it that prosecutors like to load-up on charges to get their nice maximums? Is it so that their office can do those great press releases extolling how tough on crime they are? Or maybe to bully the defendants into taking whatever deal they cook-up in order to get another notch on their conviction belt? If you think 7 years (here's your nice, reasonable almost-a-decade number, happy?) is what the law calls for, why not charge him for 7 years?
>If he had taken the plea bargain that was on the table, he was facing a few months.
That's right, he didn't, and then the prosecutor loaded up 35 years of charges and pulled the plea bargain off the table. Because why? To teach the next guy to not be so uppity and force them to cow-tow to prosecutor demands?
You know why people keep using that number? Because
that's the number the attorney's office itself used
in its own press release. That's why. But OK, let's
be reasonable here. I'll fix it:
"Compare that to the $1 million fine, up to 35 years
in prison (followed by 3 years of supervised
release) Aaron Swartz was facing"
There fixed it. Happy??
years = 0
foreach charge as c
years += maximum_sentence_someone_can_get_for(c)
Note also that the press release algorithm just adds these up for all charges. In reality, related charges are grouped together under the Federal Sentencing Guidelines. If you are convicted on more than one charge in the same sentencing group, you are only actually sentenced for whichever one gives the longest sentence.
I'm sure from your armchair perspective, you can
find nuance in saying that he wasn't __likely__
going to get 35 years, instead, he'd get a quick 7.
Yet, I think if you're in that position, you may
still be looking at that 35 or 50 year number. The
sentencing judge could have made an example out of
him as well, no? It's not like never happens. And of
course, the best outcome is that he's looking at 7 +
You could have been one of those people, if you had bothered to read Orin Kerr's incredibly detailed analysis of the law in this case that was cited in the comment I linked to.
Of course this raises another relevant question. Why
is it that prosecutors like to load-up on charges to
get their nice maximums? Is it so that their office
can do those great press releases extolling how
tough on crime they are?
Or maybe to bully the defendants into taking
whatever deal they cook-up in order to get another
notch on their conviction belt? If you think 7 years
(here's your nice, reasonable almost-a-decade
number, happy?) is what the law calls for, why not
charge him for 7 years?
If he had taken the plea bargain that was on the
table, he was facing a few months.
That's right, he didn't, and then the prosecutor
loaded up 35 years of charges and pulled the plea
bargain off the table. Because why? To teach the
next guy to not be so uppity and force them to
cow-tow to prosecutor demands?
It's almost as though, by treating criminals so harshly as we do here ("tough on crime" is a popular slogan for politicians), that instead of reducing crime, we reduce our society's recognition of each individual's humanity and value, and thus cause crime to rise.
The fact that they were setting a trap for him was also relatively shocking. Don't they have to follow due process?
Second: Let's not forget what you were originally complaining about. "The fact that they were setting a trap for him" is what you said.
But it's not really the same sort of trap, is it? In one scenario, you think the police are tricking somebody into committing a crime, so they can be arrested. Sure, that's a valid and interesting discussion to have. But in the other scenario, you're complaining that somebody who has ALREADY committed a crime, and confessed to it on the phone, with no duress, is being tricked into being arrested. That's a very different situation, and I'd be very interested to know why you think that this situation in particular is objectionable. The kid committed a crime; he confessed to it freely. The police got busy catching him; isn't that exactly what you think they should be doing? He's not an innocent person being tricked into a criminal act.
Its Valve's fault for letting a 16 y/o install malwares on their computers... When you are developing something you got to be serious about its security as well if you want it to remain a secret. It feels to me like their employees and IT department had no actual sense of what security was (Employees going off installing whatever on their computer, and IT team not being able to track down malware and outgoing packets to unknown sources...)