A 23-year-old man, suspected of being a member of the LulzSec hacking gang, has pleaded not guilty to an attack on the Sony Pictures website.
Cody Kretsinger, from Phoenix, Arizona, pleaded not guilty to conspiracy and unauthorized impairment of a protected computer during a hearing at Los Angeles District Court.
Kretsinger is alleged to be the LulzSec member known as “Recursion”, and is accused of being involved in an SQL injection attack that stole information from Sony Pictures in June, exposing users' email addresses and passwords.
Approximately 150,000 confidential records were subsequently published online by LulzSec, who mocked Sony’s weak security:
"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"
Prosecutors claim that Kretsinger used the HideMyAss.com proxy server website to disguise his IP address as he allegedly probed Sony Pictures’ computer systems in May 2011, hunting for vulnerabilities.
HideMyAss.com’s terms and conditions stipulate that their service is not to be used for illegal activity, however, and they co-operated with the authorities when a court order was received requesting information.
Kretsinger’s trial is scheduled to begin on December 13th. If convicted he faces up to 15 years in prison.
There is an assumption that HMA released information after receiving a court order – however, there was never any evidence for this. They are a UK-based company and it is debatable that the US authorities would have been able to get a UK court to issue a court order. I suspect they were just asked and they rolled over – providing the story that they were forced to when the ensuing backlash happened. Also, the crimes are "alleged" – so HMA would have made a decision relating to the criminality – all-in-all a "bad show" for a provider of VPN services.
That is a big assumption you're making by suspecting that they did not get a court order, despite so many articles on the internet elsewhere stating it.
Oh and yes all crimes are referred to as "alleged" until the trial is over because that is the purpose of the trial to determine guilt. (innocent until proven guilty and all that)
Fact of the matter is in UK computer law it is forbidden to hack another system regardless of where in the world it is located. Also HMA terms of service (to which he must have agreed to use the service) state you will not use the service to break the law.
A privacy VPN service is intended for personal data security not for cover for hacking attacks.
Sony's fault. This guy doesn't deserve 15 years for this, even though publishing all the accounts details online was attention seeking idiocy.
Sony's fault? Do you mean it's ALL Sony's fault? What rubbish. By your reasoning, if you leave your front door unlocked and I come in and steal everything you own, it's your fault. I have no moral culpability.
It's pure nonsense. Having inadequate security IS Sony's fault; that's not in dispute. But to say it's all Sony's fault is absurd. Publishing the data he stole is more than mere idiocy. It wasn't his to publish.
Whether he deserves imprisonment for any length of time is a separate issue. Punishment of the thief doesn't undo any of the harm he has done. If there were anything like real justice, the criminal (assuming this guy is found guilty) would have to make restitution for his crime. Not only would that serve as a far more effective deterrent by example, but it would actually accomplish something far more positive than the infantile punishment-and-revenge system now provides.
Sony might be at fault for the terrible security, although there is something terribly ironic about LulzSec mocking Sony's level of security, then using a single public proxy service that is known to cooperate with the authorities with a court order, in order to attempt to hide their identities. The pot is definitely calling the kettle black here.
15 years does seem like an excessive sentence, but it is a case of 'up to 15 years', so I guess we'll see how the court case continues.
15 years. & what do Sony execs get for their breach of explicit or implied privacy contract via blatant mishandling of 150,000 clients’ personal data that led to this? big fat bonuses.
something’s f*cked.