A British student who breached security at Facebook last year has been sentenced to eight months in jail, despite arguing that his intentions were not malicious.
Glenn Mangham, who had previously been rewarded by Yahoo for finding vulnerabilities in its systems, unlawfully accessed and hacked into Facebook’s computer systems between April and May last year from his bedroom in York.
Specifically, Mangham breached a webserver that Facebook used to set puzzles for software engineers who might be interested in working for the social network.
Mangham then gained access to the account of Facebook employee Stefan Parker, and used the staff member’s privileges to access Facebook’s Mailman server (used to run internal and external email lists), and the Facebook Phabricator server used by internal developers.
Prosecutors claimed that Facebook spent US $200,000 (£126,400) dealing with the aftermath of Mangham’s hack, which prompted a “concerted, time-consuming and costly investigation” by the FBI and British law enforcement.
Mangham’s defence team argued that he was an “ethical” or “white-hat” hacker, whose intentions – rather than being malicious – were to uncover security vulnerabilities at Facebook with the intention of getting them fixed.
Southwark Crown Court heard that Mangham thought Facebook would respond positively to having its security flaws brought to its attention. The York student explained:
"It was to identify vulnerabilities in the system so I could compile a report for lack of a better word that I could then bundle off to Facebook and show them what was wrong with their systems."
Judge Alistair McCreath, however, showed little sympathy for the argument that Mangham was attempting to uncover security holes:
"This was not just a bit of harmless experimentation - you accessed the very heart of the system of an international business of massive size."
"This was not just fiddling about in the business records of some tiny business of no great importance and you acquired a great deal of sensitive and confidential information to which you were simply not entitled... Potentially what you did could have been utterly disastrous to Facebook."
Others who are interested in uncovering security holes in Facebook’s systems might be wise to take heed of Mangham’s story. If you illegally access Facebook’s computers while investigating a potential vulnerability, the social network may take a very dim view of your actions, and, as this case shows, the matter can end up with law enforcement and in court regardless of the intentions you claim.
According to a Daily Mail report, Mangham is believed to have Asperger’s Syndrome, which puts him in common with other notable hackers who have wrestled with law enforcement.
"This was not just fiddling about in the business records of some tiny business of no great importance and you acquired a great deal of sensitive and confidential information to which you were simply not entitled… Potentially what you did could have been utterly disastrous to Facebook."
It would have been OK if he had hacked his local carpet retailer? Really? Do big companies deserve more protection? Really?
Well said!
My thoughts exactly… and to answer your rhetorical question about big companies deserving more protection, "No. I'm not sure they do."
(Local businesses, you can argue, are much more important to our long-term economic well-being than the sort of global behemoths which are, almost without doubt, better placed to defend themselves against hackers anyway.)
Of course, the converse isn't true either – big companies don't deserve _less_ protection by virtue of their size.
When it comes to this sort of digital breaking and entering, I think it's fair to say that an injury to one is an injury to all…
I'm interested to hear what you consider 'breaking', in your 'breaking and entering' analogy. What was broken in this case, specifically? It could be argued that Facebook's security was already 'broken' in the sense that an unauthorized person was able to gain access to sensitive information.
To extend the analogy, if your front door lock is broken in the sense that it doesn't work as you expect it and someone can just walk up and open the door, wouldn't that merely be 'trespass' rather than 'breaking and entering'?
I propose we use the term 'digital trespass' rather than 'digital breaking and entering' in future.
It is only broken when someone exploits it!
I have heard that even for unlocked physical doors, it is still “breaking and entering”. E.g.,
https://www.law.cornell.edu/wex/breaking_and_entering
I do think that intent is obviously important in analogy to physical breaking and entering. I am having a hard time seeing more than trespass here.
That's the first thing I noticed too. One law for huge rich companies and another for ordinary companies.
That’s because large companies can pay more for the privilege of being “special”.
Exactly what I thought Rob. Judges are no more immune from being brainless than the rest of us.
VERY TRUE !!! Large Companies don't deserve more protection than small companies. Small companies are so very important, and probably should be protected a bit more only due to the fact that they usually can't afford the talent and budget that it takes to keep themselves protected.
However I believe the intent of the Judges comment was that the data that the large company possesses obviously impacts more victims in a single attack.
One might well argue that the millions of users who place their private information at risk on Facebook lack good judgment and deserve whatever they get.
if yahoo paid him previously why didn't facebook do the same?
Hmmm. I find the judge's comments particularly revealing – "This was not just fiddling about in the business records of some tiny business of no great importance". So I guess it's not about what the law does and doesn't allow, but how powerful the people you crossed are. Well, nice to see what we all knew anyway stated so clearly.
I think I might go into my local corner shop, nick a load of sweets, eat them and then go back in the shop, tell them what I did and advise them that they need better security controls.
As long as you paid for them after I dont see the problem
So if someone hacks Facebook and stuffs things up for the whole FB community, it is OK if that person is not caught. But get caught doing a good deed (supposedly) and be prepared for prison, because some people cannot handle failure. It seems to me that Zuckerberg should learn from the banks, and their many security breaches, and offer the man a job, not jail him. But in defence of FB, if he thought there were problems with security he could easily have contacted FB (no easy feat really) and outlined the shortcomings.
Maybe then they would have hired him not jailed him.
Are you kidding? Send Facebook a message? Have you tried contacting the clowns at FB? You go around in circles getting nowhere, and if you do find a way through the labyrinth and you do send them a message, they NEVER reply anyway. They don’t want to be contacted, and they don’t listen to anyone, especially to those who use Facebook. That's my experience. I use FB, and yet I despise it at the same time. As for ZUK? He seems to wear two hats doesn’t he? The one where it would appear to be OK to screw your friends, and the other one where it’s not OK for people to screw with him like in this case. That said, hackers should expect to get their asses kicked if they unlawfully hack into anyone's, or any company's servers or computers, regardless of how big or small they are. I have had my website hacked three times by scum of the universe hackers, who uploaded malicious code which I had to delete. My ftp password is now so long and convoluted, it is virtually impregnable to hackers, kind of like Facebook’s messaging system!
If he had hacked into a bank and stolen a load of customers money, or something similar, then yes by all means send him to jail. He didn't really do great harm and considering my local newspaper reported today that a serial sex offender had been spared jail then yes, jail in this instance is a little bit harsh.
Seems to me I remember that there was a question as to whether what the young man did was illegal IN the UK, where he resides… was that resolved? Does anyone know whether his hacking was an illegal act in the UK?
Am I mixing this case up with another, similar one?
Or did the UK agree to prosecute under US laws?
This is the bigger story, imho… the corporate oligarchy in the US extending its reach into other countries' judicial systems…
I think you're mixing this case with that of Richard O'Dwyer.
This case was handled in the correct manner by the US authorities in that, having obtained evidence giving grounds for suspicion that an act had been committed under the laws of and within the jurisdiction of England and Wales, they made a complaint to the appropriate authorities.
As I understand it the computer misuse act covers all forms of hacking undertaken from the UK regardless of where the target machine is located in the world. (and it also applies to any UK system attacked from outside the UK)
Ultimately the "I hacked to expose vulnerabilities" defence has been overused now and I can see why they would stamp it out; if they didn't, every malicious hacker under the sun would be claiming to do it to "highlight vulnerabilities".
Didn't Mark Zuckerman do exactly the same thing, hacking into Harvard's server, just before he thought up the idea of facebook. He should have welcomed this guy into the fold!
And is $200,000 (£126,400) such a great deal of money to a company worth billions.
Shame on facebook
I have a huge problem with the fact that a single company that is entrusted to secure the personal data of "845 million monthly active users at the end of December 2011" was hacked by a student from his bedroom, and that he was able to penetrate so deeply as to access "sensitive and confidential information" without being detected.
Maybe they should investigate whether facebook is adequately protecting the personal data of the Billions of active accounts they have. I'm sure that investigation would cost facebook MUCH more than $200K
"Prosecutors claimed that Facebook spent US $200,000 (£126,400) dealing with the aftermath of Mangham's hack, which prompted a "concerted, time-consuming and costly investigation" by the FBI and British law enforcement."
Dealing with the Aftermath: how vague. Do they mean fixing their own vulnerability, or repairing something that was done by this hacker? If it's just fixing their own problem (that the hacker did not create), then the amount is irrelevant to the case. It took them whatever it took them to make things right, and that cost is on them. If this number reflects the overreaction of overcomplicated agencies to work in concert to find a small player without criminal ties nor record, then that has no impact at all on the damage done or not.
As far as I can tell from this story, he "used the staff member's privileges to access" things. Did he damage things? Did he delete things? Did he reconfigure things? Or did he read a few emails to see that he could do so? Oh NOES!
@PDucklin:
"From the details of this case, it doesn't seem that this hacker followed those guidelines at all…" from a thread further up on the page
Really? What details? Which of those lines did he cross? Was that information available at the time, or posted in response to the apparent crime?
The more I learn about the case, the less rational it all seems. Way to teach the good guys to shut up, judge. That will (not) keep us all safer.
So, what subject did Mangham study? If it was computing or security-related, didn't his university lecturers teach him to never, ever break into any network without its owner's permission (and in writing)? He could easily have screwed up a business-critical network during one of his 'ethical hacking' adventures, and he would have been held liable for that. The consequences would have been far more severe for both Mangham and the target. He got off lightly this time.
Yes and in that situation he would have been held fully liable. However, in this situation, nothing was damaged, beyond Facebook damaging their own reputation by making this hack public through a lawsuit.
Ad quod damnum. This person deserves nothing more than some sound advice that if he had accidentally broken anything, or inadvertently disclosed any sensitive information, he would have been in a world of hurt, so it's probably not wise to do it again.
My thoughts exactly!
Makes you wonder if it's worth reporting vulns, if they end up with a court case.
This case seems to go against Facebook's policies on vuln reporting.
I don't think you'll find Facebook inviting you to "report" vulnerabilities by breaking into their (or anyone else's) servers.
Their bounty page expressly reminds you that if you "make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."
From the details of this case, it doesn't seem that this hacker followed those guidelines at all…
Note that the bounty policy did not exist back then.
From : http://gmangham.blogspot.co.uk/2012/04/facebook-h…
"I am willing to bet that it became a higher priority afterwards though."
I know nothing about computers or hacking, but I think what the judge might have been talking about was the amount of people who are on FB – millions – while a tiny business would not have that many people nor that much info available to a hacker. I don't think powerful has anything to do with it – just the amount of accessible information available from FB as compared to a tiny business. I may have interpreted the judge's comment wrong…………………
The justification is just plain wrong. Bad call judge..
Let the black hatters at Facebook and see how nice they'll be about what they do with the info they get. I'm positive they can hack into FB just as easily as this young man did.
"No officer, I swear, was just breaking into these houses to demonstrate their lack of security. I didn't take anything! Honestly!"
"It's still breaking and entering, son. You're nicked!"
I only have 2 things to say. First is that I hope this guy gets out and finds a way of not being caught next time and secondly, that he does it again and screws Facebook over.
Really, what company is going to offer you money up front to begin hacking for vulnerabilities? I mean, with this point they could pay you and you respond that there are none found. By already having the data, you can prove the vulnerabilities, and sell the report as it's meant to be.
Well, at least while in jail he can document his findings, and post other possible vulnerabilities he found in Facebook that he didn't exploit yet, and no need to ship them off to Facebook, but leave them wide open, since he can't further investigate these. This is pretty much stating that there are no ethical hacking guidelines. Might as well not find and correct these, but leave the vulnerabilities for someone who will bring malicious intent, and not get caught. Do you really think that a malicious hacker will be attempting to hack a small business over one with thousands of users?
Here in America we pay lip service to the concept of equality under the law, but in 'practice' and in most 'cases' you get the justice you can afford, puns intended.
So, it is with a benefit of the doubt for his Grace, Judge Alistair McCreath, and all due derision for the hapless hacker that I mention FB's pending IPO – worth a kingly sum to be sure. That the scope of an international business by its very presence has consequences whose ramifications extend far beyond the realm of, shall we say, a mom and pop store is also to be sure. Still, his Grace could have made the point more delicately; and in retrospect one wonders if he now wishes he had.
At the end of the proverbial day, the bottom line, and the judges comments notwithstanding, remains this basic concept:
What thief in the night couldn't claim the same well intentioned motives once he or she is caught breaking and entering. (sniff 🙂
Aspergers, what a wonderful excuse. I wonder how long I have before I get registered as disabled because I am better with numbers than names? Americans always over state the cost of dealing with things like this, all they are interested in is how they can make a bit of cash out of any situation. Chances are that what he did cost about $100 to clean up and if there was another $199,900 spent then it was on what they should have done in the first place. Facebook makes a business out of using and abusing our data then gets all self righteous when an idiot kid gets in to their poorly secured system.
What he should have got is something like a first time car thief, bound over to keep the peace and sent away to sin no more. What he would probably have got in the US is nothing. Heck, he could have conned ten million people out of their pensions and he'd only have got invited to every Republican party fund raiser for the next decade.
He has a hacker face, by the way.
Like all law & order stories, there's usually more to the story than reported.
But this bit rings alarm bells "Mangham then gained access to the account of Facebook employee……and used the staff member's privileges to access Facebook's Mailman server [and] Phabricator server".
That is not the work of a whitehat, that's stealing someone's login to gain access to server. That's like someone stealing your credit card and using it to prove that credit card fraud exists.
Waste of taxpayers' money to send him to jail; just remove the computer.
I think the judge responded appropriately. There is an important part of the story not being considered here. Over two weeks ago the Anonymous hacking group had publicly stated a specific date that FB would be taken down by DDOS. I've got it posted somewhere on my Timeline. ( I commented that they don't really have sufficient resources to carry out the attack.) I watched for the date and the supposed attack. When it arrived, nothing out of the ordinary happened on FB that day. DDOS either failed them or they backed down and cowardly gave up. But FB obviously has a better response as witnessed here.
Why not allow a known vulnerability to exist and trap the would-be hackers one-by-one. That way at least a few un-suspecting pawns of Anonymous will get what's coming based on their own stupidity… jail time.
I'm not sure why Sophos refers to this convicted criminal as an "ethical" hacker, but that headline seems to be misleading most of the people who are posting here. In fact, there is no evidence of ethical hacking in this case other than the unsubstantiated claim of the defendant after he got caught. The judge rejected that defense because the evidence showed the defendant had malicious intent, stole another's identity, engaged in extensive and destructive efforts to remain undiscovered and anonymous, made no effort to contact Facebook with his discoveries, and even denied involvement when initially questioned.
His attempt to claim he intended responsible disclosure only after faced with criminal action is insulting to the community of responsible security researchers. Facebook has a really ambitious whitehat program that not only gives immunity to ethical hackers who practice responsible disclosure but also rewards them with cash. The company has paid out hundreds of thousands of dollars to ethical hackers in the last six months alone. You can read about that program here: https://www.facebook.com/whitehat.
It is disappointing that Sophos is running an article that reflects an unawareness of the actual facts, suggests Facebook supports prosecution of whitehat hackers, and doesn’t even reference the Facebook whitehat program.
Joe Sullivan
Facebook CSO
Hi Joe
Thanks for leaving the message. You'll note that our headline uses the word "ethical" in quotes. That's because Mangham himself tried to describe himself as that as a defence.
Which, as you rightly say, got rejected.
If we had intended to imply that his actions were ethical, we wouldn't have used the quotes. 🙂
And of course we don't believe that Facebook supports the prosecution of whitehats and people who responsibly discover and disclose vulnerabilities to you. That would be ridiculous.
We make clear that the punishment comes to those who break the law and act illegally, as Mangham did. Others would be wise not to break the law too.
I think we're on the same side here!
I don't think that Sophos is attempting to put this boy in a positive light. Like Graham said, " 'Ethical' " is in quotes– a questionable claim by the defence. Also, as a reader, I did not find anything that suggests that Sophos personally was attempting to promote Mangham's case. The "prosecutors claimed", "Mangham's defence team argued," "Southwark Crown Court heard. . ." — where does it say "Sophos believes . . "?
Looks like reporting to me.
And maybe you should read the comments again, because I see some posters that disapprove of this case of "ethical" hacking.
"This was not just fiddling about in the business records of some tiny business of no great importance…"
This statement isn't very convincing, is it? As previous messages point out, it looks like a main reason is that Facebook is not a tiny business.
"Facebook has a really ambitious whitehat program that not only gives immunity to ethical hackers who practice responsible disclosure but also rewards them with cash"
Such a spin master.
"…doesn’t even reference the Facebook whitehat program"
Probably because it DID NOT exist?
———————————–
I suspect some people are wondering why I didn’t use it to submit my findings, well the answer to that is that the bug bounty programme DID NOT EXIST when I was working on my audit, therefore it was not an option that I could take.
I am willing to bet that it became a higher priority afterwards though.
———————————–
From : http://gmangham.blogspot.co.uk/2012/04/facebook-h…
Joe probably thought it would be easy to attack a helpless, jailed hacker.
He probably didn't expect the hacker to be released so soon, AND started telling the story from his side. Ha.
He gained access by using a stolen identity, hence theft.
Why did the judge not refer Facebook to the Data Protection Registrar as they seem not to be keeping individuals data safe on-line?
The Data Protection Act would insist that UK data in the US is stored with a ‘safe haven’ clause. I am surprised that the defence team did not say that he was investigating such a breach of the act, as without people like him our businesses will be wiped out in a Cyberwar (that is, a nation-state-backed Cyberwar). You can run out of money in a war, as Charles II found out to our nation's cost.
It is disappointing that Sophos is running an article that reflects an unawareness of the actual facts, suggests Facebook supports prosecution of whitehat hackers, and doesn’t even reference the Facebook whitehat program.
Pity you don’t know the actual facts Joe. Your Facebook whitehat program didn’t start until after you were hacked. Check the dates!
I would argue that I am ethical…
http://gmangham.blogspot.co.uk/
And I would argue that facebook has some questionable ethics, starting from their inception day, as we all know from the movie, but here’s an interesting quote that questions the legality of facebook’s actions:
I look forward to continued improvement in this area.
Wow, good catch Jason, this is ridiculous!
So, if a prime minister's car is burning while he is trapped inside, you should look on while his body gets charred? This is absolutely not fair. This is injustice; he could as well have made the vulnerability public so that people took advantage of the situation, but he didn't. I think organisations that keep access to confidential information should be sued for negligence and for putting their subscribers at risk. You should be thanking people like this guy who have put their skills to good use.
The guy has been rewarded by Yahoo for the same thing… what shows that he wasn't trying to do the same this time around?
Facebook’s a sketchy bunch anyway. One rule for them Another one for us.
Or is it skezzey, or skuzzy? Well anyway Facebook is a lot of things, Up Front however is not one of them.