(Mis)Uses of Technology

by Tim Cushing


Filed Under:
hacker, patch, police, uk



UK Cops Punish Suspected Hacker By Having Him Work With The Organization He Hacked To Patch Up Security Holes

from the a-better-way-to-handle-minor-breaches dept

We've seen lots of companies (and prosecutors) go after researchers and hobbyists who have exposed security holes in websites and software. Rather than simply fix the problem and alert those who might be affected, too many see fit to shoot the messenger as well.

We've also seen some disturbing over-prosecution of less well-intentioned hackers, presumably meant to act as a deterrent toward others who might feel like taking a poke at a company's firewall. This tends to result in sentences completely divorced from the reality of the situation. So, it's somewhat refreshing to see law enforcement officials handle a hacking case in a much more proactively positive way. (via the Office of Inadequate Security)

Following an investigation, a 24-year-old man from London was arrested for computer misuse by the Metropolitan Police. The man admitted accessing email accounts by using information found on social media sites such as LinkedIn and Facebook to identify targets, and bypass their security questions.

It's unclear if the man did anything with the information he'd obtained. The man admitted to accessing the accounts and claimed he didn't know his actions were illegal. After some discussion with the suspect and the organization affected (which has asked not to be named), both aggrieved parties agreed to let the enterprising hacker work it off.

Instead of pursuing a prosecution, the victims agreed to a 'restorative justice' option, whereby the hacker will now be giving advice to the organisation about cyber security and some of the methods used to breach networks.

The 24-year-old will now be strengthening the security of the organization whose system he'd breached. This is a much better outcome for everyone involved than the alternative. A prosecution would likely have kept the suspect on the wrong side of the law. Spending time in jail tends to decrease the chances of rehabilitation and a criminal record can often serve as an inadvertent deterrent to making an honest living. A chance to work with those he's negatively affected will disabuse the man of any "victimless crime" notions and give the organization a chance to learn cybersecurity skills from someone who knows a thing or two about working around the minimal security roadblocks erected with a "will this do" shrug by far too many entities.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That Anonymous Coward (profile), 6 Jan 2017 @ 1:14pm

    How the hell did this happen?!

    "Thermodynamic miracles... events with odds against so astronomical they're effectively impossible, like oxygen spontaneously becoming gold."

    I guess every so often they can do something that makes sense.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Jan 2017 @ 1:19pm

    Reporting issues

    The very rare times I feel moved to let someone know they have their database hanging out on the Internet with no or default passwords, I generally go to a public library (often when I'm not in my home city), set up a free email account, and send an email to them with a CC to Cert and sometimes MITRE along with a proof of concept.

    I'm not at all stupid. I don't care to be enmeshed in someone's overheated imagination and prosecution.

    But mostly, if I see something, I just make sure nothing of mine is there and simply move on. I only look when I have a personal stake in it. I don't go wild hare hunting.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Jan 2017 @ 1:30pm

    Instead of pursuing a prosecution, the victims agreed to a 'restorative justice' option, whereby the hacker will now be giving advice to the organisation about cyber security and some of the methods used to breach networks.

    On one hand I view this as a win, since someone who exposed a flaw didn't end up going to jail.

    On the other hand I wonder what the potential is for misuse of this where someone exposes a flaw, alerts the company, and instead of the company fixing it (or contracting to fix it), they threaten prosecution unless the person helps fix it.

    reply to this | link to this | view in chronology ]

  • icon
    Roger Strong (profile), 6 Jan 2017 @ 2:25pm

    Trump Could Learn From This

    When the CEO of a bank known for mass fraud gets appointed to run the treasury, a racist is appointed as attorney general or a climate change denier and long-time enemy of the EPA gets appointed to run the EPA, some might declare it to be corruption.

    Trump could simply declare it to be a "restorative justice" option. Rehabilitation.

    reply to this | link to this | view in chronology ]

  • icon
    kenichi tanaka (profile), 6 Jan 2017 @ 4:37pm

    If I had ever been caught doing something like that and the police offered me a deal like that, I would agree to it but only after it was placed in a written agreement, signed by the police department, the company that got hacked, witnessed by a lawyer and approved by the courts.

    There's no way I would just trust the police to abide by the agreement.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Jan 2017 @ 5:42pm

      Re:

      There is actually a procedure that must be followed for restorative justice, which can be either before prosecution, pre-sentence, or post-sentence. It's not something that the polica can just make up as they go along, it's a regulated part of the criminal justice system in the UK. So, yes, it will be documented and recorded in the system in order to record whether the agreement is fulfilled. If not then a prosecution would probably be next (that is on the assumption that this agreement was made pre=sentence).

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Jan 2017 @ 7:56pm

    "The man admitted accessing email accounts by using information found on social media sites such as LinkedIn and Facebook to identify targets, and bypass their security questions."

    I realize various media uses the term rather loosely, but that is not hacking.

    reply to this | link to this | view in chronology ]

    • icon
      Animedude5555 (profile), 9 Jan 2017 @ 6:24pm

      Re:

      Actually it is. The definition of hacking (under the law) is to gain accesses to a computer system without permission of, or against the will of, that computer system's owner.

      reply to this | link to this | view in chronology ]

  • icon
    Blaise Alleyne (profile), 7 Jan 2017 @ 12:18am

    The Galen Erso Problem

    This is a cool idea, but in general, wouldn't there be a major question of trust? Like, at minimum, you'd need someone else to audit the work and verify the person is not intentionally creating new vulnerabilities or backdoors or otherwise trying to pull a Galen Erso. (Assuming the organization in question is not actually an evil empire; otherwise, carry on, Galen!)

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Jan 2017 @ 10:41am

    Sounds like a job title that should have been created a long long time ago

    Ethical hackers mind you, whose purpose is to hack, inform, and strengthen security, as is happening today

    So why dont we do the opposite and implement mass fucking surveillance while weakening security to do so............like the few dont have an already massive influence in our lives.........this ones gonna hit the fan, gonna hit it out of the ballpark, probably around about the same time they create the effective programs to collect, store, analyze and then present our private lives in a nice user friendly GUI

    Disgusting, WE ARE NOT PROPERTY, how far from equal are you guys planning to go, i would not mass survey someone, because i would not want to be mass surveyed, i can only assume that these folks feel protected from the thing they inflict on others........ makes you a baaaaad person, certainly not as the media would portray, freaking jesus christ personified


    Wow, sorry, that went slightly off topic

    reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 9 Jan 2017 @ 5:56am

    Sanity! That's what, the third time in less than 10 days? Seems 2017 stared quite well..

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.