Forgot your password?
typodupeerror
Crime Security News

Job Seeking Hacker Gets 30 Months In Prison 271

Posted by samzenpus
from the hire-me-or-else dept.
wiredmikey writes "A hacker who tried to land an IT job at Marriott by hacking into the company's computer systems, and then unwisely extorting the company into hiring him, has been sentenced to 30 months in prison. The hacker started his malicious quest to land a job at Marriott by sending an email to Marriott containing documents taken after hacking into Marriott servers to prove his claim. He then threatened to reveal confidential information he obtained if Marriott did not give him a job in the company's IT department. He was granted a job interview, but little did he know, Marriott worked with the U.S. Secret Service to create a fictitious Marriott employee for use by the Secret Service in an undercover operation to communicate with the hacker. He then was flown in for a face-to-face 'interview' where he admitted more and shared details of how he hacked in. He was then arrested and he pleaded guilty back in November 2011. Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs."
This discussion has been archived. No new comments can be posted.

Job Seeking Hacker Gets 30 Months In Prison

Comments Filter:
  • Good (Score:5, Insightful)

    by Viol8 (599362) on Sunday February 05, 2012 @01:47PM (#38935709)

    Blackmail is blackmail whatever method is used to carry it out. Thinking that you're some sort of "lee7" hacker doesn't change the rules. Besides which, this guy comes off as an arrogant moron anyway.

    • Re:Good (Score:5, Interesting)

      by Adriax (746043) on Sunday February 05, 2012 @02:13PM (#38935867)

      I'm guessing Marriott's monetary claims are mostly "It's his fault we have to pay all this money, we wouldn't have to fix anything if he hadn't used those flaws to break in."
      He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

      • Re:Good (Score:5, Insightful)

        by phantomfive (622387) on Sunday February 05, 2012 @02:52PM (#38936155) Journal

        He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

        Why do you think this? I couldn't find anything related to it in the article. Do you have some preconceived idea of how companies should act, and then judge them without checking the evidence? That's a serious cognitive bias.

        He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

        • Re:Good (Score:5, Insightful)

          by betterunixthanunix (980855) on Sunday February 05, 2012 @03:00PM (#38936237)

          He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

          Except that users are part of the system that is being attacked. As Bruce Schneier put it, only amateurs attack machines; professionals target people.

          It is true that user training is hard. It is equally true that the system should be resilient to stupid users, just as it should be resilient to malicious users. Spear-phishing and trojans are just a way to get non-malicious users to behave maliciously, and the system should be designed to contain the damage that malicious users can cause. There are a variety of technical measures that can be taken to prevent malicious users from leaking information or otherwise violating the security of the system; a large company should be taking these sorts of measures.

          • Oh yeah? You've discovered a way to prevent spear-phishing attacks from doing damage? Please tell.
            • Re:Good (Score:5, Insightful)

              by betterunixthanunix (980855) on Sunday February 05, 2012 @03:39PM (#38936511)
              I am not going to claim that malicious users can be prevented from doing any damage. All I am saying is that a malicious user's ability to do damage can be restricted in a well designed system. The entire point of MLS systems is to ensure that users cannot leak or alter sensitive information, beyond what is necessary for their job. "Inside jobs" are a problem that has been extensively worked on, and resilience to such attacks is not completely impossible. There are cryptographic approaches to dealing with potentially malicious parties within a given system, which can ensure that security is maintained even if some of the participants are corrupted.

              We really do not have to throw our hands in the air and declare spear-phishing to be some kind of ultimate attack that cannot be defended against.
              • Good point. There is always the balance between security and ease of use.

                In this case it doesn't look like the guy got much other than a few documents, at least that's all the article mentions, so I maybe they do have some protections.
            • by EdIII (1114411)

              He has a point, and so does the other poster. Marriott cannot absolve themselves of all blame here and trumping up enormous costs is kind of way to shift the expense they should have already been paying to secure their systems. A million dollars is a little over board. I'm not blaming the victim here either, just saying that it is a little bullshit to pile all those costs on to the hacker afterwards.

              As far as preventing trojans being sent to employees you could look at it preventing all file transfers ov

              • removing all executable attachments on email, all attachments on email that cannot be decompressed,

                Companies that do this drive me crazy.

                • Re:Good (Score:5, Insightful)

                  by EdIII (1114411) on Sunday February 05, 2012 @04:13PM (#38936755)

                  Seriously?

                  Not allowing .exe files in emails drive you crazy? Especially when email was never truly designed for file transport in the first place?

                  Not allowing compressed file attachments that cannot be scanned drives you crazy?

                  Well tough cookies buddy. If you need to send files back and forth with a user on my network you can go through different channels, and whatever they are, you can bet that the file will be scanned and the user will not be allowed to install software. If you are trying to protect from being scanned or opened, you are already wrong to do so. The user has no basis or justification to need privacy (from the system) when exchanging information across email. Part of the data diode and behavioral analysis I mentioned.

                  None of what I said prevents normal file transfers needed in the course of business. Just executable files.

                  I hardly see how that is unreasonable.

                  If I wanted to go overboard and be unreasonable I would remove PDF attachments.

            • by Lehk228 (705449)
              not allowing users to execute code or load scripts which have not been approved. this isn't rocket surgery, if your users can run arbitrary code on your network, it's probably not your network anymore
        • He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

          Why do you think this?

          That's what I'd do. Why let a perfectly good crisis go to waste?

      • Really? (Score:3, Insightful)

        by DRMShill (1157993)

        Do you apply this logic to your own network? Actually let me rephrase that. Do you apply this logic to your own possessions, property and family? Do you believe burglary victims should share part of the blame because they didn't reinforce the glass windows(security flaws) in their homes?

        Let's call a horse a horse here. This man was a criminal. He deserved what he got.

        • No. But if my house was burgled and I then decided to replace all of my windows with Lexan, it would not be reasonable to claim the cost of the replacement (other than the single window broken in the burglary) as damages.
    • Re: (Score:2, Interesting)

      by Glonoinha (587375)

      It's "1337" hacker. Just sayin'.

      And seriously, ... the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs. ???
      That's got to be the craziest application of 'cop math' I've seen in a non-drug related case ever.

      • Re:Good (Score:4, Funny)

        by zwede (1478355) on Sunday February 05, 2012 @03:11PM (#38936297)

        It's "1337" hacker. Just sayin'.

        And seriously, ... the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs. ???
        That's got to be the craziest application of 'cop math' I've seen in a non-drug related case ever.

        I guess you haven't seen the 'math' used in file sharing law suits then.

        • by Creepy (93888)

          The math makes sense, but the way they group it with "other costs" it is deceiving - the keywords are actually salaries and consulting expenses, not other costs. They obviously had to hire and/or contract some computer security professionals to fix their broken security and make sure it doesn't happen again and they're blaming part of the expense as having to hire these professionals. To put this in perspective, it is a lot like saying "we had to hire desk guards because people were just taking the keys to

      • Not really, they probably panicked, and hired a couple of outside consultants to check their security.
        And since they probably didn't have a real inside expert (or they would not need this) they also needed a senior security manager...
        So all in all 3 persons with expensive rare skills hired on short notice.
        for let's say 3 month.
        180 days * average 1500$/day => 270 K$ + at least one senior manager and one assistant to track what their are doing...
        "et voila" => 400 k$
        Add cost of building, chairs, computer

    • by JamesP (688957)

      So in this case it's blackemail?

  • by Weaselmancer (533834) on Sunday February 05, 2012 @01:47PM (#38935713)

    I mean, if he had access to their network and wanted a job, he should have forged interview and approval emails.

    Think outside the box, man.

  • by Bradmont (513167) on Sunday February 05, 2012 @01:48PM (#38935715)
    So how much of that $1 million in salaries was spent repairing the security holes, which they should have done anyway?
  • or perhaps I'm just too used to seeing monetary estimates by the Movie and Music industries. For example, the jobs counted as being affected by the entertainment industry as part of the SOPA/PIPA debate included all the employees of the Department of Engraving and Printing. Why you ask? Because they make the $100 bills that the movie and music execs use to snort coke while coming up with the estimates of jobs affected by the movie and music industry. Perfectly logical right?
  • by hcs_$reboot (1536101) on Sunday February 05, 2012 @01:54PM (#38935761)
    ..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills.
    "I found a security hole in your systems and may help you to improve this, and your systems globally".
    • by artor3 (1344997) on Sunday February 05, 2012 @02:04PM (#38935815)

      You haven't met many computer nerds, have you?

      • by couchslug (175151)

        That's why man requires punitive measures to keep order.

        Most folks "get it". For those who refuse to get it, a knouting is in order.

    • by Dogtanian (588974) on Sunday February 05, 2012 @02:27PM (#38935969) Homepage

      ..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills. "I found a security hole in your systems and may help you to improve this, and your systems globally".

      No, no, no, no, NO.

      You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick- even if you found the hoed through innocent means- assume that you hacked or were trying to hack into their system, and act accordingly.

      Others still won't care, but will be angry that their shortcomings have been exposed (either the organisation as a whole, or vested interests that hold sway within that organisation, e.g. the crappy IT guy who's just been made to look bad) and that they have to correct them. Under such circumstances you are in danger of them maliciously trying to punish you or get revenge in some manner.

      You do *not* risk the second or third happening, regardless of whether informing the company would benefit them. Ideally you'd be able to, but this isn't an ideal world, and you do not put yourself at risk for a benefit that they might not perceive as such. At best, if you need to report this kind of thing, you do it anonymously and/or in a manner that makes it untraceable or at least such that you won't be at risk of retribution.

      This is the problem with geeks not understanding that the world does not operate in the logical manner they'd like to think, of assuming that people will behave logically and of not factoring in personal politics, self-interest and inadvertantly standing on someone else's toes.

      • by Mitreya (579078)
        You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick- even if you found the hoed through innocent means- assume that you hacked or were trying to hack into their system, and act accordingly.

        It seems like a reasonable risk to me. He may have gotten a job like that - and if not, then he'd be no worse off. I mean, what's Mariott going to do in revenge? Not fluff his pillows when h

        • by Dogtanian (588974)

          I mean, what's Mariott going to do in revenge? Not fluff his pillows when he stays there?

          Er, they (*) are going to make the case that part or all of his activities constituted hacking of or intrusion into their system, leading to his possible arrest.

          Unless it's *very* clear that the guy has done nothing wrong- and believe me, this is an area where the lines can be blurred, and even if they aren't can be made to appear that way- he's going to have to defend himself against these accusations with both the police and a court system that probably won't be as tech-savvy as they should be and coul

      • by Lehk228 (705449)
        +1

        corporate security loves a good witchhunt, and they will likely go after you for jail time and far more money than you have.
        BR> if you find an exploitable hole in a system used by a big company, the best thing you can do is make an infographic detailing how to exploit said hole and what do do afterwards, wardrive a few towns over until you find an open AP, and post it all over 4chan and other places like that.

        the corporations have demonstrated an inability to be reasonable, time and time again, n
        • by Dogtanian (588974)
          If possible, it would be reasonable to notify the appropriate party(s) at the company of the hole beforehand, to give them a chance to fix it- taking care, however, to protect your identity for the reasons given above.
    • by X.25 (255792)

      What makes you think he was smart in hacking?

    • Re: (Score:3, Interesting)

      by roman_mir (125474)

      He is just not that smart, period. Say you run a company, some schmuck breaks through some web-app and steal some documents and then blackmails you with these documents to get a job? So what does he expect exactly, an actual job from you?

      Let me put it this way - I wouldn't call cops on him, I would invite him for an 'interview' and clean his clock.

      • sorry didn't see the "L" , i totally got the wrong impression about the type of interview you conduct, my apologies

    • Re: (Score:3, Insightful)

      by ranpel (1255408)
      Someone can have skills and lack the maturity and wisdom to wield them easily enough. It's more of a willingness to engage in a clearly criminal endeavor with those skills that is relevant. He could just as easily have delivered his findings, suggest they shore up, wish them luck and maybe hint that he's looking for a new gig and if they find themselves in need of someone that can shore up then to feel free to drop a message on this anonymous drop box. Gaining access to information is one thing but usin
    • His hack doesn't seem to have been that hard, actually. In fact, I'll bet you could do something similar if you are a programmer.

      He sent a trojan directly to certain individuals in the company, and got them to open it. Once it's been opened, then you have access to a lot of things.
    • by quantaman (517394)

      Except he didn't really find a hole in their systems. He found he could email some employees malware, trick them into opening it, and now he has a backdoor into the system. Now they could stand to strengthen up their IT policies/employee training a bit, but this isn't like he found a backdoor in their web server, and it's possible the docs he accessed weren't even particularly confidential.

      Probably the reason he couldn't arrange an IT job interview with Marriott, and claim good security skills is he didn't

  • by goodmanj (234846) on Sunday February 05, 2012 @02:05PM (#38935817)

    The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation. We need more stories like this to show that the average computer cracker is at least as stupid as the average Joe.

    Honestly, any janitor could tell you instantly why this plan is idiotic.

    • by tunapez (1161697)

      I am an eJanitor, you insensitive clod!

    • by Zadaz (950521)

      Yes, it needs more press, but not for that reason.

      The word "hacker" is already synonymous with "Skeevy computer criminal" in the mind of the general public â" despite the fact that's not what the hacker community means to those who actually make up the hacker community.

      Call criminals who use computers criminals. Don't call them hackers. It makes hackers look bad.

    • The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation.

      No, the greater damage is to so-disant 'smart people's self image. He's pretty typical of most smart people I've known... intelligence and common sense are in no way connected.

  • by wdhowellsr (530924) on Sunday February 05, 2012 @02:05PM (#38935819)
    I'm currently working a contract with Darden Restaurants, the largest full service retaurant company in the world, and as you can imagine they are very serious about security. During the meet and greet the head developer asked me if I had left any back doors at my previous contracts. I looked at him strange because the thought never even crossed my mind which is the difference between a hack and a professional.

    After I replied, he told me a story about a programmer interviewing for a position at Darden who had very good qualifications. He was asked the same question and immediately said, "Let me show you my back door", and proceeded to log into a company web site and pull up their web site administration page. The programmer actually seemed shocked when told that there is no way Darden could hire him.

    There is a fine line between genius and insanity but stupid is all by itself.
    • by Corbets (169101)

      I'm currently working a contract with Darden Restaurants, the largest full service retaurant company in the world, and as you can imagine they are very serious about security.

      Right, that because the restaurant industry is the first one that comes to mind when I think of "serious about security".

      • by wdhowellsr (530924) on Sunday February 05, 2012 @02:32PM (#38935991)
        I know, that's exactly what I thought when the head developer told me that. But if you think about it, if you are the largest -- Insert Anything -- company in the world you are a target and if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

        Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of it's type I have ever tasted, and don't get me started on the bread sticks.

        Damn, now I'm hungry.
        • by AK Marc (707885)
          Oh, that one. Fuck you and your piece of shit company that refuses to serve said bread sticks in Alaska. If you aren't going to open a corporate store, treat Alaska like a foreign country. I've spoken to more than one person who tried to get a franchise (as they'd make a mint, so long as you added "offer not valid in HI or AK" a the end of the commercials promising specials), I've even spoken to a few that tried for HI as well.

          But there are issues with supply chain and ingredients that are why franchise
        • I know, that's exactly what I thought when the head developer told me that. But if you think about it, if you are the largest -- Insert Anything -- company in the world you are a target and if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

          You really should stop watching Ratatouille and Mission Impossible back-to-back while under the influence - because you've gotten them confuse

    • by cdrudge (68377)

      After I replied, he told me a story about a programmer interviewing for a position at Darden who had very good qualifications. He was asked the same question and immediately said, "Let me show you my back door", and proceeded to log into a company web site and pull up their web site administration page. The programmer actually seemed shocked when told that there is no way Darden could hire him.

      I guess I could never work at Darden either. I would have to lie to get a job, or if I told the truth they already

      • It's funny that you should say that because he asked me a similar question about the security failings of previous contracts and how I would overcome them. As I work with WCF often I talked about the problems with using the out of the box implementations and how encryption, handshakes and at the very least not publishing methods can reduce security breaches.

        Now I wouldn't have shown him the security breaches but if you simply said that you know for a fact that many companies that you have worked for neve
    • I worked at the corporate office of a large, nationwide restaurant company. Saying you are the best tech guy at a restaurant company is like being the tallest guy in the Munchin Baskeball Association.

  • This guy got it all wrong. There is no such thing as capture the flag hacks leading to jobs. Who gave him the idea that this would work out in his favor? Tech smarts was there, but no sign of the minimal business smarts it takes to hold a job was there.

  • "hi, i'm arnold, i stole your tv. would you like to hire me to put a lock on the bathroom window i broke into?"

    i'm trying to put myself in the thinking here, and no... i just can't understand. i've reached my stupidity simulation threshold. i simply cannot understand a person this dumb

    • Hi, I'm Steve B., You may know me from youtube videos of my rousing speaches at Microsoft developer conferences.

      I didn't invent your android phone or any of the software on it, but I have found a flaw in the system that I can exploit. Its a flaw in the legal system but that's not important.

      If you don't want me to activate this exploit, you need to pay me $30.00 for every phone you sell.

  • by Anonymous Coward

    30 months? It is a good thing he didn't pirate some MP3s. Then they would really be mad at him.

  • On one hand it would make sense for him to release it out of spite or whatever. On the other hand, they did technically hire him, so...
    • Eh? How would he release the info? Unless the Secret Service is as dumb as he is, he was probably whisked off to the "interview" as soon as he got off the plane, and then arrested. He hasn't been unsupervised since he set foot in the US.

  • The title and summary seem to convey different things. "Job Seeking Hacker Gets 30 Months In Prison" sounds like a hacker was trying to get a hacking job somewhere, while the summary makes it clear that he hacked his way into getting said job. Just saying.

    Nonetheless, blackmail is blackmail. Malicious hacking involving the exposure of private data to unwarranted eyes ought to be punished.

  • by CxDoo (918501) on Sunday February 05, 2012 @03:45PM (#38936553)

    Do you see what happens when you fuck a stranger in the ass?

  • And this is one of those times.

  • by stealth_finger (1809752) on Sunday February 05, 2012 @05:05PM (#38937103)
    ...wouldn't it be easier to hack in and put your self in the employee database, set up payroll or send an email from the proper account to the payroll section to sort it and then just turn up on Monday? Or better yet not and get paid anyway.
  • by Maljin Jolt (746064) * on Sunday February 05, 2012 @07:27PM (#38937865) Journal

    He deserves it.

In every non-trivial program there is at least one bug.

Working...