Job Seeking Hacker Gets 30 Months In Prison
wiredmikey writes "A hacker who tried to land an IT job at Marriott by hacking into the company's computer systems, and then unwisely extorting the company into hiring him, has been sentenced to 30 months in prison. The hacker started his malicious quest to land a job at Marriott by sending an email to Marriott containing documents taken after hacking into Marriott servers to prove his claim. He then threatened to reveal confidential information he obtained if Marriott did not give him a job in the company's IT department. He was granted a job interview, but little did he know, Marriott worked with the U.S. Secret Service to create a fictitious Marriott employee for use by the Secret Service in an undercover operation to communicate with the hacker. He then was flown in for a face-to-face 'interview' where he admitted more and shared details of how he hacked in. He was then arrested and he pleaded guilty back in November 2011. Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs."
Re:Secret Service? (Score:5, Informative)
Because cybercrime/computer fraud falls under their jurisdiction. Since about 1983 or '84, I think.
Re:Geez what a moron (Score:5, Informative)
He could claim entrapment. There are articles every once in a while about some hacker that breaks into somebody's servers, and they're so impressed they recruit him right off.
You'd have to be an idiot to believe things like that, but it doesn't take a lot of brains to cause damage.
Except no one induced him into breaking the law. The very first contact that he had with Marriott contained proof that he had already committed a crime.
Entrapment only works when the originating idea for the crime came from a police officer, or an agent thereof. (If a cop tells a confidential informant to get a gang to rob a specific store, then that would be entrapment as well.)
Re:Secret Service? (Score:5, Informative)
I guess referring to them as the SS would not be too far from the truth...
Re:Good (Score:5, Informative)
And yes, my docs are confidential and none of you IT monkeys should be able to read them ...
There is your first problem. Already there is no room for reasonable cooperation without mutual respect and understanding.
IT should be a 'business enabler'
WRONG, WRONG, AND WRONG.
I am not just "IT". I am the CTO.
Enabling you to do your job is only one part of my job, and not even the most important. I must prioritize my responsibilities. In order to keep the company safe and sound I have to reasonably find a balance between the use of a system and the security of a system. That is first and foremost. Figuring out how to make your life easier comes in second.
Do you really think there is a danger? Hackers targeting your company would simply send the latest 0-day, which your anti-virus wouldn't catch anyway.
Yes, yes I do. Absolutely. Hackers would not just "send the latest 0-day". They will try social engineering, dropping flash drives in the parking lot, probing of Internet-facing assets, email phishing attacks, etc.
How can their 0-day get through if all email attachments are locked down to document file types only, and those are inspected and have certain functionality removed?
I don't care about little Hitlers in IT that talk about staff as 'The user has no basis or justification to' ... WTF!
With respect, I get paid to decide the basis and justification for your actions.
Anything the user needs for business you should provide!
Wrong. For anything that the business needs, I need to find a reasonable solution that the user can work with while satisfying the primary needs of the business. That is the reasonable balance between use and security I spoke of earlier. It's not Burger King; it's not what you want when you want it.
but instead of 'being reasonable' and blocking everything you should provide a solution to enable that user in secure file-sharing with people if there is a business need
I completely agree. Which is why I completely block email, especially on inbound, but have other means of secure document sharing between you and corporate clients. It is important to note that I don't view the customers as your customers, but as the company's customers.
In your case, which is not unusual, email is not the best and most secure method. A secured website that allows you to share very specific data with customers is best. We have vendors and service providers that have very strong data policies as well. They would never ever send a PDF via email. Secured PDFs are downloaded via a web portal with multiple user account credentials that I get to control via another management portal. I can then review all of it as part of my job.
I understand your need. My job is not to fill your need the way you want. Why? Simply put, you ain't the CTO, buddy. I am the CTO. When something goes wrong, it is my ass on the line, not specifically yours. If it is bad enough, like a huge data breach, your livelihood is affected along with countless others. That's a responsibility I would have to live with.
So that's why I carefully consider your needs. What is it you are trying to do? How can I make that the easiest way possible for you? How do I make it secure and satisfy our data security policies and the vendors? Multiple vendors? How do I make your life easier and more efficient?
At the end of the day, believe it or not, I exist to make your lives easier so you can be more productive, while also protecting the company to the best of my ability. It's not to be a dick and make your life hell for "funsies".
And yes, my docs are confidential and none of you IT monkeys should be able to read them ...
I'm going to touch on this twice beca