15-Year-Old Arrested For Hacking 259 Companies

An anonymous reader writes "Austrian police have arrested a 15-year-old student suspected of hacking into 259 companies across the span of three months. Authorities allege the suspect scanned the Internet for vulnerabilities and bugs in websites and databases that he could then exploit. As soon as he was questioned, the young boy confessed to the attacks, according to Austria's Federal Criminal Police Office (BMI)."

Not hacking

[Anonymous Coward]

nerd voice

Excuuuuse me. The term is 'cracking'.

/ nerd voice

Re:

[SJHillman]

2600 would disagree

Re:Not hacking

[mcgrew]

Citation? because the AC is correct. I understand how muggles confuse nerd terms, but they've taken OUR word for modifying hardware or writing quick-and-dirty single-use code and we let the muggles mangle the meaning of OUR word! As someone already pointed out, he's not a "hacker", he's a script kiddie. The hackers wrote the code he used for his cyberburglary and cybervandalism.

I never thought I'd see the day when we would be acceptable, let alone the day normal people pretend to be us.

Re:

[betterunixthanunix]

He is saying that some people say that "hacker" only refers to people who like to illegally break computer security systems, by referring to 2600, a hacker group known for that sort of thing. I say that anyone who is curious can read 2600 magazine and see that while there are a lot of articles about breaking security systems, there are other articles that are within the scope of the old school meaning of the word "hacker."

Re:

[SJHillman]

Go read 2600 - or go buy their Best Of book, a good read. The editors have repeatedly stated that they're against using the term "cracker" to denote a malicious hacker. I never said whether or not cracker is the correct term, just that 2600 disagrees.

Re:

[Myopic]

I disagree. My understanding is that "hacker" predates "cracker", and that some nerds decided they didn't like the pejorative sense of "hacker", so they adopted it as their own (cf. "nigger") and proffered "cracker" as a pejorative replacement. Most nerds, and all non-nerds, rejected this attempt at redefining the word "hacker", and continued to use it with its original meaning. To this day, that minority of nerds, especially the ones who like rhetorical pugilism, continue to make their specious case on Int

Re:Not hacking

[amRadioHed]

First, you use a made-up word...

Care to give an example of a word that is not made-up?

Re:

[Anonymous Coward]

Care to give an example of a word that is not made-up?

Grunt

It's not made up, because its use predates written languages.

Re:

[sfhock]

http://bit.ly/IAXJB0 [bit.ly] he disagrees

Re:

[tehcyder]

First, you use a made-up word...

Care to give an example of a word that is not made-up?

God.

Oh, wait...

Re:

[spire3661]

all words are made up. Muggle is a valid word. It will be in the dictionary someday because people use it.

Re:Not hacking

[DarwinSurvivor]

all words are made up. Muggle is a valid word. It is in the dictionary because people use it.

http://oxforddictionaries.com/definition/muggle?q=muggle [oxforddictionaries.com]

Re:

[cffrost]

all words are made up. Muggle is a valid word. It is in the dictionary because people use it.

http://oxforddictionaries.com/definition/muggle?q=muggle [oxforddictionaries.com]

Haha I love Oxford's example: "she’s a muggle: no IT background, understanding, or aptitude at all"

Re:

[DarwinSurvivor]

Hmm, sounds like an IT-Crowd reference... Must investigate!

Re:

[SendBot]

Look, I haven't read any Harry Potter books or seen any of the movies, but even *I* know what a muggle is! God forbid you try to look it up yourself:
http://en.wikipedia.org/wiki/Muggle [wikipedia.org]

Re:

[mcgrew]

Yes, it's a made-up word, but is in common useage. It's simply someone who is normal, not a wizard.

Re:

[Anonymous Coward]

because you always use the word muggles incorrectly.

Hollywood would disagree

[betterunixthanunix]

If you actually read 2600 magazine, the scope of the articles fits in with the typical definition of a hacker: someone who likes to tinker with computers and other electronics. There is something of a bias toward computer security, but I have also seen articles about undocumented functions of electronics, technical information about various networking equipment, and so forth.

Hollywood, on the other hand, turned "hacker" into a code word for "computer criminal." No surprises there, given that Hollywood's view of computing is basically the antithesis of what the old school hackers had in mind. Hollywood thinks that computers should only be programmed by licensed professionals, who can be held accountable for the software they write (e.g. deCSS). In Hollywood's view of the world, if you buy a computer that has been programmed to stop you from running your own software (e.g. an iPhone, a PS3, etc.), then defeating those restrictions is criminal behavior -- and they got that codified in the law with the DMCA.

Re:

[FingerDemon]

Hollywood thinks...

Citation needed...

Re:

[Cerium]

http://www.imdb.com/title/tt0113243/ [imdb.com] :D

Re:

[SJHillman]

I was referring to the parent poster who (sarcastically) was saying it's cracking, not hacking. The editors of 2600 have repeatedly stated that they don't support segregating cracking and hacking, that malicious acts do fall under "hacking" just as much as non-malicious acts.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[The Pirou]

I haven't read a fresh copy of 2600 in a very long time, but in picking up a random copy off the shelf (Fall 1998) there is an article on page 15 called 'Back Orifice Tutorial.' The article went on to describe basic social engineering skills and methodology for operating this software. There were are also several other articles of interest such as 'Screwing with Moviefone' and 'Screwing with Radio Shack & Compaq' in the particular issue, all of which seemed like they were aimed at script kiddies. As

Re:Not hacking

[Tarlus]

The teenager used various hacking tools widely available on the Internet, including software that helped him remain anonymous.

Nothing more than a script kiddie.

Re:Not hacking

[jellomizer]

A real hacker would break into 256 companies, not 259... What was he thinking?
Unless he actually broke into 512 or 1024 companies.

Re:Not hacking

[Nrrqshrr]

He was probably aiming for 1337 companies...

Re:Not hacking

[treeves]

Well, there are only a few of those. That's why they're 1337. Duh.

Re:Not hacking

[hellkyng]

Actually I believe he was going for 640 companies broken into, and that really ought to be enough for anyone.

Re:

[naturaverl]

Not anonymous enough.

Re:

[MightyYar]

I'm asking this as someone who wouldn't even qualify as a script kiddie...

If you were hacking into sites (blackhat, whitehat, whatever), would you do so from home? I would think that at the very least, you'd get in your car and look for open WiFi. I imagine that with the high-speed cell networks and prepaid phones you could even afford to hack from anywhere with a cell signal.

But certainly not from your home network?

Re:Security blanket

[b4dc0d3r]

A 15 year old most likely is not mature enough to have that level of understanding.

Disregarding his age, anyone would fall into the same trap. Dip your feet in the water, and don't get caught. Go a little further, and still remain undetected. Maybe you get detected next time, but they can't find you. All from the psychologically safe bedroom/basement instead of getting in your car (which a 15 year old in Austria may not be allowed to do).

Once you truly understand how the network works, and you're writing your own tools, you understand that the safest place you can be is in public, away from anything personal including hotel reservations. But that also has to include CCTV or other surveillance. Until then, the comfort zone of "home" makes you feel you can not get caught. The illusion of safety when you are at your most vulnerable. Especially when repeated attacks come from the same place.

Disclaimer: I'm not a white hat, nor a black hat, nor an any hat. But I have read a lot about people and what makes them do stupid things.

Re:

[PuZZleDucK]

Thanks b4dc0d3r,

Now I know why i did all those stupid things :p

Re:

[karnal]

And an additional "a" if we really want to be going to specifics.

Re:

[History's Coming To]

One of the connotations "script kiddie" carries is of a certain naiveté. In many cases people will download a ready-made script (hence the term) to, for example, scan for a security hole in an out-dated Wordpress installation, I see them the whole time in my server logs.

You're correct though, doing it from behind your home router is generally a dumb thing to do because it's so traceable. The easy alternative is to go through anonymous proxy servers which don't log the traffic (and they do have leg

Re:Not hacking

[Tarlus]

"Script kiddie" doesn't mean the use of scripts, it's about the attitude embodied in the attack. If the tools are nothing but a means to an end (draining a bank account, blackmailing an executive, etc.) then you're looking at a script kiddie. The fact that tools were used, on its own is not enough to make that call.

I certainly have no qualm with this. That said, I hold that "script kiddie" perfectly fits the description of a 15-year-old who defaces websites and leaks their back-end to the Internet, with probably limited skills. I could be wrong, maybe he's a technical genius who just needs better guidance. Either way, that is a purely pernicious attitude, and while I agree that most web developers/admins deserve this kind of wake-up call, the kid had no greater motive than the enjoyment of stirring the pot under the shroud of anonymity. And that attitude deserves a derogatory name like "script kiddie."

Re:

[DurendalMac]

I'd say it's more the level of understanding that differentiates. If you get the tools, have no idea how they work, don't care how they work, etc, then you're a skiddie. If you do know, understand, try to, maybe tinker with them on the lower levels, then maybe you're something more.

Re:Not hacking

[Securityemo]

For defacement, "asshole" is a much better term regardless of skill level. Moral judgment should be separate from judgment of skill.

Re:

[DurendalMac]

Well, you can be an asshole if you just throw crap for defacement or you can be an asshole if you build your own custom software and find a new exploit to steal a bunch of SSNs for identity theft. Skiddie is almost universally negative, but someone could use such tools for a good cause. Shame that it's so rare.

Re:Not hacking

[Medievalist]

Bruce Perens was addressing a bunch of geeks once and somebody asked him to use the word cracker instead of hacker when referring to computer criminals. Bruce replied "I refuse to use the word cracker because it's insulting to georgian-americans, and will continue to use the phrase computer criminals". I laughed my ass off, but he was right.

Re:

[WillHirsch]

When are nerds going to accept that "hacking" has a perfectly legitimate second meaning? It is really really simple. If the object of the hacking is a technology, you can carry on using the maker-hobbyist-anorak definition. But when the object is an individual or a group using some sort of electronic security, hacking means compromising that security in whatever way you want. If the hacking is being done "into" something, there is no ambiguity at all. This has been the understood meaning ever since people w

Re:

[account_deleted]

Comment removed based on user account deletion

Hacking is not a crime.

[Anonymous Coward]

It's a survival trait.

Re:

[kelemvor4]

It's a survival trait.

Right. Just like when I was a kid we used to say "skateboarding is not a crime".... until we got in trouble for it.

Re:

[Dainsanefh]

He will probably get probation instead. This is Europe, not Amerika, remember...

Not surprised

[Anonymous Coward]

Austria is a former penal colony. All their citizens are descended from criminals.

Re:

[Dutchmaan]

Let's put another shrimp an the Bahbie!!!! /JimCarrie

Re:

[Anonymous Coward]

As this is Austria I would say the correct /idiotic/ reply should have been something like "Thow another strudel in the oven"

Re:

[Tarlus]

crumb* of intelligence

Re:

[delysid-x]

Let's make a scrumb of intelligence

Re:

[Tarlus]

Actually, I was just amused by the irony of that statement.

Re:Brilliant

[Lunix Nutcase]

Ha ha! Spelling Nazi fail.

Re:

[DarwinSurvivor]

Right, because nobody immigrates there...

script kiddie

[rst123]

Any one else read this as nmap and known vulnerabilities?

Re:

[rsmith84]

I was thinking the exact thing. That plus good old hacker-target.com

Re:

[sl4shd0rk]

Any one else read this as nmap

No, Nessus.

Re:

[motd2k]

Almost all the kiddie sweeps we're seeing these days are from acunetix.

Hey

[obliv!on]

That's 1507 systems to you and he's 11! ;)

Re:

[nschubach]

Hell, if it were me... I think I'd stop at popular numbers. Pick a pattern of common computer values like 16 sites, then stop for a while, then 64, then 256, then 1024.

System Operator arrested

[Ranx]

System Operator arrested for leaving the computer system of the company he worked for vulnerable for attacks by kids. Oh wait...

Re:

[nschubach]

...or their lawn gnomes stolen for not chaining them down!

Re:

[ArsenneLupin]

But what if the lawn gnomes then commit mischief elsewhere? Shouldn't the owner be held responsible? Just look at what happened to France, after some sloppy gardener didn't pay attention to his gnome...

Re:

[TehZorroness]

But do we arrest bankers who keep confidential client information in their house while they are on vacation and leave the back door unlocked so their neighbor can feed their cat? That seems like a closer analogy.

Re:System Operator arrested

[Lunix Nutcase]

No. We don't arrest bankers, silly. We give them golden parachutes.

Re:

[MightyYar]

If only... gold would make a terrible parachute.

Re:

[JonySuede]

then maybe not.
If the resistance of a nano-wiremade out of gold is acceptable, you could make a parachute constructed out of a few layer of bi-dimensionally woven gold nanowires. But it would be incredibly expensive to do so; so much that at that point that banker's parachute could be made out of unobtainium.

Re:

[skine]

Not necessarily.

For example, the Mythbusters made a lead balloon that flew.

Re:

[MightyYar]

I don't understand... gold doesn't hold a sharp point at all. Terrible material for that.

You people are crazy - first this talk of using golden parachutes, which would likely kill the poor bankers.

Then you talk of making gold into points... not only would it cost way too much and add undue weight to the front of your projectile, but if the banker has any kind of body armor on it certainly couldn't pierce it.

Re:

[Opportunist]

We arrest bankers? Huh? Where? Hell, they're completely exempt from any liability as well, they can ruin whole economies and nobody will bother.

Re:

[Skapare]

Yes, that is not an arrestable offense. Just as we don't arrest people who leave their house unlocked.

There, fixed it for ya.

Re:

[ZeroSumHappiness]

Wow. That's absurd. That's beyond absurd. That's Monty Python level absurdity. I can see it now, a thief informing a cop that he just stole everything from a cop and the cop going off to fine the car's owner.

I can't wait until a thief unlocks a car, steals everything in it, then leaves it unlocked for the owner to later be fined. I guess that means it's effectively illegal to have broken locks on your car or to lose your door key for older cars that have separate door and ignition keys.

What is going on

Re:

[izomiac]

OTOH, we would probably fire a safe designer if a 15 year old could easily open it without the combination. Similar to how someone in charge of physical security would be terminated if 15 year olds could non-destructively enter the building as they pleased.

Re:

[Opportunist]

But at least the insurance refuses to pay if you leave the key under the doormat, or don't even close the door altogether.

Not so with computer crimes. No matter what a complete idiot you are, you're never to blame.

Re:

[aaaaaaargh!]

Actually, if you store others confidential personal information, money, credit card info, and so in in your house as a free "cloud service" and then leave the backdoor wide open, you will get arrested if someone gets to know about it.

Re:

[noahwh]

Perhaps you mean fired? Or possibly promoted, if it's a government job.

Re:

[Nikker]

You have to wonder, at what point do these companies start to feel stupid and have to *share* the blame?

Re:

[delysid-x]

Most 15 year olds are too lazy to even run a script if they can't do it with a console controller. The new crop of teens doesn't know anything about computers because they came up on Windows and Mac systems. When I was a teener hacking was pretty cool and got you respect on the BBS scene. These days kids just aren't into that sort of thing. I gotta give this kid props for even trying, even if he was a script kiddie. He knows a lot more than the rest of his school probably.

Re:

[uigrad_2000]

Who ever brought up sympathy? I think you're in the wrong discussion.

There's a company with a professionally managed network (let's call it Goliath) that has huge open vulnerabilities. All the adults stand around and point, and discuss it. "I'd take it down, to show how bad this vulnerability is, except that it's too easy. It's not that I'm afraid of being caught... No, no, I'm not chicken. It's just... below me."

Finally some 15 year old kiddie named David steps up, and says "Why are you so afraid of G

Re:

[tibman]

Already commented so i couldn't mod you up. I like your perspective on this. It's also silly to assume that a skiddie would stay at that level. Most people start with preexisting tools and work their way up. But there is still disdain for it.

Hey, it's Zer0C00L!

[Anonymous Coward]

His youthful adventure is about to begin.

Win

[jdog90000]

That child is a beast. Too bad he got caught xD

Re:

[doston]

That child is a beast. Too bad he got caught xD

That's what I thought. Thought the same about the barefoot bandit. But fear not, they'll get the kid in college, hook him up with a job and turn him into a cubicle drone in no time.

8bit hacking

[tom17]

See, the problem was that he is only an 8-bit hacker. He should have stopped at 256 companies or upgraded to 16-bit.

It's the overflows that got him :(

some of the CIOs at the hacked places tell ceo

[Joe_Dragon]

some of the CIOs at the hacked places should tell the ceo. This is what your cost cutting did it got us hacked as you did not give the IT team the funds to upgrade to newer software and hardware.

Re:

[danbuter]

Except that would likely get the CIO fired, as CEOs are incapable of making bad decisions.

BEULLER!!!!!

[retroworks]

In his defense, the lad said " Life moves pretty fast. If you don't stop and look around once in a while, you could miss it. "

Hack the planet!!1!

[WaffleMonster]

The only thing worse than being hacked by a bored 15 year old is being hacked by someone with an agenda.

I think governments should sponsor public hacking competitions with basic code of ethics rules and immunity from any legal or civil actions. Better than wasting billions "cyber defense".

About as dangerous as foot fungus

[alphatel]

If you look at the screenshots of what he defaced, it was default joomla templates on dead websites. If you read the forum he was in, it has about 50 active members of 2000 registered, and he was ranked the 50th best. This kid is about as dangerous as soap. If they even bother to sentence him it would be a joke. He knows nothing of real hacking and we should be thankful that Darwin has weeded him out early.

Pathetic

[Steven_M_Campbell]

259 companies aren't terribly embarrassed about implementing systems so badly that a 15 yr kid using cut and paste broke into their systems and viewed our personal information, credit card numbers, the dreaded social security number, etc, etc.

We really need to start taking these companies to task for their pitiful respect of the information we entrust to them. The kids in the wrong, no argument from me there, but couldn't they at least have invested enough effort to prevent point and drool attacks from wor

Not Hacking

[alan11]

Ok no problem, everyone is trying their best to give their best ,in my view boy's career is very bright if follows the + path Granite Worktops [discountgr...tops.co.uk]

Re:

[Mitchell314]

The the number of Austrians living among Australians isn't that high though, so you can't really blame the latter . . .

Re:Fucking Americans

[Anonymous Coward]

Always fucking things up, hey dude, go on a geography class? Idiots can't tell the difference between Austria and Australia.

Things like this are why they elected presidents like W Bush...

Re:

[Tarlus]

Austria. Not Australia.

Re:

[Lunix Nutcase]

Yeah, it's almost as if they were making a joke about people who confuse them...

Re:

[Tarlus]

One can only wonder...

Re:

[Wraithlyn]

Or maybe in his rush for a f1st p0st, this AC actually just misread it as Australia and made a stupid attempt at humour.

Re:

[Securityemo]

Why would any of those care about the fate of 15-year-old script kiddies?

Re:

[tibman]

I disagree that it should be made safer for unknowing people to get into hacking. How about more lenience and forgiveness? There are guns laying around (cyber weapons) within reach of teenagers. Some kid is going to shoot a hole in the neighbor's house because he wanted to see what happened when he pulled the trigger. Have the kid do the labor to fix it and forgive him. He'll either take up shooting at a range where it's safe, quit entirely, or start his criminal career. Hopefully one of the first two