The hacker who stole Facebook's source code has gone public with a deeper explanation of how he penetrated the world's most popular social network.
Glenn Mangham, of York, England, posted a lengthy writeup on his blog and a video, saying that he accepts full responsibility for his actions and that he did not think through the potential ramifications.
"Strictly speaking what I did broke the law because at the time and subsequently it was not authorized," Mangham wrote. "I was working under the premise that sometimes it is better to seek forgiveness than to ask permission."
Mangham implied he meant to contact Facebook once he had noticed the social-networking site had observed his intrusions, which he did little to hide. He didn't use proxy servers because he said it made auditing take longer due to the time delay between each request made to a server. He was also hoping that even when he got caught, Facebook would let him off the hook.
That didn't happen. He was charged and eventually pleaded guilty to three counts of unauthorized access to computer material and unauthorized modification of computer data, according to The Press newspaper in York.
Mangham was sentenced to eight months in prison in February, but the sentence was reduced to four months by an appeals court earlier this month. He was then eligible for release, subject to electronic monitoring and restrictions on his internet use.
Mangham used a vulnerability to download Facebook's source code, arguably the company's most valued and secret intellectual property.
Mangham portrayed himself as a security researcher who continued to probe Facebook because he wanted to look deeper for other security issues, since most systems have "a tough outer shell and a soft inside." He wrote that in the past he had been paid by Yahoo for finding vulnerabilities.
He said he took steps to prevent damage to Facebook's systems, hard-coding a delay in scripts he used to extract the source code to prevent "throttling of the server and impeding its availability."
After he knew Facebook was on his trail, Mangham wrote he "panicked because I knew how bad it looked without sufficient context." He maintained that "almost nobody" knew he had a copy of the site's source code, and that he kept it "physically detached from the internet."
"In many respects, it was better secured than the original," Mangham wrote.
Mangham's copy of the source code would surely have been of interest to cybercriminals who attempt to use Facebook to perpetuate scams. But he wrote he had no intention of selling the code.
"It is also worth mentioning that I had the source code for just over three weeks with absolutely nothing to prevent me from making copies and redistributing it, this was more than enough time to have caused significant damage to Facebook or to find a buyer, if that had ever actually been my intention but quite clearly it was not," Mangham wrote.
"When you consider that the only thing that stood between Facebook and potential annihilation were my ethics then I think the fact that it's all still in good working order should serve as some proof that I'm really not one of the bad guys," he wrote.
Send news tips and comments to jeremy_kirk@idg.com
Comments
Kipperfillets said: Saying you should have mentioned the first offence wasnt because I was unaware of the fact but because you should have stipulated WHY YOU thought it harsh You should only enter into debate or critisism of what other say if you actually understand what you and other people have postedBTW - adding the argument about ISPs blocking sites doesnt actually add any value to what youre saying Im sure I could deviate from the point even further by mentioning even more serious things out there than not being able to access a web site
Maccyroo said: I didnt suggest that there should be no punishment at all Just that 4 months imprisonment seems a little harsh for a first offense in these circumstances Comparing this crime with that of someone physically damaging a persons property by breaking in and intruding is not veryfair eitherBear in mind that this is aperson who had expertise in the area of online securitywho had previously been hired by Yahoo
Kipperfillets said: If someone breaks in to a system to steal information despite having no apparent intention to gain from it there should still be a punishmentOtherwise you open the floodgates for chancers to do what they want knowing that if they get caught they can say there was no evidence they were going to do harm If they get away with it they would just have to wait a few weeks then when they know they are in the clear then sell the dataif I broke into your house how would you feel if I said I hadnt stolen anything so its OK
Martin Hughes said: At least he was not extradited to the USA for trial
Ben Hoath said: Facebook will want to make an example of the guy though to make it be known that they will not let intruders off lightly
AD_Macrae said: The mismatch between the Hacker ethic- however honourable- and commercial reality is the law If you do something illegal good intent is rarely taken into account Its also hard to prove Maybe he backed away from selling the source code out of fear of the probable consequences rather than because he honestly never planned to sell it On the evidence I feel he earns the benefit of the doubt but Im not acorporate lawyer a judge or a policeman They have codes to uphold tooThe lesson of this and similar incidents seems to be that its vital to get permission first If you think you see a chink in someones security call their security people and tell them Of course you might still end in jail Wouldnt be the first time
Maccyroo said: 4 months in prisonseems a little harsh if there is no evidence that heeither did or intended to do any harm to the site or sell the source code he extracted No doubt Anonymous will take their revenge on Faceboo at some time for prosecuting and in this particular case I may even have a little sympathy for them doing so