Prison Time For Manager Who Hacked Ex-Employer's FTP Server, Email Account (bleepingcomputer.com) 37
Catalin Cimpanu, writing for BleepingComputer: Jason Needham, 45, of Arlington, Tennessee was sentenced last week to 18 months in prison and two years of supervised release for hacking his former company's FTP server and the email account of one of his former colleagues. Needham did all the hacking after he left his former employer, Allen & Hoshall (A&H), a design and engineering firm for which he worked until 2013. Needham left to create his own company named HNA Engineering together with a business partner. HNA is also a design and engineering firm. According to court documents obtained by Bleeping Computer, between May 2014 and March 2016, Needham hacked into the email account of one of his former co-workers. From this account, the FBI says Needham took sensitive business information, company fee structures, marketing plans, project proposals, and lists of credentials for A&H's FTP server. A&H rotated its FTP credentials every six months, but Needham acquired new logins from his former colleague's email account.
Hacking? (Score:4, Insightful)
Or "using a password you picked up while still at the firm"?
Re: (Score:2)
This definition of "hacking" has always bugged the shit out of me.
The act of hacking is a beautiful thing. Figuring out someone's password and proclaiming you "hacked" them is fucking disgraceful.
Re: (Score:2)
Or "using a password you picked up while still at the firm"?
This, the headline tries to infer that he was imprisoned for hacking, the summary says he was imprisoned for corporate espionage, whether he did that by electonic means or walking out the front door with a bunch of paper files under his arm does not matter.
Re: (Score:2)
He was imprisoned for unauthorized access to a computer under the CFAA. Commonly, that's hacking.
Re: (Score:2)
If you can get past that misuse of language ("hacking" = using a password someone gave you before you quit), that company was also sending our FTP passwords to its users via unencrypted email. Whoever authorized that should be fired, and possibly sued in relation to this breach.
English Language Usage Tip (Score:1, Insightful)
"Using access credentials that you shouldn't have had, after you left" equals "hacking" now.
Right. That word really doesn't mean squat any longer. Thus we have:
Anything can be hacking and anyone can be a hacker, as the prosecutor likes it.
May you live in Shakespearean times, good sir.
English language usage tip:
hacker = someone who uses a computer against its owner's usage policy
hacking = any action someone takes to use a computer against its owner's usage policy
The sense of "hacker" as describing a person with great computer skills is now an archaic usage.
Re:bleepingcomputer tells it like it is totes hax! (Score:4, Informative)
Only the 'journalist' who wrote TFA used the word hacking. The actual court documents use the words 'accessed a computer without authorization'.
Amateur. You grab all of that before you leave. (Score:3)
Have to plan ahead.
Re:Amateur. You grab all of that before you leave. (Score:5, Insightful)
The kind of stuff he wanted gets stale very fast. That's why he had to keep "hacking".
Re: (Score:2)
Somewhere TV producers started applauding in unison.
Re: (Score:3)
Have to plan ahead.
And use a service account or root if it is unix naming it after something sounding technical and legit.
Re: (Score:2)
Have to plan ahead.
You'd think so...
I do support for clients in the finance sector. You'd be surprised how many people think that if they move these files a few months in advance, they wont get caught. Hell, I'm surprised how many of them still use email to do it. Finance company == log fucking everything.
Remove all your access (Score:1)
I am fanatical about it. As you are training your replacement remove all your access. Last thing I do is change my password to something like "N[Sf+JbQ*"X5ReXL54DwUp5>%&{lU3`yP^9T>Bumh~N"L"N9CB,Fu58", with me having no record of it. Then have my replacement disable my account. (Since most places I have worked we used Jira, accounts are really difficult to delete.)
This insures that I am never even tempted to see if I have access, and if some ID10T reactivates my account in the
Re: (Score:1)
Thanks for your concern.
News for Nerds (Score:2)
So just because the article contains the word "hacking" (regardless of how aptly it was used), this is now News for Nerds / Stuff that Matters?
Unless there are some mitigating factors here to discuss, it looks like this is a very open and shut case of "Idiot knowingly accessed a system without authorization and stole his previous company's data to use in direct competition."
In other news, everyone's local police forces arrested a number of people for various offenses which they allegedly committed.
Re: (Score:3)
"Idiot ... stole his previous company's data
Technically it's not theft, it's copyright infringement.That's much worse.
(Actually, I'm guessing there's some other term for accessing corporate secrets. Just couldn't resist the knee-jerk Slashdot correction.)
Oh, Lordy, FTP needs to just die already (Score:3)
Guy shouldn't have accessed it without permission... although going into a former colleague's email seems like a bigger deal to me. He deserves whatever he gets.
But, man, if they're running an FTP server in this day and age, this is likely not their only issue.
Re: (Score:2)
Given the lack of understanding of most reporters, it might have been an SFTP server, or even a Kerberized FTPS server. I'd suggest not over-interpreting a casual reference in a news report as proof of incompetence on one party's part.
Re: (Score:1)
Use S-FTP and Kerberize FTP. (Score:2)
FTP supports TLS and Kerberos. Why was it not a requirement that to use FTP, you need a Kerberos Ticket from the KDC?
18 months for being naughty? (Score:1)
Did he cause any damage except make a company feel bad the hard way for having bad security policy?