
https://www.facebook.com/whitehat

Facebook themselves have a policy of tolerance toward white hat hackery (basically `give us a reasonable amount of time before releasing to the public' and `do what you can to protect other users' privacy). I want to hear their side of this.



The title of this submission is completely inaccurate: the person in question is in no way a "white hat":

http://www.guardian.co.uk/technology/2011/aug/17/facebook-ha...

> Between 17 April and 9 May he is accused of downloading a computer program "to secure unauthorised access" to Facebook; of attempting to hack into Facebook's "Mailman" server; of using PHP script to secure access to another Facebook server, dubbed "Phabricator"; of sharing a PHP script intended to hack into that Facebook server; and of securing "repeated" access to another Facebook server.


This is deeply disturbing to me. I'm a participant in Facebook's whitehat program (http://facebook.com/whitehat) and have been awarded a cash prize several times. These accusations are things that I've either done, attempted to do, or succeeded in doing myself with the goal of getting paid for discovering a vulnerability.

>> downloading a computer program "to secure unauthorised access" to Facebook

Any basic security auditing tool falls into this category and this is something I've done all the time. Wish they would more clearly state what made his access unauthorized when my hacking attempts are welcomed.

>> attempting to hack into Facebook's "Mailman" server

I've attempted this too. It's a great target since it's 3rd party code, Facebook runs an out of date version, and some versions have publicly known vulnerabilities.

>> using PHP script to secure access to another Facebook server, dubbed "Phabricator"

I've attempted to do this and just yesterday was considering another attempt. It's a great target since it doesn't go through Facebook's normal release process, it's a large project, and it's open source.

>> sharing a PHP script intended to hack into that Facebook server

I've done this. Sometimes I need another set of experienced eyes to help me get a proof of concept working. Of course it was someone I trusted to keep my discovery confidential.

>> securing "repeated" access to another Facebook server.

I've done this too, both before and after Facebook announced their whitehat program. Before the program they thanked me and sent me swag, after introducing the whitehat program they started awarding me cash on prepaid debit cards.

I can only assume that this guy was prosecuted instead of thanked because he didn't tell Facebook promptly about his discoveries, or perhaps he used them to do something like stealing source code out of Phabricator (Facebook's code review tool). I wish the reporting of this did a better job of covering the details.


I've participated in the program as well (and I'm going to be interning with Facebook's Security team this summer). This incident doesn't worry me personally and I hope it doesn't worry anybody else. But if you want clarity, I think arice's comment sums up this particular situation very well:

http://news.ycombinator.com/item?id=3605343

> His attempt to access data was outside our whitehat guidelines, had clear malicious intent, and included extensive and destructive efforts to remain undiscovered and anonymous. In addition, he made no effort to contact Facebook with his discoveries, and even denied involvement when initially questioned. His attempt to claim he intended responsible disclosure only after faced with criminal action is false and insulting to the community of responsible security researchers.


Ah, that certainly clarifies it. Thanks!


Did you consider if you should have shared this admission of what probably amounts to criminal activity in USA?

The FB "whitehat" pages to my reading are in no way giving you a right to "security test" their servers. Their statement appears more like an amnesty, akin to "if you did happen to shoplift from Walmart and you choose to return the goods unspoilt, packaged and in saleable condition, then we won't prosecute you".

They also say, FWIW, that "Security bugs in third-party applications" are not included in the program; so that would rule out attempting to compromise Mailman.

Moreover they say "Security bugs in Facebook's corporate infrastructure" are ruled out from their program which to my mind rules out compromises on Phabricator - it's not a part of the publicly facing Facebook site but instead is a backend tool.

knock knock

If you were in the UK you'd be getting an extradition order for this based on recent history.


Facebook's Responsible Disclosure Policy applies to all Facebook properties. The exceptions you outlined specifically apply to our bounty program. Basically, we may not pay a cash reward for a security issue reported in Mailman (an open source tool), but we still appreciate the responsible disclosure and you absolutely shouldn't be worried about a lawsuit.


I found myself wondering if perhaps the 'white-hat' reference is a blunder in the headline. This article woefully lacks any actual details regarding what he did or how he approached communication with Facebook, only stating that he was a white-hat hacker for Yahoo once (which obviously proves nothing).


I searched around a little bit, since I found the lack of details somewhat disturbing. This is the best I found: http://www.seattlepi.com/news/article/Facebook-hack-lands-UK.... From the sounds of it, he broke into an employee's account (likely their work computer, possibly further access). I'm speculating, but that makes it sound like he stole some portion of the Facebook source code, coupling that with the "intellectual property" claims.

I'm curious about this line, towards the bottom:

   his intention throughout was to contact Facebook in due course when he had rectified their problems


Sounds like the classic "but what I would have done..." defence (unless they have backed it up with clear evidence, of course, I didn't check).


I agree, dubious use of the term white-hat. He hacked into their systems, stole the code, and kept a copy on an external hard drive. Didn't do anything malicious, but didn't contact Facebook about it either. They discovered the intrusion by accident, and it took them months to track him down.

So "keeping the data to himself and doing nothing with it" is considered white hat?


I think they are trying to distinguish it from those who actually cause harm.

I think he should be called gray hat. (Black: Harm. Gray: Does nothing. White: Helps company.)


> I want to hear their side of this.

Scroll up a bit and check arice's post:

https://news.ycombinator.com/item?id=3605343
