What I find most disturbing about this whole situation is the way in which these teenagers are handling themselves, especially after the fact. The continued denial of responsibility and half-hearted mea culpa, coupled with the monetary damage to those businesses who had been running on PHPFog, leads me to sincerely desire that these teenagers face a penalty of some magnitude, not just a slap on the wrist.
Maybe then they'll stop with the half-assed apologies and recognize that there's a right way and a wrong way to do things.
Maybe then they'll stop with the half-assed apologies and recognize that there's a right way and a wrong way to do things.
PHPFog built a castle out of sand and you're upset that a wave came and demolished it. I'm always surprised at how thin-skinned a lot of HN commentary is. "Oh, Zed shouldn't be so rude" "These kids' lives should be destroyed for playing games with an wholly insecure website." "I stopped reading that article because it used the word blowjob."
I don't get angry at my dog when he shits in the house. Being angry at something that can't understand only satisfies the urge to shift blame.
My dog shits in the house and it's my fault for not walking him sooner. If some children compromise every level of your company then getting mad at them is only trying to deflect the blame. PHPFog is the only responsible party in this mess. I feel for the customers who still trust them.
This isn't a wave knocking over a sandcastle or a dog shitting in the house. These are 16 year old kids, old enough to know right from wrong, and with the knowledge and skills to exploit the system. And once the exploit worked, they didn't then responsibly disclose the problem to PHPFog; they started vandalizing, changing passwords, and the works.
This is like someone finding an unlocked door to the apartment building's maintenance office, taking the master keys from there, rifling through a bunch of people's personal belongings, sticking signs in the windows saying "this building's landlords suck," and changing the locks on some of the doors to make it hard to clean up the whole mess.
They absolutely are the responsible party; you should never blame the victim of a crime just because the victim didn't take adequate steps to defend themselves. If I accidentally leave my door unlocked one day, that does not make it suddenly OK to come in and take my stuff and it's my fault for not having locked my door, instead of yours for taking my stuff.
Now, in this case PHPFog does bear some responsibility, because they have a duty to protect their customers as well as possible, and from reading about how this happened, it sounds like they were amazingly sloppy and irresponsible about it (passwords stored in the clear on the server, passwords shared between various accounts, leaving unsecured shared systems running after beta launch, etc). But that doesn't reduce the culpability of the attackers; they acted maliciously, with full knowledge of what they were doing, vandalized systems, changed passwords, and bragged about it.
I'm now nearly 25, and the amount I have changed since I was 16 borders on the immeasurable. Teenagers are glorified children. We seem to forget how little reflective capacity we all had when we were teenagers.
If I were 16 and hacking some stupid website, I would think, sure this is "wrong", and I might get in trouble, but I probably wouldn't think that it would matter 5 years from then, or 20. Truth is, a criminal infraction can fuck your life up worse than is deserved. You could be forbidden to immigrate to your wife's home country, denied any worthwhile job you can find, or spend a sizable portion of your life in a smaller cage than they house animals in.
There's a reason juvenile law exists, but we forget it. We charge 12 year olds as adults. This isn't that different.
Hell, where I live, a lot of employers will check the sheriff's website for public arrest records. These aren't convictions, they're arrests. People are being denied jobs based on accusations.
I've never gotten so much as a speeding ticket, but even I realize what a load of shit this all is.
So when they turn 21, a "be responsible" switch will magically flip in their minds?
The job of parents and society is to teach children responsibility. That means having consequences for your actions. And the closer you get to adulthood, the more adult those consequences should get.
When I was a teen, some real estate developers tore down a bunch of woods where I had always played and started building a house. I was ticked and I vandalized the construction site. But my crime was discovered, and I had to work carrying lumber in the hot sun and scraping glue off windows to pay back the damage. Why did I have to do this? Because the developer talked to my parents. And my parents made me do it.
This was light punishment - I wasn't taken to court, and I didn't get a criminal record. But parents are to children as legal system is to adults: they set the rules and enact the punishments. If they don't, someday the legal system will have to address their failure to do so by locking up their grown children who never learned right from wrong.
I'm not sure what the consequences here should be, but the argument "they're kids, they can't be held responsible" is silly. If they're not expected to be responsible, they won't learn to be responsible.
What you're saying is fine. Its probably the better adult way to handle it - talk to the parents. Other people are suggesting FBI/Criminal law. How would you have fared/grown up if they sent you to court?
Do note that since he is tech oriented, he probably now knows what a S* storm he has kicked up - the blog response pretty much ensures that he is aware. I assume you would be sweating bricks if you knew that the FBI was coming after you AND that you had hand delivered a bullet point confession. I assume thats a pretty strong deterrent (in his specific case)
(Incidentally fighting to stick up for your woods was a kinda nice thing to do, modulo the amount of vandalism you pulled off.)
I see your point, but not all teenages would do this even if they thought they would not get caught.
While I agree that the full force of adult law is probably inappropriate, some punishment should be exacted. Perhaps some sort of injunction regarding limited access to the Internet for a time (to be enforced by their parents, and to include replaying any fancy 'net capable phones with a good old not-even-got-GRPS mini-brick phone for the duration).
If I left my front door open and some kids came in, raided the fridge, broke the TV and ran up a huge phone bill, I would not expect them to get away completely unpunished. I'd not want them put away, and I wouldn't want it on their permanent record unless something particularly immoral was done (harming the cat, for instance), but I would want something to be seen to be done to educate them on right/wrong and act as a deterrent to others. I would also expect to be laughed at for being daft enough to leave my front door open!
These are 16 year old kids, old enough to know right from
wrong [..]
These kids were being assholes, but that does not warrant federal charges. The problem is that we can choose between unsatisfactory public shaming or thoroughly ruining their lives. There is no middle way, where they get an appropriate punishment, fitting the damage done. If harsh punishments were a deterrent, these kids would already have been deterred, because there are plenty of examples of teenagers harshly punished for relatively minor computerrelated crimes. I'd rather see them grow up to become, probably average, members of society.
Also, whether they know right from wrong is a question whose answer definitely isn't as clear-cut as you make it out to be. There's a reason we don't consider them adults yet.
This is like someone finding an unlocked door to
the apartment building's maintenance office,
taking the master keys from there, [...]
Yes, in theory, it is. But in practice, it's not. Especially if you're still a kid. It's easy to miss that there's something going on in the real world when you're doing damage "just online". (I know I sound like the "You wouldn't steal a TV! Why do you download movies?" crap-ad, but I hope you get my point.)
I've been a 16 year old idiot myself. After doing some stupid things to a website I was threatened with some trouble. I could avoid it by having extensive talks with the site's owner, and paying for their losses, but still, I learned my lesson: everything you do on the internet, in the virtual world, has an effect in the real word. Also it was an urgently needed wake-up call for me; I learned to think twice and since then haven't done any nasty stuff without considering its impact.
So in my opinion some sort of punishment is needed for the kids to learn their lesson. The FBI or other federal institutions shouldn't be involved. Talk to them, I'll guess they're nervous as shit right now! Just bill them the time you needed to tidy up the mess they left (or a fraction thereof), and I think both sides are good.
I really like the unlocked door analogy, but there seems to be some kind of disconnect in everyone's mind when it comes to "online" crimes.
Door locks are extremely "exploitable", but if a 16 year old were to use a bump key to gain access to PHPFog's corporate office and vandalize the place, all of the sudden it's a much bigger deal.
I have a theory that it has to do with familiarity and empathy. Door locks are a pretty standard solution. We all have them on our homes, and we think to ourselves, "I've done a reasonable job of securing my home." When someone's home/office is broken in to, we can easily identify with them. We look at the scenario and realize that we could easily suffer the same. We empathize with them.
Move the playing field to the Internet and all of the sudden everyone is expected to have Fort Knox level security. When someone's infrastructure is compromised, everyone stands atop the high hill, looking down on the drowning masses as the tide comes in, but the reality is that we're all vulnerable at some point.
A startup could easily spend as much on security as they do developing their core product. Why? As a startup, I'm not going to invest in double-reinforced steel doors, bullet proof glass windows, armed guards, and a centralized vault. That's wasted money in my view, because I have a reasonable expectation that people will act with civility. If someone does break in, I'm insured, and I will report the crime to authorities who will investigate. If the criminal is caught, there are real penalties, and they'll carry the stigma of having to check "YES" next to the "Have you ever been convicted of a felony" on their job applications.
I'm not saying we should try these kids as adults, but when I was 14, some kids who shared a bus stop with me broke in to a house near our bus stop and trashed the place. They got caught and suffered some severe penalties. It was a valuable lesson for everyone involved. A couple of the kids were from really bad homes and suffered from greater influences than the threat of the law, but the other two turned their act around really quickly. Had they gotten away with it, or had the attitude been "they're just kids", I'm not sure they would have realized the impact of the crimes they committed. I think we need more of this balance in our views of internet crimes.
While there's a lot of emotional appeal to seeking justice in this case, my inner pragmatists says that this should really be looked at as free penetration testing for PhPFog. If this kind of hacking had stiff penalties (as you desire), only those with truly malicious intent (and probably financial motive) would do it. Likewise, the consequences wouldn't be some petty vandalism, but serious financial damage.
The fact remains that the site was insecure enough for a 16-year-old to find his way in. And the contributing factors to this insecurity might not have been identified had he not performed the attack in the first place.
"you should never blame the victim of a crime just because the victim didn't take adequate steps to defend themselves."
This reasoning is not applicable when the victim is a corporation who gives implicit or explicit guarantees to their customers about security. Your example should be: if you stored your stuff at a paid storage facility and someone there accidentally left the door yo your unit open.
I wouldn't care if it's a bunch of teenagers or Chinese cyber-warfare team who breaks into my Gmail account, I'd be mad as hell with Google for letting this happen.
Pressing charges against the proprietors of the crime will not change the fact that this host acted in a very irresponsible and sloppy way, and is in short untrustworthy.
I work with 16 year olds on a daily basis. Many, if not most, of them have a severely underdeveloped sense of morality, and know "right" from "wrong" no more than adults dictate to them.
"PHPFog built a castle out of sand and you're upset that a wave came and demolished it."
Your analogy is slightly off. A wave is an act of nature: this is more along the lines of a jealous kid who knocks down someone else's sandcastle because he can't build his own.
"I don't get angry at my dog when he shits in the house. Being angry at something that can't understand only satisfies the urge to shift blame."
While some HN posters might feel the the 16 year olds involved in this incident have the same mental capacity as your dog, I'd like to give them slightly more credit. ;)
I can only speak for myself here, but I do think the people involved in compromising PHP Fog should be punished. No, I don't think they should get life in prison (</hyperbole>): I hope they can learn from their mistakes. However, they did commit a crime, as they've admitted both here and elsewhere online. They should be capable of understanding that their actions have consequences, so I think some consequences are in order. What those consequences should be is up to PHP Fog.
Your analogy is slightly off. A wave is an act of nature: this is more along the lines of a jealous kid who knocks down someone else's sandcastle because he can't build his own.
In terms of moral culpability, sure. But when I put systems on the internet, I basically treat "intrusion attempts" as in practice part of the environment, like "mosquito bites" are in Texas. Perhaps they're best thought of as kids knocking down sandcastles rather than ocean waves, but their ubiquity makes them feel more like ocean waves, because you can basically assume that there are tons of those kids, and they're going to kick at your sandcastle every day.
The fact that there's a whole ecosystem of bots running automated intrusion attempts makes them feel a little bit force-of-nature-ish as well. If you lived in some neighborhood where thousands of roving robots were constantly checking doors to see if they could find an unlocked one, you'd have to treat "roving robots" as a quasi force of nature. Well, either that, or come up with a policing method that finds the controller of the robots and shuts them down, but I have relatively low hopes for how much of a dent "cybercrime" policing will make in the overall online-intrusion ecosystem.
From the perspective of security protection, intrusions are an act of nature. You should be no more surprised at an especially strong wave than you are at an exceptionally immature child.
"Act of God is a legal term for events outside of human control, such as sudden floods or other natural disasters, for which no one can be held responsible"
Do you think nobody can be held responsible for this breach?
My point is that you must treat intrusions as an inevitability when trying to counteract intrusion. And anyone who builds a sandcastle should be aware of the ocean. The kid's breaking into this account is embarrassing.
Just because we can hold individual humans accountable (and should) doesn't mean we shouldn't have the perspective of "CONSTANT VIGILANCE."
Certainly should have to treat intrusions as inevitable in designing the system, but there still is responsibility on the part of the intruder.
I lock my door because I consider it inevitable that someone will eventually try and break in. However, if someone does break into and vandalize my apartment, I sure as hell would consider them responsible and not consider in an act of God.
I never claimed it was acceptable. Only that it was irrelevant. Why should anyone besides PHPFog's lawyer and the kids' parents care? It's because PHPFog chose to play PR guru and throw the drama into their postmortem as a distraction.
Does it matter to you if some kid in Australia is brought up on charges? No?
Does it matter to you if a hosting company is competent in securing their servers? Yes?
Any discussion of who did the hack servers no purpose other than to distract from the only issue that matters to anyone which is PHPFog's security.
PHPFog fucked up security, that's a given. And they should be thinking carefully on the lessons learned from that.
But your post seems to imply that the kids who did this have no responsibility for their actions; "it was just waiting to happen". This I strongly disagree with (not least because I work with 16 year old kids and they are completely able to take some level of responsibility for their actions).
Sure, at 16 your world view is incomplete and you can make rash decisions ("for the lulz") that backfire bigger and faster than you imagine. On the other hand there is no doubt they knew the illegality and the ethical issues with undertaking this - even if only vaguely.
And if they do not completely understand those issues, do you not think they should be taught them? As responsible adults we should be getting across to them in a sensible fashion that this was not a nice thing to do, and that the impact could have been a lot wider than it was.
Because if we don't and next time they do some real damage, well, that was an opportunity lost.
FWIW I think he crossed the line by causing damage. If I caught a kid breaking into my house I would probably drag him home to face his parents. But if he started smashing plates I'd be a little more pissed, that is a wanton act and probably needs a more severe punishment.
Sure, criminal charges are a silly approach in this case (no need to ruin his life for one silly mistake). Call his parents, explain what has happened and then get him to do some sort of "community service". That's an important lesson in consequence.
In this modern world 16 year olds are not nicking alcohol from the corner shop any more; they are breaking into websites. And that has potential for much more dramatic and widespread impact. We need to stop saying "oh, they're only kids". Instead we should recognise that 16 year old "hackers" exist on the internet and think of ways to communicate with them (ideally in a way that gives them an avenue for their curiosity without risking too much damage :)).
Bottom line; a 16 year old kid is a far cry from your dog when it comes to the ability to "understand" what you have done.
I'm sorry, but in between your Straw Man argument and your indirect Ad Hominem attack, I fail to see you address the point that these kids caused harm to a business. Nowhere did I say that PHPFog bears no responsibility for the security of their service, but that doesn't excuse what these kids did one bit. I'm just much more impressed with the way that PHPFog is handling their business after the fact than these kids are. Nowhere did I suggest that these kids lives should be destroyed, however I do believe they most definitely need to be held accountable for their actions. PHPFog will be held accountable for their actions by whether or not businesses decide to do business with them going forward.
Both parties bear responsibility, and it's absurd to think otherwise.
>I fail to see you address the point that these kids caused harm to a business
Very well. These kids caused harm to a business. So what's that change? The business screwed up, badly. The agent of destruction is quite irrelevant. Had it been a power failure, backup failure, permissions failure, data leak, or data corruption would PHPFog deserve any less blame? This need to shift some responsibility to a bunch of kids is nauseating.
>I'm just much more impressed with the way that PHPFog is handling their business after the fact than these kids are.
This is another example of the weird HN mentality when it comes to companies "apologizing" (Like WakeMate blaming their Chinese manufacturer for flunky power supplies). Are you actually impressed that a corporation has better PR than a bunch of children? Does that even make sense to you? I'd be impressed if they had managed to actually apologize while accepting all the blame without trying to pawn off the responsibility for their mistakes on some kids.
> This need to shift some responsibility to a bunch of kids is nauseating.
They aren't shifting responsibility. The kids are responsible for their own actions. They did something illegal. They are responsible for it.
Now, PHPFog is also responsible for protecting their customers; they are supposed to provide a secure hosting environment. PHPFog is a victim here, but has also acted irresponsibly with regards to security (not criminally irresponsibly, but if harm did come to their customers due to this, there could be possible civil liability). The fact that PHPFog bears some blame for their security practices doesn't take responsibility off the kids who broke in and vandalized their systems.
With security that lax at PHPFog, it was inevitable that someone would have broken in. In that sense PHPFog was lucky... had these security problems not come up now, and be exploited by little punks with no larger agenda than vandalism, there could have been much more more serious damage later. What if some cyber criminal gang had turned their attention to PHPFog, and been a bit more subtle about the breakin?
I was appalled at the frequent mentions of 'luck' in that blog post. Your job as a sysadmin is to eliminate luck. To eliminate chance. To make _sure_ everything stays running, everything stays secure, everything stays confidential.
No, they are mentioned because they are the criminals who intruded and vandalized the system! Without them, none of this would have happened. There's no shifting of responsibility, since the kids who vandalized their system are responsible for their vandalism.
I can't honestly imagine what kind of moral system you have in which you don't believe that criminals are responsible for their own actions. If someone breaks into your home, is it your locksmith's fault, or the police's fault, or your alarm company's fault? No, it's the fault of the person who broke into your home. Perhaps one of the other parties mentioned was negligent, or perhaps not negligent but they could improve their security practices (install stronger locks, upgrade your alarm system, do more patrols in your neighborhood), but it's still the fault of the person who broke in and vandalized your home.
>No, they are mentioned because they are the criminals who intruded and vandalized the system!
"They" are not relevant in any way! "They" are tabloid meat for an internet drama. "They" are a distraction from the fact that a hosting company had piss poor security surrounding the core product. The entire story could be told without mentioning the hackers by name, or providing any biographical information. The only reason to include them is to distract from the real issue.
Replace "16 year old" with Russian, Chinese etc. Yes, vandals are bad. That's not exactly in question. In question is the sheer gall of PHPFog to shift blame to some kids to try and cover their embarrassment.
I think the blog post should be rewritten. Instead any mentions of the hackers should be completely neutral. Then it will be PHPFog getting out there and taking responsibility for their mistakes.
No distraction. No hand waving. And no tabloid drama.
Agree - creating a tangible identity to the villain is pulling heat off of PHPFrog.
Lets put it this way - a 16 year old kid who got lucky broke their site.
If it was anyone with intent, we would not know.
This is a case study in how to handle a situation like this. Its brilliantly done, inclusive of the comment where he says "the community is standing by us".
Perhaps a little mention would be good, but the way they make it the key points of the post, and so many people commenting on it accept it, disgusts me.
The major problem with your analogy is that storefront windows don't have hundred or thousands of bricks thrown at them everyday. Web hosts are basically under constant attack. Would you suggest that the CIA, NSA, etc. not worry too much about their computer security? If not, then I don't see why you would imply a web host shouldn't be expected to secure their servers as much as possible either.
If a storefront was under constant attack, then yes, they should have bars over it. In fact, in my hometown, there was a streak of vandalisms where kids were throwing bricks through windows. After getting hit 3 times, one store replaced their huge glass windows with smaller plexiglass ones.
I'm well aware of victim blaming, but sometimes it's justified. If someone hacked into your bank account and stole your money because of a security flaw your bank decided to put off until later, surely you would lay blame on your bank as well, no?
Let me be perfectly clear, lots of the blame lies with that attacker. But it is also the responsibility of the a web host to fortify their systems sufficiently, which clearly wasn't done in this case.
I promised myself I'd avoid another analogy but...
If I give the bank my money and the next day I get an email saying "Sorry, we didn't feel like locking up last night and some kids looted the vault." I'd have a hard time calling the bank the victim.
And something concrete:
PHPFog knew the holes existed and were negligent. I would say they even have some contributory negligence (IANAL). Especially after admitting they knew they were vulnerable.
1. We don't treat them like adult criminals (necessarily), but we certainly treat them like criminals. Here are some examples (some harsher than others):
Banks are absolutely considered victims, but if the victim didn't do their due diligence with respect to keeping their vault secure, then they absolutely share in the blame.
It's pretty simple: both parties are to blame. PHP Fog did not do due diligence in securing their servers, and the attackers committed illegal and distasteful acts.
If I leave my front door unlocked and someone walks in, there are several possibilities. If they just look around and leave, or say lock the knob behind them and walk out, that is one thing. If they smash my furniture and knock over all my plants, that was their choice, right? That action is illegal and immoral regardless of the fact that it was my negligence which made it possible. We all know these dumb kids should have reported the vulnerability responsibly. That would have benefited everyone, especially themselves. They might have been getting job offers instead of bad reputations.
If you were walking down the street and my 9-year-old daughter were to run up to you and stab you in the eye, is it your fault for not wearing a helmet? Everything is penetrable given enough time, money and patience. I agree that PHPFog made some mistakes, but it's not like they were being willfully negligent.
Wow, never seen condescension clothed so well before. You should realize that by saying "PHPFog is the only responsible party", you are open to some perverse accusations (like, if your kid turns out to be a criminal, you and the victims are completely to blame).
He is 16 and SCARED. What do you expect? A slick PR campaign? Heck in some other countries, kids aren't even considered adults at that age.
He is naive and immature and realizes what he did is wrong. To make amends, in true 16 year old fashion, he gives a bullet list of errors to try and help undo the damage.
For his inability to communicate, show restraint, maturity, planning and foresight, for the very crime of being young and immature, he gets people wanting to throw the book at him? In that case, can we please, pretty please, torch wall street?
Its quite likely that he realizes that giving an error list is BAD and STUPID, and now is trying to back pedal by putting on a brave face to ignore the bone headed-ness of his (compounding) mistakes.
Try and imagine exactly how YOU would feel if you had a huge amorphous mob saying "The FBI should come for you"? At 16 you have NO scale in your head to cope with that.
Restraint is (one of) the hallmarks of maturity. As is intelligence and not taking good faith for granted - like not sending a list of errors you can be prosecuted for.
Here is what I would do - call this kid parents and Leave it at that. Let the family know how close he is to being in BIG trouble. If you want to do one better, give him a constructive outlet. He is already probably one very, very, very, miserable and frightened kid right now. And he should be.
Its called grace forgiveness and wisdom. As adults, we are supposed to have it. You are NEVER going to deter kids from being kids. So you need to ensure that they are scared and know where the line is drawn, so that they can become effective productive Adults.
I know, they acted as if they could get away with it by apologising. However, whatever you think of PHPFog, a lot of people have invested everything they have in that project, and it could have (and still could have) done irreperable damage to their reputation and investment. Big companies can tank this crap but attacking a new startup is like punching a child.
I don't know if you were ever a teenager, but I remember when I was a teenager I had a willful disregard for consequences or how my mischief affected others.
I think they should definitely get something a little stronger than a slap on the wrist, but also remember that they're just teenagers who don't know any better. All they really need is enough of a punishment to learn their lesson, and they'll probably end up productive members of society.
Maybe then they'll stop with the half-assed apologies and recognize that there's a right way and a wrong way to do things.