A lot of hackers are just kids that make a stupid mistake. During their time in jail, their skills get soft or they'll get hardened by their time there. My hope is to let them know that people on the outside still are thinking of them and to help them keep their skills up-to-date.
I'm a bit overwhelmed with a startup at the moment, but I anticipate the non-profit to be formed and to launch sometime in the fall.
The judge sentenced him to two years' probation, citing his rough childhood and the way he had worked to turn his life around as considerations when it came to deciding on the relatively lenient punishment.
The arrest at gunpoint sounds quite dramatic, but then again they let him stop for coffee and a cigarette on the way out, so this is not the typical SWAT. They did offer that it was a concurrent raid along with Sven Jaschan (author of Sasser) and they thought there was potential for a tip-off. I was cringing the whole time reading about the interrogation. I can imagine this whole thing would have ended so much worse for Gembe if he had actually gone for that job interview. Just try and compare Gembe to Weev, you might start pining for good ol Schönau im Schwarzwald.
It is justified what you did was illegal and not cool but they had the chance to turn it into something positive.
There are no buts here. Non-violent offenders shouldn't be arrested at gunpoint. And it's not just a matter of scaring someone, it's a matter of public safety. I don't get why whenever an issue like that comes out, there is always someone jumping to defend dangerous practices like that.
And this guy also stole people's software keys.
If they were talented coders, they could've found less destructive ways to make money. But he decided to go the greedy route.
Let me guess: you are a US citizen, or anyway live in a country where developer positions abound. Well, not everyone is. Some people live in small towns where the cool programming positions are adapting invoice management software for small businesses.
Also this was before Freelancer.com, before code.org. And he was a boy, he couldn't just relocate. Also, before the App Store.
This is exactly the curiosity that people who enter the InfoSec world feel, coupled with real skills. Often too much skills and too little to do to start.
Then you stumble upon a IRC channel and a world of challenges opens in front of you.
By the way, he asked Valve to hire him. Maybe he just didn't find "less destructive ways to make money" yet.
Don't judge if people are oppressed (or better, repressed) if you have never been, please, either because at that age YOU had the occasions or guidance, or because you hadn't that curiosity or talent.
That's a legitimate programming job. Cool software rarely makes money. Cool software that makes money (game development) doesn't pay very much.
Then you stumble upon a IRC channel and a world of challenges opens in front of you.
A book is far more challenging, because in an IRC channel you're a fish in a small pond. Eventually you grow to be the biggest fish, or forever limit yourself to being small. What a book can't give is peer recognition. But peer recognition is a vain motive, and vanity is rarely lucrative. A book also can't answer questions, but you can use IRC or a website like stackexchange for that.
If anyone reading this has personal experience flirting with blackhattery, please carefully consider what you're doing and why you're doing it. (And if you'd like someone to talk to, please feel free to shoot me an email. I'd like hearing about your experiences and your thoughts.)
This was in 2004, 3 years after the dot com bubble burst and was getting rosy again. Everyone and their mother with a blog was making hundreds a month.
Programmers have been peddling shareware since BBS days.
Are you really calling Germany a 3rd world country?
> Some people live in small towns where the cool programming positions are adapting invoice management software for small businesses.
So why is this not legitimate work?
> Often too much skills and too little to do to start. Then you stumble upon a IRC channel and a world of challenges opens in front of you. Don't judge if people are oppressed (or better, repressed) if you have never been, please, either because at that age YOU had the occasions or guidance, or because you hadn't that curiosity or talent.
This is a pretty arrogant statement. Many programmers don't program malware not because they aren't smart enough, they don't do it because it is socially unacceptable and they don't have a criminal mind.
If you feel the need to "learn" about security, don't exploit, trojan, or ddos my server. Do it to your own computer.
I'm about four years older than Gembe, when I was 18 I endured:
Threats of violence, death threats, constant insults (such as 'paedophile', 'baby rapist', 'retard', 'cunt', 'fat cunt', 'queer'), people spitting in my face, prank calls at two in the morning, false accusations (eg. being accused of threatening someone, said someone would regularly say to me "I'm going to kick your fucking head in"). Being called 'cunt' every other day tends to become a drag after twenty years or so.
My 33rd birthday is fast approaching, I still have trouble with other members of society treating me poorly. When most people go to work, they don't expect to put up with threats of being punched in the face. When you complain about your treatment at work, you don't expect to lose your job a week later.
I've spent the last two years learning programming, ten years ago I decided to learn a load of maths (my education wasn't that good). On both occasions the response often was "stick to what you are capable of" or "go and learn something useful instead". Or how about the time someone at the Job Centre decided I was incapable of filling out forms by myself, then filled it on my behalf without my permission, complete with a few silly spelling mistakes.
Gembe sounds to me like he has had it easy.
Nice justification of criminality. "But I was bored and talented!"
Oh dear, who are we to stand in the way of your genius then?
That's been essentially my entire (for money) programming career and I adore it, taking a crappy manual/outdated process and refining it to create a tool that becomes a core part of a customer's business is vastly rewarding to me.
I don't think it's particularly farfetched to expect relatively socially ostracised teenaged boys to not make the best judgement decisions right as they are developing their computer science skills. Most of them end up becoming relatively well-adjusted (within the scope of an introverted computer nerd) people so why not help them in that development?
What have you been up to over the years? It'd be cool to hear about your career and life in general.
Few people in US prisons [1] deserve what they're getting. It takes a cold-hearted prick to honestly believe what you've written.
[1] While this guy wasn't, the sort of people deftnerd is talking about are.
By the time I was 21, I certainly wouldn't have done something like what he did. But, just a few years earlier, say at 18, yes, I did stupid things. In his position I probably could have done what he did. At that age many "boys" brains just aren't developed enough to truly understand right and wrong.
I'm not saying they shouldn't be punished. But I am saying they definitely shouldn't be punished harshly. In this case he was lucky to receive two years of probation as punishment. Something like that, or perhaps what we call "community service", is certainly more appropriate than throwing him in adult jail with hardened criminals.
Depends what you mean by that. In this guy's case, had he boarded the plane he would have gotten two decades in an American jail, versus two years of probation in Germany. I think he should be held accountable, but somehow, given the nature of the crime and the surrounding context, I think Germany got it right.
morally right but not condoned by the government.
^^^Not everybody does it for money; actually, his motivation was quite clear: he liked the games but couldn't afford to buy them legit.
A situation I can relate with given I've been in a similar one.
Nowhere in this article was there a mention of hacking in order to make money.
Fortunately he was apprehended by the German Police, but things would've been way different had he taken that plane.
[1] There's a great presentation from him on video, including analysis of OPSEC failures from other hacker groups: https://www.youtube.com/watch?v=9XaYdCdwiWU
[2] Another timeless classic: "Don't talk to [the] police", which explains why it is never in your interest to talk to the police when you are suspected of a crime (even if you are innocent): https://www.youtube.com/watch?v=6wXkI4t7nuc
Not allowed to send books for UK prisoners as it contravenes their new "incentives and earned privileges scheme". Books are a luxury to be earned, apparently. http://www.theguardian.com/society/2014/mar/24/ban-books-pri...
I was lucky and got a slot that provided the full 80kbyte/s. I finished the download first, but my PC was pretty old back then so I didn't even bother trying to run it. Instead, I removed my hard drive (my system drive!), picked up a friend and we drove to another friend who had the fastest PC at the time. About 30 mins later all of us (I believe 5 or 6 guys) gathered in a tiny dorm and just stood in awe as we booted up HL2.
There was barely any gameplay present. You could just walk around in some maps and admire the graphics. It didn't matter. If we hadn't been stoked before, we were now.
In hindsight, this all was just an amazing PR stunt. Fun times.
That Valve worked with the FBI to get him sufficient permission to enter the US with the false pretense of getting a job seems to make this feel like much more personal than anything else.
And I'm left scratching my head as to what it really would have accomplished...
Of course, when the game finally came out to rave reviews, all was forgiven.
The Source engine is also licensed to other games. If the code is public, other engines could copy their features.
Also it is very annoying to re-secure all your computers after you have been breached. Every single person has to change their password and you don't know what backdoors the guy has installed without a full wipe sometimes.
Like other commenters said, they used him as a scapegoat; he did zero damage except make poor ol' Gabe worry.
Also, can't say I buy the hypothetical piracy cost. Does anyone have any examples of other engines copying Source features from the source code?
Also, who else had access to their network? This kid getting caught may have saved Valve from other breaches...
"Valve time" was already universally accepted. Between Half-Life, TFC, and Counterstrike, there was an enormous amount of good will towards this company even back then. Plus, we were already used to "Valve time" because it was actually "id time." Id had been doing it for nearly a decade before HL2 came out.
>Additionally they had demo'd at E3 and claimed the demo was not scripted, whereas the leak showed it was almost entirely so.
The guy who obtained the source code himself said that there were so many builds on Valve's servers he had no way of knowing whether or not he had the most current build.
I think that if he wasn't German, but from another 'major' or 'minor' EU country, Australia and many others, he would have been extradited in no time to the US.
I don't know where the cycle goes from here. Maybe the real wisdom is feeling bad for both?
"This was actually one of the interview questions, don't know why they didn't use the answer. I work as a software developer and a bit of a system administrator. I work in a company that does physical security, like fire alarms and such. Most of the work I do is programming PC control software for our systems and also quite some firmware development for various uCs. I know quite a bit of different assemblers. Measurement and automation is another field that I'm currently learning more and more."
What was done, is done. Wish you all the best in your life.
http://www.reddit.com/r/gaming/comments/fpkav/the_boy_who_st...
I think the German police officer was right. If you got arrested on US soil, (your side of) the story could have been very, very different.
Valve's use of SourceSafe at the time is another black mark, though not related to the security breach.
Developers != System Administrators != Security Experts
ps. The most important part however, are the developers, without them the other two groups wouldn't exist. :-)
The difference in the way he was treated by police and the justice system (and how different it is than what we've come to expect in America) is what struck me the most about this story.
Swartz was NOT facing anywhere near 35 years in prison. He was facing, if he went to trial and lost on all charges, and the court decided that he had caused a large amount of monetary damage, around 7 years. If he had taken the plea bargain that was on the table, he was facing a few months.
Prior discussion with more detail: https://news.ycombinator.com/item?id=7004640
>Swartz was NOT facing anywhere near 35 years in prison.
You know why people keep using that number? Because that's the number the attorney's office itself used in its own press release. That's why. But OK, let's be reasonable here. I'll fix it:
>"Compare that to the $1 million fine, up to 35 years in prison (followed by 3 years of supervised release) Aaron Swartz was facing"
There fixed it. Happy??
I'm sure from your armchair perspective, you can find nuance in saying that he wasn't __likely__ going to get 35 years, instead, he'd get a quick 7. Yet, I think if you're in that position, you may still be looking at that 35 or 50 year number. The sentencing judge could have made an example out of him as well, no? It's not like it never happens. And of course, the best outcome is that he's looking at 7 + . Justice!
Of course this raises another relevant question. Why is it that prosecutors like to load-up on charges to get their nice maximums? Is it so that their office can do those great press releases extolling how tough on crime they are? Or maybe to bully the defendants into taking whatever deal they cook-up in order to get another notch on their conviction belt? If you think 7 years (here's your nice, reasonable almost-a-decade number, happy?) is what the law calls for, why not charge him for 7 years?
>If he had taken the plea bargain that was on the table, he was facing a few months.
That's right, he didn't, and then the prosecutor loaded up 35 years of charges and pulled the plea bargain off the table. Because why? To teach the next guy to not be so uppity and force them to kowtow to prosecutor demands?
Ridiculous.
It's almost as though, by treating criminals so harshly as we do here ("tough on crime" is a popular slogan for politicians), that instead of reducing crime, we reduce our society's recognition of each individual's humanity and value, and thus cause crime to rise.
The fact that they were setting a trap for him was also relatively shocking. Don't they have to follow due process?
It's Valve's fault for letting a 16 y/o install malware on their computers... When you are developing something you got to be serious about its security as well if you want it to remain a secret. It feels to me like their employees and IT department had no actual sense of what security was (employees going off installing whatever on their computer, and IT team not being able to track down malware and outgoing packets to unknown sources...)