Just a reminder of how fucked we all are any time a social engineering attacker wants to target us.
I once thought I was safer since I don't even have an American address anymore and have been living abroad for years.
Nah, Amazon customer support answered an attacker's "so where was my last item shipped to" question after they authenticated by giving the support rep an address I used as a shipping address for one item almost 10 years ago.
The poor kid in TFA was doing some free social engineering pen testing.
"Mr Obama's senior science and technology adviser John Holdren had his personal accounts hacked and Gamble passed all of his personal details to an accomplice who used them to make hoax calls to the local police claiming that there was a violent incident at Mr Holdren’s house resulting in an armed swat team being deployed."
That's the danger of doxxing, once it's out there any sociopathic edgelord can order 15 pizzas, swat you, basically do some shit to fuck with you, except people get killed when SWATting occurs and you can just say I didn't order these when the pizza guy shows up.
He seems to have some anti US sentiments, but went with trolling random members of the machine rather than quietly collecting information & passing it off to wikileaks
Quick thought: had he continued for years, he would be tried as an adult and completely screwed. As it stands, his adolescent trolling mentality has indirectly allowed him to have a chance at a normal life.
When he was 15 (about 15 years ago), he had the chance to do a lot of damage. He roamed in sites that store credit card information in an Access database (they didn't have PCI back then). He roamed in servers that have everyone under a www-data account and "partition" people with FTP accounts, so a script that allows you to traverse the .. dir would get everyone completely screwed. He used to ship items to himself. He got someone fired from his programming job because of his shenanigans.
Oh my gosh, he would have been so screwed if anyone ever made a big deal of anything he did.
But somehow that friend of mine didn't make the news - He went unnoticed. He went on with his life, and now he has a relatively normal life and does well for himself and everyone around him.
From his story, I always have the belief that adolescents will change, if they are forgiven and shown the way by seniors.
> He used similar methods to access Mr Brennan’s AOL account and eventually Gamble was able to access his emails, contacts, his iCloud storage account and his wife’s iPad remotely.
though I don't know if the security question reset path is closed.
There was a small flare up earlier this year about people hijacking cell phone numbers, which then of course let's you take over all sorts of accounts since you can defeat the (relatively) poor security of SMS-based OTP.
It's also pretty crazy to me how easily he received access to these top secret databases when he was pretending to be essentially the CEO.
I would never let my manager into my Linux systems, just to make an analogy. I give my manager a report on what's going on but I'd never let them in. Because they're not competent enough to handle them.
Yet these top directors are able to get access to essentially any database or system just because of their title.
That struck me as odd do not US phone companies secure their sensitive customers information. When I worked at BT they took this very seriously and say looking up the queens unlisted telephone number you would get into serious trouble.
For some systems team leaders who needed wide access to data had to pass security clearing at the TS / DV level I was told.
Hah, the queen has an unlisted phone? Well I guess she has a private landline...
Reading your comment makes me imagine HM The Queen in the royal carriage, being bored at the slow pace, staring at her smartphone, scrolling through Instagram.
Lol, how did that go? I am thinking... something along these lines:
Telemarketer: When you sign up with ShitWare, our Platinum partner, you get a free BigMac (tm) with a crumpet and a small drink! This exciting promotion is only available to our subscribers! Limited time offer. Quantities are limited. Only in participating restaurants. Some conditions apply. Taxes (incl. VAT) not included.
Queen: Goodness gracious, did you just say free BigMac (tm) and crumpets? That is, like, fucking amazing! OK I clicked on that link, it says "Your Windows is infected! Click here to clean!" Is that OK? Btw where is my food.
Telemarketer: It is, indeed, perfectly OK! Just click on where it says "I Agree". BTW it is one crumpet (not "crumpets") or a hashbrown, subject to availability. This exciting, time-limited offer is ---
Interesting. I wonder, what was the procedure when some random telemarketer dialed one of those Queen's unlisted numbers? Or, whatever unlisted numbers.
Great point.
In general as a whole this shows just how stupid the 2010~current human is. Lack of logic in the social studies programs has destroyed high school and college graduates ability to reason.
The info was surely sensitive, but I don't see this article indicating that any of the information was classified (let alone TS). That would be a major vulnerability, normally guarded against by using completely separate systems to access such information.
> I would never let my manager into my Linux systems, just to make an analogy. I give my manager a report on what's going on but I'd never let them in.
I'm not sure about the chain of command in your company but in most companies, managers don't need permission from their charges for access. Managers are the ones who give their underlings access.
Granted, in most tech infrastructure, only a handful of people might have direct access to production/sensitive assets like databases, file, web, etc servers. And managers wouldn't want to muck around on production servers. But the idea that you wouldn't let your manager access or that they couldn't get access if require seems very odd. What happens if you quit or get fired? If your manager wanted access and you refused, he has the power to fire you.
> Yet these top directors are able to get access to essentially any database or system just because of their title.
Depending on their role, directors of any company can get access to anything because they act as the ultimate arbiters on behalf of the shareholders. The chairman of the board is who the CEO of companies report to.
Sure, you wouldn't want people who don't know the systems to gain access. But I'd be interested to know how a low level employee can prevent their manager or even directors from access if they wanted it.
It isn't because of their title. It's because of their authority. You can argue against access but ultimately do not have the authority to prevent it. They can fire you.
I once had an IT guy who was making up his own passwords for workstations and servers. When he refused to provide them to me I had our attorney meet with him so he could clearly understand the implications. He was holding the company hostage and violating policy. He provided the passwords at the end of that meeting and was fired on the spot.
The thing is that your manager does not need your permission. He comes in, states he wants to have all the accesses and you give them to him.
If you do not, he rightly fires you.
There are of course many legal cases where administrative access is limited.
What you are describing is scary : you hold the company in hostage, and the company is apparently happy with this since it allows such a posture from their admin team.
Beside the legal aspects I mentioned, I always had complete access to all the thousands machines and services I was ultimately in charge of. I would have test scenarios to ensure access is granted, but did not log into them because there was no reason to do so (and I may break something).
Note: the way how the acces is provided in another story. It should be documented, traceable, etc.
Someone clearly needs to be punished. Several someones. I'd let this intrepid and talented 15 year old go, and let the US (and whoever else concerned) prosecute the living crap out of all those in public positions of trust and clearly not up to it.
Suggest starting from the top. A head of CIA with classified material stored on his computer in such a way that access is dependent on some external internet provider? Under the always ressourceful American penal system, that sounds to me like any number of centuries on the inside looking out.
Why should the person committing the crimes be let go? Because you identify with them? Because they are seemingly intelligent in how they committed their crimes? I don't understand wanting to punish "dumb" criminals when the "smart" ones are far more dangerous
> Why should the person committing the crimes be let go?
Because a child calling a helpdesk and pretending to be someone else is a prank. Slap on the wrist, followed by a job offer. It seems on a similar level to ringing a bar and asking for 'Amanda Hugginkiss' or 'Mike Hunt'. At least this kid found the problem before the Russians did.
A child impersonating government officials in order to gain access to classified networks, remotely vandalizing people's computers, reading their emails, harrassing them, doxxing them and threatening to rape their children is not ringing up a bar and asking for "Amanda Hugginkiss."
If it had been a cop doing this, everyone calling this kid a hero or merely a precocious youth would be crying out for blood.
Then it would not be an even similar case. It is a feature of many civilised societies that we tend to forgive misdemeanors by minors as 'part of growing up' and 'learning right from wrong'. Should it be a crime because this autistic kid happened to be good at his prank?
> It is a feature of many civilised societies that we tend to forgive misdemeanors by minors as 'part of growing up' and 'learning right from wrong'.
Except many of the things he's accused of doing are clearly not misdemeanors. You're also assuming there was no malicious intent in what he did. He was perfectly aware that what he was doing was wrong, and he intended to do harm to people because they worked for the US government. You seem to have the actual legal system confused with the plot of Dennis the Menace or Leave it to Beaver.
>Should it be a crime because this autistic kid happened to be good at his prank?
Oh, he's autistic? Never mind, free pass then.
No... it wasn't merely a prank, and being autistic doesn't imply being legally incapable of judgement.
Trying minors for "more serious offences" is a thing just about everywhere. It's clear this particular minor knows right from wrong, and that what he did was on the 'wrong' end of the spectrum.
Would you feel the same way if he'd actually followed through on his rape threats? Or if he'd SWATted someone? At what point would you be willing to admit this "prank" wasn't harmless?
>Trying minors for "more serious offences" is a thing just about everywhere.
And not locking them up, i.e. "letting them go" is a thing in just about every civilized country.
>Would you feel the same way if he'd actually followed through on his rape threats?
I'm sorry, but this is ridiculous. There isn't a single mention of "rape" in TFA, you're discussing a 15 year old kid possibly threatening someone on a different continent.
He bombarded Mr Johnson and his wife with calls,
asking her: “Am I scaring you?” and left
messages threatening to “bang his daughter”,
the court heard.
Unless you want me to believe he was threatening to "bang" Mr. Johnson's daughter consensually, it's a rape threat.
It is a stretch to describe that as a rape threat. I don't believe a native English speaker would choose that wording to convey a rape threat.
And again, if this was a rape threat it was a very unclear rape threat by a 15 year old kid on another continent. Not something any sane person would treat particularly seriously.
Honestly, this sounds more like something along the lines of "I'm going to bang your mom", with the "mom" replaced.
No sane person would assume that "I'm going to bang your mom" is a rape threat, but rather a threat of embarrassing you by engaging in sexual relations with a close family member.
> Not something any sane person would treat particularly seriously.
... because the person making the rape threat disclosed that they were on another continent so as to assure his victims and minimize psychological harm?
I understand he's sympathetic because he shares the same anti-US government bias that many HN users have, and anyone with a computer and a hate-on for the Feds is a hero around here, but it shouldn't be impossible to concede that what he did was not merely a harmless prank, but a crime that deserves something more than a mere slap on the wrist and tousle of the hair.
> I understand he's sympathetic because he shares the same anti-US government bias that many HN users have,
There is something else here. The UK and the US have very different criminal justice systems, I have noticed a definite 'bias' as you put it against the US system on HN[0]. It has been noted, for instance in the far to long running Lauri Love case, that the UK is much more lenient to young computer hackers that the US. Perhaps it is not bias, but simply different cultures?
> It's clear this particular minor knows right from wrong
> Medical experts for the defence argue that he is on the autism spectrum and at the time of his offending had the mental development of a 12 or 13-year-old.
It is entirely unclear from the article that he knows right from wrong, and furthermore it is entirely unclear that he knows that that it is any worse than any other childish prank that went wrong. My son knows it is wrong to eat in his room, but he still does it, perhaps this child feels this is on the same level?
Unless you can share some other resource that suggests something else, I find your claim to be completely unfounded.
>Unless you can share some other resource that suggests something else, I find your claim to be completely unfounded.
The paragraph prior to the one you quoted:
At one point on an internet chat he said
that he had considered not sharing any more
information “because it put lives at risk,
but then I thought they are killing innocent
people every day”, the court heard.
He was aware that he was doing harm to people, and justified it based on his belief that his victims were doing greater harm.
That merely establishes a mixed and confused picture, in that one article directly contradicts itself. I suggest we let the jury do their job, since they hear all of the evidence
Please don't read this to mean misdemeanors in the US legal sense of 'not a felony'. In the UK (where the trial is) misdemeanor would normally be understood to be 'something some people consider wrong' [0]. There is no concept of felony and misdemeanor in English law. I meant this in its ordinary English sense and I am sure we can both agree that this was a misdemeanor, as in 'not the right thing to do'.
> No... it wasn't merely a prank, and being autistic doesn't imply being legally incapable of judgement.
Well actually it raises the very real possibility. Unless he is guilty of strict liability offences the prosecution would have to show criminal intent
In English law, s8 Criminal Justice Act 1967 provides the frame of which the 'mens rea' is assessed. It states:
A court or jury, in determining whether a person has committed an offence,
(a) shall not be bound in law to infer that he intended or foresaw a result of his actions by reasons only of its being a natural and probable consequence of those actions; but
(b) shall decide whether he did intend or foresee that result by reference to all the evidence, drawing such inferences from the evidence as appear proper in the circumstances.
If you cannot foresee the results of your actions you cannot be guilty. BTW publishing an opinion that suggests someone is definitely guilty, as you seem to at places in this thread, whilst a trial is ongoing is a crime in the UK.
Lots of pranks are criminal. Graffiti for instance. But if the police found your child drawing a penis on a poster of a politician do you think he deserves telling off, or jail?
Testing boundaries is a natural part of growing up. My 5yo daughter does it all the time. Unfortunately, for some kids, their abilities may place the boundaries well beyond what would be considered criminal. Some go for drugs, some go into exploring other realms.
When I was a teenager, I used to connect to BBSs outside the country by using the unconnected but active phone lines that came into the building.
Only later someone told me that it was a relatively serious offence in my home country, going against national security laws and that it was done in a military dictatorship that, luckily at my time, was no longer keen on disappearing people.
Later I learned many of my colleagues on college used to do the same.
It's one area where punishment might actually serve as a deterrent. I really am all for holding public servants to very strict standards, not least where security is concerned.
If it were common knowledge that your cavalier disregard of prescribed rules would see you on the street within ten minutes of it being discovered, I'm sure it would sharpen the attention of some, and get rid of others.
A deterrent to future pranksters maybe. But I would imagine that the real danger is from malicious actors (say, foreign governments) who would not be deterred by the threat of punishment. So what does punishing this kid get us, other than satisfaction?
It would achieve the very negative thing of not dealing with the real issue.
It reminds me of the story of Richard Feynman demonstrating to a superior how not spinning the dial of the standard GI safe at Los Alamos after closing it allowed someone to read the combination. His superiors response was to send a memo saying, 'Don't leave Mr Feynman alone in your office'.
It seems mad that access to sensitive databases, for instance, is a simple password reset issue. I would have hoped for some kind of additional hardware security, like a keyfob/dongle. I remember reading that MI6 spooks have them.
I too have little sympathy for the likes of the FBI or CIA when they suffer this kind of breach, it shows they are not competent. Unfortunately they will instead try to extract retribution from some autistic kid...again.
The only way to solve this issue is to decentralize violence / punishment. Still, it will take a lot of time to get there _after_ we have decentralized currency. For now this is what we have with all the good and the bad parts.
A smartcard is usually used for access to SBU material from regular computers, but apparently some agencies have not caught up and are still using username/password for authentication.
One takeaway here is that the professionalization, training, oversight and salaries of IT support staff all need to follow the same ascending curve as the sensitivity of the staff and systems they are supporting.
Sigh. These organizations clearly need mandated 2FA, and no "security questions". I like that some people use a password manager to fill in the security questions with random strings, but sensitive systems just shouldn't allow such easy attacks.
86 comments
[ 3.8 ms ] story [ 248 ms ] threadI once thought I was safer since I don't even have an American address anymore and have been living abroad for years.
Nah, Amazon customer support answered an attacker's "so where was my last item shipped to" question after they authenticated by giving the support rep an address I used as a shipping address for one item almost 10 years ago.
The poor kid in TFA was doing some free social engineering pen testing.
What a waste of talent.
2) Leaving ridiculous voicemails like "I'll bang your daughter" is exactly what kids do
3) How can you possibly suggest that those two things are similar? That's simply twisted.
"Mr Obama's senior science and technology adviser John Holdren had his personal accounts hacked and Gamble passed all of his personal details to an accomplice who used them to make hoax calls to the local police claiming that there was a violent incident at Mr Holdren’s house resulting in an armed swat team being deployed."
That group (if one can even call it that) taught a generation to go for trolling/harassment rather than subversion.
When he was 15 (about 15 years ago), he had the chance to do a lot of damage. He roamed in sites that store credit card information in an Access database (they didn't have PCI back then). He roamed in servers that have everyone under a www-data account and "partition" people with FTP accounts, so a script that allows you to traverse the .. dir would get everyone completely screwed. He used to ship items to himself. He got someone fired from his programming job because of his shenanigans.
Oh my gosh, he would have been so screwed if anyone ever made a big deal of anything he did.
But somehow that friend of mine didn't make the news - He went unnoticed. He went on with his life, and now he has a relatively normal life and does well for himself and everyone around him.
From his story, I always have the belief that adolescents will change, if they are forgiven and shown the way by seniors.
Too crazy.
https://support.apple.com/en-us/HT204915
though I don't know if the security question reset path is closed.
There was a small flare up earlier this year about people hijacking cell phone numbers, which then of course let's you take over all sorts of accounts since you can defeat the (relatively) poor security of SMS-based OTP.
I would never let my manager into my Linux systems, just to make an analogy. I give my manager a report on what's going on but I'd never let them in. Because they're not competent enough to handle them.
Yet these top directors are able to get access to essentially any database or system just because of their title.
For some systems team leaders who needed wide access to data had to pass security clearing at the TS / DV level I was told.
Reading your comment makes me imagine HM The Queen in the royal carriage, being bored at the slow pace, staring at her smartphone, scrolling through Instagram.
The irony was the press office was on the floor above and didn't notice.
Telemarketer: When you sign up with ShitWare, our Platinum partner, you get a free BigMac (tm) with a crumpet and a small drink! This exciting promotion is only available to our subscribers! Limited time offer. Quantities are limited. Only in participating restaurants. Some conditions apply. Taxes (incl. VAT) not included.
Queen: Goodness gracious, did you just say free BigMac (tm) and crumpets? That is, like, fucking amazing! OK I clicked on that link, it says "Your Windows is infected! Click here to clean!" Is that OK? Btw where is my food.
Telemarketer: It is, indeed, perfectly OK! Just click on where it says "I Agree". BTW it is one crumpet (not "crumpets") or a hashbrown, subject to availability. This exciting, time-limited offer is ---
Queen: Yeah whatever dude, just send the food in.
Queen: This is good. Most good.
Is that something that BT would intercept?
It’s like a false sense of capability.
The info was surely sensitive, but I don't see this article indicating that any of the information was classified (let alone TS). That would be a major vulnerability, normally guarded against by using completely separate systems to access such information.
I'm not sure about the chain of command in your company but in most companies, managers don't need permission from their charges for access. Managers are the ones who give their underlings access.
Granted, in most tech infrastructure, only a handful of people might have direct access to production/sensitive assets like databases, file, web, etc servers. And managers wouldn't want to muck around on production servers. But the idea that you wouldn't let your manager access or that they couldn't get access if require seems very odd. What happens if you quit or get fired? If your manager wanted access and you refused, he has the power to fire you.
> Yet these top directors are able to get access to essentially any database or system just because of their title.
Depending on their role, directors of any company can get access to anything because they act as the ultimate arbiters on behalf of the shareholders. The chairman of the board is who the CEO of companies report to.
Sure, you wouldn't want people who don't know the systems to gain access. But I'd be interested to know how a low level employee can prevent their manager or even directors from access if they wanted it.
I once had an IT guy who was making up his own passwords for workstations and servers. When he refused to provide them to me I had our attorney meet with him so he could clearly understand the implications. He was holding the company hostage and violating policy. He provided the passwords at the end of that meeting and was fired on the spot.
If you do not, he rightly fires you.
There are of course many legal cases where administrative access is limited.
What you are describing is scary : you hold the company in hostage, and the company is apparently happy with this since it allows such a posture from their admin team.
Beside the legal aspects I mentioned, I always had complete access to all the thousands machines and services I was ultimately in charge of. I would have test scenarios to ensure access is granted, but did not log into them because there was no reason to do so (and I may break something).
Note: the way how the acces is provided in another story. It should be documented, traceable, etc.
Suggest starting from the top. A head of CIA with classified material stored on his computer in such a way that access is dependent on some external internet provider? Under the always ressourceful American penal system, that sounds to me like any number of centuries on the inside looking out.
Because a child calling a helpdesk and pretending to be someone else is a prank. Slap on the wrist, followed by a job offer. It seems on a similar level to ringing a bar and asking for 'Amanda Hugginkiss' or 'Mike Hunt'. At least this kid found the problem before the Russians did.
If it had been a cop doing this, everyone calling this kid a hero or merely a precocious youth would be crying out for blood.
Then it would not be an even similar case. It is a feature of many civilised societies that we tend to forgive misdemeanors by minors as 'part of growing up' and 'learning right from wrong'. Should it be a crime because this autistic kid happened to be good at his prank?
Except many of the things he's accused of doing are clearly not misdemeanors. You're also assuming there was no malicious intent in what he did. He was perfectly aware that what he was doing was wrong, and he intended to do harm to people because they worked for the US government. You seem to have the actual legal system confused with the plot of Dennis the Menace or Leave it to Beaver.
>Should it be a crime because this autistic kid happened to be good at his prank?
Oh, he's autistic? Never mind, free pass then.
No... it wasn't merely a prank, and being autistic doesn't imply being legally incapable of judgement.
Would you feel the same way if he'd actually followed through on his rape threats? Or if he'd SWATted someone? At what point would you be willing to admit this "prank" wasn't harmless?
And not locking them up, i.e. "letting them go" is a thing in just about every civilized country.
>Would you feel the same way if he'd actually followed through on his rape threats?
I'm sorry, but this is ridiculous. There isn't a single mention of "rape" in TFA, you're discussing a 15 year old kid possibly threatening someone on a different continent.
And again, if this was a rape threat it was a very unclear rape threat by a 15 year old kid on another continent. Not something any sane person would treat particularly seriously.
Honestly, this sounds more like something along the lines of "I'm going to bang your mom", with the "mom" replaced.
No sane person would assume that "I'm going to bang your mom" is a rape threat, but rather a threat of embarrassing you by engaging in sexual relations with a close family member.
... because the person making the rape threat disclosed that they were on another continent so as to assure his victims and minimize psychological harm?
I understand he's sympathetic because he shares the same anti-US government bias that many HN users have, and anyone with a computer and a hate-on for the Feds is a hero around here, but it shouldn't be impossible to concede that what he did was not merely a harmless prank, but a crime that deserves something more than a mere slap on the wrist and tousle of the hair.
There is something else here. The UK and the US have very different criminal justice systems, I have noticed a definite 'bias' as you put it against the US system on HN[0]. It has been noted, for instance in the far to long running Lauri Love case, that the UK is much more lenient to young computer hackers that the US. Perhaps it is not bias, but simply different cultures?
[0]https://news.ycombinator.com/item?id=16171239
> Medical experts for the defence argue that he is on the autism spectrum and at the time of his offending had the mental development of a 12 or 13-year-old.
It is entirely unclear from the article that he knows right from wrong, and furthermore it is entirely unclear that he knows that that it is any worse than any other childish prank that went wrong. My son knows it is wrong to eat in his room, but he still does it, perhaps this child feels this is on the same level?
Unless you can share some other resource that suggests something else, I find your claim to be completely unfounded.
The paragraph prior to the one you quoted:
He was aware that he was doing harm to people, and justified it based on his belief that his victims were doing greater harm.> clearly not misdemeanors
Please don't read this to mean misdemeanors in the US legal sense of 'not a felony'. In the UK (where the trial is) misdemeanor would normally be understood to be 'something some people consider wrong' [0]. There is no concept of felony and misdemeanor in English law. I meant this in its ordinary English sense and I am sure we can both agree that this was a misdemeanor, as in 'not the right thing to do'.
[0] https://www.collinsdictionary.com/dictionary/english/misdeme...
> No... it wasn't merely a prank, and being autistic doesn't imply being legally incapable of judgement.
Well actually it raises the very real possibility. Unless he is guilty of strict liability offences the prosecution would have to show criminal intent
from wiki https://en.wikipedia.org/wiki/Intention_(criminal_law)If you cannot foresee the results of your actions you cannot be guilty. BTW publishing an opinion that suggests someone is definitely guilty, as you seem to at places in this thread, whilst a trial is ongoing is a crime in the UK.
Seems to me that (small) property crimes are a crucial part of many pranks. http://hacks.mit.edu/Hacks/by_year/1994/cp_car/
Here's 3 that come to mind:
- toilet-papering a house/tree
- ding-dong-ditch (harassment, possibly even rising to a hate crime in the right circumstances)
- flaming shit on doorstep (obviously)
Whether something is a crime or not is a pretty bad test for whether a child should be held accountable as an adult for the act.
There needs to be one! It's still going strong.
All went on to good careers in tech & VC.
I’m actually more worried about the mindset that doesn’t want children to question authority and test the boundaries.
When I was a teenager, I used to connect to BBSs outside the country by using the unconnected but active phone lines that came into the building.
Only later someone told me that it was a relatively serious offence in my home country, going against national security laws and that it was done in a military dictatorship that, luckily at my time, was no longer keen on disappearing people.
Later I learned many of my colleagues on college used to do the same.
Thought exercise: Does/should the same hold true for children who question authority and test boundaries through petty theft, or muggings?
Why or Why not?
Do they? What does that achieve?
If it were common knowledge that your cavalier disregard of prescribed rules would see you on the street within ten minutes of it being discovered, I'm sure it would sharpen the attention of some, and get rid of others.
You may wish to turn your comment around by roughly 180 degrees.
It reminds me of the story of Richard Feynman demonstrating to a superior how not spinning the dial of the standard GI safe at Los Alamos after closing it allowed someone to read the combination. His superiors response was to send a memo saying, 'Don't leave Mr Feynman alone in your office'.
I too have little sympathy for the likes of the FBI or CIA when they suffer this kind of breach, it shows they are not competent. Unfortunately they will instead try to extract retribution from some autistic kid...again.
Why weasel into an organization and steal piddly shit when you can just pretend to be the director and ask anybody for anything?