12 comments

[ 0.26 ms ] story [ 45.6 ms ] thread
Customers punished by Vodafone's stupidity: 2 million Vodafone execs fired: 0 Vodafone execs given raises: several

Status quo is maintained.

I actually feel sorry for the hacker; once he/she gets caught, they're probably in for a lot of trouble with the law given the tough sentences handed out nowadays for minor crimes.
The sentence they're given might be unduly harsh in your opinion, but they chose to hack into Vodafone's systems and take a copy of the information. It's pretty well publicised how harsh sentences are for hacking, so they would have known in advance the risks they were taking.

With this in mind, why should anyone feel sorry for someone being punished for a crime they committed?

Oh come on. Hacking punishments should not be that severe, only proportional to the damage caused. Where has anyone demonstrated the property damage in this case? They have only estimated a number. Hackers get disproportionate sentences to what they have done, compared to for e.g. bankers who commit crimes.

EDIT: After reading the comments below, I guess I need to clarify what I said. I put it badly to say the least; I should have said "property damage" instead of financial damage.

I'm not arguing that punishments for hacking are fair or proportionate to the crime. All I was saying is that the hacker who carried out this hack will have known that punishments for this sort of thing are very severe, and, consequently, I don't feel sorry for them. When you commit a crime, regardless of whether you think it causes damage or that the punishment is fair, you're still accepting the risk of receiving said punishment.

I do think that demanding some actual, demonstrable financial cost be presented before a hacker can be tried is an extremely dangerous precedent, though. A real world analogy would be if I pick the lock and enter your house without your consent, stand in your room watching you sleep, then leave, all without causing any damage. I haven't caused you any financial damage, but I should certainly be arrested and charged for it.

If I punch you in the face, the black eye will go away in a few weeks, and you will not have any financial damages you can demonstrate. So I should only get a warning for punching people in the face?
Financial Damage? Well, there is reputational/brand damage. Costs of defending themselves in litigation, costs of repair, costs of re-engineering systems, costs of PR responses, and so on.

But actually, fuck that dude. Vodaphone isn't the victim really. I am. Now phishing emails sent to me will be better, and can include data that I previously used to verify legitimate emails. Now I have to sort out all my bank accounts and have new numbers issued. Now I have to think about how I deal with the fact that the answers to common security questions are in the "hackosphere" for sale.

So no. I don't care about the financial damage. The guy has effectively sprawled graffiti on 2 million peoples lives, which they have to clean up. I'll reserve my sympathy for people who are at least are well intentioned...

I don't know why technologists would ever want a social norm of responding to security vulnerabilities by severely punishing the people "responsible" for them. It is highly, highly unlikely that anyone in the C suite made any decision which proximately caused this vulnerability.

Instead, it is likely that you're advocating for firing a modestly compensated engineer whose crime is shared by substantially every production system everywhere.

I vividly remember reading Cuckoo's Egg where he is describing all the machines in the field that shipped with username "Field" password "Service" that were open doors. I thought at the time that the folks responsible for those deployments ought to get a citation rather than throwing teenagers in jail.

I wonder now how things might be now. Would folks think a bit more about deploying busted web sites?

> A person with insider knowledge stole data including names, addresses, birth dates, and bank account information, the world’s second-biggest mobile-phone carrier said in a statement today.

Am I correct in understanding that the data stolen is Vodafone's customer payment details (ex: for auto payments)? At first read I thought that Vodafone had gotten into banking but I don't think that makes sense.

> The hacker had no access to credit-card information, passwords, PIN numbers or mobile-phone numbers, Vodafone said.

Credit card numbers and passwords I can understand as not being accessible (both can be either escrowed or hashed) but I don't see how it's possible to not have access to mobile phone numbers. If Vodafone is anything like US carriers then your phone number is basically your account number (sometimes a couple extra digits, ususally nothing though). Does anyone really think they have a separate account # per customer with the just the above data referenced to it?

Vodafone also does DSL and other business (and actually tracks me as two different customers for DSL and mobile stuff). It's quite likely that they've got a seperate id system.
> If Vodafone is anything like US carriers then your phone number is basically your account number

Although to the customer it may appear that your phone number is your account number, that normally isn't the case. This is for a number of reasons:

* Phone numbers can change either through porting or by choice (i.e, due to nuisance/harassment, etc)

* Single 'accounts' can have multiple phone numbers (i.e, a family plan)

* Some plans may have phone numbers that are opaque to the user (i.e, 3G dongles, etc)

In the carrier systems I've seen / worked on there has normally been a unique account identifier that isn't the MSISDN.