PHP Fog Blog

How We Got Owned by a Few Teenagers (and Why It Will Never Happen Again)

Hi, I am Lucas Carlson, founder and CEO of PHP Fog and the guy who hasn’t slept in almost 4 days. This is my story.

Saturday, March 19th, 2011 – 10:01pm – It was a dark and stormy night in Queensland, Australia. Elliot, a 16-year-old student, should have been preparing for his final exams on Monday. Instead he was in a race with John, a 16-year-old student living in New York, and “turby” to deface the PHP Fog site the fastest.

Before we continue, it’s important to explain how our infrastructure works so you will understand the nature of the exploit. Rather than running a shared hosting environment like the ones you may be familiar with, PHP Fog provides dedicated servers for each one of our customer applications. Each application stack also includes a caching layer, a load balancing layer, a database layer and a shared failover environment. The entry point of this exploit was our shared failover environment, which we will discuss in more detail as the story progresses.

Thursday, March 17th, 2011 – 8:20pm – In a forum administered by John, some of our beta customers apparently did not understand that we intended to provide our users dedicated EC2 instances. They felt proud of themselves after uploading code to those servers that ran a remote shell and proceeded to compromise the servers we assigned them (the first of many violations of both US and Australian law).

The way they did this was by uploading a program and executing it through our post-deploy hooks. Internally at PHP Fog we were aware of the potential security threat behind post-deploy hooks and were about to disable them indefinitely on Friday, March 18th, but our software for deploying the site update malfunctioned and we decided to put it off for the weekend. What unfortunate timing.

However, the servers that people run their applications on do not have access to other parts of the system, so these kids hit a dead end. Their exploits got them no further than simply signing up for Amazon’s free tier of EC2 service. A security hole, to be sure, but not a very exciting one.

Saturday, March 19th, 2011 – 10:32pm – Elliot was different. He caught a lucky break – ironically enough when the dedicated server he had running on our system died.

Some more background is necessary. The failover system we use works as follows: every application on PHP Fog was simultaneously deployed to both its dedicated instance and a shared hosting environment. Nginx was configured so that if your dedicated instance stopped responding for any reason (hardware or network failure) it would automatically redirect requests to the shared hosting environment.

The failover system had almost never been used in the history of PHP Fog; it was only utilized on the rare occasions when we needed to move people onto new hardware. For weeks we had been working on securing this environment with various industry standard tools, and we were days away from replacing this server with a locked down, more secure version. Another timing mistake.
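As an added illustration (not PHP Fog’s own configuration; the upstream names, addresses and hostnames are assumed), this is the shape of an nginx setup whose `backup` server is a shared multi-tenant host, beside a version in which a dead dedicated instance is answered by nginx itself rather than routed onto a box every other tenant can also reach:

```nginx
# Added illustration, not PHP Fog's configuration. Names and addresses are assumed.

# BEFORE: the backup server is a shared, multi-tenant host. Any tenant whose
# dedicated instance dies lands there, so a single weak box becomes reachable
# from every application on the platform.
upstream app_customer1 {
    server 10.0.1.10:80 max_fails=3 fail_timeout=30s;   # customer's dedicated instance
    server shared-failover.internal:80 backup;           # shared host: blast radius is every tenant
}

# AFTER: no shared backup at all. When the dedicated instance is down, nginx
# serves a static maintenance response; a replacement dedicated instance is
# launched out of band instead of sharing a fallback host between tenants.
upstream app_customer1_isolated {
    server 10.0.1.10:80 max_fails=3 fail_timeout=30s;
}

server {
    listen 80;
    server_name customer1.example;

    location / {
        proxy_pass http://app_customer1_isolated;
        proxy_connect_timeout 5s;
        proxy_next_upstream error timeout http_502 http_503;
        # Upstream failure becomes a maintenance page rather than a proxy to a shared host.
        error_page 502 503 504 = @maintenance;
    }

    # Served by nginx itself: no application code, no shared tenant environment.
    location @maintenance {
        default_type text/plain;
        return 503 "This application's dedicated instance is being replaced. Please retry shortly.\n";
    }
}
```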

Of the thousands of servers we had running, Elliot’s dedicated server died and his app was in failover mode. When he followed the instructions provided on John’s page, he broke into our shared hosting environment that had not yet been locked down.

This failover server should have been taken offline a long time ago. It was a relic that I had built as a proof of concept. We were replacing it, but I should have just taken it down until we had the replacement. Unfortunately and stupidly, I had an old copy of the site code on that server which had our PHP Fog system passwords that I also stupidly had not deleted or changed. This was really naive and irresponsible of me. The old code-base, all our proprietary intellectual property, was posted for around 5 minutes to twitter.

You can be sure every single system password at PHP Fog has been changed, they are no longer stored on servers, and I have more than learned my lesson here.

Saturday, March 19th, 2011 – 10:46pm – Less than 15 minutes later, our systems super-star Jake Olsen (not “turby” Jake) noticed something was not right.

Saturday, March 19th, 2011 – 10:49pm – Jake proceeded to boot Elliot off our systems and reboot servers.

Saturday, March 19th, 2011 – 11:09pm – Jake shut down every server on PHP Fog. Without access anywhere else, Elliot logged into our Twitter account, our blog, and our DNS manager. He pointed phpfog.com to a site John called “PHPFog sucks,” and he bragged about his exploit on our Twitter and blog.

Sunday, March 20th, 2011 – 2:15am – Elliot sent me an IM. Apparently he was now sorry. The only thing going through my head was: be nice to him, we need as much cooperation as possible right now.

2:15:12 AM Elliot : Lucas.
2:15:23 AM Elliot : Listen, before you begin, I want to apologize.
2:15:35 AM Elliot : I do this sort of thing for kicks, but I agree that this went a little too far.
2:15:41 AM Lucas: before you apologize can you at least take down the site explaining the exploit
2:15:51 AM Elliot : Unfortunately, that’s out of my control.
2:15:59 AM Elliot : I don’t run that domain, however I will talk to the owner tomorrow. He’s gone to bed.
2:16:36 AM Elliot : I don’t want any hard feelings between us, this originally started as a proof of concept to prove your platform was insecure.
2:16:44 AM Elliot : I guess I did that, but there are better ways I could’ve gone about it.
2:16:58 AM Elliot : Yes, it was me as root on your servers, and in your twitter, and etc.
2:16:59 AM Lucas: I really wish you had reached out to me before this
2:17:04 AM Elliot : So do I, now.
2:17:12 AM Elliot : You guys are funded and I could’ve lost you a lot.
2:17:21 AM Lucas: a whole lot
2:17:28 AM Lucas: a lot of people’s lives depend on this
2:17:37 AM Elliot : I didn’t touch anybody’s files.
2:17:39 AM Elliot : Only phpfog’s.
2:17:49 AM Elliot : Didn’t even look through them.

2:21:25 AM Lucas: can you give me the twitter password?
2:21:32 AM Elliot : I’ll change it back for you.

2:54:44 AM Elliot : Well, look on the bright side. At least it was us three, who got in just for kicks, and then told you how instead of someone who got in, pulled an rm -rf / on all of your stuff, and then changed all of your passwords.
2:55:16 AM Elliot : Wait, did I tell you how?
2:56:01 AM Lucas: not yet
2:56:08 AM Elliot : Want a brief?
2:56:11 AM Lucas: sure
2:56:25 AM Elliot : It relied upon a glitch in your system
2:56:29 AM Elliot : which ended up with my app
2:56:32 AM Elliot : being on your main node or something
2:56:37 AM Elliot : instead of being on its own instance
2:56:45 AM Elliot : then I used the method detailed by turby
2:56:46 AM Elliot : to gain root
2:57:00 AM Elliot : then I just searched around for a password, the one that worked for me was ••••••••••
2:57:08 AM Elliot : Then I went a little further and found ••••••••••
2:57:24 AM Elliot : then just basically logged in and posted on your blog, on your twitter, and that was about all.

3:06:20 AM Elliot : Well, we’re outta here for now.
3:06:28 AM Lucas : ok
3:06:40 AM Elliot : ‘Night lucas. Sorry about what we pulled again. :\

Our forensic analysis after the fact corroborated Elliot’s story of vandalism. We found no evidence that anyone besides Elliot got further into our systems than the individual dedicated servers, which held no compromising information.

Even though it was a case of vandalism, none of us at PHP Fog were going to take any chances at all. Here are the steps we have taken since. We worked through the weekend and nearly non-stop since to get sites running again. At this point 99% of the sites are running and secure again.

Credit cards – We have never stored credit cards on any PHP Fog server. There was never any possibility that credit cards could have been compromised by this attack.

Rebuild every single server on PHP Fog – We shut down and re-created every single server we controlled. This numbered in the thousands. We had to be 100% sure that there were no rootkits anywhere and this was the only way to do that.

No more shared passwords, anywhere – We are no longer using shared passwords. They were a short-term stopgap measure we had been planning to replace, and now they have been replaced.

Change every ssh key/password/token/api key everywhere – In the last 3 days we basically rebuilt everything from scratch.

Eliminate shared hosting failover server – We may never do shared hosting failover again if we cannot guarantee its security. We might do a non-realtime failover that automatically launches a new instance for you, but this experience taught us what a bad idea this can be.

Eliminate post-deploy hooks – Until we can do this securely, we are removing it from our features.

Eliminate custom Apache conf and php.ini – Until we can do this securely, we are removing it from our features as well. Users may still rely on .htaccess files.

Complete lockdown and rebuild of the app’s dedicated servers – We have audited our dedicated servers to provide a much more secure environment that will be much harder to exploit through the techniques listed in the forum. We started out being quite trusting of our beta users, but have had to limit what they can do now in order to protect us all.

Upgrade internal password storage – Account passwords were cryptographically hashed; however, we are clearing everyone’s password, and before you can log in you will need to enter a new password. We are emailing password reset links to all of our beta users. Going forward, passwords are hashed with an even more secure algorithm.

Upgrade internal communication systems – Although these were not attacked this weekend, we have secured them anyway. SSH keys for git deploy have been generated on a per-server basis so there is no possible way to get “keys to the kingdom”. Code deploys onto dedicated servers are now read-only so compromised servers cannot modify the main code repository.

App password changes – While we have no evidence that our users’ passwords have been compromised, we strongly advise every beta user at PHP Fog to change the passwords of the users in their applications (WordPress, Drupal, etc). We will also provide tools to change the database passwords. If you are using a password you share with other sites, learn from our example: change them all to strong, unique passwords and use a secure password manager such as 1Password or LastPass to store them.

Regular penetration testing – We have hired professional white hat hackers with government level security experience to attempt regular pen tests on our system, both as regular users as well as giving them special access and seeing if they can get through.

Audit of the vandalism – We found no evidence that our customers’ code or databases were accessed at all during the event. Since we keep all the customer code in cryptographically secure git repositories, it is almost impossible to modify these repositories without SHA1 hashes revealing the changes.

This is an amazing amount of work for 3 days and I am incredibly proud of our team at PHP Fog. We made sure our system was rock solid before bringing any sites back up and it took a massive effort. This is the best group of engineers I have ever seen. Thank you, guys!

I also want to thank the PHP community. We thought that we would be mocked and be bombarded by angry tirades, but the complete opposite has been the case. At the end of the day security is our responsibility, but all systems are prone to attack. Human error, bad timing, and oversight caused ours. Our beta testers have encouraged us to bounce back while denouncing the childish and criminal acts against us. We thank you all so much and will not let you down again.

We are talking to our legal counsel and the FBI and may press charges. This kind of behavior will not be accepted. Ever. There are proper disclosure protocols for handling this kind of situation and none of them were respected.

That said, we highly encourage our users to help us strengthen our security in a proactive way. If you find a security flaw and report it using the Full Disclosure Policy to security@phpfog.com with notice, we will help strengthen your security reputation in a very public way and reward you generously.

  • J. R. Lenz

    How do you guys explain to your customers that you put a system into production that hadn’t been “locked down” ? This is extremely poor business practice.

  • http://twitter.com/crashdev Chris DeVore

    Great, honest assessment Lucas – I’m proud of you and your team and very glad to have made a bet on you. This is how great companies get built.

  • http://taptouchclick.com/ Tap Touch Click

    That sucks guys. While they might be sorry, he caused your team and yourself to be stressed beyond my imagination and work straight for more than 3 days, and you will never get that time back. I hope that the little kids that did this get some sort of punishment, whether it be charges pressed or something else that you decide on. I’m glad that you were able to take this terrible situation to further secure the service for the users.

    Keep on rocking!

  • http://taptouchclick.com/ Tap Touch Click

    It is “Beta”, and if you wanted to use a service that was completely “locked down” don’t sign up for something that invite only beta. They fixed it quickly, and I doubt it will ever happen again, and certainly not when they launch publicly. They care about their users.

  • http://its.verymickey.com Mickey Slater

    Great job getting the system back online and tightened up. Super shitty experience to have to go through, but sounds like everyone’s sites are more secure now so a little silver lining at the end of it all.

    M

  • http://twitter.com/tHeReaLeXero eXero

    I know this may not be the case, but the guys that did this helped you gain knowledge of an exploit, confessed about it, and from what you know did nothing other than what they told you. I don’t see why pressing charges is necessary, but if you are seeking money, then I guess you might want to press charges. Just my thought process.

  • http://twitter.com/jclermont Joel Clermont

    Thanks for the complete transparency here. It is greatly appreciated.

  • http://www.facebook.com/gravastar Chris McCreadie

    You guys handled this perfectly. Dealt with the problems, admitted to your mistakes and were communicative at every step. I have no doubt this service is now massively more secure than it was and I have now made my mind up I will be migrating my servers to php fog ASAP.

  • Guest

    How did your brain get to that conclusion? Hmm, this service provider was hacked and defaced, lets migrate my servers there. The apology is too late, the damage was done first.

  • Anonymous

    Hi!

    “should have been preparing for his final exams on Monday. Instead he was in a race with John”

    Heh, Dramatic.

    “and Jake aka “turby””

    His name isn’t Jake. Where did you pull that from?

    “In a forum run by John”

    I do not own that forum.

    “some of our beta customers apparently did not understand that we intended to provide our users dedicated EC2 instances.”

    Uh, yeah we knew. http://grab.by/grabs/413d4923d63130c1955f17372fe1073e.png

    “What unfortunate timing.” “He caught a lucky break”

    Lots of mentions of “poor timing” and “luck” in this post. Shoulda, woulda, clouda applies here.

    “A security hole, to be sure, but not a very exciting one.”

    A security hole is a security hole. The fact that it was very simple is not a good reflection on phpfog.

    “Eliminate shared hosting failover server – We may never do shared hosting failover again if we can not guarantee its security. We might do a non-realtime failover to automatically launch a new instance for you, but this experience taught us what a bad idea this can be.”

    It’s a bad idea if you do it wrong. As you said, it was never locked down properly.

    “Eliminate post-deploy hooks – Until we can do this securely, we are removing it from our features.”

    Why don’t you just allow a predefined list of commands and have them limited to the web directory? Come on now.

    I’m impressed, this post was not the outright lie I was expecting. Good job.

  • http://www.facebook.com/profile.php?id=508395719 Peter Vessenes

    Fabulous, fabulous debrief. I’m sending it to my team right now. I note happily that one of your funders feels the same way.

    Also, you should probably go get a massage and cry yourself to sleep. It will help. : )

  • Anonymous

    No need to pour salt in their wounds. I think they’re well aware of what happened. You should be thankful their postmortem was honest and straightforward.

  • Anonymous

    Very impressive. Although I have an account with you guys, I have never deployed anything with you…yet. No doubt now that I feel 100% comfortable with your service given the level of commitment you’ve shown.

  • http://prestavalve.com Guest

    Isn’t beta for finding bugs?

  • frostbytten

    I’m really enjoying the progress and openness of phpfog. Hopefully I can get some of our end-users to move to this for hosting when it’s live.

  • Anonymous

    If you don’t place your servers until you find a perfectly secure host, you’ll never place your servers.

  • Aldo Nievas

    Thanks Lucas for being honest and doing your best for getting back all websites. Keep up the excellent work.

  • http://twitter.com/IsaKft Isa K

    I think anyone who has been in web development for any sizable length of time has been hacked. In an odd way I think this experience has improved my opinion of your service Lucas, because I remember the first (and only thank God) I got hacked. It was super embarrassing because, yes, it was a certain degree of laziness and human error on my part but it taught me so much and ultimately made me a much better developer (well, one hopes anyway lol)

  • http://www.facebook.com/liam.bowers Liam Bowers

    In reality this was bound to happen at some point and maybe this was the best time for it to happen?

    The team has clearly put a lot of effort in to ‘fixing the problem’ and as a developer myself, I know it’s not a lot of fun to work 48+ hours solid and won’t be wanting to repeat it any time soon.

    I personally appreciate the honesty and explaining what went wrong, what you/we have learnt and what’s been done to make sure it doesn’t happen again.

    Good luck and well done for handling this problem well.

    Liam

  • manish

    This is good work from phpFog to educate what really happened and reassuring the security..!

  • Anonymous

    While I usually dislike people cracking something, then posting about it just to prove a point, it seems to have worked this time :)

    No disrespect, but security probably was a lower priority for you guys while working on features, and this was a pretty good wake up call in hindsight.

  • Anonymous

    So bummed to hear about this guys. But it’s very reassuring that you handled it in such a stellar way! I’m really excited about using PHPFog, and I really believe you guys have the drive to keep real PHP developers happy :)

  • http://www.bywombats.com Ryan Szrama

    That’s ridiculous. Just because you confess to something doesn’t mean you should be immune from prosecution. For what other crimes would you apply the same logic? Grand theft auto? Extortion? Attempted murder?

    “Well, you see, here’s how I perpetrated my crime. Can we just forget I did it? You learned a valuable lesson, and I’d appreciate not being held responsible for my actions.”

  • http://noinput.net/ Jim Carter III

    it’s not until you hear stories like this that you consider how secure your current servers are to start with.

  • http://noinput.net/ Jim Carter III

    still a fan, well done guys.

  • Anonymous

    Thank you for being so open about this guys.

  • http://crrodriguez.clavid.com/ crrodriguez

    Getting owned by 16yo kids and “shooting the messenger” in the process doesn’t give credibility to your product in any way.

  • http://www.facebook.com/andreas.saebjoernsen Andreas Sæbjørnsen

    Most startups experience a crisis like this. It is not the cause of the crisis that defines us, it is how we react to it and improve. Good work and thanks for sharing!

  • James

    This whole narrative about how these teenagers took down your site seems kind of pathetic. It sounds like a kid coming home and telling his mommy how he got bullied at school. Don’t tell everyone it was teenagers. Don’t tell everyone they got lucky. It just makes your security look even worse than it quite obviously was. All you need to do is explain what got exploited, and how you fixed it. Leave the storytelling to the novelists.

    Also, you might want to be careful about publishing the names of minors accused of crimes. That violates the law in many places, and can have negative ramifications for the prosecution if it was ever brought to trial.

  • Kris

    The timing might have been unfortunate on a few things – that really is no apology, hackers never sleep. Granted though, it happened while you were still in beta.

    Pressing charges – well, I would keep it at this. As bad as their behavior was, I think you guys can equally be blamed for making some serious mistakes. Elliot is 16 after all, give him a break.

    All in all, I think you handled the situation, and I hope it opened your eyes for the future. I will certainly continue PHPFog and I am happy this happened now and not later.

  • http://www.beaverjournal.com Benjamin Kerensa

    Lucas,

    Just an FYI: Amazon doesn’t by any means allocate a dedicated server for each instance, so there is no way that each PHPFog app is allocated a dedicated server. Instead you’re probably confusing dedicated with a virtual private server or cloud server, which is its own self contained environment stacked on top of a bunch of others.

  • bars

    I hope you enjoy your time in jail. Maybe then you’ll understand how childish you are at this point in your life and how inappropriately you handled this situation.

  • Guest

    I agree, if anything, this debacle was a chance for PHPFog to PROVE how proactive it is and can be. Getting hacked in beta stage, closing the initial security holes, and putting up a solid line of defense gives a plus point to PHPFog in my book any day.

    It’s PHPFog’s choice to sue the kids. It must have been hell for the past few days. However, I don’t think the right way to deal with the few kids is to make their lives hell for the next 40-70 years. Remember, they are just a few stupid teenagers who didn’t know any better, not hardened criminals.

    My two cents. You DO NOT HAVE to agree with it. I would personally hire the kids, but again you might call me a lunatic for saying that. You could sue them, but I don’t know how much money you’d be able to pull out of the kids. Maybe put them in debt forever and hang them on a wall to show an example, but that’s about all.

    *Regardless, a ton of independent developers will flock to PHPFog just because of the scent of competency surrounding the scenario. Your achievement in the past four days is astounding by almost every measure.*

    Don’t forget a story like this will get around the tech news net in a very short time. PHPFog has a chance to use this situation to its best advantage and get a bout of publicity/advertising THAT IS EXTREMELY RARE. PHPFog is LUCKY to have this happen.

  • uxp

    The proper way to disclose an exploit on a system is not to deface the website and change all their passwords. That’s breaking the law, even if the perpetrator feels bad about it. Maybe he’ll get off lightly because of it, but that does not mean he is not liable for damages.

    If you do know of an exploit, kindly informing the responsible party of it is all you need to do. Proof of concept can be worked out later in a controlled environment if you aren’t sure executing the exploit will cause damage.

  • http://www.chadkeck.com Chad Keck

    Last time I checked access to PHPFog was by invite after you put yourself on the waiting list and it is openly labeled a BETA platform. When something is in beta you better fully expect that there could be security or reliability issues.

    Until it is generally available and they drop that beta label do not rely on it for mission-critical applications or anything you “care” about without understanding those risks.

  • http://www.chadkeck.com Chad Keck

    While you certainly have a valid point, that is a matter of opinion, don’t you think? On one hand it is extremely transparent, which someone like myself really appreciates in a company (almost non-existent today), and on another it may seem “unprofessional”. I think this is due to typical reports of this nature not stating everything that happened. I’d rather know it ALL. Of course, this is just MY opinion now :)

  • Abc

    You mention that email will be sent out with a link to reset the password?

    That is very poor security.

    Knowing this, I can send out a phishing email with a link to my malicious site and grab passwords.

    Ouch. Don’t do that!

    Good luck.

  • http://twitter.com/lox Lachlan Donald

    The reality is that all security breaches in retrospect have obvious easy preventative measures. It’s completely asymmetric, web developers have to get everything right, an attacker only has to find one hole.

    In my mind the important thing is how a company deals with issues like this, it’s pretty clear that Lucas and the team have learnt from this and are more likely to have secure systems moving forward than a company that hasn’t dealt with these issues first hand. On top of that, they’ve communicated clearly what was happening, provided a transparent and detailed analysis of what went wrong and clearly worked around the clock to fix it.

    Well done guys, we’ve all been there in some form or another, I only hope if we ever face the same thing we handle it as gracefully.

  • Guest

    I know, but I there are hosts with a better track record which have also been around for longer. PHPFog is very new in the world of hosting.

  • http://twitter.com/psoplayer Noah Manneschmidt

    Thanks for demonstrating such dedication and transparency throughout this episode. Now, get some rest!

  • http://twitter.com/comex comex

    Three likes?

    I just… This comment makes me so angry I don’t even know how to begin. I can’t think of any way to justify such a cruel wish.

  • http://www.waynechang.com Wayne Chang

    Lucas, I was on the other end when I found a twitter vulnerability (http://waynechang.com/2011/02/02/how-i-discovered-a-security-vulnerability-in-twitter/). The right way to handle it is through RFPolicy that you linked there. That’s what I did, and Twitter appreciated it — feel for you, but glad the community rallied behind you.

  • Guest

    They’re just kids.

  • http://twitter.com/rooomansanchez Roman Sanchez

    FBI? Doubt they’ll give a crap.

  • Rikvanbeer

    How nasty can people be? Why hasn’t this Elliot simply warned you? He could even have charged you for the work of explaining how insecure the system was; this would be honest. But making it a public issue is awful. These guys have a motivation to harm people who work hard and honestly… I don’t get it, really.

    My best wishes!

  • http://dan.cx/ Daniel15

    Umm… Australians don’t have final exams at this time of year (unless Queensland is different to other places in Australia)

  • http://rewrite.name/ a2h

    Do you have children?

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    Liked doesn’t even begin to describe how much I agree with you. When I read this, I couldn’t believe the level of ignorance and fan-boy pride the post contained.

    Elliot and John (Charlie wasn’t really involved) are both 16-year-olds who are very ambitious about computers, and have a very bright future. Like all kids, they made a small mistake. It would be a very despicable and pitiful act for phpfog to pursue and sue them. This would undoubtedly ruin any chance these two have in getting jobs in the technical field. If phpfog follows up with a lawsuit for this fairly harmless intrusion, I will lose all respect for them as a company, and I hope I won’t be alone.

    So, in conclusion, bars, you are hoping for the lives of these two kids to be ruined. I hope you can live with yourself knowing that.

  • http://twitter.com/antonid Antonio

    hahaha are you serious right now

  • http://rewrite.name/ a2h

    Here’s a question: If one of the people who was involved was *your child*, still going to high school, who happened to use skills in an area they’re passionate in, in such a way, would you or would you not support charging them as a criminal, and sending them to jail (along with rapists, murderers and whatnot)?

  • Michael

    All reading this has done is convince me to never, ever have anything to do with PHPfog.

  • http://www.chadkeck.com Chad Keck

    I’m rather shocked at how many people are taking offense to this comment. Kids or not, they went WAY over the line and broke the law(s). When that happens you get punished, plain and simple.

    I don’t care what you say now, if you were in the shoes of the PHPFog team you WOULD feel different, and if you state otherwise then maybe you should go take a huge risk starting a business, sink countless hours and who knows what type of personal investment plus that of your investors, and let this happen to you. Then let me know how you feel.

    No one said these kids deserve some crazy amount of jail time but they sure as hell deserve to be punished. If you find a bug/exploit, keep it to yourself and let the company know. This was not a simple prank that only affected the PHPFog team but thousands of other web sites.

    I’m ashamed that some of you think this behavior is OK (to some degree) because they are “only 16”. Pitiful, and certainly explains why many people have such little respect for others’ property these days (because there shouldn’t be any punishment apparently).

  • Anonymous

    +1 to them, I personally wouldn’t have told you. Also you have failed to notice one thing…~You will find out what in the next 24 hours.~

  • Sam

    This is a very snide way to reply to a company that now has every reason to send you to jail. I would apologize and leave it at that, if I were you.

    For them to not sue you would be very gracious already. As much as some might feel that you don’t deserve to do time, the law isn’t so forgiving. What you did to someone else’s hard work is neither a service, nice, nor fair no matter how you choose to look at it. You stomped all over someone else when you could have made another choice. Bad decision.

  • http://rawdmg.bandcamp.com Inacio

    I don’t think you even have an idea of what you’re talking about

  • Guest

    Don’t drop the soap.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    How about you take your advice, and step into their shoes.

    You discovered something huge, and you can’t contain this discovery. You leak news to your pal, and you decide to toy around with this discovery with him. Doesn’t this sound like the typical teenager? Adventurous and feeling invincible.

    But, unlike normal teenagers and bending this until it snaps, they realized the consequences that may come with this. After they finished their rather harmless exploring, they proceeded to fess up to their mistakes, and inform the site owner.

    In the end, what really was harmed? From what I’ve heard, Elliot deleted the source code, and according to the blog post, he fully described the nature of the exploit to the site’s CEO.

    These were all issues phpfog was aware of, and it was their own carelessness that allowed for these issues to be exploited. They tried pushing everything off as “bad luck” and “bad timing”. phpfog should be taking much more of the blame than is being set on John, Elliot, and Charlie.

    I’m not trying to justify their actions entirely, they did make stupid decisions along the way, but they don’t deserve a lawsuit that will stick with them for the rest of their lives. Instead, a slap on the wrist would be appropriate. Ban them from using phpfog, and I’m sure they’ll respect it.

  • http://rewrite.name/ a2h

    Why are you assuming people that disapprove of ruining teenagers’ lives are in support of having no punishment handed out at all?

  • http://www.chadkeck.com Chad Keck

    “hahaha are you serious right now”
    “Do you have children?”
    “They’re just kids.”
    “I don’t think you even have an idea of what you’re talking about”

    I am assuming, you’re right, but these types of comments to the post I replied to don’t seem to be taking the matter seriously now do they?

    And explain how some harsh community service, monetary payback, probation or even a short jail term (which won’t happen anyways) would ruin their lives? It wouldn’t…it might make things a bit more difficult for a while but in life there are consequences for your actions. Do not forget this.

  • GuesterJester

    I don’t think you should press charges. As long as the customers are happy with the outcome of having their stuff safe I think you should be proud of this.
    These kids deserve a boot to the head, but going to jail for a few years is not a good way to deal with angsty teenagers.

  • cornkits

    A company’s reputation was publicly damaged. Families’ incomes were risked. This is not play time kiddos, this is business and business is serious. 16 is plenty old enough to know better than to pull nonsense like this, and phpFog would be perfectly justified in pursuing whatever means they deem necessary to protect their interests and the interests of their customers. These kids knew what they were doing and they knew the risks, and I think it’s unconscionable for you to defend their reckless and damaging actions as simple youthful indiscretion. You fail to see how serious the risk and possible damage and real financial concerns that were at stake here, and you’re encouraging other “talented kids” to go ahead and act like little punks and toy around with people’s livelihoods — see it’s ok, they’re just kids and they’re “talented”. BS. I work with dozens of genuinely talented technical people every day that also have character and communication skills and respect for others, and don’t expect to be coddled and feted because they’re ‘talented’.

    Lucky for these two phpFog seems to be far more tolerant of reckless juvenile nonsense than I would.

  • http://rewrite.name/ a2h

    Perhaps I and others overread the “jail” part of bars’ comment, but “jail” *is* jail (even if you say it won’t happen, after “liking” his comment), and nothing changes that. As well as that, seeing threats of even getting the FBI involved (whether this falls in their jurisdiction or not) does somewhat imply very harsh consequences.

  • http://www.chadkeck.com Chad Keck

    Why would I want to be in their shoes? Even if I was, I would not make a public stunt out of finding this exploit, especially in the manner which they did. One thing I’m noticing is that people keep looking past the countless marathon days these guys had to pull off to secure and bring back up thousands of site deployments. This is not a game, it did ‘hurt’ and affect many. This doesn’t mean the PHPFog team didn’t make mistakes, they obviously did and have openly admitted to them, but it does not make the CRIME any less severe.

    You are digging yourself into a deep hole here…in the end, what was really harmed if:

    - I drive drunk
    - I steal some items from a store
    - I vandalize someone’s personal property
    - etc, etc, etc

    Age does not make this ok. They are 16, not 6 and they DO understand which is why they had such a change of heart later (doesn’t change the situation though). If you still think they don’t, slap the parents with the lawsuit for not properly educating their kids and letting them think this type of behavior is acceptable. And an actual lawsuit or not, all I’m saying is they need to take away a damn good lesson from this and a wrist slap and stern talking to is NOT going to do the trick.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    What company wants to hire an IT technician who has a criminal record which involves black-hat hacking? If phpfog proceeds with this lawsuit, this will be stuck with them forever. In reality, what harm was done? Nothing more should be done than banning them from phpfog’s service, and proper notification of their parents.

  • http://www.chadkeck.com Chad Keck

    I only say it won’t happen because typically with minors (and assuming this is a first offense) I believe this is somewhat rare, but someone please correct me if I’m wrong.

    FBI seems a little much I would agree, but who knows what else is going on. Are they investigating IP theft? I would say the question about whether or not they actually deleted all of this is valid don’t you think? What would you do if someone stole your IP and said they deleted it? Would you believe them 100% after what they did?

  • http://twitter.com/IsaKft Isa K

    … “a small mistake”? Sorry but this is not 1995. White hat standards have been around for a long time, any tech enthusiast should know them.

    What these supposed ambitious kids and their defenders seem to miss is that they hurt a lot of people ALSO passionate about computers, many of us WITHOUT $1 million in venture cap funding to be jealous of. They damaged the financial investments of a lot of people ALSO ambitious, ALSO with promising careers and bright futures. Why exactly should they get to avoid taking responsibility for what they knowingly and willingly did while the rest of us who broke no laws BTW and who spent hours coding and developing have to bear the consequences alone?

    That’s baloney.

  • Guest

    You’d really destroy a family for this? What, less than 24 hours of downtime and not much else is what happened to customers of phpFog. And you’d destroy a family for it?

    You are one of the most heartless persons I have ever met.

  • http://steamcommunity.com/id/Starpluck/ Starpluck

    Justice will prevail.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    I’m not saying they did nothing wrong, it’s obvious that they did. To take one of your examples, what they did is closer to having a glass of wine, and then deciding that driving would be a bad idea. They took the first steps, but they didn’t do anything that is mortally harmful.

    I think they do deserve some form of punishment, but putting this matter into legal hands is not the way to go. By bringing this to court, you are effectively ruining these kids’ lives. They’re 16, and both still live with their parents. If they are fully compliant with phpfog, which they have been so far, the matter should stay out of court.

  • http://rewrite.name/ a2h

    “They knew the risks”.

    Do people binge drink because they know the risks? Do smokers smoke because they know the risks? Do people taking drugs take them because they know the risks?

  • http://twitter.com/IsaKft Isa K

    People who think nothing was harmed know nothing about developing an app. When you’re competing for users 2-3 days of downtime is DEATH. And that’s what happened. The service had to be completely shutdown so that every inch of phpfog could be checked for malicious code because the people in question only wanted to play the white hat game after they had been caught. It would have been completely irresponsible of phpfog NOT to shutdown, there was no reason to believe the promises that nothing more had been done.

    If they had played this responsibly from the beginning service for phpfog users probably would not have been disrupted and they would have gotten the street cred from the community they so badly crave. But they didn’t. I don’t necessarily want to see them go to jail, but you can’t have it both ways. You can’t say “I’m smart enough to challenge the adults!!” and then cry “I’m only 16!!” when things don’t go your way.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    Business is business. Small mistakes don’t go unnoticed, and if you’re going to allow something to slide, even if for a short amount of time, you better be damn sure you’re ready to risk your company’s reputation in the off case it does go wrong.

    Think about Toyota, people were claiming that a mechanical failure was leading to unresponsive brakes. This undoubtedly hurt Toyota’s reputation. However, it was how they reacted which got a lot of that broken reputation back. No doubt, phpfog made a very prompt, and a very wise reaction. They took everything down to secure the data, and fixed the issues.

    I may have come off on the wrong foot, but I don’t think they should be let off with no punishment, I just don’t believe this should go to court.

  • http://www.chadkeck.com Chad Keck

    Heartless? Wow, if you knew me you would know just how far off the mark you are.

    Please explain to me how a lawsuit or even simply punishing these boys with probation, or even stern community service as I stated above is destroying a family. I’d really like to hear this.

    Do you think other families don’t go through situations similar in nature for other crimes their children commit? Or really really bad behavior?

    Heartless would be letting these boys get off scot-free. This sets a bad precedent and does not prepare them in any way for the REAL WORLD.

    Also, tell me what is so bad about any of the punishments I’ve called out. And use your real name while you’re at it. Stand up for what you believe in.

  • Chris

    Did the PHP Fog guys make a couple mistakes? Yes. Did they go through the humiliation of having those mistakes exploited? Yes. Did they learn from their mistakes? It would appear so.

    So, did those teenagers make a mistake? Yes. Did they suffer the consequences of their mistake? Not yet. Should they? Yes.

    They are minors who showed remorse and regret for the crime they committed; if it goes to court, they would get off fairly easy unless they are tried as adults for some reason. PHP Fog learned a very, very valuable lesson, the sting of being hacked and humiliated, and they have taken it very well. Why should the perpetrators be robbed of an equally valuable lesson that would hopefully keep them from doing it again? It would be unfair to both parties.

    PHP Fog deserves some credit, I don’t think I have ever seen a company lay out their flaws and weaknesses so blatantly and honestly. They made some very common mistakes that many other companies make as well, but they don’t tell their users exactly what happened and exactly what they are doing to correct it. If anyone thinks they are a bunch of blubbering fools for making the mistakes, look up Operation Aurora. Companies with much much higher funding have been hacked as well, like HBGary, Google, Adobe, Juniper, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical and so many more.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    Heartless is a very strong word, and doesn’t properly describe Chad Keck. Like everyone, he is biased. Just like I’m talking out of concern for John and Elliot, he’s talking out of concern for the phpfog developers.

  • http://rewrite.name/ a2h

    I’m on the side of people who don’t support ruining lives of teenagers who make ridiculous mistakes like this. However, that doesn’t mean I support the idea of them being completely absolved of any responsibility of actions at all.

    Even so, what’s with this idea that anyone and everyone does things knowing the consequences? Who binge drinks, takes drugs, because they know it can possibly kill them? Smokes to get cancer? Does what’s been done to PHP Fog to possibly get the FBI, an extradition, jail sentence, criminal record on them, when they are still a minor, haven’t done any form of tertiary education, been in the workforce at all?

  • http://www.chadkeck.com Chad Keck

    I think we will have to agree to disagree at some level here. I would say it was more like them drinking that wine and going for a joyride, side swiping a few cars and knocking down some mailboxes while at it. Did they run over anyone? Maybe not, but damage was done that others will have to clean up. Was it the car owners fault for parking their car a few inches too far off the curb? You can certainly say that…but it is a long stretch. They shouldn’t have been doing it to begin with.

    Let me ask you this — how would you ensure they learned their lesson if the punishment isn’t mandated?

    Also, I’m all for them working this out outside of the legal system, that is always an option. As someone in their shoes I would just want to know they TRULY learned their lesson.

  • Brett

    I think you’ve forgotten what it’s like to be their age. Sure, they’re 16, fully capable, and aware and in control of their actions, but being hotheaded young teenagers, they probably didn’t fully consider the implications for the employees and customers of PHPfog.

    Sure they’re definitely aware and in control of their actions, but at sixteen, I’m not sure people are always mature enough to see the far reaching implications a careless choice can have. I’m not saying this absolves them of what they’ve done, hopefully now that the

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    I have to say that this is the equilibrium, because I completely agree with your post.

  • http://www.chadkeck.com Chad Keck

    Well said Nicholas and thank you. Everyone tends to have a bias in situations like these often times due to life experiences one way or the other.

    I absolutely understand where others are coming from in regards to the teenagers at question. What concerns me most is worrying that they don’t learn a proper lesson from this situation that keeps them from making another mistake like this somewhere later in life. Everyone makes mistakes but some are certainly of different magnitudes and are things you never want to repeat.

  • Sam

    A thing to note (I do agree with everything you’ve said) — if you read their forum posts and postings here and on their personal websites, they come off as unapologetic and self-righteous. With this in mind, I personally don’t think they deserve just a slap on the wrist.

    Now I’m not saying they should do hard time or anything like that, but they seriously need to be taught a lesson in humility. It’s not okay to cause others great discomfort and then not apologize.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    Of course they’re coming off as unapologetic and self-righteous, they’re scared teenagers. They know they fucked up big time, and they are afraid of consequences.

  • Jay

    Crimes are met with their due punishment. Also, what you think of as less than 24 hours of downtime is clearly stated above as 4 days without sleep. What happened here was irreparable damage to a company’s name, as well as a distinct lack of remorse from the perpetrators.

    Were their attitudes more in check, you might have more basis for your claim. However, just look at their forum posts and personal web sites.

    From http://elliotspeck.com/phpfog.html:
    “I know a number of people have actually registered (or intend to register, registration is closed) for phpFog since the incident thanks to the attention drawn to it by myself.”

    Is that supposed to make things better?

    “…going to press charges against me and the other two. Personally, I think that’s ridiculous. What can they get out of two sixteen year olds? Besides, I gave them everything back…”

    Unapologetic.

    “I have many many connections and friends.”

    I hope one of them is a lawyer.

  • Jay

    “PHPFog is LUCKY to have this happen.”

    I’m pretty certain that others will agree — this is categorically untrue. No company wants irreparable harm done to their brand. Which is what happened.

    If you know anything about tech, you’ll realize that the kids are unskilled — script kiddy level with a little creativity. How does that help in building out a web service? It doesn’t. Hiring is not an option.

    If you know anything about law, you’ll realize that they won’t get 40-70 years. They’re minors. Also, if they show remorse they will get off lightly. But what you see in their writings and so on are not indicative of remorse by any means.

    There are consequences to actions, period.

  • http://profiles.google.com/zomg.rawr.zomg Luke ~

    “Yeah we knew about the security holes but we went live anyway”

    Security should be your number ONE priority.

    You failed, and were dealt a blow accordingly (from two teenagers, mind you)

    You could have been dealt a much larger blow, instead of harassing these kids, take it on the nose and ensure it doesn’t happen again.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    I have to thank you as well, in most cases, the other party in an argument would typically resort to unjustified or unproven facts, and/or personal attacks to force an opinion they barely understand. I have seen a lot of comments blindly back up phpfog 100% with little or no regard to how this will affect John and Elliot in the end.

    You have consistently replied with an open mind, and your points have been well supported. There needs to be more people like this.

  • http://rewrite.name/ a2h

    Well, I have stated I do agree with punishment, so in that scenario I would agree with punishment… as appropriate. In my opinion, there needs to be context to make a decision, both in what was done, damages, the perpetrators and their backgrounds. Unless you’re referring to this situation? I don’t think anything was deleted.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    Going to quote myself here, as I’ve said this all before.

    Business is business. Small mistakes don’t go unnoticed, and if you’re going to allow something to slide, even if for a short amount of time, you better be damn sure you’re ready to risk your company’s reputation in the off case it does go wrong.

    Think about Toyota, people were claiming that a mechanical failure was leading to unresponsive brakes. This undoubtedly hurt Toyota’s reputation. However, it was how they reacted which got a lot of that broken reputation back. No doubt, phpfog made a very prompt, and a very wise reaction. They took everything down to secure the data, and fixed the issues.

    Of course they’re coming off as unapologetic and self-righteous, they’re scared teenagers. They know they fucked up big time, and they are afraid of consequences.

  • Sam

    So are you saying that being teenagers can excuse them from both the crime and the lack of remorse? I could buy the first, but the second can’t be right. In a just system, they must be held accountable for what they’ve done. Perhaps not in court, but in some way.

    Also, since you don’t think they should go to court, what alternatives are there to making sure that they’ve paid their dues?

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    I never said that being teenagers should get them completely off the hook, they do deserve some level of punishment. I was simply stating the nature of teens is to retreat when confronted. They did something wrong, and are afraid. I’m not asking you to excuse their unapologetic response, but allow you to have a certain level of understanding as to why they have that reaction.

    In all honesty, I don’t think I would be able to come up with an adequate form of punishment, and I choose to let that be a compromise between phpfog and John/Elliot.

  • Sam

    I think we can assume that 16 year olds doing black hat hacking and using language like “a whore’s vagina” aren’t going to get much discipline from their parents.

    What they did was black hat hacking. If it goes on their record, well that’s what they did. It’ll be up to them to explain it to their employer in the future, and if they lose a job opportunity because of it, that’s the consequence of their actions now. Actions have consequences, and that’s fair by law. The court system exists to deal with such issues.

    The thing I agree with you on is that sometimes court resolutions can be heavy-handed. However, that is not a problem on the part of PHPFog; that’s a problem with the court system. For any justice to be executed, I don’t see any other way than for this to go to court.

    And again, their lack of remorse makes the situation very different from if they showed themselves to be apologetic. It’s not a simple lack of remorse or simple defensiveness — read compwhizii’s forum posts. He has a blatant disregard for his actions. Elliot even thinks he’s done something that helps PHPFog. They need to know that what they did was certainly the opposite.

  • Guest

    So it wouldn’t have been a big deal for random people to get into your Gmail account while it was in BETA for 5 years?

    I think these kids should go to jail and learn a lesson, but your explanation of BETA is lame.

  • Sam

    IANAL, but they might benefit from arbitration, which I think might be the only alternative to court. I’m guessing the FBI were involved because they’re the agency with country-wide jurisdiction with regards to the internet. I mean, they’re the dudes who bust torrent sites and pirates.

  • Sam

    On second thought, I remembered that disputes like this can alternatively be settled through arbitration. That might be the best route in this case, and PHPFog might be able to exact justice (community service, monetary damages, etc) without staining their lives with a police record. However, if they are as unapologetic as they’ve so far shown themselves to be, I wouldn’t fault PHPFog for taking them to court.

  • PieClock

    You seem to forget the fact that these kids have a full life ahead of them. Because of a mistake on their part that DID NOT harm anyone, but in the end actually helped, you’re up for support on giving them a criminal record and crippling them for the rest of their lives. You sir are an idiot no harm to you. They’ve surely learned their lesson because I’m sure they’re all scared as hell.

  • Heh

    Better than someone coming along using the same exploits and deleting everything.

  • Jay

    “Of course they’re coming off as unapologetic and self-righteous, they’re scared teenagers. They know they fucked up big time, and they are afraid of consequences.”

    You’re excusing their attitude with the fact that they’re teenagers. That is unacceptable, and you should know better. That sentence doesn’t say anything.

    Whatever consequences PHPFog has faced/will face is now set in stone. But when you leave your home’s door unlocked, it still doesn’t mean that a robber is allowed to walk in, share your secrets with the world, and get away unscathed. There are laws for breaking and entering, and consequences. They must face justice.

    They also distributed intellectual property. That’s directly causing damage. That’s a crime, and nothing less. People breaking and entering is not a catastrophic act of god or act of nature. It is premeditated criminal activity.

  • Jay

    Note: it was these two teenagers that “dealt a blow.”

    That spells premeditated CRIME. Distribution of intellectual property. CRIME.

    Being 16 and stupid doesn’t get you off the hook for killing someone, for stealing something, or any other crime. Causing irreparable damage to people should result in justice served, period.

    This isn’t an act of nature. This is criminal activity followed by arrogant bragging and lack of remorse. They deserve punishment and that’s indisputable.

  • Defers

    If script kiddies can hack the site then what does it show? To me it shows that phpfog should not have been running the service if script kiddies could gain the access they could. They need to take more blame as they obviously weren’t ready to launch beta

  • Fsffesf

    Oh no they lost 3 days! Let’s press charges and ruin 3 kids’ whole LIVES.

  • Sam

    Distributing the company’s IP didn’t harm anyone? Why don’t you spend your heart and soul building something, let me kick it over, laugh at you, be unapologetic, watch you scurry about setting things straight for days, and then go unscathed?

    They “helped?” Don’t kid yourself. Reporting in confidentiality a security exploit is helping. Black hat hacking is NOT helping.

    Read
    http://elliotspeck.com/phpfog.html
    http://www.facepunch.com/threads/1071855-A-member-of-Facepunch-may-cause-me-to-be-sued?s=47a611ecb8802bf0e13aa3a14682a831
    http://www.facepunch.com/threads/1071855-A-member-of-Facepunch-may-cause-me-to-be-sued?p=28754506&highlight=#post28754506

    Scared? “I have many many friends and connections.” “Note I’m not looking for sympathy” “people have actually registered (or intend to register, registration is closed) for phpFog since the incident thanks to the attention drawn to it by myself.”

    And there we go with the personal attack. I’m an idiot, no harm to myself, okay. I’m not the one who’s in a pickle, I’m just tellin’ it as it is.

  • Sam

    I’m sure everyone understands that they’re scared, but that is a straw man in that it doesn’t matter. They ought to be scared. What matters is whether they’re apologetic, and from what they write, they’re not. There is no remorse, and that’s not acceptable, I’m sure we agree.

    We agree that punishment is up to arbitration in the fairest case, but where we might differ is that I wouldn’t blame PHPFog for pursuing court action. It’s their ballgame. There will be no said “compromise” between them and John/Elliot, as it’s up to PHPFog to come up with a fair punishment now. John/Elliot have but to sit and take what they get. Unfortunate I’m sure we agree, but the truth.

  • Jay

    False dichotomy. Their choices were not “delete or do what they did,” but rather, “do the right thing and report in confidentiality, or do what they did.”

    They chose wrong.

  • Sam

    Would you say the same if they committed any other crime?

    If you’re saying “they didn’t hurt anyone,” your view of this thing is very skewed. You have to understand what it means to take someone’s days, weeks, months of work and then distribute that proprietary IP throughout the internet. They have full lives ahead of them: so do the people that they’ve hurt. You don’t hurt someone and just get away with it, and you don’t demand forgiveness especially while being unapologetic, which appears to be their current attitude.

    I’m not saying the sometimes overbearing hand of the court system is necessarily the answer, but I’m saying they need to be sorry, and they need to learn their lesson. How that will be determined is up to PHPFog since they have all the legal leverage now.

  • jwdunne

    Yes, people know the risks behind that. With that said, if someone comes along and murders a drug addict via a heroin overdose, it’s still a major crime.

  • Pedro

    Why is the attackers’ blame even into question? This doesn’t make any sense.

  • Jay

    They have a problem to deal with, yeah.

    You as a person would not use their service because you seem to think they were irresponsible. That’s fair, nobody says you have to.

    You’d like for them to take more responsibility for what happened (I think that’s what you mean by “take more blame”) — sure. Even I think they used some of that dodgy “timing” wording and whatever. I don’t think it’s disingenuous but if you feel that way, it’s understandable.

    My question is, why is this in reply to what I’ve written? The discussion in this thread was:

    1) Was this debacle good for PHPFog?
    No. It hurt the people running the company very much, and if you believe otherwise you should learn a little about what it means to start a company. Also learn a little about what distribution of all the intellectual property at a company means. This isn’t a case where nobody was hurt. PHPFog was very much hurt by this, and to say that “they left their door open” is no excuse for walking into their house and destroying things of value. Yes, intellectual property is something of value. Someone’s hopes and dreams are things of value. Someone’s means of making a living is something of value.

    2) Should the perpetrators be punished?
    Yes. What they did was criminal and not excusable. Age is not an excuse. Ignorance is obviously not the case, and not an excuse. And remorse is not present, and is all the more reason they need to learn their lesson. Fact is, they did something criminal.

    3) Should the perpetrators do time in jail?
    General Consensus: Hopefully not, we’re all civilized and level-headed people around here, but they need to learn their lesson and show remorse, and clearly that should go beyond a slap on the wrist from what appears to be negligent parents.

    The thing that bothers me most is when people say “they have a full life ahead of them,” without failing to consider the lives they just impacted very negatively. The implications of their actions go beyond a surface-level interpretation. You can’t just look at PHPFog and say “oh they’re a company,” — there’s real people who work there too and who also have families, children that may just as well be affected because of the moronic actions taken by these teenagers. To claim full knowledge of the extent of the damages that were done to this company is arrogant and just as cold as saying that the kids deserve 40 years of hard time. There has to be equitable justice here.

    PHPFog has owned up and is dealing with its consequences now. The teens have *not* had consequences, have *not* owned up to the fact that their actions were wrong plain and simple — and that right there is injustice.

  • Jay

    If I ran a restaurant with a secret recipe, and you stole my recipe and gave it away, would I be wrong to press charges? Now I’m at risk of going out of business. What if my restaurant is how I feed my kids? How is it that my life can get ruined, but not the people who hurt me?

    That’s not fair, is it?

  • http://www.chadkeck.com Chad Keck

    No, it is Google’s use of the term BETA that is lame. This is precisely why I do not use Gmail as my primary email service.

    Thanks for making my point.

  • Jordi33

    I think you shouldn’t charge the kids. He didn’t destroy anything, he told you the truth, he told you how he broke into your servers. You can scare him a little bit, but if you make him go to jail you can destroy his life. Don’t do it. Remember he wasn’t destructive and he helped because he felt sorry, but I guess you don’t care about other people’s lives. You Americans are very cruel…

  • Jordi33

    You are very cruel with these kids. They are 16 years old! There are kids that age that beat other people, that burn houses, that steal and cause real damage. They didn’t do that, they talked to you, didn’t delete anything.
    You are cruel, and seeing that you are Chinese I guess you have learnt the cruel part from the Americans (guns, death penalty, etc…) and from the Chinese, who are more or less the same (remember the milk case in China?).
    The two cultures are known in the rest of the world for being cruel, and you are just like that. Learn to have feelings and empathy, animal.

  • Jordi33

    Everyone should remember this if they destroy the two teenagers’ lives: PHPFOG IS CRUEL.

  • Jordi33

    No, we can do like in the United States: shoot them because they are at your house. Crazy Americans…

  • http://twitter.com/rossmasters Ross Masters

    Ignore this troll, I doubt he’s even read the article. Well written and a solid explanation, bounce back!

  • Anonymous

    I’m sorry Lucas. I’ve gone through this and it feels like death. It feels like the work is never done and that you are forgetting to secure something so the work is pointless. Anyway PWN!!

  • http://profiles.google.com/andreas.kadenbach Andreas Kadenbach

    I was impressed by how open and mature phpfog reacted on this matter. Nonetheless it would be a refreshing change of attitude towards these kids/”hackers”/dunnohats if the FBI or other authorities would be the last way to go. Of course I can imagine (having been there myself) that you feel obliged to do what’s best for the company. But suing 16 year olds won’t do that. It will, maybe, even encourage others to do the same.
    Without these kids your site would (maybe) still be prone to attacks of that kind.

  • http://sigzero.myopenid.com/ Robert

    Stop touting the line that they are “just 16 year olds”. They knew better. They should be held responsible for their actions.

  • Afed

    Next time you’ll be owned by preteens. Thus always to php users.

  • Nnn

    pathetic

  • Nicholas Travis

    Do you have any mental issue that you are aware of? This comment, as well as the others where you call Sam an “idiot” and an “animal”, seems either infantile or mentally challenged. In both of the cases you sound depressingly immature and maybe it would have been for the best if you hadn’t commented at all.

  • http://www.facebook.com/gravastar Chris McCreadie

    My brain got to that conclusion very simply. I invest in people not technology. The technology can / should and will be updated and replaced constantly. Good people with integrity, they are hard to find.

  • Jonas

    “Bad timing”? Oh, how unfortunate. It had nothing to do with you launching a completely insecure service and keeping your fingers crossed no one would exploit it until you perhaps some time in the future had the time to build a proper service?

    It was just bad timing that got your twitter credentials stolen as well then?

    Yeah, I trust you a lot when you say that you’ve researched the matter and this guy didn’t touch any other files. Liars.

  • http://www.jagdesignideas.com Joel Glovier

    Wow Lucas, I admire the grace with which you interacted with that kid. It certainly shows maturity on your part, and surely helped you get to the resolution more expediently.

    Also appreciate and admire how you’ve responded so quickly to all of this, made multitude levels of adjustments to prevent future attack, and shared so transparently with your user base what’s going on.

    Kudos.

  • Sanchezis2010

    Hacker hacks myspace. myspace presses charges. Myspace fails.
    Hacker hacks Facebook. Fb hires them. Fb is now fb.

  • Anonymous

    I add you guys points for your honesty with this.
    But now I am also definitely sure that I will never use your service for a real application. Sorry but, source code with system passwords just laying on the server?

    Thank you, Elliot for showing us how crappy PhpFog is.

  • Rob

    As a complete neutral, I can’t see how the company’s reputation was damaged any more than deserved. You simply do not run a service while leaving backdoors like that non-governed failover system and features with known risks because one day the holes will line up. These kids have possibly prevented something far worse from happening if someone with genuinely evil intentions had been left to run riot. Pursuing a couple of kids via the FBI would merely compound the reputational damage imho.

  • Rob

    Just a small thing – it’s not breaking and entering if you left your back door open.

  • James

    Where’s the part where you contact law enforcement?

  • http://twitter.com/dprvig Josh Miller

    That’s called trespassing. :P

  • http://twitter.com/mckasty Mike McKasty

    I think I’m actually more likely to use PHPFog knowing they’ve been burned like this, and put that much additional time into security.

  • X711Li

    Keep in mind that the source code, although deleted, was still distributed, despite it being proprietary software.

  • wm

    You’ve probably never experienced that kind of kick or seen what it does to otherwise perfectly reasonable and caring adults. There is nothing that lets you perceive cruelty towards human beings or other obvious harms that would inhibit further action and prevent you from going bonkers. You don’t need instruments to see the physiological effects for a few hours and in addition at the age of 16 there’s usually lots of hormonal stress anyway. THIS is bad timing!

    I don’t see Elliot doing such a thing again, now that he knows in what dangerous state of mind you end up. What do you want to do? Force those kids into company with criminals and start a black hat career or save a potential white hat?

    Also, if you’re running a public service, you have to defend against the attack vectors you don’t know. Those that you’re aware of are going to blow up right in your face.

  • Ax

    FBI gets involved because that’s who has jurisdiction over this type of crime in the US. (Multi-state, etc.) The FBI is just the national police force, not really anything more than that.

    If you don’t like the punishment for breaking a law, it’s really not appropriate to hassle those affected by criminals breaking said law. You should go to your elected officials and tell them. In a representative democracy, it’s not PHPFog’s responsibility to mete out justice; that’s why we have a legal system. PHPFog’s responsibility is to a) report the crime and b) assist the investigation where possible. Leave it to the judicial system to adjust for the kids’ ages, specific backgrounds, prior records, etc. PHPFog doesn’t have access to that data, and THEY AREN’T JUDGES so leave it to the pros. If you don’t like the results, call your senator. Minority kids get swept up in a callous legal system all the time, and nobody really cares about that.

    As to the costs of this, I see a real financial cost. 4 20-hour days x (let’s say) 5 people working @ $100/hr = $10,000 worth of labor to get the platform back up. Who’s going to reimburse PHPFog for that?

  • Sam

    Thanks for being racist. Being Chinese makes me a baby-killer who puts melamine in milk. Uh huh. Being American makes me supportive of guns and the death penalty. Right.

    I don’t think that anything I’ve said is off-base or cruel. I don’t want them to do unjust time in jail any more than the general consensus on these threads here. If you read anything else I’ve commented on I make my position very clear: they need to know that what they’ve done is wrong. That is all.

  • http://www.chadkeck.com Chad Keck

    Well said

  • http://twitter.com/Fluve Fluve

    It’s funny how you’re complaining so much, and saying you would have fixed all these flaws ‘days’ after this had happened, seems all so odd that it just happened then.

    If anything this helped you, as said, did you really want someone else coming onto your server and wiping everything? They gave you your passwords back, they TOLD you what they did, to help you fix it, and in you come trying to be the ‘big’ man and talking about reporting them to the FBI.

    You had some horrible security on your system, blame yourself, not some teenagers.

  • Brian

    Did you really just compare hacking to murder?

    Also “lack of remorse”….did you even read the post? Doubtful because their actions do not show their intent was malice, otherwise they could have done some serious damage. Glad that 5 other people “like” your ignorance though.

  • Jay

    I’m starting to think there are a few people here who are just John or Elliot posting over and over. “Don’t be cruel, I’m just 16, don’t ruin someone’s life.”

    Read the rest of the comments, because this point is addressed over and over.

    Also, google “blaming the victim.”

  • Brian

    Why should anyone stop touting that, it’s a very important part of this case. Minors are not treated the same as adults in the court of law and there is a reason for that. They are not yet fully aware of the implications of their actions. Sure, they knew this is wrong, but do you honestly think they knew they could be sent to jail? I doubt it.

    If this same attack was carried out by a 30 year old, I would expect him to understand the potential repercussions, but I can not say the same for a teenager who has 1/3 the life experience. What they did was wrong and they should have some form of minor punishment but it should be relevant to their age and the circumstances.

  • http://twitter.com/IsaKft Isa K

    First, I’m tired of the dramatics about what the punishment is going to be. First time offenders of this type of crime do not get sent to maximum security with rapists and murderers. They get a criminal record and a sentence served entirely on probation usually with their parents. So this whole “OMG It will ruin their future forever!!!!11″ stuff is not persuasive.

    And even if it was an accurate reflection of what is likely to happen… look, people seem to have this idea that a happy, productive future is the default state that everyone will achieve as long as no one interferes and takes it away. No one is guaranteed a future with financial security, loving family and a great career. Your future is the sum of your decisions, if you make crappy decisions you get a crappy future.

    When I was 14 years old I discovered a security hole that allowed me to completely reset the parental controls my poor computer programming father had setup and gain open access to the internet. A year later I hacked into the network at school to play Tetris during class … I know what it’s like to be young and play and explore. But this wasn’t innocent playing and exploring, these kids were not motivated by curiosity and fun, they were motivated by entitlement and an obvious belief that the rules do not apply to them. How dare someone else get attention, praise and VC money! Let’s hack it so people see how pathetic they are and how awesome we are.

    So, yeah, I’m sorry. I really don’t see how saying to these kids “oh yes, the rules don’t apply to you. You’re totally right, we completely deserved it” is going to help show them the RIGHT way to behave.

  • Anonymous

    Phpfog sure has technical responsibility for their security holes. I think the measures they are taking to fix them are appropriate.

    However, the use and abuse of those (redirecting to other servers, twitter account use, and so on) are definitively *not* their fault. No one pointed a gun to those guys’ heads and forced them to hijack Phpfog’s twitter account.

    “You failed, and were dealt a blow accordingly”

    You say “blow” as if it was a “rightful” act. That’s utter nonsense, and as logically-backwards as it can be.

    It is my duty to be vigilant when I drive my car. However, if I have a lapse in concentration, and you detect it, stomp my car with yours, drive me out of the highway and kill me, that doesn’t make it “right” or “deserved”. It is wrong, hideous and punishable.

    For that matter, it would still be wrong even if I was a drunk driver using my cellphone.

    The only “rightful” thing these two teenagers could have done after detecting the fault would be informing Phpfog about them – the security equivalent of honking their klaxons.

    Once they started changing pages, updating twitter, etc and being assholes in general they crossed the line.

    The fact that there are people out there that can grasp complex technical details and somehow seem oblivious to these basic ethical notions is worrying.

  • Jay

    Everyone knows PHPFog messed up, including themselves. That’s what the blog post is about. To say they “deserved” this is pretty cold. Nobody deserves to be treated this way.

    Your POV is not neutral. You may not care what the outcome is, but your words make it sound like “oh they didn’t do anything that bad, don’t call the cops, it’s really their fault for not locking their doors anyway”

    The perpetrators of this debacle have NOT prevented anything or helped anyone in any way. They have committed multiple crimes. They’ve damaged people’s lives — this isn’t a one-way “we didn’t hurt anyone” situation. They need to be punished. There’s a right and wrong way to do things: reporting things in confidentiality is the right way. The wrong way is to distribute a company’s IP, damaging the livelihood of people and their families. Who’s being inhumane? From everything we’ve seen so far, PHPFog has been more gracious than these kids deserve. The lack of remorse from the perps is astounding.

    It’s possible that some who can’t fully understand the damage that they’ve done will look upon PHPFog negatively for seeking justice, but I don’t think it’s fair to be angry at PHPFog for pursuing any avenue of justice at this point. They’ve just had their lives trampled upon by a bunch of unrepentant morons.

    You’re probably right that charges would do some level of reputational damage to PHPFog, but damage has been done already. At this point they have every right to do what is necessary to make these criminals pay their dues. And given their snide attitudes and arrogant remarks, personally I wouldn’t blame PHPFog for pressing charges. For the teens’ sake, hopefully they don’t — hopefully they see this possibility and apologize profusely, like they ought to.

  • Anonymous

    If two 16-year-olds gave you a beating and sent you to a hospital, how would you feel if they told you “hey, the flight you were going to take next week? It might crash, those kids might have saved your life”. Would you still feel that pursuing them would merely compound the reputational damage?

  • Jay

    No, RTFC. I simply stated that hacking is a crime, and that what they’ve done DOES have negative repercussions to people besides themselves. They’ve hurt people’s lives and need to be punished.

    Now go read their forum and website postings, and see if you see remorse in them.

  • Anonymous

    16 years old is more than enough to know where the limits are. Unless we are talking about people with some kind of mental disease or inability. Which doesn’t apply to these people.

    Sam isn’t being cruel at all. If anything, he’s being a bit too fair in my opinion.

    You, on the other hand, are being racist and xenophobic.

  • Jay

    “So, yeah, I’m sorry. I really don’t see how saying to these kids “oh yes, the rules don’t apply to you. You’re totally right, we completely deserved it” is going to help show them the RIGHT way to behave. ”

    Right on.

    Though, I must say that criminal courts do pursue maximum penalties. While I wouldn’t blame PHPFog for pressing charges I’d rather that they pursued some sort of arbitration path prior to full-on court charges. It’d be a civil thing to do, despite the fact that they were treated unfairly and without civility.

  • Anonymous

    Maybe people will remember that the two teenagers should have “learned to have feelings and some empathy” instead.

  • Anonymous

    Hey, be grateful that I just beat you, someone coming along could just have killed you instead.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    I have to mostly agree with this. They aren’t apologetic as they should be, but I’m trying to establish a sense of understanding as to why they may not be.

    I guess compromise wasn’t the correct term to use. I was more or less trying to think of a settlement that would satisfy phpfog without the need to take them to court.

    I’ve made a post on the forums they are both members of directed towards them. Hopefully they’ll take the advice, and improve their chances of getting this settled. If they choose to continue on the path they’ve set so far, then I will be understanding if phpfog does continue with the lawsuit.

  • Anonymous

    I’m starting to think that you are the same guy, entering the forum with different accounts. And then switching accounts and liking your own posts.

  • http://twitter.com/IsaKft Isa K

    Well by that reasoning: Lucas and the team could have tracked them down individually and garroted them with an ethernet cable, or posted their personal information on 4chan and inflicted months of torturous abuse and harassment. Why are you complaining? It could have been so much worse!

    If you’re willing to congratulate the hackers for breaching the system because it could have been worse, you should be equally willing to congratulate phpFog for reporting it, because they could have done so much worse in response and chose not to.

    See how your logic is bullshit now?

  • Anonymous

    I have little or no regard on how this will affect John and Elliot. That’s up to the judge.

  • Sam

    Nobody disagrees with you that their ultimate punishment should take into consideration their age. My own opinion has taken that into account. However, they do require punishment, and not something minor. What they did was not minor, and they’ve seriously hurt people. 20 years might be too much, but a criminal record isn’t, because what they’ve done is criminal.

    I’m pretty sure people know that black hat hacking will result in jail. If they didn’t know that, they were even more moronic than we’ve already made them out to be.

  • Anonymous

    By your logic, the teenagers will be LUCKY to be separated from their families, from whom they apparently can’t learn the basics of ethics.

  • Anonymous

    I would be sad that my child was a criminal.

  • Sam

    Thanks Nick, that’s a level-headed post you made there. Hopefully they realize that what they’ve done is wrong.

  • http://www.bilawal.co.uk/ Bilawal Hameed

    Are you saying regardless that these kids apologized to you that you are still going to destroy their lives? They even co-operated with you.

  • Ax

    …OR “let’s hack a website and ruin MY life” was what these kids should have thought. Don’t blame the victim.

  • Ax

    Maybe the kids broke in and then gave passwords back, etc. to help them fix it…once the kids realized they had committed federal crimes? Maybe the gravity of committing felonies hit them once they were in the act?

    In any case, the societally desired outcome of a case like this has been decided in the legislatures and courts over hundreds/thousands of prior similar cases, and this case isn’t actually all that special (unless you want to bet this is the first time a computer hacker has been 16?). So why reinvent the wheel? Use the template (aka laws) and the justice-compiler (the courts) and the debugger (penal system), if necessary?

  • Sam

    First of all, I’m not PHPFog. I’m just another software developer who happens to know what it means to get stomped on by some malicious skript kiddies.

    But they clearly haven’t shown remorse for their actions, and apologies don’t change the fact that they distributed private intellectual property. Sorry won’t un-destroy my priceless art that you walked into my house and wrecked. PHPFog has every right to press charges for that. The other idea is that charges will ruin their lives — they will have a black mark on their record but it’s deserved. As far as doing time in prison, they should be happy if they don’t feel the full extent of the law. PHPFog not pressing charges is not an obligation because they were wronged and wronged in a big way. It is within every right of the company to seek a just outcome.

  • Ksmith27

    Great job on this guys. And +10 for the transparency. It can be painful to do that, but the fact that you take responsibility for the screw up and make no excuses (but offer a complete explanation) is precisely what is needed to build trust with your customers.

    The folks that will throw out disparaging comments here are most likely a) people who have zero concept of what it takes to build a startup, b) people who have no idea what it takes to build a truly scalable and secure platform, c) people who would never even think of being this transparent if (God forbid) they ever made a big mistake, or d) all of the above.

    This shit will be a defining moment for your team that lays a foundation for success for years to come.

  • http://twitter.com/PatrickMandia Patrick Mandia

    The lack of accountability is a bit disconcerting, which makes buying into the service a much harder decision.

    “we were aware of the potential security threat behind post-deploy hooks and were about to disable them”

    “days away from replacing this server”

    I understand the service is in beta (alpha?) but putting the blame on timing is a bit ridiculous. What they did was wrong, but so is blaming your faults on timing.

  • http://profiles.google.com/berdon Austin Hanson

    Press charges. Not pressing charges would be ridiculous.

    “Oh no, I’m 16, you can’t be mean to me!”

  • Rpg

    You guys are mere script kiddies. Next time learn to cover your tracks.


  • Lol

    You guys are mere script kiddies. Next time learn to cover your tracks.


  • Mark

    $10,000 worth of labour that would have been done anyway. You need to subtract the amount of effort it would have taken to confidently secure the system if this hadn’t happened. And given that PHPFog have clearly learned from the experience, I suspect the job has been done better this way.

    (Also, is $100/hr really the going rate for a sysadmin round your parts? I might need to move.)

  • Mark

    When the crime is related to IP, security and trust, being honest and co-operative lessens the harm caused. This is highly unrelated to murder or theft.

  • Mark

    I love all the analogies you come up with. Do PHPFog run a restaurant? Are they at risk of going out of business because their twitter account was defaced? This phenomenon of bored teenagers discovering exploits is something unique to computing, and has very different dynamics to traditional punishment models.

    Consider the costs to both sides, and give the kids something to learn from. And bear in mind that costs of legal action would dwarf any costs from the last 4 days.

  • http://profiles.google.com/nys.deadeye Nicholas Anderson

    I assure you I am one and only, it would be pretty ridiculous, not to mention pathetic, for me to enter measures like that for an argument such as this one. I have never “liked” my own posts, as that doesn’t really matter. My only goal is to have everyone see the other side of all of this.

  • Anonymous

    Your system is a joke and you got what you deserved. Maybe if they had just told you, you wouldn’t have learned such a hard lesson.

    I don’t even know what phpfog does but from the name alone I can tell you are inept morons.

  • Anonymous

    Cornkits – spare us all the lecture on morality.

    If phpfog can’t even prevent simple exploits like this then who knows what adept systems crackers could have gotten away with. Quite simply – if you can’t secure your servers in this day and age – you deserve all you get.

    You’re right it’s not “play time”. So why the hell are you suggesting it’s acceptable to “play” when it comes to security? F***ing idiot. I bet you are yet another PHP idiot who hasn’t got a clue.

  • Sam

    What I think is the more pressing financial damage is the leak of intellectual property. The source dump allows anyone to create a PHPFog of their own.

  • Jay

    They have their intellectual property, basically the whole of the worth of their company, distributed across the internet. How do you imagine that damage can be undone?

    Not to mention the damage to their reputation. The issue isn’t whether they “would have been hacked anyway,” the issue is that hacking is WRONG. And real damage was done.

    I agree with the last statement you made, but I’m not sure you understand the costs on the side of PHPFog. As a software developer myself I empathize strongly with them. I can’t imagine what it’d be like to have everything that I’m passionate about destroyed by moronic teenagers who don’t give a damn about my feelings or how much hard work I had put into things. I would forgive them, had they proven to be truly repentant, and spared them a criminal record via dealings outside of the court. But I would still like reparations for the damage done monetarily, and in this case the perps make it goddamn hard to forgive. Their public statements are haughty, self-righteous, and refusing to take responsibility for what happened. There is no apology in that, and there ought to be.

  • Sam

    Your personal attack cornkits is childish and inane. Your writing is much like that of Jordi33 and PieClock. Are you the same person? Your inability to write with civility speaks to a childish attitude. Grow up.

    Quite simply, the argument going on here isn’t whether “PHPFog got what they deserved,” because nobody deserves to be treated the way they were treated by these hackers. If you think that anyone might deserve getting their lives trampled on, then you are a cold unfeeling person.

    Regardless of what they “deserved,” the issue here is that hacking is wrong, no arguing with that. Messing with peoples’ lives ought to result in a just punishment, and that’s what people are talking about here. The law, as heavy handed as it can be, agrees with this fact. Now all that’s left is for PHPFog to judge for themselves how they plan on doling out justice — they have every legal right to press charges, and they have every moral justification to seek reparation in some way or form.

    There are consequences to actions in life. PHPFog faced/continues to face theirs already. The kids need to own up.

  • Mark

    I can’t see that as a serious risk. The Windows source code is available through legitimate and illegitimate means, but Microsoft doesn’t worry about people creating their own copies of Windows. Besides, if I were to create a PHPFog of my own, I would implement it differently and open source it.

    The real issue is that they had access to the customer’s source code, but as far as I know, that was not leaked.

  • Mark

    Then you’ll agree it’s not about the code, but the customers. That’s why we’re called developers, and not engineers.

    Nothing was destroyed: a security boundary was breached, code leaked briefly and some childish defacement occurred. Some beta customers may leave, some may join, but an appropriate level of security has been implemented. And this has all happened during the beta period. Nothing to see here, move along, please.

  • Sam

    It’s clearly not the same thing, and what you would do isn’t indicative of what other people will do. Also if you know much about PHPFog, you realize that there are a lot of competitors in the same space. They’re still a startup — the codebase is relatively small and their IP is their competitive advantage. This hurts them in many ways — it can also affect their ability to further acquire funding.

    Thankfully the attackers had the sense not to make dumps of customer data.

    At any rate, the overall damage done to the company is not just a trivial calculation, and it shouldn’t be overlooked or made out to be smaller than it really is.

  • Jay

    Well the code serves the customers; they’re inseparably intertwined. I don’t understand what you’re trying to say regarding developers vs engineers? Software developer == Software engineer in my book.

    To say that nothing was destroyed is overlooking a lot — it’s what the attackers themselves are trying to say, and it’s gotta be made clear to them that this is untrue. They have to recognize that.

    Reputation and unique retention of intellectual property were both destroyed. The people who work for the company were hurt and will continue to be hurt by what transpired as a result of the hackers. You can’t say that what happened doesn’t matter — it’s only easy for you to say because you aren’t the one dealing with the mess.

    In the end, I think we agree that the hackers deserve to be punished. What we may not see eye to eye on is just how much damage was done and to what degree the hackers ought to be penalized as a result. I think it’s unfair to glaze over PHPFog’s suffering. What transpired here was criminal, harm-causing action, and to brush it off like a minor issue is unjust.

    I’m glad you like my analogies; PHPFog may not run a restaurant but in the example that recipe is an example of IP. It’s NOT okay to give away others’ IP. This isn’t different in any way, other than the fact that software code is several magnitudes more complicated than cooking recipes.

  • Mantor

    Don’t ruin their bright lives that they have ahead of them. They pointed out a security flaw in your servers and didn’t format everything like a real dick would have done. Some other cracker could have exploited that fault and could have done way worse things. You should smack the shit out of them then reward them.

  • qvc

    links to stuff if you missed it
    http://pastebin.com/zkvN4zF0
    http://min.us/ljEyGE

  • qvc

    here’s the forum post he made originally
    http://pastehtml.com/view/1drumpw.html

  • http://jackyalcine.co.cc Jacky Alcine

    Wow, you guys are so tight.

  • Guest

    Do smoking, taking drugs, or binge drinking involve hurting other people directly?

  • Bountyhunters

    You do the crime you do the TIME!
    How much has this cost the company and the people who built it in TIME & MONEY??

    Bounty Hunter’s

  • http://twitter.com/bananaranha bananaranha

    “Elliot and John (Charlie wasn’t really involved) are both 16 year olds who are very ambitious about computers, and have a very bright future. Like all kids, they made a small mistake.”

    A small mistake is dropping a tv set and breaking it, parking in a no-park zone, etc.

    This was not a mistake – it was deliberate and it had huge costs.

    Oh, and 16 year olds are even tried as adults in many cases…

  • http://twitter.com/bananaranha bananaranha

    “I’m on the side of people who don’t support ruining lives of teenagers who make ridiculous mistakes like this.”

    Who said to “ruin their lives”? Just hit ‘em with something like a $100,000 fine and they’ll think twice next time…

    As in, sorry, guys, no college for you….

  • http://twitter.com/bananaranha bananaranha

    So, if I leave my street viewing windows open, it’s ok for thugs to break into my house and break things?

    Really?

  • http://twitter.com/bananaranha bananaranha

    “Did you really just compare hacking to murder?”

    No. He EXPLICITLY SAID: “Being 16 and stupid doesn’t get you off the hook for killing someone, for stealing something, or any other crime. Causing irreparable damage to people should result in justice served, period.”

    It’s YOU who singled out “murder” in his argument, in order to confuse things.

  • http://twitter.com/bananaranha bananaranha

    Talk about backwards logic…

  • http://twitter.com/bananaranha bananaranha

    You are very cruel with these kids. They are 16 years old! There are kids that age that beat other people, that burn houses, that steal and cause real damage.

    And stealing IP property, hacking and closing temporarily the servers of an internet business is also “real damage”.

    Do you believe the internet is just some magical fairy land with no relation to reality and stuff that happens there affects no one because it’s all digital?

  • http://twitter.com/bananaranha bananaranha

    Spare the melodrama.

    “Destroy a family”?

    How about, hand them an appropriate fine for their CRIME?

  • http://twitter.com/bananaranha bananaranha

    “””When the crime is related to IP, security and trust, being honest and co-operative lessens the harm caused”””

    Huh? How does being honest and co-operative fix the IP theft?

  • http://twitter.com/bananaranha bananaranha

    “””While I usually dislike people cracking something, then posting about it just to prove a point, it seems to have worked this time :)”””

    Yes, and if someone breaks into your house and posts about it, that can also make you lock it better – invest in some new doors, window locks, alarms etc. It “worked”.

    But the burglary remains…

  • http://twitter.com/bananaranha bananaranha

    And if it was your child, still going to high school, who happened to use skills in an area they’re passionate in (cars), in

    stealing someone’s car,

    would you or would you not support charging them as a criminal, and sending them to jail (along with rapists, murderers and whatnot)?

  • http://twitter.com/bananaranha bananaranha

    “””Oh no they lost 3 days! Let’s press charges and ruin 3 kids whole LIFES.”””

    It’s “lives”.

    And 3 days can mean hundreds of millions of dollars in lost revenue for a company.

    (Imagine Amazon shutting down for 3 days).

    It’s not like they took 3 days of vacation.

  • http://twitter.com/bananaranha bananaranha

    “I love all the analogies you come up with.”

    But you don’t understand them.

    “””Do PHPFog run a restaurant?”””

    No, they run a website (another public facing service). That’s why it’s called an ANALOGY.

    And the “secret recipe” is the proprietary source code.

    “””Are they at risk of going out of business because their twitter account was defaced?”””

    Yes. Companies use their twitter account for keeping in touch with customers and potential customers.

    Oh, and you conveniently forgot the part about the IP theft and distribution, the rerooting of their website, the closing down of their service, etc.

    “””This phenomenon of bored teenagers discovering exploits is something unique to computing, and has very different dynamics to traditional punishment models.”””

    Says who? Surely not the law.

    “””Consider the costs to both sides, and give the kids something to learn from.”””

    A huge fine?

    “””And bear in mind that costs of legal action would dwarf any costs from the last 4 days.”””

    Not if the culprits are made to pay for it in fines…
