
This is deeply disturbing to me. I'm a participant in Facebook's whitehat program (http://facebook.com/whitehat) and have been awarded a cash prize several times. These accusations are things that I've either done, attempted to do, or succeeded in doing myself with the goal of getting paid for discovering a vulnerability.

>> downloading a computer program "to secure unauthorised access" to Facebook

Any basic security auditing tool falls into this category and this is something I've done all the time. Wish they would more clearly state what made his access unauthorized when my hacking attempts are welcomed.

>> attempting to hack into Facebook's "Mailman" server

I've attempted this too. It's a great target since it's 3rd party code, Facebook runs an out of date version, and some versions have publicly known vulnerabilities.

>> using PHP script to secure access to another Facebook server, dubbed "Phabricator"

I've attempted to do this and just yesterday was considering another attempt. It's a great target since it doesn't go through Facebook's normal release process, it's a large project, and it's open source.

>> sharing a PHP script intended to hack into that Facebook server

I've done this. Sometimes I need another set of experienced eyes to help me get a proof of concept working. Of course it was someone I trusted to keep my discovery confidential.

>> securing "repeated" access to another Facebook server.

I've done this too, both before and after Facebook announced their whitehat program. Before the program they thanked me and sent me swag, after introducing the whitehat program they started awarding me cash on prepaid debit cards.

I can only assume that this guy was prosecuted instead of thanked because he didn't tell Facebook promptly about his discoveries, or perhaps he used them to do something like stealing source code out of Phabricator (Facebook's code review tool). I wish the reporting of this did a better job of covering the details.



I've participated in the program as well (and I'm going to be interning with Facebook's Security team this summer). This incident doesn't worry me personally and I hope it doesn't worry anybody else. But if you want clarity, I think arice's comment sums up this particular situation very well:

http://news.ycombinator.com/item?id=3605343

> His attempt to access data was outside our whitehat guidelines, had clear malicious intent, and included extensive and destructive efforts to remain undiscovered and anonymous. In addition, he made no effort to contact Facebook with his discoveries, and even denied involvement when initially questioned. His attempt to claim he intended responsible disclosure only after faced with criminal action is false and insulting to the community of responsible security researchers.


Ah, that certainly clarifies it. Thanks!


Did you consider if you should have shared this admission of what probably amounts to criminal activity in USA?

The FB "whitehat" pages to my reading are in no way giving you a right to "security test" their servers. Their statement appears more like an amnesty, akin to "if you did happen to shoplift from Walmart and you choose to return the goods unspoilt, packaged and in saleable condition, then we won't prosecute you".

They also say, FWIW, that "Security bugs in third-party applications" are not included in the program; so that would rule out attempting to compromise Mailman.

Moreover they say "Security bugs in Facebook's corporate infrastructure" are ruled out from their program which to my mind rules out compromises on Phabricator - it's not a part of the publicly facing Facebook site but instead is a backend tool.

knock knock

If you were in the UK you'd be getting an extradition order for this based on recent history.


Facebook's Responsible Disclosure Policy applies to all Facebook properties. The exceptions you outlined specifically apply to our bounty program. Basically, we may not pay a cash reward for a security issue reported in Mailman (an open source tool), but we still appreciate the responsible disclosure and you absolutely shouldn't be worried about a lawsuit.



