Slashdot Mirror


Australian Police Database Lacked Root Password

Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"

6 of 214 comments

  1. It's still breaking and entering by rm999 · Score: 4, Interesting

    "Can you be charged with breaking and entering a house that has the door left wide open?"

    Nothing has to be "broken" during a breaking and entering. Not everything is so literal. As long as the person maliciously entered the system with the knowledge he didn't belong in there, it would be a virtual breaking and entering.

  2. Re:a legit hack by Anonymous Coward · Score: 1, Interesting

    They broke out of a honeypot,

    That's exactly what they want you to believe...

    Does the idea of a recursive honeypot sound entirely ridiculous? After breaking out of the first honeypot would most people not even contemplate this possibility?

  3. Re:Journalistic Beat-Up? by Capsaicin · Score: 2, Interesting

    If I'm reading that correctly, and they broke into a machine with poor security.

    On reflection I'm not reading it correctly. What this probably means is they arrested the owner, took over the physical box, and just left it running to see who was using it. But the point stands. Not their responsibility to fix up the villain's poor security. Indeed, if this is what happened, one might imagine that minimal-to-no interference with how the box was running would be an operational imperative.

    --
    Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke

  4. AU judges often don't have passwords on their PCs by wheels4me · Score: 4, Interesting

    The judges in AU are on a network that does not have a requirement that all users have passwords. Thus, many judges don't even password protect their PCs that are net-connected. It is no surprise that their db got hacked with the abysmal lack of security on the judicial network.

  5. Re:Even if unlocked still breaking and entering by Anonymous Coward · Score: 1, Interesting

    It's worth pointing out also - Under said Australian law - whoever did this is looking at about a 10 year sentence if caught. Probably more than that for interfering with an investigation as well.

    Australia got specific law regarding this very early - such that the judges and politicians who passed it were acting from a position of fear and doubt - and so said hacker would probably have gotten off easier if he'd just actually physically removed said computer.

    There are a lot of worse crimes which attract less harsh sentences - mostly because those deciding on the sentences understand the crime. And in the case of those laws, they didn't really "get" it when they framed the law. The understanding they had was purely intellectual - it had no emotional component, so they couldn't understand WHY someone might commit such a crime, and overreacted to create more of a deterrent to err on the safe side.

  6. Chain of Evidence ruined by Anonymous Coward · Score: 1, Interesting

    There is now a severe legal cloud hanging over whatever they purported to collect.

    The spokeswoman is an idiot - standalone systems, especially honeypots, are isolated with an airgap and designed to be accessed. A more correct comment would be "We are cross that evidential logs have been compromised".

    "The AFP has identified a person whom [sic] has attempted to access the stand-alone computer system and we are currently working with our law enforcement partners regarding this matter," the spokeswoman said."

    Any rational juror should question that oxymoron. Good luck proving the chain of evidence, after competency and professionalism are all in tatters.