Security Researcher Threatened With Vulnerability Repair Bill
mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."
If you find a vulnerability, don't tell the people at risk, sell it or use it.
Either that or move to a less stupid country.
---- Booth was a patriot ----
If you are going to access 500 accounts you don't then report the problem with your name attached. Even if said access is just changing a number in a url because they have a retarded system.
No good deed goes unpunished.
Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.
"I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
If you find a vulnerability, disclose it. Publicly.
And yes, I work in Information Security. Vulnerability Management even. Go figure.
Next time leave the whoresons to get fucked through their vulnerability by ill-intentioned black hats rather than warning them.
they deserve it. really.
Read radical news here
The well-known author of O'Reilly's Learning Perl was caught testing an open source password cracking package on Intel's intranet while doing consulting work there in the '90s. Intel didn't find it interesting in the same way Schwartz did, and a nasty legal battle ensued.
IIRC one of the harvested passwords was "Pre$ident", from an ambitious Intel VP.
In meatspace, there are Good Samaritan laws that say that if you help someone who is in danger, you are not to be sued. Pulling someone from a burning car is not something that should bankrupt the rescuer.
We need this for e-space.
If you find a flaw and report it to appropriate people, you should not become a target because you made someone look bad.
The alternative is to never report a flaw. And no, the argument that you can do it anonymously is bullshit too, because people will fuck that up like they already do.
--
BMO
He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleague's account.
But anyway, that is just like having an open door, and all you need to do is go through the door next to the one that is yours.
.. just add unnecessary litigation!
The linked article only states that one account was accessed in this way, nothing about a batch file or 500 accounts....
What the hell kind of logic is that? If this stands then every independent security researcher ought to leave Down Under at once and leave them to find out that White Hats != Black Hats through direct and painful experience. What a bunch of jokers.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The summary says that he "run a batch file to access 500 accounts", but there's no mention of that in TFA. According to that article "Webster notified his colleague and contacted Adam Jarrett of Pillar hours later and informed them of the vulnerability and that he had not accessed other accounts or retained customer data."
So which is it? This is a pretty critical part of the story that seems to be missing. The linked article seems to indicate that the researcher simply found the one issue and quickly reported it to them. Summary says "the researcher had run a batch file to access around 500 accounts". Well, did he do it or not? And how would the company have found out about that anyway? I doubt he'd disclose that information, and his computer wasn't seized.
Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
Companies don't want to know. Literally. If they know, it increases their liability for doing nothing in the event of a problem.
No good deed goes unpunished
I thought Australians were no nonsense people that didn't put up with (or use) bullshit like this.
The rule should be: Disclosure Guarantees Immunity
This would lead to some abuse, but it would also lead to disclosure, which is the only way we're going to develop a secure internet. A federal agency could take the reports to keep both sides honest. Immunity could be granted only for what's reported so if people leave something out to hide their malfeasance it wouldn't be covered under immunity. Reports could even be done anonymously if there's an intervening agency.
tomorrow who's gonna fuss
It took a lot of work to delete all references to "ass" and "douchebag".
Ehud
Dear Maged,
I read with interest your letter to Patrick Webster copied at
http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf
Mr. Webster informed your client of a security flaw in their software that allows
access to members' confidential and financial information. He did so in accordance
with accepted business principles of Full and Open Disclosure.
Your response shows that your law firm clearly lacks an understanding of the law,
the facts, and of technology. I'll use an analogy to make these complicated
ideas seem simpler. If I spot your garage door is wide open, and I enter, say
"hello," and let you know that you left it open... that is not trespassing. It is
a good Samaritan effort to inform you. Your bullying email is not the right
response.
Your bullying letter to Mr. Webster strongly suggests that you need to get an
expert who understands the technology.
That way you won't come across like a Luddite, and have yourself, your law firm,
and your client, show yourselves to be total head-in-the-sand ostriches. Your
client was notified about a security flaw, and now wants the security researcher
to pay for them to fix it? Absurd.
It's one thing to be uneducated. That can be corrected. It's quite another
to be uninformed and open one's mouth and prove it. You've done the latter.
Best and kindest regards.
Ehud Gavron
Tucson AZ USA
Ask the EFF to write up an internationally-binding contract, in which a company would make a legal commitment not to harass, annoy or otherwise harsh the mellow of any security researcher who provides them information in good faith. It should be written so as to side-step any possible laws to the contrary. I.e., commit the company to indemnify & hold harmless, choose not to prosecute, etc.
Any company who signs this is likely to get security assistance. Those who do not sign, could not expect such assistance.
Now, who the counter-party would be I can't tell you.
What is needed is a proxy organization. Something like Wikileaks, who can take from the white hats, and manage disclosure to the outside (company affected, etc). This way a white hat can report issues to the proxy with less risk of being prosecuted or sued by idiot entities.
Reminds me of a phone company that we looked into for a security class at university (I'm Australian). They allowed access to anyone's account balance simply by calling a number and entering their mobile number. The system provided no other means of verifying your identity. They were investigated by the Privacy Commission and were found to be in breach of the Privacy Act. I can't imagine this company cannot also be.
No good deed goes unpunished.
- I wish I would stop finding this to be true.
If I were a "security researcher" I wouldn't offer anything to anyone unsolicited. Fuck 'em. Fuck ALL of 'em.
The only way to punish these cocksuckers is to NOT look for any credit, expose their vulns, then laugh quietly as they are exploited.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.
Would you expect to be sued for trespassing on all of your neighbours?
The problem is, the guy admits to accessing their system and obtaining documents that he should not have been able to get. He says "Here are 500 samples".
What is the first thing that should occur to someone? Well, how about if he accessed 1000 and is planning on ransoming off the information of the 500 he didn't tell anyone about? Why do you think they want to see his computer? Unfortunately, anyone clever enough to do this would have moved the other 500 somewhere isolated that they would have to tear his house apart to get. Like on a microSD card sewn into a stuffed animal.
See, he has zero credibility here. He can say "But I only took 500! I swear it!" and it does no good. Even searching his house doesn't generate any credibility, it only says they didn't find what they were looking for. Checking his computer only proves that if he has criminal intent that he isn't stupid about it. Since many (most?) criminals are stupid, not finding something on the computer actually does say something ... just not much.
The real question is how much would other records be worth to the subject of those records and how much would it be worth on the open market? If you could take a record and turn it into some cash - presumably by drawing on the assets of the subject of the record - then you have a pretty clear idea of the worth. Even if the value was only privacy there might be some monetary value that you could get from the records. Then you have to either make the records irrelevant or you have to watch this guy for the rest of his life to see if he suddenly comes into a lot of money.
Rule of Acquisition #285 I believe.
The New South Wales Crimes Act clearly states that "Unauthorised access, modification or impairment" requires "intent to commit serious indictable offence" (Part 6, 308C) however it could be argued that he accessed "restricted data" because "restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer." (Part 6, 308H) but when it comes to court there are so many loopholes to get out of that it's very ineffective (Eg: No Published Data Access Policies to define "unauthorised", whether or not it was communicated properly and whether or not simply changing a number in a URL even constitutes executing an unauthorised computer function) even then, "Unauthorised access to or modification of restricted data held in computer" is a summary offence. Pillar can go suck his balls.
This is why you make your findings public. Stupid companies like this deserve the result.
Less than a year ago I found a similar (though not quite as grievous) flaw in a Kickstarter-like website when I mistyped the URL to my own profile page. I grabbed a handful of info with it; just a few random accounts to proof-of-concept automated grabbing, the technique for which I made note of in an e-mail to their support address. Also, I got the e-mail address of user #1 (unsurprisingly, the implementer), whom I CCed the support e-mail. After a few e-mails of discussion about the precise nature of the flaw, I received a very grateful thank-you from the owner of the company and the head of IT, and the flaw was fixed within the hour despite it being the dead of night in their HQ's time zone. When I see stuff like this, though, it makes me wonder if the next time I trip across something like this I should do the same thing.
The line between a cracker and an amateur "security researcher" is very thin indeed.
This is why security professionals always obtain a service contract as the very first step.
A service contract is an agreement between you and the other party; it details what services are to be performed, what disclosure (if any) will take place, who is responsible for damage in case that SQL injection goes horrifically wrong, how much you will be paid for your service, etc.
It's one thing to haul somebody in front of a court and say, "He broke into our system!" when your defense is, "But, I was just trying to do a good deed!"
It's another thing entirely when that defense is, "We agreed in advance that they would pay me to break in and write a report!"
"Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn't take anything of mine."
They can't simply look at their server logs and see what pages were served up to his IP address?
Personally, I wouldn't try exploiting someone else's system without getting their permission in writing first, but then I couldn't exploit my way out of a paper bag so I guess it's a moot point.
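The question above about server logs is a fair one: a single client walking consecutive documentId values is easy to spot once the access log is scanned per client. The following is an added example written for this thread, not Pillar's code or logs. The log lines are constructed in common log format with the URL path modelled on the statement URL quoted later in the thread; the five-minute window and four-document threshold are assumptions.

```python
"""
Spotting documentId enumeration in web-server access logs.
Added example written for this thread, not Pillar's code or logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in common log format. The first client walks
# five consecutive documentIds in a few seconds; the second fetches its own
# statement (two pages) half an hour apart.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2011:21:02:11 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-1008&page=0 HTTP/1.1" 200 48211
203.0.113.7 - - [21/Sep/2011:21:02:12 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-1009&page=0 HTTP/1.1" 200 47930
203.0.113.7 - - [21/Sep/2011:21:02:13 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-1010&page=0 HTTP/1.1" 200 47102
203.0.113.7 - - [21/Sep/2011:21:02:13 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-1011&page=0 HTTP/1.1" 200 46877
203.0.113.7 - - [21/Sep/2011:21:02:14 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-1012&page=0 HTTP/1.1" 200 48005
198.51.100.23 - - [21/Sep/2011:21:05:40 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2200&page=0 HTTP/1.1" 200 48100
198.51.100.23 - - [21/Sep/2011:21:40:02 +1000] "GET /FSSMembers/secure/Statement.aspx?documentId=107/1388-2200&page=1 HTTP/1.1" 200 12000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
DOC_RE = re.compile(r"documentId=(?P<doc>[^&\s]+)")


def parse_line(line):
    """Return (ip, timestamp, numeric id suffix, status) for statement
    downloads, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or "Statement.aspx" not in m["path"]:
        return None
    d = DOC_RE.search(m["path"])
    tail = re.search(r"(\d+)$", d["doc"]) if d else None
    if not tail:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(tail.group(1)), m["status"]


def find_enumeration(log_text, min_docs=4, window=timedelta(minutes=5)):
    """Map client IP -> (distinct ids, consecutive steps) for clients that
    successfully fetched at least min_docs distinct statements inside one
    window, with nearly every id one higher than the previous one."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "200":          # only served statements count
            per_ip[rec[0]].append((rec[1], rec[2]))

    findings = {}
    for ip, events in per_ip.items():
        events.sort()                         # time order
        for start in range(len(events)):
            t0 = events[start][0]
            ids = sorted({seq for ts, seq in events[start:] if ts - t0 <= window})
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if len(ids) >= min_docs and steps >= len(ids) - 2:
                findings[ip] = (len(ids), steps)
                break                         # one finding per client is enough
    return findings


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Run against the constructed sample, the scan reports the first client (five distinct ids, four consecutive steps) and ignores the second, whose two requests are the same statement. The same per-client grouping answers the narrower question in the thread of which pages were served to one particular address.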
I can clearly see a need for the researcher to collect "unauthorized data".
Say for instance, white hats had to pen test only their own systems. A whitehat determines that XYZ corp's client accounts package exhibits a vulnerability when $Foo conditions are true. He sends this finding to XYZ, and also to $MultinationalCorp who uses XYZ.
$MultinationalCorp responds to the private disclosure, thanking them for the effort, and "affirming" that their implementation of XYZ client portal is not configured $Foo, and so does not have that vulnerability.
Without directly testing $MultinationalCorp, and pulling some "secret sauce" as proof, $MultinationalCorp can simply deny, and do nothing. (Which is what they usually do.)
This is why pulling some secret sauce is necessary, because it indisputably shows that they are vulnerable. (Else, how would you get the secret sauce?)
Then there is the issue of "how do you locally pen test your own copy of $ClientSoftware, when $ClientSoftware is not available for purchase because it is a totally homebrew solution that is not distributed outside of $MultinationalCorp?"
The ONLY way to test the security of such a system is to test the live system. For the same reason above, you need to collect some secret sauce, otherwise they will just ignore the report and pretend you are a crank.
ladies and gentlemen is why you put the vulnerability on the internet, anonymously.
At least the fear of being exploited will put proper security in peoples mind...then eventually maybe we can get people who actually understand security in charge of security.
The Kruger Dunning explains most post on
it's the age of the internet. There is no reason to be wrong about facts.
http://www.ohiobar.org/Pages/LawYouCanUseDetail.aspx?itemID=477
Next time I find a flaw and there will be a next time you will be the last to know not the first.
In a previous life I worked for an Australian law firm in their financial services division (not Maged's firm thank god). From Maged's profile you can clearly see he is an expert in superannuation law http://www.minterellison.com/People/maged_girgis/. I can say, with 99% certainty, that he has no practical experience in how section 308H of the Crimes Act and section 478.1 of the Criminal Code Act work. I don't claim to either. But the modus operandi of these law firms is that when a big client comes in with a weird request they get a junior lawyer (or crack team of junior lawyers if the billing is low for that month) who doesn't know much about anything to do some "research" and draft a threatening letter based on a few hours of reading some textbooks and legal databases.
It is possible that the fund does have a right to recover "costs incurred" under pure contract law, although you would have to read the terms and conditions of whatever product Mr Jarrett has with the fund very carefully. But I would think they should be more worried with Mr Jarrett reporting them to the Australian Privacy Commissioner for breach of the privacy principles in relation to the funds obligations to keep personal information secure. I also wouldn't rule out a breach of standards set by APRA (Australia's banking regulator).
Another funny thing to note is that at the rates which Minter Ellison charges, the cost of getting Maged's junior lawyer to write that letter is likely to be far more than the cost of any actions the trustee of the Fund actually needed to take to deal with the problem!
I could go on, but I'm worried they might track me down and start sending me random threats and try to access my computer.
Hm. The URL has my account number in it... I wonder if all accounts are accessible by that param alone? Nah. Well, let's see... I'll just increment the number.
ACCOUNT=1234
while true; do
ACCOUNT=$((ACCOUNT+1))
wget -nv url://site.with.FAIL.security/showstatement?acct=$ACCOUNT > log.$ACCOUNT 2>&1
done
By the time I press Ctrl-c I've hacked over 500 accounts!
Perhaps if they get enough negative feedback, they'll drop the threatening postures and lawsuits...
http://www.firststatesuper.com.au/EmailEnquiries
-=Lothsahn=-
Strange how most people seem to be forgetting this very simple yet very pertinent fact.
This fund had been making his personal and financial details publicly available!
You go to a web cafe and post it on 4chan, as Anonymous of course. That is what the system has encouraged.
The difference between going to civil/criminal action and getting paid can be summarized in one word: authorization (or authorisation if you're outside the USA).
If you as a security researcher are going to practice full disclosure, be familiar with the laws of the land and consider retaining counsel. It's just too damned easy for a corporate entity to impoverish/imprison you. This statement of itself is fucking tragic.
I'm not a lawyer. Just applying some common sense.
Hello, I am Patrick. I cannot reproduce the email their staff replied with, except it says something along the lines of thank you for raising this matter for our attention and that it was fixed within an hour or two. Below is my email to them, with certain parts redacted, which includes the heavily debated script. The email was a follow-up after a lengthy discussion with staff and they were most thankful for the call. I'm publishing this just so that you are better informed and can form your own opinions based on this.

From: Patrick Webster [mailto:patrick@osisecurity.com.au]
Sent: Thursday, 22 September 2011 1:26 PM
To: [REDACTED]
Subject: Privacy breach in pillar.com.au website

Hello [REDACTED],

Thanks for taking the time to speak with me today. As mentioned, I am a FSS member from my time at NSW Police Force. My personal background is in IT Security and I am the owner of OSI Security (www.osisecurity.com.au). You're welcome to see my personal history at http://www.linkedin.com/in/patrickwebster - the past 10 or 11 years I have been working in securing information systems etc, which is how I came across this bug.

Yesterday, I received the FSS email notification to download my member statement. So I logged in to the pillar / FSS members portal and went to statements and clicked to download the statement, which is in PDF format. My *personal* statement is at https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 You're welcome to have a look (I have [REDACTED] in super, yay).

So after I saw my statement I noticed the 'documentId' number and, based on my security background, I have natural concerns my information is stored securely. So I incremented the number to see what happens (expecting to be rejected); i.e.

https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 becomes https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D9&page=0

Amazingly (and coincidentally I might add) the statement I downloaded is my former colleague at [REDACTED] (if you look at my LinkedIn profile and see my connections you will see that we are connected). I then did a random spot test to see if it worked for any number, which indeed it did. I quickly wrote a linux bash script to enumerate documentId numbers and discovered it worked. Script source is below:

#!/bin/bash
#[REDACTED]
for i in {[REDACTED]..[REDACTED]}
do
echo $i
wget "https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-$i&page=0" --no-cookies --header "Cookie: [REDACTED]"
done

You can see the script runs from [REDACTED]..[REDACTED] in member numbers (just a guess on my part) and then tells the wget software to fetch the documentId with the 'for loop' number which is $i. I was then able to download every member statement, including my own of course.

Naturally I find this extremely concerning so contacted you today (I found this around 9pm last night). All the data I obtained has been destroyed / deleted but validated my concerns.

Ideally the pillar website should generate some kind of hash (such as member ID + unique salt = 'documentId') instead of a direct object reference. See: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

That is about it... if you have any questions please contact me via email or details below.

Kind Regards,
Patrick Webster ...
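The flaw in the email above is the OWASP "insecure direct object reference" it links to: the statement endpoint authenticates the session but never checks that the requested documentId belongs to that session's member. What follows is an added example written for this thread, not Pillar's or FSS's code, showing a hypothetical statement handler in its vulnerable form beside the two standard remedies: an object-level ownership check, and an indirect reference where the client only ever sees per-session random handles. The member names, ids and statement bodies are constructed sample data.

```python
"""
Insecure direct object reference (IDOR) on a statement-download endpoint:
the vulnerable handler beside two hardened variants. Hypothetical code
written for this thread; not Pillar's or FSS's software.
"""
import secrets

# Constructed sample data: documentId -> statement and its owner. The id
# shape mirrors the URL parameter discussed in the thread.
STATEMENTS = {
    "107/1388-1008": {"owner": "member-A", "body": "statement of member A"},
    "107/1388-1009": {"owner": "member-B", "body": "statement of member B"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested statement."""


def get_statement_vulnerable(session_member, document_id):
    """Vulnerable: the session is authenticated, but the handler never
    checks that the statement belongs to that member, so incrementing
    documentId returns someone else's statement."""
    doc = STATEMENTS.get(document_id)
    if doc is None:
        raise Forbidden()
    return doc["body"]


def get_statement_checked(session_member, document_id):
    """Fix 1 (object-level authorization): same lookup, but the record's
    owner must match the authenticated member. Unknown and foreign ids get
    the identical Forbidden response so the id space cannot be probed."""
    doc = STATEMENTS.get(document_id)
    if doc is None or doc["owner"] != session_member:
        raise Forbidden()
    return doc["body"]


class IndirectStatementService:
    """Fix 2 (indirect object reference): the client never sees the real
    documentId. Each session is issued random opaque handles for the
    statements it owns, and a handle is only valid for the member it was
    issued to, so a handle copied from another session is useless."""

    def __init__(self):
        self._handles = {}  # (member, handle) -> real documentId

    def list_statements(self, session_member):
        """Return the opaque handles this member may download."""
        handles = []
        for doc_id, doc in STATEMENTS.items():
            if doc["owner"] == session_member:
                handle = secrets.token_urlsafe(16)
                self._handles[(session_member, handle)] = doc_id
                handles.append(handle)
        return handles

    def download(self, session_member, handle):
        doc_id = self._handles.get((session_member, handle))
        if doc_id is None:
            raise Forbidden()
        return STATEMENTS[doc_id]["body"]


def demo():
    """Member A asks for member B's statement through each handler.
    Returns (what the vulnerable handler leaked, fix 1 blocked?, fix 2 blocked?)."""
    leak = get_statement_vulnerable("member-A", "107/1388-1009")
    try:
        get_statement_checked("member-A", "107/1388-1009")
        checked_blocked = False
    except Forbidden:
        checked_blocked = True
    svc = IndirectStatementService()
    handle = svc.list_statements("member-B")[0]   # B's handle, obtained somehow
    try:
        svc.download("member-A", handle)          # presented from A's session
        indirect_blocked = False
    except Forbidden:
        indirect_blocked = True
    return leak, checked_blocked, indirect_blocked


if __name__ == "__main__":
    print(demo())
```

The email's own suggestion, a salted hash as documentId, only makes ids hard to guess; on its own it is obscurity, and the ownership check in fix 1 is the change that actually closes the hole (the "one line of code" another comment in this thread refers to). Fix 2 additionally removes the guessable id from the URL, which is what the OWASP page linked above recommends when the real identifier should not be exposed at all.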
They should get down on their knees and thank him for disclosing this appalling security hole.
Step 0. Stop using that computer. Unplug it and keep it in a safe place. You'll need to buy or borrow another computer in the meantime.
Step 1. Hire a lawyer with backgrounds in computer forensics.
Step 2. In the presence of the lawyer or their legal representative, allow a forensics technician to perform an exact clone of your hard drives. The original hard disk will be put into escrow.
Step 3. Have the lawyer notify that company that they'll need to file a subpoena to access that clone. Arrange for a lawyer's meeting and delivery.
Step 4. In the presence of forensics technicians from both parties, examine the data on the hard disk, and remove the data deemed necessary. The company's lawyers may have to conduct additional analysis to make sure the data had not been misused during the researcher's work.
Step 5. The cleaned hard disk clone is returned to the researcher, and the researcher will test if the operating system is still functional and that his own personal data are intact.
Step 6. If so, the escrow harddisk may be safely and securely destroyed.
Step 7. Have your lawyer send a freaking bill to that company.
The escrow harddisk is used in case an unresolvable dispute happens during the Step 1 - 7.
The lesson: Samaritans need Samaritan lawyers. (Samaritan lawyers always send their bills to the party responsible.)
No wonder we shipped those thickos out of the UK and in droves...
From SALTER v DPP [2008] NSWSC 1325 (5 December 2008)
...
http://www.austlii.edu.au/au/cases/nsw/NSWSC/2008/1325.html
13 Counsel appearing for the defendant drew attention to a number of prior decisions, albeit on different statutory provisions, those cases including Gilmour v Director of Public Prosecutions (Cth) (1995) 43 NSWLR 243, The Director of Public Prosecutions v Murdoch [1993] 1 VR 406 at 409,410. In that last mentioned case Hayne J said:-
“... Where, as is the case here, the question is whether the entry was with permission, it will be important to identify the entry and to determine whether that entry was within the scope of the permission that had been given. If the permission was not subject to some express or implied limitation which excluded the entry from its scope, then the entry will be with lawful justification but if the permission was subject to an actual express or implied limitation which excluded the actual entry made, then the entry will be “without lawful authority to do so.”
In my view the section requires attention to whether the particular entry in question was an entry that was made without lawful authority. In the case of a hacker it will be clear that he has no authority to enter the system. In the case of an employee the question will be whether that employee had authority to affect the entry with which he stands charged. If he has a general and unlimited permission to enter the system then no offence is proved. If however there are limits upon the permission given to him to enter that system it will be necessary to ask was the entry within the scope of that permission? If it was, then no offence was committed; if it was not, then he has entered the system without lawful authority to do so.”
14 The passage has direct application to the situation here.
15 Authorisation to use a computer or authorisation in an entirely different field of law may be general or it may be limited or it may be subject to conditions, and I do not believe that s 308B should be given an operation so as to set at nought that aspect of the general law. As Hayne J said in the passage to which I have referred:-
“If there are limits upon the permission given, it will be necessary to ask was the entry within the scope of that permission?"
------- So, much will depend on the terms that governed the access to the website. Can these be posted ?
this is the best analogy yet but it misses out on one thing:
In the penetration the movable panel gives access to the valuables. So better analogy would be a voice activated door that doesn't check if the voice is allowed to enter the premises. And if you installed such a thing and are not aware that it doesn't check if the person at the door is allowed to enter then you don't deserve to be paid back anything. (At least not under my law)
And on that other thing about paying for the repairs: ;-)
Direct object access vulnerabilities are usually remedied with one line of code. Now I don't usually put a price on that but if I had to I would say it's about 100£. Unfortunately to make me write that line of code you will have to contract my company for an initial screening 12000£ or much more if you want a full scale research. So yes, I'll pay you a hundred bucks if you do that
Now that I think about it more, I think it was an address which piped to "uudecode" rather than "uucp" .... sorry!
Legal document, my arse! It's a trying-it-on letter from a dodgy solicitor.
They're vulnerable to SQL injection in the login page at https://services.pillar.com.au/FSSMembers/static/Login.aspx
I'm getting tired of reading stuff like this... ...being a good Samaritan is the wrong approach. Depending on the local laws I would perform the following:
1. Assume that the Software Owners (SO) (there's probably a legal term for this) are fully cognisant of the functionality and vulnerabilities of their product.
2. If you discover something, like a criminal entering your home, you don't politely ask them to leave - you assume they're there for an evil purpose and you immediately (as soon as possible) involve the police, make a complaint, provide as few details as possible to satisfy the statutory execution of the complaint, and wait for the trial.
3. You have to honestly believe this, as your aim is not to be accused of malicious behaviour.
4. Despite what is said, the burden of proof is always on the accused (keep in mind if the roles were reversed). At the trial (try to avoid a hearing) present your side - prosecution goes 1st. Again, you believe that they already know about this issue, and by its existence purposely allowed it to continue unchecked to place you in some sort of risk/evil path (legal term needed). Again, this is how you would be treated if the roles were reversed. They have to demonstrate that wasn't/isn't the case. Remember, they hold the bloody knife (the vulnerability); they have to prove that it was an accident - nobody's going to believe someone repentantly walked into it, i.e., you had access to and reason to bring this vulnerability upon yourself - you have absolutely no control over it - in point of fact.
5. These things are best handled at the local level - but some states prohibit citizens from filing criminal complaints, so it may be a hard sell to a prosecutor. Keep in mind, too, that you only know this exploit works for you; you have not tried to access anything beyond your account, but you mis-entered your # (or whatever) and saw that you did not receive an error but were shown someone else's account (which you immediately exited). You did not explore it further; that is the job of the police.
As sad as this seems, even though you may be acquitted (if you did not follow this approach), you still have a criminal record that you have to explain until the end of your life, the outrageous expense of defending yourself, and probably the loss of your job and its income.
Someone who did the checks Patrick made could write to the IT staff describing everything he did in hypothetical terms: "it looks like it might be possible for me to increment the number and download other account holders' statements. In fact it looks like I might be able to run the following linux bash script and download hundreds of statements... If you try this script and validate my concerns, ideally the pillar website should generate some kind of hash (such as member ID + unique salt = 'documentId') instead of a direct object reference. See:...Please let me know what you find. If my fears are validated I would hate to see this vulnerability appear on public sites thus jeopardizing my information."
Don't you think publicly disclosing the vulnerability, as you have done here, might not be the best thing to do in the face of a potential lawsuit? If I was your lawyer, I would slap you upside the head. You just increased your liability by several orders of magnitude.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
You know what that threatening letter is? It's Pillar's managers shitting themselves.
They've exposed all their clients to fraud and identity theft, they are in violation of all the laws on data protection, plus some on Financial Services regulation. Superannuation is regulated pretty heavily, they could and probably should have their licence to be a fund yanked by the Financial Services Authority. This is mud to hide from their incompetence, I'm surprised they haven't called you a Hacker in the media yet. Email to your ombudsman, they are in the wrong here.
The Passport Canada website had a security flaw discovered by a user. They took the website down, fixed the problem, and kindly abstained from pursuing legal action. If a government can behave civilly, surely others can too.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
He is a famous INDEPENDENT SECURITY RESEARCHER, a role that you probably don't know of.
maged.girgis@minterellison.com needs to appear as plain text. Just because.
The ones that published the information were the affected company, the prosecutor.
Honestly, if we put it as an analogy, the persecutor is a messy person that puts all his documents on your table and tells you to simply search for yours. You can still take peeks at others, of course. Who is responsible for the privacy breach?
I really have no clue.
When I was a kid, about 5 i think, I found a key hidden in something in the backyard of our part of an apartment complex. It was obviously left by the previous renter as a way to get into their place if they forgot their key. (well, that's my assumption). Being a 5 year old kid, i of course, tried it in my apartments lock. It worked.
Then I tried my neighbors lock, and sure enough, it unlocked their door also. I went on to try all the locks, which it didn't unlock any other door, but i did piss off some people living there.
This was the early 70's, and of course, no one would call the cops on me. Today? I'd probably be some sort of terrorist if I did that.
But the point? My doing that showed that our apartment and our next door neighbors' apartment had the same key, or one so similar that they both worked on each unit. So we got a new lock.
I wasn't trying to break into anyone's apartment, i just found a flaw, and was trying to see how far it extended before telling the proper authorities (which in this case, was my mom).
Thought I'd share, probably doesn't have much do to with the article, but hey,i tried, right?
Be seeing you...
They couldn't secure the server, so it isn't unlikely they hadn't thought of checking the logs.
Apparently the FSS company relies upon http://www.pillar.com.au/ superannuation administration services to handle its online functions. And Pillar have a list of all their customers here: http://www.pillar.com.au/links.htm One would hope all customer installations have fixed this issue.
Not to end this incredible hypothetical.... but I'd say its just big wig words from the law firm.... especially, given this...
http://www.firststatesuper.com.au/SecurityOfMemberInformationUpdate