Ask Slashdot: To Hack Or Not To Hack?
seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."
Don't talk about it much publicly. You never know what kind of people there are on the internet and what they could do once they figure out what company you're talking about. Now Slashdot, what are your suggestions to him?
Maybe you could get the NSA to hack them?
Just brainstorming here...
Please don't call such activity "hacking". It is cracking. Learn the difference.
If they don't want to listen, go to Visa and MasterCard. They won't sit on their asses about exposed credit card data.
For a 5 year tour of the federal penitentiary system, aren't you?
"The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
translated:
do you know how to steal? (implied yes as an answer)
do you know how to *hide*?
Maybe the company doesn't care, but the people with money on the line will. And when they start to care, the company will start to care. Don't go hacking to try and prove a point, that's just gonna cause you more trouble than it's worth. And if, at the end of the day, no one cares or does anything about it, no sweat off your back.
Walk away. You notified the appropriate people. After that, it no longer has anything to do with you, and can only go pear-shaped from here.
Have you emailed the IT manager, the CTO, the CEO, some random guy? And what are your credentials? Are you emailing from superhacker123@hotmail.com?
U.S. – (650) 432-2978 or usfraudcontrol@visa.com
Report them to a newspaper and tech sites or something. Business papers, even.
Write 2600 mag; they'll post it.
How do I make my amazon wishlist available to you?
Drop everything, wipe the files you have, reformat and reinstall your computer, create a plausible deniability claim to any account you used of this that can be tied to you.
Then go to an internet cafe and post somewhere.
You should probably hire a lawyer. It doesn't matter how good you're trying to be. Anything you did to come to your conclusions that was illegal is going to be frowned upon... severely. And if you do go public, you'll likely be hit with a C&D letter.
Now just forget about it and hope no one hacks them before they forget about you.
What's the right thing to do? Keep email bombing them until someone takes you seriously.
What's the fastest thing to do? Leak info and POC to various news sites that cover start ups - like TechCrunch
There's a reason there is no "Disagree" mod...
The most ethical thing you can do is fully disclose the hack to the media, and to as many websites as possible. This will force the developers to either fix the problem or let the company go down in flames. If you keep it secret, innocent people will be harmed when their information is leaked by the faulty code. If you could hack it, others can too. They may be less altruistic about what they find.
Write to 2600, call your local media, write to your newspaper, post the info here, go to the forums, and take the word to the street!
Send them a link to this website: http://ask.slashdot.org/story/11/12/02/2124215/ask-slashdot-to-hack-or-not-to-hack
This is the DUMBEST THING EVER. I cannot believe people actually think this way. Are you familiar with the LAW SYSTEM? People can't just go around doing things without permission like that. If your internet connection crosses a state line, (and due to packet routing it probably is and you might not even know) then you are committing a FEDERAL CRIME. That means that not just the police, but the FBI will come knock on your door. History is just FULL of people who though, hey, I'm pretty clever, I'll hack these people and get a job. NOBODY WILL HIRE A CRIMINAL I PROMISE YOU.
Cannot stress this enough. Jeeze.
Here are your options: Call them, email them. That's it. Move on with your life if they ignore you. There's nothing that says they can't be incompetent if they want to, but there is something that says you can't break into their systems. (yes, even if they're not secured).
How about notifying the local police department, better business bureau, or city council member? How about the newspaper? That's likely to get a lot more attention from the powers-that-be at the company.
Contact CEO or their board of directors.
First off, QUIT FUCKING TRESPASSING.
I don't care if you're not doing it for money (though, you sound like you might do it for fame). It's wrong.
The company didn't ask you to do a security audit. It's not a public organization where you can claim some sort of "ownership" or such. It's a Private Place. They're responsible for their own security, not some random passerby. You have no business doing what you did, and that's it. If they blow security, they're on the hook for the consequences. We have very well established methods for doing that kind of reinforcement.
Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general. Grow the Fuck Up.
Just drop it, period, and go find something else to spend your energies on. And, find another crowd of people to hang out with - those ones you're in with now aren't a good influence (obviously).
-Erik
There are always four sides to every story: your side, their side, the truth, and what really happened.
If you want to get the word out anonymously, approach a journalist. Journalists have a vested interest in breaking the next scandalous new story, especially those who are new and making a name for themselves. They also have a vested interest in protecting their sources, though you might still want to report it through an anonymous email account.
To prevent someone from stealing a bunch of people's personal information, you plan on stealing a bunch of people's information. Unless you are Batman, you are not legally allowed "to blow them out of the water" and your initial entry into their system is also illegal.
Ed Felten himself may not be the best person to contact, actually, since he's currently working for the FTC, but then again he may be worth sending an email to.
My point is this: ask someone who is respected in the security field and has years of experience. If not Felten, try and contact Moxie Marlinspike, perhaps.
It sounds like you are young and have very little experience with this kind of stuff. Do not make the mistake of thinking that anyone is going to thank you for your efforts. The company with the bad security may be run by a bunch of technological idiots who will see you as the threat. When the FBI comes calling, they will be more interested in seeing what criminal charges they can bring against you.
But don't be scared into inaction. Instead seek advice from experts who have been in the same position as you. They may have contacts and could help you present the exploit information in a way that is
1) legal
2) professionally done
3) likely to get taken seriously by the developers at the affected company.
Good luck! As long as you keep certain cautions in mind, you may have just stumbled onto a career in security!
This is not news. This is not a story. There isn't even a fucking article to tell someone to go RTFA. This is some idiot asking for advice on an absolutely terrible scheme which has been explained before (with actual news mind you, of people getting locked up or tried for crimes instead of just theorizing).
This is not something for /. This is something that should go on a programming forum, or a law forum. (Or better yet, kept to oneself as a hare-brained scheme that would fail).
Usually when somebody goes "THIS, on /. ?" I go "hey, news for nerds means a lot of topics."
But this is just ridiculous.
Probably good time for another session...
I would send them one more email explaining how to crack a user account. If they still don't believe you, then I would send a complaint to the FTC with all of the relevant information on how it is insecure. The investors in this company don't want to hear about it. If the name of the company gets out, they'll have issues. If you really believe that their systems are insecure, post the name of the company here. People post security flaws all of the time: http://mashable.com/2011/10/03/htc-security-flaw/ I think you actually have a responsibility to tell people about the issue after you have done what you can to help the company.
You could consider contacting one of the major credit card companies like Visa. That's assuming you haven't done anything which could be construed as actually testing or exploiting the hole. If you have, it's a pretty sure bet the FBI will be on you like white on rice. They might anyway, but that would be a one way ticket to Club Fed.
Been years since I cared about security, since I just firewall, VPN, and use virtual account numbers where I can.
Why don't you screw them indirectly, by posting the information on bugtraq or whatever the equivalent was/is these days. Let them get hosed by some other dumb fool willing to take the risk and publicly shamed. Not that it matters, public shame, people go the supermarket in pajamas and blow out in tuners at major intersections for all to see, but what the hell, try it, maybe then you'll get the point.
Wash your hands of the matter afterwards. Not worth your time, effort, legal fees, and potential jail time cleaning up someone else's ass. History has shown that the bearer of bad news, even if they do nothing wrong, gets axed and is deemed complicit by knowledge. A company that incompetent already doesn't deserve to grow, and investors that don't do their due diligence deserve to get hosed for investing in a company with such purported bad security.
That's really cool! I like hacking too and do a lot of it but nothing that complex. I just recently hacked my computer apart with a bigger hard drive but when I turned it back on nothing happened. When I put the old hard drive back in it worked again so I was confused. Doesn't the hard drive just have my files and music on it? So yeah I tried hacking my hard drive and that didn't work well, I guess I'm wondering how you hacked someone else's hard drive? Do you just go to their house and pull it out and hope they don't notice their data is changed or missing?!?
Sell it to the second-highest bidder. The highest-bidder is always a trap.
Fuck em, you can't help people who can't help themselves. Let them suffer due to their negligence and inability to do risk analysis and management. I've been in a similar position so many times and tried various things, the best one is to just ignore it and advise your friends and family to avoid them like the plague. If you're still not convinced take the game theory normal form approach and gain an insight into how hopeless the situation is.
Most people don't like it when people tell them they made a mistake. They will try to find a scapegoat and it will be you. But if you wanted to push it: I have had the most success, when pressed with problems similar to this, going to a high-up person. If the normal channels just don't work, find the email of the highest person there and send it to them. A vice president, CEO, CIO, whoever you can find, and send it. They will take notice. Just make sure you protect yourself first.
Language evolves. You can fight the tide or swim with it. I know which way gets you drowned first.
That is all.
As can be concluded from earlier cases like this: don't tell them anything, don't do anything, but let them have what's coming to them. However, you contacted them. When hacked, they may attempt to sue you. So, you may need to go to a notary or something to have it written that you warned these people, but they didn't take heed or something. You need to have solid documents to show blame may not be laid on you, in courts.
1) emailing the vendor... if something goes wrong before this problem is corrected, you are the first suspect, and they already know how to contact you.
2) asking, publicly, if you should "hack" something.
3) asking slashdot instead of 4chan.*
my advice would be to contact the EFF and install a keylogger on your computer.
*humor!
where is sue? sue is idle.
Sell the exploit to the Russians. Corps don't give a shit about humans.
Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general.
It's maybe none of his business, but it's MY business AS A USER that some company that I give my credit card to is this irresponsible. Those who would hack it, would hack it, and just use the cards and deduct hard-to-notice amounts every month and fuck me over.
If it wasn't for people like the article submitter, THOSE COMPANIES WOULDN'T LIFT THEIR ASSES for security. So YOU shut the fuck up. It's MY wallet.
Slashdot has had many stories of well-meaning hackers trying to save companies from themselves, only to wind up being the target of federal and/or state prosecutors rather than being considered a good Samaritan.
Here's my advice:
1) Stop violating federal and state laws. You've just confessed to the world that you are committing federal and state felonies. Stop being a criminal.
2) Walk away while you still can, and maybe you'll still have a life to live free of federal and/or state prosecution.
You should never have notified them and used your own moral judgement to answer your "ask slashdot" question. What a dumbass... No one should have ever known regardless of what you planned to do.
We all know that pointing out a security vulnerability will get you in big trouble. Hell, back in high school, we had Win 98 machines running Novell. I found a way to launch solitare, minesweeper, etc. by creating a macro in Word and editing the VB code to call an executable. Very simple to figure out, but I was the only one in my hick ass school (Home of the Mustangs in the southwest corner of MO) that would know such a thing. I lost my computer privileges for the rest of the year when I immediately brought it to the IT guys attention. I did it after class with no one else present. Thought I was doing the right thing.
Fuck you, Mr. Jay. And fuck the idiots at that school. Enough info in this post for the pertinent parties to know who they are.
Soulshill
Consider not doing anything. You've probably already accessed the system in ways you are not authorized to, and publicizing that in ways that causes "harm" to their reputation ("blowing them up"), even if it's based in truth, is possibly going to draw the kind of attention to you that you don't want. If it was me and I had "stumbled upon" something and _already_ informed them, then I would keep a record of that fact, as they already have a record on their side, and then stop getting yourself deeper into a hole, e.g. by providing further evidence that you're intentionally violating their TOS or actual laws. This problem is not your responsibility to force them to fix and you only take further risk upon yourself by pursuing it. Once they're suitably notified I'd guess they have higher liability by failing to address it.
If you are actually their customer and you feel that there has been a threat to your own information, then you probably have recourse that could cause them to fix this, e.g. by disclosing findings to them as their affected customer, and perhaps to payment processors like Visa and Mastercard, who in turn will have rules around investigations, findings, risks and assessed disclosures to other customers. Again, depending on what's happened so far, you potentially dig yourself into a hole.
Vigilantism is dangerous. How much is protecting everyone else worth vs. protecting yourself?
IANAL, and none of this is advice of any kind, legal or otherwise.
You've sent the email, now send your concerns in writing - hard copy. Set up a meeting with those in charge and explain it in person, nicely. If they do not respond, then let them know that you have no choice but to report the lapse to the appropriate authorities. Under no circumstances, crack your employers service unless they ask for a demonstration.
You know "good samaritan" was an oxymoron in its original use.
I think you should keep its original context alive.
I'd say there has to be a proper chain of command which you can go through. I'd start with the IT department. A random email from an unknown address may be filtered or just ignored so if you don't hear back in a day or two, make a phone call. Tell whomever answers the phone you are calling regarding a potential online security breach and you need to speak with the head of the IT Dept. Heck, even speaking with regular security may get you started. In your email, and potential phone call, you need to sound professional, non-threatening, but insistent. As previously stated, credentials and jargon matter. Hacking has a malicious connotation. Also, "I'm sorry, but I need to speak with your supervisor" can do wonders. As each person answers the phone or email take down their name.
If you've gotten to the head of the IT Dept or the head of the company and the issue still hasn't been resolved then you definitely need to go to the investors and shareholders. They are definitely going to listen because this impacts their bottom line. If for some reason they don't, then contact local media.
As with anything it's not necessarily what you are saying but how you are saying it and to whom. I can't help but think you just haven't gotten through to the right person yet.
If a company you were using for services had crap security, and some cracker abused it to plaster *YOUR* CC number all over the internet, how would you feel?
Add to that, how would law-enforcement feel.
Add to that, how do you like prison, because the above two are not likely to have *ANY* sympathy towards you when your trial-date comes.
Seriously, "this hack is too easy to be respectable" makes you sound like the candidate for a news article, but it won't be about some great hacker who revealed a terrible breach, it will be about some jerk who caused a breach which caused a lot of people grief.
Report it to CERT. (Or other corresponding security organization if you are outside the US.)
Dude, pretty much everything is crackable. Pretty much every program ever has been cracked. Everything is defeated at some point. Let me say that again, EVERYTHING is defeated at some point.
Don't act so surprised. Really, it's not surprising, at all.
Anyway, here we all are, looking at you.
Mission Accomplished.
Now go away.
No. Unless you want to go to jail.
You reported your findings. If they don't fix the problem, discontinue your business with them and move on.
...can we see some excerpts of these "confused, aloof and unconvinced" responses? Censored enough to protect your identity of course....
"If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at cisp@visa.com."
Don't publicly admit in a large forum like slashdot to committing a crime unless you're ready to be jailbait. Oops, looks like you failed the first step.
I can only hope you contacted them anonymously and covered your e-mail tracks (and/or are far outside--presumably--US jurisdiction) otherwise you just opened yourself up to a huge world of trouble. I'm going to assume you're a young person and haven't yet realized you are surrounded by a world of idiots and can't fix everything, you just need to keep your head down and pick your battles, this isn't one of them.
Hey, has Defcon put out its call for 2012 speakers yet?
It sounds like you're looking for someone who at least feels an ethical responsibility to help. Call the EFF; it's not their bailiwick, but they may be able to find the right tree to shake for you. Link to their webpage
Plus they're lawyers, it's always nice to have lawyers on your side.
I would recommend stealing as much money as you can, because you are going to need it to hire your lawyers when the FBI comes looking for you, now that you've identified yourself to them.
Not post it on /.
Oh.. crap
What if they get hacked now. Could they blame (send the feds after) you? Feels like by asking you put yourself in the spotlight.
I guess at minimum you now need to contact Visa (or MC) fraud. Maybe send a registered letter? So that in case they do get hacked you can show you did the honest thing.
Sad if you think about it, but that's how fucked up we are...
"...this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."
At the risk of addressing a troll here, I should clarify that the FBI couldn't give a rat's ass about credit card numbers. But I can promise you that they will be interested in YOU if you proceed here with some sort of proof of concept.
Just thought I would clarify your felonious future for you before you become too disillusioned that you're doing the FBI some sort of "favor" here...
get 7 proxies, post details all over 4chan DO IT MAGGOT
seems to be to go to the investors. Contacting the authorities doesn't seem warranted since the company is being irresponsible rather than criminal. If you hack yourself, you'll end up at risk of getting a large sentence and being on probation for most of your life even if you do get released early. The only "good samaritan" thing to do is to let the investors know that their investment is being mismanaged.
You now have a tie to the company. They know how to get ahold of you. They know you hacked into them. Who the hell do you think they are going to go to when funny shit starts to happen regarding those accounts? Wrong answer, not you. The FBI. Now who do you think is going to show up at your door? Right answer. I would slow down and really think about this. I would also walk downstairs and tell your parents what you have done when they get home.
At this point your only out is to maybe find a LEO buddy that can cover you just in case SomeBody does hack the place and they decide to come after you. They may not care about you now but when things go to that little town in Georgia (and dig from there) you will need some sort of GOOJF card. This is the time to DOD erase any evidence of what was done that you can get to (your computer(s)).
Would you mind if I broke into your house? Not to take anything, mind you, but just to check your security?
I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data.
Why?
sixteen year old boy playing with computers was arrested today by the FBI...
Personally, I favor the Full Public Disclosure route. You gave them a chance, you even told them how to fix it. The shareholders, yes they should know, but it's the customers whose accounts are exposed, and the public who may become customers. Don't they really deserve to know what they are signing up for or trusting?
So, you can do a full disclosure.... but they know who you are... it's a risk.
Another possibility.... wait a week or a month or so, and then anonymously release it to the public, swear up and down it wasn't you (use tor, etc etc)
Or, you could just leak it into some IRC channels where you can be sure it will be abused.... then come out later with a public disclosure after it's found that they had a major breach, include your conversations with them.
Sure you could just walk away but.... don't the customers really deserve to know? They are paying for the service after all.
By filing a lawsuit they would be admitting to wrongdoing/negligence. Since it's a startup, they probably want to avoid negative publicity. Your best option: STFU and carry on.
There is little difference between doing the proof of concept, proving that your idea works and taking credit card numbers to commit fraud. I would stay totally clear of both and not risk a legal problem. Do not publish or disclose the exploit to anybody who might try to commit fraud with it or communicate the information to others who might. Remember, you will initially be the prime suspect in the investigation should the worst happen and this exploit gets used and somebody loses money because they can document that you knew about the exploit.
All you can do is make sure you have exhausted all avenues to notify *somebody* at the company who will care and is in a position to address the issue and then let it go. Unless you work for this company or use their services there is not much else you can do.
That way you could address your concerns directly to the share holders.
Soulskill story submissions 100% from Ycombinator.
Dear Soulshill:
You have seriously misappropriated the use of the word "hack".
Burn in hell.
Yours In Moscow,
K. Trout
it's square, right?
Be very clear about what you want the outcome to be;
1. Profit for yourself
2. Better security for their customer data
3. Awareness of security within the company
Depending on your answer, I suggest going for a highly paid Security Consulting gig after working out the long term solution.
first off "how" did you contact them??
By email? --- probably went straight to spam or trash or ignored.
By post? see above.
Registered / Signed-for letter? - companies tend to take notice of a letter that requires a signature. Also it gives you proof that the company did receive your letter. (helps with any legal problems you may face as a result)
Next step:
DO NOT ACCESS THE DATA AGAIN UNDER ANY CIRCUMSTANCE!!! AND I MEAN NOT IN ANY CIRCUMSTANCE!!!! is that clear!
by asking here you clearly are out of your depth and probably a short ride away from being "Bubba's bitch in cell block b"
Next:
In the typed letter detail the issue you found with their site/database/system.
In the letter politely explain the problem, how you came across it and let them know of a possible fix if you know of a sure way to do so (don't guess!)
BUT this is the important bits:
DO NOT offer to fix it for them (may be misconstrued as an extortion attempt)
DO NOT force them to fix it in a specified time (see above)
DO inform them that you may have to contact relevant authorities (i.e. local business guild/association or professional bodies they are a member of) if they have not responded to receiving your letter within 14 days. Stress that you just want confirmation that they have read the letter (Again you are informing them, not extorting them!) and not forcing them to a timetable for a fix.
Lastly
GET A FUCKING LAWYER!! BEFORE A "Flowers By Iris" VAN Parks across the street!
Remember you may have just committed a FEDERAL OFFENCE by accessing the data without permission (does not matter if they left it wide open! you're still not allowed to access it!).
I see no compelling ethical, moral, or legal defense for what he did. He's a criminal, and not in the kind of "casual" criminal sense of someone jaywalking. Nope, he explicitly went out and hacked someone else's system.
Now, I'm willing to maybe (and, that's a very big maybe) accept that it might have been discovered by a malformed URL typed in. If so, that's a different story, as there that's accidental, with no intent. But the OP's statement sounds exactly like he was doing something with intent to hack (even if that hack was URL manipulation), in which case, he's back on the hook for being a criminal. Period.
I'm old enough to have started out in the 80s, with the heyday of Phreaking. So I know all about "misbehaving". However, those times are long, long gone. The Internet has grown up, and the behavior we expect of people must also. This kind of behavior simply isn't acceptable anymore, and has been clearly criminalized. I can't see any compelling moral or ethical argument that outweighs the counters in terms of social good (that is, any moral or ethical argument in favor of this kind of behavior is outweighed by better moral and ethical arguments against it).
As a community, we have a social responsibility to educate the new (potential) members, and that includes social pressure to conform to basic standards of ethics. What was possibly acceptable 20 years ago isn't acceptable anymore, and people need to recognize that. Times change, and hacking/cracking has very strict boundaries if it is to be ethical. This guy has crossed all those, and needs to be told in a very strong way that he's wrong, since he clearly doesn't recognize that it was wrong.
-Erik
Nobody likes a whistleblower. Trust me on this. I've done this several times, trying to "help" some group that had weak security. They never believe you, they don't understand your explanations, and if they had a lawyer they'd go after YOU. After all, they think they're all swell and capable folks. You're the troublemaker.
Type (vice write!) several letters, tape (vice lick!) the envelopes closed, use stick-on stamps and send them out to the company, the FBI, the investors and several different news agencies. Include what the problem is and how it is accomplished. No handwriting analysis evidence nor any DNA evidence... job accomplished. Preferably, mail from a different city as well to throw the scent off.
Don't fuck with what ain't yours.
It's sad the kind of environment that exists in terms of privacy and security issues. When things are clearly left vulnerable to savvy users, short-sighted laws are put in place to try and "stop" hacking, when all it does is pull the wool over people's eyes and fool the public into thinking that just because you don't hear about security related events, you're actually secure.
The problem with reporting the issue is that (if it's a publicly traded company) there's the fear that that would drop the value of stock since shareholders would want to pull out. That's probably why these laws to prevent vigilante "vulnerability testing" were put into place, just in case someone DOES find something wrong, they can't (or are at least HIGHLY discouraged from) tell anyone because it would hurt the corporation's bottom line.
There needs to be a paradigm shift with hacking laws, and those that do find vulnerabilities shouldn't be found culpable unless they somehow profit from it (be it monetarily or not). It would probably be a generation before these old farts in Congress wake up to this kind of stuff.
Shouldn't he contact the Electronic Frontier Foundation? Isn't its purpose to provide advice in this cases?
The OP and people like him/her need to go to jail. This person obviously has no moral concerns about what they have done. There isn't an ounce of remorse in their post. I hope something funny starts happening with those accounts. The FBI will know where to look first. I would say good luck, but I won't. Good Riddance.
I'm frankly amazed that so many slashdotters are so dead set against this guy and what he's done. Yes, I agree that he needs to be very careful because of the legal ramifications, but I'd also be very concerned about the potential for misuse if he doesn't find someone to take him seriously. I say: GOOD FOR YOU SIR. I'm no lawyer and have no experience with this, but I wish you the best of luck.
When did /. get filled with egocentric *AND* incompetent pricks? The egos I expect...
Let's review what op said for all the idiots out there...
"I discovered how to hack into and secure user accounts of"
"Account info includes..."
At no point did they indicate they have done so, that they have personally verified, that they have watched or colluded with. "They discovered"
That sure suggests a lot of things, but it doesn't guarantee it. For all I know they stumbled onto a video on a forum.
Now, let's take all of you using the word felony. And...please go kill yourself. I'll wait. The computer fraud and abuse act may or may not apply at all here. Period.
It not only might not be a financial institution, but the command might not have caused loss of above a certain amount. We all know that the lawyers and companies exaggerate losses, but bottom line is... they have to show it. If it was for example, a command sent in an HTTP GET, they're going to have a hard time showing that loss. Especially given the apparent attempt to notify them of a problem -- after which any further damages may have occurred as a failure of theirs to exercise reasonably prudent behavior.
So quit throwing the word felony around like you know your ass from the hole in your face.
He may be miles above his head. But frankly, I'm sick to death of watching programmers as incompetent as the lawyers you're all pretending to be literally getting away with murder. Or at least negligent manslaughter. Incompetent programmers. Incompetent and wasteful management. Incompetent UI designers making confusing...everything. Incompetent sales leads.
I say the guy posts it all over the place from behind the proverbial 7 proxies (and one full disk encrypted platform), and blames it on someone else discovering the same problem.
That way you children can stop threatening him with the law and get on with acting like ethical responsible adults. Where we hold people accountable not just for creating dangerous things, but for making them readily available in a manner a reasonable person would have anticipated would cause harm. Instead you're blaming the guy yelling "Hey, that fertilizer is chemically equivalent to blackpowder...." for endangering who exactly?
I for one would like to see 'attractive nuisance' legislation applied to incompetent development.
And most of the comments I've read so far.
In the past *someone I may/may not know would detect port scans or breach attempts and do a dns lookup, email the admins from the compromised IP address and let them know they were cracked/hacked. Very rarely would it solicit even a reply, and the IP address would still show up in the logs. So this person would then either remotely shut down the box at said IP address or do some other next tricks (kiddie scripts work great sometimes for this). Which would get emails/phone calls/cease and desist/etc sent to them. At this point they would respond that the IP address had been compromised already, and they should fix it so it would stop bugging *my friend's box. No response and no more attacks from the said IP address. Don't know if it would work in this case, but if the server was shut down no one else could exploit the hack and see/obtain credit card info. *my friend would probably tell you to do this from an IP address that may or may not be traceable to your friend.
-KI
#include bier;
And not just in the tech world. You can be sued if you do CPR and crack someone's ribs if you're not certified. You can be prosecuted for going on someone's property if you hear screaming coming from the house. You can be prosecuted if you shoot an invader in your house (at least in the UK).
There's no use in being a "good guy" anymore. Just trying to help someone will get you in trouble anymore. If you're a guy and talk to a kid you don't know, everyone gives you strange looks. A while back a kid was trying to put books into one of those big metal boxes libraries have for returns, but couldn't quite reach the handle to open it. I opened it for him, and his mom, who was sitting in the car at the curb gets out and starts trotting at us. Books go in, he starts walking back, and she is giving me the evil eye while she grabs the kid and nearly drags him back to the car. All the while I'm holding my own books.
So why the fuck would I try and help anyone I don't know?
Vote monkeys into Congress. They are cheaper and more trustworthy.
What you have done is ethically, morally, and most importantly LEGALLY wrong. Drive (or have your parents drive you) to the local police department ASAP and tell them what you have done.
...and get everything sent to the company/the CEO or whoever blew you off/that guy you don't like. lol all the way to the bank.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
Give me the info and I'll take care of it.
-- I have a private email server in my basement.
Hack their system, go to jail for a few (many?) years. Then become a security consultant and go on a book tour.
Coder's Stone: The programming language quick ref for iPad
that 'atlanta' guy again. ATLANTA, eh ? why the fuck, ATLANTA ?
Read radical news here
Ask yourself: Have you passed it or not? Given that they are not getting what you are telling them, the best course of action would be to cover yourself. Wipe all evidence before somebody comes to you. Try to act cool.
But, if you feel that you have exposed yourself too much (you posted on /. after all), there's not much point to hide anymore. If you think you're going to jail anyway, exploit your advantage while you can. For example - cash in, buy gold, bury it somewhere in the woods. You're a criminal now, don't be shy.
---
Just some guy from Eastern Europe.
Moreso in banking and other financial services where you have less and less choice not to use any.
I say, notify, and if they're not properly responsive, drop the entire thing into the public pool. "Properly responsive" would be answering within a week, within two weeks I'd expect an "alright we're fixing it" notice and an ETA. I'd tell them this expectation in the email. Disclosure withheld at their request extensible to two months, after that you go public anyway so they'd better have fixed it by then, and if they're smart, announced the whole thing so you won't.
Endangering customers? Weren't they covered by the company's guarantees in the first place? This is the company failing due diligence when it came a'knocking at their door. The only thing I'd worry about is them trying to retaliate and trying to shoot the messenger. So use a throwaway account to contact them, and go public anonymously. That is all.
First off, don't do anything more. Realistically, you could already probably be found guilty of criminal acts (accessing computer systems without authorization, etc). If you piss them off, they are likely to respond in the only way they know how (with a lawsuit). What I would do is explain to them where their failures have been, advise them that they need to take security seriously.
With that being said, if you threaten to expose their issues, you will probably have crossed some legal lines that you don't want to cross. As of now, you are probably on questionable ground if they decided to take legal action against you (assuming they know who you are).
If they don't know who you are, and you are reasonably sure they can't find out, then I say tell them they have 30 days to convince you that they are actively working to fix the problems, or else you'll announce their ineptitude to the world and let their company fall apart.
Assume you are in a honey pot. The FBI already knows about it, it is their system. They are waiting for you to do something that they can lock you up for, and that makes them look good in the papers. Alternatively, they want enough on you that you can be turned to inform on your hacking friends. So, your move. Do you "Blow them up?"
For that matter, why do you even care? Are you a customer? What is your standing? Don't you have something else to do?
Fuck 'em. Shooting the messenger is well established and you should never have said anything to anyone.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
It's been two hours since the OP. LEOs read /. too, so if he's still not heard from the locals, he should now be more concerned about less scrupulous visitors. He should hide, find a lawyer, and explain only that he has a tip to be passed along anonymously. At this point the truth is already going to come out, he just needs to survive until it does without digging his hole any deeper.
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
And not in that charming NY/Jersey kind of way. Seriously, just drop it and don't ever mention it again. Regardless of your good intentions, these assholes WILL come after you legally. It's best just to let them find out the hard way and let them pin it on somebody else (who hopefully isn't you).
1) Stop now. Do not access their data ever again. Don't even visit their web page.
2) Document everything you do from here on out. Take notes, record audio and/or video, remain in the presence of other people as much as possible. You are going to need an alibi.
3) Back up your machines and then wipe them. Place the backups on physical media stored in a safety deposit box. Do not ever access your backups unless compelled by court order or under the advice of your lawyer.
4) Contact the EFF, explain your situation and ask them to render aid. They will at least be able to recommend a good lawyer.
5) From now on you must operate as if everything you write, say, or do will be scrutinized by a team of psychopaths who want to fuck you as hard they can. You must behave as a model citizen in every aspect of your life until this is resolved. When they come after you they will use anything they can to portray you as the villain. Stay sober, be nice to your wife, don't speed, ignore any wallets you see laying on the ground. Keep your head down and your hands where everyone can see them.
6) Never do anything like this again without explicit prior consent from the other party or under the direction of a legally recognized chain of command.
Don't use your real name, your real email, your real internet connection. They won't care that you tried to do a good thing, there's been too many precedents of white hats being convicted for pointing out a flaw. Even responsible disclosure is a very risky way to make a name for yourself.
Just floating an idea here for people to discuss:
What about anonymously publishing the vulnerability, including the name of the company and their product? E.g. through WikiLeaks or similar.
You've reported the vuln so that they can fix it. Apparently, they aren't interested and would rather push a payment system that they know to be vulnerable on their big customers and an unsuspecting public. So publicly shame them and hope they learn their lesson - as well as other people who may have similarly ill-conceived business ideas.
That's not just the neighbors' doors.
Companies who do this are the ones who should be hauled into court, and their CEOs, CIOs, and anyone responsible for making the decisions should be the ones put in jail.
Unfortunately, right now, that's not what would happen.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Practically, that may be the path of expedience.
Ethically, you're telling him to become a co-conspirator with a company that is operating illegally.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
bites you from behind every time.
Hobson's choice: get screwed now or get screwed later, and it seems like the whole world these days thinks that getting screwed is fun.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
You've now Become The Man.
What a drag.
Truth isn't Truth - Guliani
Bad grammar, good idea.
Although, in this case, he has to be very very careful to use only the published legal access methods as a customer.
Better, really, to contact the credit card companies. Not about insecure web sites, about improper use of credit card numbers.
Several people have posted phone numbers or on-line links below, with quotes relative to the credit card companies wanting to be informed about improper use of credit card numbers.
Probably don't want to admit to illegal access, even to the credit card companies, just to having noticed the vulnerability. If you can leave some sort of record of your attempt to contact the credit card company, that will help if it does blow up in your face.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
You've crossed a line that can't be uncrossed. Now that you have notified them, you will be the first suspect when they do get hacked. And you will then have to prove that you didn't hack them. Soooo, short of just hacking them, you HAVE to get them to take action. Contacting a local journalist is a good idea. You might also try to reach out to one of the app developers directly. Until then, you are on guard duty. You were really stupid man. Sorry.
I'm inclined to agree with those who state this was a honey pot. Maybe it was and maybe it wasn't, but standard security procedure is to have a honey pot open and available for naive, young hackers to fall into. You probably aren't the first person in it, either, if this is a big name institution. I read that an unsecured computer left open to the Internet will have hundreds of attacks compromise it a day, within seconds of going online. So, I would guess those credit card numbers are also fake.
Your best bet is to leave it alone. If this isn't a trap, that's for the company and the customers to deal with it, and the repercussions that follow. The fact that you need to ask here what to do about it leads me to suspect that you are in over your head.
Taking stuff apart since 1969 (TM)
Publish and be damned
Sell it to the highest bidder on the black market and profit. Seriously.
If they don't take their security seriously even after trying to help them. Sell it and profit. Make it impossible to trace back to you. By being a good Samaritan the best thing that will happen is they fix it and move on (and probably sue you because they can). Worst case, you release a proof of exploit and they get their lawyer to throw the book at you. Fuck them all. Sell it on the black market and get something out of your work and their idiocy for ignoring you.
How long do you think it will be now before the blackhats start looking at the payment handling processes of 'a rising mobile payment start-up' with 'big-name financial backing' ?
I don't think there are too many companies that match your description...
Here's how I see things panning out if you do nothing after getting this far:
-> Blackhat reads this /. article, and sees that you 'almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data'
-> Blackhat sees opportunity
-> All companies matching description are scanned for vulnerabilities that are 'just too easy for it to be respectable'
-> One or more companies matching the description (the actual one you were referring to almost certainly among them) will be breached, and have data stolen/leaked.
-> Companies start looking at their logs and/or correspondence to find the kind of traffic that was generated by the attack
-> You show up quite prominently
-> You plead innocence.
-> Cops find your
-> Jail time.
As I see it the only course of action to head off jail time is to ensure the breach never happens in the first place (Notify Visa/MC in a hurry, so that the company is forced into compliance before they get breached.)
Good luck,
Yep, I found it rather quickly myself. I'm not about to touch it myself with a 70 foot pole, but I wasn't looking to rip off any account info either.
As far as advice goes, you're in pretty deep already. Given the discussion here and the information that is already available, I don't think you're going to be able to back out now. You've already reported it to the company, but now it's publicly available and I worry that they might implicate you in damages. IMHO, get a lawyer. Now. They should be able to tell you what kind of liability you're facing. They should also be able to give you good advice on how to mitigate your own risk.
Frankly, I think it's stupid that someone pointing out a security flaw could be liable in any way, but that's the way our screwed up system works. Best of luck.
Step 2. Reveal the security vulnerability anonymously.
Step 3. Profit!
No good deed goes unpunished.
"If any question why we died, Tell them because our fathers lied."
Your answers have been duly recorded. Some participants may be included in a followup survey. Thank you for your time.
Check your premises.
Go to the local library, load up 4chan, and let the /b/tards know about the vulnerability. Anonymous will do it for you, and your hands are clean.
My sister opened a computer store in Hawaii. She sells C shells by the seashore.
Nuke their ass!
You have no moral obligation to tell anyone about anything.
If the clients affected by this include Canadians, the privacy office can legitimately look into your concern about the company. The privacy commissioner has teeth in Canada and can reach out of country. Remember facebook??? http://www.priv.gc.ca/media/nr-c/2010/nr-c_100922_e.cfm She can and does similar things with companies that process payments.
Ride recklessly only when safe to do so.
How long do you think it will be now before the blackhats start looking at the payment handling processes of 'a rising mobile payment start-up' with 'big-name financial backing' ?
I don't think there are too many companies that match your description..
No need to search too hard for the company. Our illustrious OP, aka Mr. Christopher Reed (http://seeread.info/) was naive enough to post this on twitter (http://twitter.com/#!/seereadnow).
"@TheLevelUp I think I found a trivial way to hack user accounts. Please get in touch to resolve."
At least he can point to the twitter feed as evidence that he was trying to contact them. This /. article where he considers "blowing them out of the water" would undoubtedly work against him though.
There's nothing more effective than an irate customer. Get into as many accounts as you can, grab an email address and the first and last 4 digits of their credit card info (or some other disambiguating information), then send emails to the customers from an email anonymizer, sharing whatever disambiguating information you obtained from their account, and stating the fact that the company won't fix their security. Step back and watch the customers make the company fix the problem.
I'd do it as one last effort. And then vanish and say nothing more about it.
try harder to get in touch with them. It's extremely obvious that you're talking about Square, so try tweeting at everyone on this list: https://twitter.com/#!/Square/team
Username taken, please choose another one.
Make large jewelry purchases and I will be glad to pick it up for you.
Dont be a willy willy lump lump your whole life.
As a good samaritan you are already past your point. If you want to pursue it further, find a reputable media outlet - I've heard Rolling Stone is pretty good - hand the info to them. They have the appropriate legal expertise to ensure a proper procedure is followed. If there is a "your real important" press thing, you'll get credit; if not, the job is done.
If you want to try a lone wolf approach, create an account with them, then hack it in such a way as you only damage yourself. Once done, sue them in a local small claims court for $1. That establishes the base for a class action suit once they fuck-up big time. Your exposure is minimal because you only, ahem, abused yourself. Even the US (in)?justice system would have trouble going after you.
Now that you are aware of the situation you have no choice but to make it known to the general population. If not, you will be complicit in the consequences to the company's clients' losses. The only question is how to do this without risking retaliation.
From what I read he hasn't done anything illegal. He said he found a hack. If he has a proper login and that login is not secure enough that the account leaks other people's account info he has done nothing wrong. There are due diligence laws in a lot of states and that includes admins doing their job.
And some asses have hooves and like to kick
I've done this in the past for ISP's and organizations. I explained that I didn't modify or download any information I thought might have been confidential, but could have. The security holes were patched, but I never received any sort of recognition or response from the organizations. This was probably 13 years ago. I could now be prosecuted for this...so...be careful. Even if you're cool and trustworthy, some people are jerks and take this as a slight to their ability. I don't know exactly why, but some people are jerks. If I were to do this in today's climate, I would remain anonymous but report the issue only to them. Don't expect kudos or a job offer though.
You mention that this company doesn't have many in-house developers, but I would go to one in the small development team (preferably anonymously) with a detailed report on the flaws, what they can expose and what types of attacks could be used.
Surely a fellow hacker must realise the severity of this and take it to the right places
Or am I dreaming ?
I discovered how to hack into and secure user accounts of a rising mobile payment start-up.
Euphemism of the year.
"What are you doing with these bags full of jewelry, sir?"
"I have to secure this stuff, it's too easily accessible for thieves"
I can't help notice how many posts on this thread have encouraged the poster to 'run and hide' since he's OBVIOUSLY broken the law.
I'm not so sure that's the case. Many vulnerabilities such as this (especially SQL injections) can be discovered using nothing more than Google dorks. In that scenario, it is Google that has (unintentionally) breached the company's security. The poster is simply accessing information that has been indexed by a search engine. Even if he found it directly, that doesn't mean he broke the law. I've found SQL injections on accident before simply by typing "O'Donnell" into a text box. (That single quote is a Bit**!)
I'm not saying that is what happened here. But don't assume that one has to break the law in order to discover a vulnerability. Google has indexed credit card numbers and other sensitive data in the past. And it's not Google's fault either. If their web spiders are able to scrape it, some web developer screwed up BIG-TIME...
As for advice, I'd say-
1. Document all communications with the company in question. It'll be harder for them to accuse you of wrongdoing if your first action was to inform them of the problem.
2. DO NOT EXPLOIT THIS VULNERABILITY! Or you actually are breaking the law.
3. Report the company in question to VISA, MC, AMEX, etc. You might have broken the law. But they are in violation of PCI-DSS. The company might not listen to you, but once they've got the card companies breathing down their neck they'll correct the issue. (Or they'll get shut down by their payment processor.)
4. Consult an attorney. You are in jeopardy of being blamed if the company does lose data, regardless of the facts. Regardless of legality, it doesn't sound like you have done anything immoral. Don't be their scapegoat.
5. If they do come after you, BE LOUD! The company in question has through their incompetence, screwed their customers. At some point they will have to weigh their options. The person who said 'There's no such thing as bad publicity.' did so before there was such a thing as the Internet. If coming after you means losing customers?
In any case, Good Luck! I've been where you are and it's not a comfortable position...
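The post above describes tripping over a SQL injection flaw just by typing a name with an apostrophe into a form. The following is an added example, not code from the original thread or from any company discussed in it, that shows why that happens and what the fix looks like: a lookup built by string concatenation falls over on "O'Donnell" because the apostrophe ends the SQL string literal early, while a parameterized query hands the value to the driver separately and is unaffected. The table, the names and the e-mail addresses are constructed sample data; `make_db`, `lookup_concatenated` and `lookup_parameterized` are names chosen here for illustration.

```python
import sqlite3

# Constructed sample data for the demonstration; nothing here comes from the thread.
SAMPLE_USERS = [
    ("Alice Smith", "alice@example.com"),
    ("Pat O'Donnell", "pat@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """The vulnerable pattern: user input is pasted straight into the SQL text.

    An apostrophe in the input terminates the string literal early, so the
    statement no longer parses. Returns the matching rows, or the string
    "error" when the database rejects the statement (the symptom the post
    describes: a stray quote character breaking the page).
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "error"


def lookup_parameterized(conn, name):
    """The hardened pattern: the SQL text is fixed and the value is bound by the driver.

    The driver never interprets the input as SQL, so quotes, semicolons and any
    other characters in the name are just data. Works for every input that the
    concatenated version handles, plus the ones that break it.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare_lookups(name):
    """Run both variants on the same input and return their results side by side."""
    conn = make_db()
    try:
        return {
            "concatenated": lookup_concatenated(conn, name),
            "parameterized": lookup_parameterized(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A plain name works either way; the apostrophe only breaks the concatenated query.
    for probe in ("Alice Smith", "Pat O'Donnell"):
        print(probe, "->", compare_lookups(probe))
```

The defender's takeaway is that a database error surfacing on ordinary input like an Irish surname is the same class of bug the post calls a SQL injection, and the fix is structural (bind parameters everywhere, never build SQL from strings) rather than filtering quote characters out of input. A spike of database syntax errors in application logs on otherwise normal form submissions is also a cheap detection signal for this class of defect.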
Release the hack if you want. If you have given them a month to fix it you have done your part in my opinion. If they have shown no interest in fixing it then just publish the details and they will be forced to fix it.
They are breaking federal laws when it comes to handling financial and credit data.
Go to the big name financial backers and the media.
We are the 198 proof..
You say you have had correspondence with them. Do they know who you are or can you be traced? If the answer is NO then get the fsck out of dodge. If they list you might want to option their stock price tanking at some stage soon.
The new right fascists are bilingual. They speak English and Bullshit.
Some discussion on responsible disclosure over in the Security Stack Exchange site: http://security.stackexchange.com/q/52/485
1. Make sure you have an anonymous connection. Neighbours' wifi or freespot works. Spoof your mac.
2. Not go back into the machines and erase any goddamn trace that you were there before. Even though you didn't do nothing by your book, when shit will happen, the company will deal with it by simply suing everyone in the logs and going after every ip. So be smart.
3. Make yourself a copy of that nice data. If there is any decision to be made which actually holds any relevance to YOU this is it.
4. Get the fuck out of there. Again, don't forget shell histories, lastlogs, tripwires etc etc etc.
my 0.02 eurocents
It's a sad day when a person who is sometimes accidentally caught up in viewing a method to breach a website (or DB) or accidentally breaches a website due to faulty programming/security will get years in a federal prison, yet the CxO's of that same company who theoretically are responsible for the integrity of that data, won't even see the inside of a courtroom.
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
Now, every day, you're going to get every script kiddie in the internet trying to poke holes in your network. In fact, if they get in, that's fine. They're allowed to look at everything you're doing (trade secrets) and they can copy user data, since this is legal. You're going to be in hot water with your customers, fast.
The s.k.'s are already doing that. This is similar to the argument about outlawing guns. If you outlaw guns, only outlaws will have guns.
If you outlaw hacking, only outlaws will be hackers. Do you really want the BAD GUYS to be the only elite hackers?
You will not be rewarded for your help and may be prosecuted or otherwise legally bullied. Do nothing, fuck them. Until there is some sort of protection for good samaritans in the digital world the real world can do without digital good samaritans.
Since they probably know who you are now, in the event they have issues with this in the future you may be targeted in the ensuing witch hunt. I would encrypt all of my computers (full disk) and simply never leave them up. If they are seized you do not know (no matter how smart you think you are) what completely unrelated stuff they may be able to use against you. Everyone's a criminal, they just don't want to prosecute everyone. Now they may want to prosecute you, though.
Since this has to do with credit card processing, the application vendor has to abide by PCI / PA-DSS regulations whether they like it or not. My suggestion is reach out to Visa at cisp@visa.com and let them know what you have discovered. They will look into it and likely will alert them of the issue. If they still refuse to fix the hole, they will be placed on the "vulnerable application" list which basically says you are not allowed to process any Visa/MC transactions with that software.