Ask Slashdot: To Hack Or Not To Hack?
seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."
Don't talk about it much publicly. You never know what kind of people there are on the internet and what they could do once they figure out what company you're talking about. Now Slashdot, what are your suggestions to him?
Maybe you could get the NSA to hack them?
Just brainstorming here...
If they don't want to listen, go to Visa and MasterCard. They won't sit on their asses about exposed credit card data.
For a 5 year tour of the federal penitentiary system, aren't you?
translated:
do you know how to steal? (implied yes as an answer)
do you know how to *hide*?
Maybe the company doesn't care, but the people with money on the line will. And when they start to care, the company will start to care. Don't go hacking to try and prove a point, that's just gonna cause you more trouble than it's worth. And if, at the end of the day, no one cares or does anything about it, no sweat off your back.
Walk away. You notified the appropriate people. After that, it no longer has anything to do with you, and can only go pear-shaped from here.
U.S. – (650) 432-2978 or usfraudcontrol@visa.com
How do I make my amazon wishlist available to you?
Drop everything, wipe the files you have, reformat and reinstall your computer, create a plausible deniability claim to any account you used of this that can be tied to you.
Then go to an internet cafe and post somewhere.
I think you're fighting a battle that was lost long ago. In the minds of most, what was once called cracking is now hacking.
You should probably hire a lawyer. It doesn't matter how good you're trying to be. Anything you did to come to your conclusions that was illegal is going to be frowned upon... severely. And if you do go public, you'll likely be hit with a C&D letter.
Now just forget about it and hope no one hacks them before they forget about you.
The most ethical thing you can do is fully disclose the hack to the media, and to as many websites as possible. This will force the developers to either fix the problem or let the company go down in flames. If you keep it secret, innocent people will be harmed when their information is leaked by the faulty code. If you could hack it, others can too. They may be less altruistic about what they find.
Write to 2600, call your local media, write to your newspaper, post the info here, go to the forums, and take the word to the street!
Send them a link to this website: http://ask.slashdot.org/story/11/12/02/2124215/ask-slashdot-to-hack-or-not-to-hack
This is the DUMBEST THING EVER. I cannot believe people actually think this way. Are you familiar with the LAW SYSTEM? People can't just go around doing things without permission like that. If your internet connection crosses a state line (and due to packet routing it probably does, and you might not even know), then you are committing a FEDERAL CRIME. That means that not just the police, but the FBI will come knock on your door. History is just FULL of people who thought, hey, I'm pretty clever, I'll hack these people and get a job. NOBODY WILL HIRE A CRIMINAL I PROMISE YOU.
Cannot stress this enough. Jeeze.
Here are your options: Call them, email them. That's it. Move on with your life if they ignore you. There's nothing that says they can't be incompetent if they want to, but there is something that says you can't break into their systems (yes, even if they're not secured).
GCS/MU/P d- s:- a-- C++++$ UL++ P+ L++ E+ W++ N o K- w--- O M+ V- PS+++ PE Y+ PGP t+ 5- X R++ tv+ b++ DI++ D++ G+ e++ h-
If you want to get the word out anonymously, approach a journalist. Journalists have a vested interest in breaking the next scandalous new story, especially those who are new and making a name for themselves. They also have a vested interest in protecting their sources, though you might still want to report it through an anonymous email account.
Ed Felten himself may not be the best person to contact, actually, since he's currently working for the FTC, but then again he may be worth sending an email to.
My point is this: ask someone who is respected in the security field and has years of experience. If not Felten, try and contact Moxie Marlinspike, perhaps.
It sounds like you are young and have very little experience with this kind of stuff. Do not make the mistake of thinking that anyone is going to thank you for your efforts. The company with the bad security may be run by a bunch of technological idiots who will see you as the threat. When the FBI comes calling, they will be more interested in seeing what criminal charges they can bring against you.
But don't be scared into inaction. Instead seek advice from experts who have been in the same position as you. They may have contacts and could help you present the exploit information in a way that is
1) legal
2) professionally done
3) likely to get taken seriously by the developers at the affected company.
Good luck! As long as you keep certain cautions in mind, you may have just stumbled onto a career in security!
You could consider contacting one of the major credit card companies like Visa. That's assuming you haven't done anything which could be construed as actually testing or exploiting the hole. If you have, it's a pretty sure bet the FBI will be on you like white on rice. They might anyway, but that would be a one way ticket to Club Fed.
You're such a geek no I mean nerd no wait.... what were we talking about?
Language evolves. You can fight the tide or swim with it. I know which way gets you drowned first.
That is all.
*sigh* man, I feel you. The word "hack" is just gone, lost from our culture. The mainstream has twisted it far too much.
Reading Aaron Barr from HBGary talk to anonymous and then talk to his "programmer" about all his sweet "hacks" nearly killed me.
The 95 Hackers film has become reality. I can't shake em, he's right behind me! Crash overdrive! Acid Burn!
Ooh, plus there's Swordfish "dropped a logic bomb through the trapdoor" and the wonderful CSI "programmed a GUI interface in Visual Basic to track the IP".
We really need to start educating the non-technical public on some technical things. Treating computers and technology as a whole as a black box ends up in all KINDS of misunderstandings and misinterpretations.
Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general.
It's maybe none of his business, but it's MY business AS A USER that some company that I give my credit card to is this irresponsible. Those who would hack it would hack it, and just use the cards and deduct hard-to-notice amounts every month and fuck me over.
If it wasn't for people like the article submitter, THOSE COMPANIES WOULDN'T LIFT THEIR ASSES for security. So YOU shut the fuck up. It's MY wallet.
Slashdot has had many stories of well-meaning hackers trying to save companies from themselves, only to wind up being the target of federal and/or state prosecutors rather than being considered a good Samaritan.
Here's my advice:
1) Stop violating federal and state laws. You've just confessed to the world that you are committing federal and state felonies. Stop being a criminal.
2) Walk away while you still can, and maybe you'll still have a life to live free of federal and/or state prosecution.
Absolutely wrong. "Hacker" is defined, and differentiated from "cracker," in RFC 1392:
IF the poster actually used the discovered methods of intrusion (which is likely) then you are absolutely right.
If on the other hand the poster simply noticed a problem but did not test it actively, then notifying the company is the decent thing to do.
In either case, it's now time to walk away.
You're being a bit harsh on the guy. A lot of people started their IT careers in the computer underground, myself included. If it were not for LA 2600 meetings and the first few Defcons, I would not have developed the skills and background that landed me my first job as a sysadmin fifteen years ago. More recently (within the last year), the head auditor for my company told me that my background reassured him because he knew that I had a better perspective on computer security and the threat landscape than most "professionals" who picked up all of their knowledge in a classroom.
WRT the OP, it was dumb for him to go to the company. As everyone else stated, he exposed himself to some liability. Any information that he provides to the company could be used to build a case against him for computer trespass, unauthorized access, etc.
To call the OP morally and ethically criminal is overboard. He did not do any damage to them and did not profit from his activities. It was a real world learning exercise. It was not the brightest move in the world, but doing a security audit on a random computer system does not make someone morally bankrupt. If he had taken the data and sold it for profit, or even just posted it for fame and notoriety, that would be a different story. Instead he naively did "the right thing" without fully understanding the liability it exposed him to.
First off, QUIT FUCKING TRESPASSING.
I don't care if you're not doing it for money (though, you sound like you might do it for fame). It's wrong.
As he explained it, it sounds as if he's concerned about the outfit's customers. It's not unheard of -- that people care about the wellbeing of other people. (That Christ guy you mention in the subject line did, for example)
You've sent the email, now send your concerns in writing, hard copy. Set up a meeting with those in charge and explain it in person, nicely. If they do not respond, then let them know that you have no choice but to report the lapse to the appropriate authorities. Under no circumstances crack your employer's service unless they ask for a demonstration.
I'd say there has to be a proper chain of command which you can go through. I'd start with the IT department. A random email from an unknown address may be filtered or just ignored so if you don't hear back in a day or two, make a phone call. Tell whomever answers the phone you are calling regarding a potential online security breach and you need to speak with the head of the IT Dept. Heck, even speaking with regular security may get you started. In your email, and potential phone call, you need to sound professional, non-threatening, but insistent. As previously stated, credentials and jargon matter. Hacking has a malicious connotation. Also, "I'm sorry, but I need to speak with your supervisor" can do wonders. As each person answers the phone or email take down their name.
If you've gotten to the head of the IT Dept or the head of the company and the issue still hasn't been resolved then you definitely need to go to the investors and shareholders. They are definitely going to listen because this impacts their bottom line. If for some reason they don't, then contact local media.
As with anything it's not necessarily what you are saying but how you are saying it and to whom. I can't help but think you just haven't gotten through to the right person yet.
Report it to CERT. (Or other corresponding security organization if you are outside the US.)
"If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at cisp@visa.com."
Don't publicly admit in a large forum like slashdot to committing a crime unless you're ready to be jailbait. Oops, looks like you failed the first step.
Please use the appropriate term. It's "GNU cracking".
I would recommend stealing as much money as you can, because you are going to need it to hire your lawyers when the FBI comes looking for you, now that you've identified yourself to them.
Are you implying that security related research is not legitimate? Or that this guy's attempts to warn the company about their problems are a black-hat thing? Because it sure sounds like you just called this guy a "cracker" for analyzing and then disclosing a security vulnerability. Is that really what you meant?
fifteen years ago
It isn't 1996 anymore. The days when people hacked into systems and were then hired into computer security consulting jobs are long since gone.
Would you mind if I broke into your house? Not to take anything, mind you, but just to check your security?
Personally, I favor the Full Public Disclosure route. You gave them a chance, you even told them how to fix it. The shareholders, yes they should know, but it's the customers whose accounts are exposed, and the public who may become customers. Don't they really deserve to know what they are signing up for or trusting?
So, you can do a full disclosure.... but they know who you are... it's a risk.
Another possibility.... wait a week or a month or so, and then anonymously release it to the public, swear up and down it wasn't you (use tor, etc etc)
Or, you could just leak it into some IRC channels where you can be sure it will be abused.... then come out later with a public disclosure after it's found that they had a major breach, include your conversations with them.
Sure you could just walk away but.... don't the customers really deserve to know? They are paying for the service after all.
Shouldn't he contact the Electronic Frontier Foundation? Isn't its purpose to provide advice in these cases?
Jesus Christ got crucified too, and that's a serious risk for this guy as well. In the metaphorical sense, true, but it could still get pretty unpleasant. He really should quit trespassing because it does not improve the disclosure, is no longer needed and finally, provides anyone who knows about it with a pretty big lever against him to shut him up. Don't give them more ammo than they already have.
This is some idiot asking for advice on an absolutely terrible scheme which has been explained before
Isn't that what Ask Slashdot is all about?
I think you're just getting old. ;)
What the OP did is no different than what you or I did. The environment is different due to the criminal statutes on the books and the willingness of the authorities to prosecute them. Other than that, it is just a kid / young adult pushing the boundaries and seeing what they can get away with.
Given that the OP had the good sense to post here and ask for guidance shows that they have their head on mostly straight. The phone phreaking that you did was more objectionable than what the OP did. You stole services. The OP just found a flaw, reported it and then realized that the vendor had no interest in taking the problem seriously. By doing that, they are exposing their customers to fraud.
I agree with you about needing to emphasize ethics. I think the OP has shown ethics and a conscious awareness of responsible disclosure. Back in the day, the exploit would have been all over various underground forums, and everyone and their mom would be poking around the site.
And not just in the tech world. You can be sued if you do CPR and crack someone's ribs if you're not certified. You can be prosecuted for going on someone's property if you hear screaming coming from the house. You can be prosecuted if you shoot an invader in your house (at least in the UK).
There's no use in being a "good guy" anymore. Just trying to help someone will get you in trouble anymore. If you're a guy and talk to a kid you don't know, everyone gives you strange looks. A while back a kid was trying to put books into one of those big metal boxes libraries have for returns, but couldn't quite reach the handle to open it. I opened it for him, and his mom, who was sitting in the car at the curb gets out and starts trotting at us. Books go in, he starts walking back, and she is giving me the evil eye while she grabs the kid and nearly drags him back to the car. All the while I'm holding my own books.
So why the fuck would I try and help anyone I don't know?
Give me the info and I'll take care of it.
Hack their system, go to jail for a few (many?) years. Then become a security consultant and go on a book tour.
I'm inclined to agree with those who state this was a honey pot. Maybe it was and maybe it wasn't, but standard security procedure is to have a honey pot open and available for naive, young hackers to fall into. You probably aren't the first person in it, either, if this is a big name institution. I read that an unsecured computer left open to the Internet will have hundreds of attacks compromise it a day, within seconds of going online. So, I would guess those credit card numbers are also fake.
Your best bet is to leave it alone. If this isn't a trap, that's for the company and the customers to deal with, along with the repercussions that follow. The fact that you need to ask here what to do about it leads me to suspect that you are in over your head.
Step 2. Reveal the security vulnerability anonymously.
Step 3. Profit!
If the clients affected by this include Canadians, the privacy office can legitimately look into your concern about the company. The privacy commissioner has teeth in Canada and can reach out of country. Remember facebook??? http://www.priv.gc.ca/media/nr-c/2010/nr-c_100922_e.cfm She can and does similar things with companies that process payments.
How long do you think it will be now before the blackhats start looking at the payment handling processes of 'a rising mobile payment start-up' with 'big-name financial backing' ?
I don't think there are too many companies that match your description..
No need to search too hard for the company. Our illustrious OP, aka Mr. Christopher Reed (http://seeread.info/) was naive enough to post this on twitter (http://twitter.com/#!/seereadnow).
"@TheLevelUp I think I found a trivial way to hack user accounts. Please get in touch to resolve."
At least he can point to the twitter feed as evidence that he was trying to contact them. This /. article where he considers "blowing them out of the water" would undoubtedly work against him though.