Australian Teen Reports SQL Injection Vulnerability, Company Calls Police
FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police."
The article says he was reported to police, but not arrested or even contacted by the police.
He only even knows he was reported to the police because the journalist told him.
Seriously, can we at least read the article before making up wrong headlines?
The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.
If its not your computer and if you don't have the owner's permission you can't do penetration testing without putting yourself at risk.
From the article:
"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."
He hasn't been arrested.
If you smiled at a safe, and it burst open... its not your fault the safe was faulty...
From the article: "Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he'd been reported to the police from the journalist who wrote the story for The Age."
Hardly arrested then...
Do not give what is holy to the dogs; nor cast your pearls before swine, lest they trample them under their feet, and turn and tear you in pieces.
Whoever posted this should be deleted from /. Nowhere does it say dude was arrested. Learn to read or go back to reddit.
you hold data or communicate it, write your code accordingly
"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."
HE DID NOT GET ARRESTED. Clearly whoever posted this story can't read.
Not all conservatives are stupid,
but it is true that most stupid people are conservative.
- Hume
Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.
But for how long?
I've been in this field for decades, and there have been far too many similar cases, like the one TFA is reporting, that happened to too many innocent people.
All of them committed one very sinful mistake - they reported the flaws to the authorities the WRONG way.
If you ever discover any vulnerability of any official website / db / whatever, don't tell them, and don't tell the media either.
Most of the reporters are spineless creeps who suck up to the power-that-be.
Instead, you have two options -
1. Keep quiet.
2. "leak" the info to some hacking circle and let others do the job for you.
If you ever take the 2nd option, you do need to know how to wipe off all your online traces (MAC address, IP address, and so on) so nobody, not even the hackers, can trace you.
Muchas Gracias, Señor Edward Snowden !
http://www.theage.com.au/technology/technology-news/schoolboy-hacks-public-transport-victoria-website-20140107-30fkg.html
For anyone who is interested
The World belongs to America.
that's when you play stupid and say the reporter showed you some hack....
just be dumb after that....
give it right back at the jerk off...
take yer pc to a trusted friend and claim you don't even have one.
We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.
Anyone with me?
and if you are just visiting and by accident do something locally that causes the hack, it would be like looking at the safe at a 45 degree angle and it opened
or opening your window which shines light on it and it opens...
all not under your control; most people would say HEY your safe is light sensitive....
YOU DON'T call the cops
... and gets arrested.
2. "leak" the info to some hacking circle and let others do the job for you.
Brilliant, help the kids remove any hope they had for a slap on the wrist by making them a coconspirators in a criminal enterprise.
If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.
I expect sensationalism, laziness and haha u didn't RTFA gotchas... yet ... even in the WWF you don't see wrestlers running over each other with monster trucks, wielding ninja swords or shooting their opponent with machine guns... there are LIMITS...
Now if you'll excuse me I have some endangered turtles to cook.
He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.
Victoria is not an American state, retard.
No but Australia is so that would make Victoria a mere county.
.. modded -1 Offtopic
Go watch all of CSI, et cetera
Well I'd learn that evidence collectors who play detective always go with the first idea that pops into their head and ignore all other possibilities, plus are full of wisdom like "a man will always cut himself whenever he stabs his victim".
I see what you did there.
Find a person who practices law or even better an organisation that specialises in law relating to computers and the internet and get their opinion on what to do. If you're going to be doing something with legitimate intentions that could be considered as illegal in the eyes of some people, then you better play the game and get legal advice before doing so. Just like when the guitarist of The Who, Pete Townshend, decided to investigate child pornography, he got legal advice before doing so (he was still arrested for accessing a child pornography site, but in the end he was only given a caution). Just my 2 cents...
My sig has no nature
To hide from the law, he changed his name to Drop Table All.
Table-ized A.I.
Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.
I'm pretty sure most western countries have a complaints department for law enforcement.
Many years ago in my teenage years in New Zealand, I was chatting to random people on IRC (a pretty new protocol at the time) and there was a guy bragging about bombing a plane - specifically, putting explosives on the landing gear of the plane.
Being young and paranoid, but not yet particularly clever in the ways of the computer security world, I 'anonymously' emailed the police with information about it. My attempts at anonymity were however not good enough and a few days later the police came and took all my computer equipment. The search warrant read "Attempted murder and breach of the telecommunications act" (I still have it, along with the write up I got in the newspaper as a reminder of absurdity). Of course, I was never arrested as I had done nothing illegal.
While that all annoyed me greatly, it didn't annoy me nearly as much as them keeping my stuff for over 3 months before I got it back. When I did finally get it back, the power switch on my main system was physically broken and the HDD was formatted.
I made a complaint to the Police Complaints Authority (a government body) and they ended up writing a letter of apology. So, while complaining certainly didn't do anything useful for me, the point is that there WAS a body for me to complain to.
I'm sure it's a little more complex in countries like the US and Australia since there may be differences by state as well as the federal level to think about, but a quick Google search seems to confirm that complaints departments and/or processes do exist there also.
My book about LSD and Self-Discovery
Also on facebook as: DroppingAcidDaleBewan
if that were true, there wouldn't be that many users or readers left here, certainly not enough to amass 83 comments to a story in under two hours.
In America they arrest you and take all your stuff without a warrant. Then they put you on trial where the prosecutor declares that an example must be made of you because bad things are happening in this day and age. If they break your stuff and you make a complaint to the complaints department they tell you to shut up and stop complaining or they will blow your head off. So yes the complaints department does exist.
mod UP - and load rifles for /. 'editor' FIRING line -grin-
redneck geek
There are already 51 real states, the three most recently added being Hawaii, the UK, and Alaska.
Damned if you do. Damned if you don't.
Back in 1997 I knew of a guy/hacker/WTAMU student that once discovered a security hole on a website run by an ISP in Amarillo, TX (ARNet). He had informed the system admins of the security hole several months before it was exploited by someone else. Unfortunately the sites that were hacked belonged to several of the local TV stations in Amarillo, who did NOT report the issue objectively. Instead of the ISP fixing the issues when they were initially reported, the sys admins denied the exact details and instead filed charges naming the "hacker" as the culprit, getting him arrested and almost destroying his career in IT.
Lessons learned: Report issues anonymously and let the world take care of the problem with a big cluestick and a bang. There is NO other way to report issues safely. And one wonders how the group "Anonymous" got its hold within society need to go no further than having someone they know get into a situation like this when they had tried to do "The Right Thing" tm.
Victoria is not an American state, retard.
Duh. I welcomed to a place like America, you dumbass.
As a matter of fact, my skills in geography are premium quality, thank you very much.
They will write a GUI in Visual Basic to see if they can track you?
They should have a "security hole" reporting department (or just one guy) at the police station.
Take your laptop (and some coffee) to the police station, hand coffee to policeman, then say:
"hi officer. i want to report a criminal website that exposes personal information, including credit card numbers to anyone. here let me show you
with the rights to edit the initial submission and either:
a. edit the title
or
b. add some text which corrects the mistake about the arrest?
If he lived in South Australia, detectives could confiscate his computers without having to obtain a search warrant (they are issued a "general warrant" removing a layer of oversight that most other states have).
He hasn't been arrested. The company called the police. Big deal.
Now can we talk about 'responsible disclosure'? He was a kid, so it isn't surprising that he would go about some things in a bit of a silly way, but he identifies as a white hat so he really needs to get his head around it if he doesn't want to get arrested at some point in the future.
What happened:
1. He e-mailed the company about the issue on boxing day, in the middle of the Christmas holiday period. Which e-mail address? (i.e. security, webmaster, customer support, who knows; writing content, who knows).
2. He didn't get a response for more than a week, so he contacted a newspaper
3. The newspaper contacted the company, gave them time to fix the problem, and then published. Publication was on 8/01/2014 - 14 days after the kid sent the original email.
Maybe I'm a bit odd, but in my head the step right after 'not receive response to e-mail that I sent about security problem in the middle of the holiday period' is not 'contact newspaper'. It is 'send another email, and specifically request a response when received and that it be forwarded onto IT staff'. Followed by 'make a phone call to customer support'. Sure, maybe if there is no response from the company in a couple of weeks then e-mail again and say 'If I don't receive a response, I will be passing this on to the newspaper', but that isn't step 2 of responsible disclosure.
This isn't to absolve PTV (the company) of responsibility. They should have processes in place such that an e-mail about a security issue will find its way to the right people as a matter of priority, and they should respond immediately to at least confirm receipt of the e-mail. If that didn't happen, then PTV needs to look at why and how to make sure it doesn't happen in the future.
The kid is a kid, so it is understandable that he didn't really follow a good procedure for disclosure. However, can we at least acknowledge that contacting a newspaper because you haven't had a response to your (one) e-mail in just over a week (sent during a major holiday period) isn't responsible disclosure?
No, no. I mean the police were contacted, but the reader was never arrested. Or at least that's what the journalist stated.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
I'm not sure what else to say. I figure if you are smart enough to come across some whistle blowing material you are smart enough not to look for advice on slashdot posts.
I think that "Australians" could return to their own country to be stupid ( to scotland etc. ).
I am a professional pentester, coincidentally from the same city as this kid.
People can harp on about responsible disclosure all they want. The fact of the matter is the kid didn't 'stumble' onto this vulnerability. He was actively looking. He used SQL Injection on a government production website which is full of people's personal data (PII).
Regardless of his true intentions of trying to do the right thing, he is young and stupid. What he did is illegal under current law. He will probably get off after a court hearing but in this case no one should be rushing to his defense.
Over the years I have played around with systems for fun and sometimes found some bad flaws, I am not naive enough to then contact the company in the hopes to get a reputation with my peers and a cool job, when in fact you have purposely broken the law to find it.
Joshua Rogers here. The kid that this article is about.
I want to clear something up..
I have _not_ been arrested (yet).
I have _not_ been questioned (yet).
I have _not_ been officially told that I've been reported to the police (yet).
I'm completely in the blank, as much as the rest of you.
What I'm expecting to happen:
They show up at my doorstep asking questions.
That's it.
They might ask me to sign something that says I have deleted all the data that I saw.
If you have any questions, I can be contacted @megamansec.
1. pass contract to build "secured" site to lowest bidder ...
2. blame some spotty kid for vulnerabilities that he himself reported to you, get him arrested and settle out of court for some seven digit sum which he'll be paying off the rest of his life
3. use some of that money to fix that single problem
n. PROFIT! Reputation intact but when this hits the wires don't expect to hear of any more vulnerabilities until the next audit.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
IANAL, but my understanding is that, at least in English law, the law actually does protect the Good Samaritan who engages in minor property damage to save a baby. The prosecution would almost certainly not prosecute, but if they did, the defendant would be able to exercise the Defence of Necessity. http://en.wikipedia.org/wiki/Necessity_in_English_law
Victoria is not an American state, retard.
Oh, but it is! Like it or not, together with the rest of the other 6 states.
Have a look over the TPP, recall how quick one of the former prime-ministers declared CableGate unlawful (turned that it wasn't), google a bit for David Hicks history (in a time when UK got their citizens out of Gitmo quite quick), etc.
The story and many of the comments make mention of the 'company' that called the police on the kid that reported the vulnerability. It wasn't a company. I was the, as the article makes clear in its first sentence:
"A teenager in Australia who thought he was doing a good deed by reporting a security vulnerability in a government website was reported to the police."
As much as the dominant culture of Slashdot is the sort that will take every opportunity to implicate private businesses in all manner of evil, distorting reality in this manner doesn't serve the anti-corporate cause. More to the point it demonstrates that whatever the drivers of the anti-business feelings of Slashdot editors and readers are, commitment to truth isn't amongst them.
For years people from the AFP have been saying to contact them about stuff like this. Sometimes they know and are watching others. Most of the time they aren't aware but having someone contact them as "I'm Joe Cool from the AFP, you have an issue we need to address now" works much better than "1'M ELEL7e H4X0R 7h@ PH0Und 4 1sSuE" when talking to anyone. Good crackers go on to other targets. Very good criminals break legs.
Another Assange on the way.
Is why management at Target should be prosecuted/sued for the large data breach there. Large companies almost always ignore the little guy, then exact vengeance when he can no longer be ignored. These bullies always hide behind the corporation and put shareholders (that's people's retirement funds) at risk. It's time to start prosecuting individuals and holding the CEOs responsible when this stuff happens. We blame the president when things like the Affordable Care Act site don't work. Likewise, we should hold the leadership of corporations personally responsible. The board of directors clique certainly won't. It's all rigged against the little guy.
Disclaimer: I'm an extreme capitalist; therefore I find this reverse fascism that the west is living under to be repugnant. It is producing oligarchies.
you must be new here. We also take every opportunity to implicate the twisted and evil organs of government
I speak from experience (and a lot of it). Never, ever report this type of bug to the owner of the website, especially if this is a big company (single-person websites are different), since most of the people who are responsible (in many cases) for the website know nothing of computer security, the internet or technology in general. The best thing to do is to forget this issue and let the website in question fall victim to hackers and ID theft. It is only after such a scandal that something is done about it.
These people don't understand good faith and they do not understand how internet security works. It's easier just to let them literally crash and burn, rather than telling them anything about the security flaw.
The Slashdot RSS feed was reporting this headline ended in "Gets Arrested", but it now reads "Company Calls Police". I point this out for the benefit of future readers of this segment of the discussion.
goes unpunished. Poor Mr. Rogers. I feel for him.
Does reading a Perl script that implements a company phone book and taking the plain text user and password to implement a better phone book for personal use constitute hacking?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Joshua, a self-described ''white hat'' security researcher, said he was motivated by a desire to improve online security. He first contacted PTV by email on Boxing Day, but received no response. He later contacted Fairfax Media.
Schoolboy hacks Public Transport Victoria website
The Age is owned by Fairfax Media.
Boxing Day in Australia is a public holiday.
It's a very strange time of year for a sixteen year old kid to be trying to gain the attention of anyone in or out of government. People are on vacation. Offices are closed or very thinly staffed...
Unauthorized access to systems and data --- white hat or black hat hacking --- is a crime under Australian law.
The end doesn't justify the means.
There are already 51 real states, the three most recently added being Hawaii, the UK, and Alaska.
You forgot to include Canada and Mexico. The Canadian state is protected by the U.S. military from the rest of the world, which allows them to afford to give all of their population (half the size of New York) health insurance. The incompetent Mexican state officials are able to maintain their position by actively promoting to its people to use the jobs and welfare programs offered by the other states and the U.S. federal government.
If everyone starts checking all the servers they use ...
This is done in some commercial settings. When some companies enter into a relationship periodic 3rd party security audits may be required. However the key point is that the owner of the machines have consented to the penetration testing and other audits.
Basically one company is told we won't do business with you unless you allow these 3rd party audits. Consumers could get together and do the same.
When Randal Schwartz probed security at Intel, they made him a convicted felon. See http://www.lightlink.com/spacenka/fors/
Morals:
1. Finding security holes is dangerous
2. You should buy AMD CPUs
This is really stupid of both government and companies. Yes, having a security hole discovered in your website is embarrassing. But if you punish the people that tell you about it, then people will stop talking and we'll end up with another really huge Target style breach. Then politicians will rub their hands together and exclaim "How could this possibly have happened, why didn't someone tell them they had a security problem. We'll have to pass a law..."
It goes to show that we live in a culture of "shoot the messenger" (to divert attention away from the actual security/privacy issue).
Canada? I think you mean North Montana.
Blue fucking ruin mate, the lousy mongrels gone and dobbed him in! Be a cobber and get me a tinny out the eski and chuck another abbo on the barbie while yer up, will yer?
Nope. Probably not a troll.
But I thought I'd throw in my 2 bits anyway.
I haven't posted on slashdot for years.
So I guess this is a great opportunity to test if I can use the new GUI.
The new GUI is nice.....
Anyway....
The best policy is out-in-the-open.
Bruce Schneier doesn't use pseudonyms.
My only pseudonym on the internet is this slashdot account.
My other slashdot account has my real name...
AUK.
It looks like positive coverage to me.
http://www.neowin.net/news/teenager-reported-to-police-after-reporting-vulnerability-in-government-website
There are just a couple of comments speculating about where the boundary between "having a look" and hacking lies. Ultimately, I think it's PHP that must be blamed for 90% of all of the hackable sites, and the programmers who use PHP in a weakly structured way. And maybe the maximum blame goes on the software outsourcing managers who think only of budgets and deadlines, while forgetting about security. So-called "risk management" by insuring against intrusions and making the contractors take out liability and indemnity insurance is a very ignorant way to protect a web site. The best form of protection is well-structured code which passes all HTTP and SQL interface events through well engineered security modules.
Couple of points:
1) Who is likely to militarily invade Canada other than the US?
2) Last I checked we contributed a fair bit to various military efforts including WW2 and Afghanistan.
I'm sure it's a little more complex in countries like the US and Australia
I cannot speak for Australia, but here in the US if you know of something like that it's better to keep your mouth shut and let it be. If they ever do come by and ask, it's best to say that you didn't see or know anything, or if that's not plausible, that you don't remember.
First, it's not that odd that teenagers are doing a bit of recreational hacking over the holidays. For some people it is a hobby, and what better time to indulge in one's hobby than over the holidays. Take into account also that during the holidays, one does want to check out holiday specials on the Met Link web site, especially if one is a poor teenager. And if that teenager just happens to know the basics of HTML, PHP, MySQL, etc., one does tend to notice that a site has a vulnerability. I often see these sorts of blunders by web developers, but when I report them, nothing happens and they are not fixed a year later. I don't "have a look" to see if the vulnerability is serious because that is not my hobby. But for some people, that's a hobby. When I was young, we used to hack radio and TV sets over the long Xmas holidays in Adelaide because summer holidays are very long if you can't afford an away-from-home holiday.
And on the subject of the ethics of saving 600,000 people's private data from falling into the hands of black-hats, look at this example.
1. You see a house on fire and a kid is trapped inside.
2. You break the window, grab the kid and bring it out to safety.
3. You get arrested for breaking and entering, and abducting a minor.
Of course, all burglary is criminal and all abduction of minors is criminal.
Solution: Let the kid die in the fire.
Nope. Luckily the police and judges are not idiots.
Sometime between the ages of 15 and 16 years, one's point of view may change. Maybe like King Asoka, who killed 100,000 people and then became a peaceful Buddhist because he realised the futility of destruction.
I had asked a security expert on how to best report a vulnerability and was told...."With great caution, as some will be grateful, others will be embarrassed and bury you"
The act of reporting the vulnerability likely isn't the problem with the police. The fact that he found the vulnerability is probably what caused the problem with the police. Using the website as it was intended to be used almost certainly wouldn't reveal an SQL injection vulnerability. For him to have found it meant he was doing something that may have been illegal.
Just because a website exists does not mean that you have the right to poke at it to find its vulnerabilities. Unless you've been authorized by the owners to conduct vulnerability testing, your actions will be viewed as malicious and may be illegal depending on where you live, and may result in serious consequences even if your intents were not malicious. Unfortunately, the days of something like this being viewed as "harmless" are pretty much gone.
In some ways, this reminds me of the "Kasper Holmberg incident" in Canada in 2008, in which a "well-intentioned" student at Carleton University identified a vulnerability in their student card system and exploited the vulnerability to access email accounts and financial information of a number of students so he could write a paper he sent to the university. He was charged with a number of violations of the criminal code of Canada, sanctioned by the university, and ultimately ended up dropping out of the university. The criminal charges were withdrawn several months later, but that doesn't change the fact what he did was illegal, even if it was well-intentioned.
Hate to remind all the flame bait commenters, but this had nothing to do with the US or Russia. This was in AUS.
This brings to mind the time when Randal Schwartz reported a vulnerability to a client and ended up with three felony convictions (see http://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case). His record has since been expunged, but at the time the Internet community was outraged simply because he was doing his client a favor. You try to do good and you get arrested for doing so. It sucks.
Unfortunately this actually does happen in South Africa http://mybroadband.co.za/news/security/94614-website-security-flaws-in-sa-shooting-the-messenger.html
"Well I guess the key question is why he was doing the "research" to begin with"
I guess the key question is why is a public facing website that will respond to any request considered inviolate for any reason whatsoever?
Don't ever again put the T word on the link, newbie! (yes, you, Mr. Editor)
We are in the year 2014 and there are still "pro" sites that SQL Injection works on? It is so easy to use Prepared Statements that this points to laziness like in banking.
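As an added illustration of the prepared-statement point made in the comment above, and of the earlier comment's call for passing every SQL interface event through a well-engineered layer, here is the query pattern that makes a bug of this kind possible next to its parameterized form. This is example code written for this page, not code from the thread, from PTV or from the Metlink site; it uses Python's standard sqlite3 module and a constructed three-row table, and the tautology string in the demo is the textbook teaching input, used only to show that the two forms answer it differently.

```python
import sqlite3

# Constructed sample data for the demo; nothing here comes from any real database.
SAMPLE_USERS = [
    ("alice@example.com", "0400 000 001"),
    ("bob@example.com", "0400 000 002"),
    ("o'brien@example.com", "0400 000 003"),  # a legitimate apostrophe in the data
]


def build_db():
    """Create an in-memory table shaped like a simple lookup page's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, phone TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (email, phone) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: user input pasted straight into the SQL text.

    The database engine cannot tell where the statement ends and the data
    begins, so a quote character inside `email` changes the statement itself.
    """
    query = "SELECT email, phone FROM users WHERE email = '%s'" % email
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: a prepared (parameterized) statement.

    The SQL text is fixed at write time; `email` is bound as a value, so it is
    compared literally no matter which characters it contains.
    """
    return conn.execute(
        "SELECT email, phone FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()

    # Ordinary input: both forms agree.
    print(lookup_unsafe(conn, "alice@example.com"))
    print(lookup_safe(conn, "alice@example.com"))

    # Honest input containing a quote: the unsafe form cannot even run it.
    print(lookup_safe(conn, "o'brien@example.com"))
    try:
        lookup_unsafe(conn, "o'brien@example.com")
    except sqlite3.OperationalError as exc:
        print("unsafe lookup failed on a legitimate name:", exc)

    # Textbook tautology input: the unsafe form returns every row, the safe form none.
    tautology = "' OR '1'='1"
    print(len(lookup_unsafe(conn, tautology)), "rows from the unsafe form")
    print(len(lookup_safe(conn, tautology)), "rows from the safe form")
```

The apostrophe case is the one to remember when arguing for prepared statements internally: the string-building version is not just exploitable, it is also simply wrong for ordinary customers whose names contain a quote, so the fix is a correctness fix as much as a security one.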