Slashdot Mirror


Australian Teen Reports SQL Injection Vulnerability, Company Calls Police

FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police."

6 of 287 comments

  1. Was not arrested by F'Nok · · Score: 5, Insightful

    The article says he was reported to police, but not arrested or even contacted by the police.

    He only even knows he was reported to the police because the journalist told him.

    Seriously, can we at least read the article before making up wrong headlines?

    1. Re:Was not arrested by F'Nok · · Score: 5, Insightful

      Perhaps you missed the point, so I'll make it more clear.
      While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.

      See how that kinda changes the overall theme?

      Sure, direct some anger at the idiot company that reported him for this, they are morons and the police should tell them to stop being morons.
      But it sounds like they actually might have done just that, because the police did not arrest him.

      They did not arrest. The overall theme should be about the idiot company, not the police.

    2. Re:Was not arrested by Anonymous Coward · · Score: 5, Insightful

      And when the kid grows up, he'll know not to help people, because in the real world, people do not deserve it.

  2. This is BS by Anonymous Coward · · Score: 5, Insightful

    Whoever posted this should be deleted from /. Nowhere does it say dude was arrested. Learn to read or go back to reddit.

  3. Brilliant, make them coconspirators by Anonymous Coward · · Score: 5, Insightful

    2. "leak" the info to some hacking circle and let others do the job for you.

    Brilliant, help the kids remove any hope they had for a slap on the wrist by making them coconspirators in a criminal enterprise.

    If you want to learn to be a security researcher then find some like-minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.

  4. Re:Metlink IRP by waynemcdougall · · Score: 5, Insightful

    He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.

    No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported.

    Instead they did nothing until exposure of their incompetence was threatened by mainstream media.

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz