Australian Teen Reports SQL Injection Vulnerability, Company Calls Police

FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.'"

The law does not care ...

[perpenso]

The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

If its not your computer and if you don't have the owner's permission you can't do penetration testing without putting yourself at risk.

The correct way to "inform the authority"

[Taco+Cowboy]

I've been in this field for decades, and there have been far too many similar cases, like the one that TFA is reporting, happened to too many innocent people.

All of them committed one very sinful mistake - they report the flaws to the authority, the WRONG way.

If you ever discover any vulnerability of any official website / db / whatever, don't tell them, and don't tell the media either.

Most of the reporters are spineless creeps who suck up to the power-that-be.

Instead, you have two options -

1. Keep quite.

2. "leak" the info to some hacking circle and let others do the job for you.

If you ever take the 2nd option, you do need to know how to wipe off all your online traces (mag address, ip address, and so on) so nobody, not even the hackers, can trace you.

Re:Never put your name to it

[YttriumOxide]

Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.

I'm pretty sure most western countries have a complaints department for law enforcement.

Many years ago in my teenage years in New Zealand, I was chatting to random people on IRC (a pretty new protocol at the time) and there was a guy bragging about bombing a plane - specifically, putting explosives on the landing gear of the plane.

Being young and paranoid, but not yet particularly clever in the ways of the computer security world, I 'anonymously' emailed the police with information about it. My attempts at anonymity were however not good enough and a few days later the police came and took all my computer equipment. The search warrant read "Attempted murder and breach of the telecommunications act" (I still have it, along with the write up I got in the newspaper as a reminder of absurdity). Of course, I was never arrested as I had done nothing illegal.

While that all annoyed me greatly, it didn't annoy me nearly as much as them keeping my stuff for over 3 months before I got it back. When I did finally get it back, the power switch on my main system was physically broken and the HDD was formatted.

I made a complaint to the Police Complaints Authority (a government body) and they ended up writing a letter of apology. So, while complaining certainly didn't do anything useful for me, the point is that there WAS a body for me to complain to.

I'm sure it's a little more complex in countries like the US and Australia since there may be differences by state as well as the federal level to think about, but a quick Google search seems to confirm that complaints departments and/or processes do exist there also.