Slashdot Mirror


Australian Teen Reports SQL Injection Vulnerability, Company Calls Police

FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police."


  1. Was not arrested by F'Nok · · Score: 5, Insightful

    The article says he was reported to police, but not arrested or even contacted by the police.

    He only even knows he was reported to the police because the journalist told him.

    Seriously, can we at least read the article before making up wrong headlines?

    1. Re:Was not arrested by F'Nok · · Score: 5, Insightful

      Perhaps you missed the point, so I'll make it more clear.
      While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.

      See how that kinda changes the overall theme?

      Sure, direct some anger at the idiot company that reported him for this, they are morons and the police should tell them to stop being morons.
      But it sounds like they actually might have done just that, because the police did not arrest him.

      They did not arrest. The overall theme should be about the idiot company, not the police.

    2. Re:Was not arrested by Anonymous Coward · · Score: 1, Informative

      This. Fucking scummy submitters. Go write your reports to some fantasy news website. I'm not even going to mention the /. "editors"...

    3. Re:Was not arrested by Anonymous Coward · · Score: 5, Funny

      Yeah, but regardless, this kid went out of his way to help out this company, and they repay him by having the cops toss him in the clink. The overall theme SHOULD be the idiot company, but in the meantime lets not forget about the cops who arrested him.

    4. Re:Was not arrested by jones_supa · · Score: 4, Informative

      I cancel that comment. If you read the line "He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age." carefully, you can see that he only heard from the reporter that the kid had been reported to the police (by TD). D'oh!

    5. Re:Was not arrested by Anonymous Coward · · Score: 5, Insightful

      And when the kid grows up, he'll know not to help people, because in the real world, people do not deserve it.

    6. Re:Was not arrested by Anonymous Coward · · Score: 1

      The article says he was reported to police, but not arrested or even contacted by the police. / He only even knows he was reported to the police because the journalist told him. / Seriously, can we at least read the article before making up wrong headlines?

      This is Slashdot; so what do you expect? In the end though, the article is a good lesson. Never use your own name to report a bug. Never report a bug directly yourself. Always use an anonymous mail account. When doing the actual security testing, go through Tor (and for the love of god, use an isolated machine created only for that and which you later destroy when connecting to the site). Always go through a local CERT or similar after getting a guarantee of anonymity.

      Simply make sure there is no way to trace yourself to the bug report and, unless the company already has a bug bounty program, if you want to get paid for a vulnerability then sell it to someone other than the original company.

      The responsible disclosure movement, which basically worked so that companies were allowed to blame security researchers, has very much to answer for. They have made us all much more insecure.

    7. Re: Was not arrested by dwarfsoft · · Score: 2

      What clink? He wasn't arrested. He hasn't even been approached by the police.

      --
      Cheers, Chris
    8. Re:Was not arrested by H0p313ss · · Score: 4, Funny

      in the meantime lets not forget about the cops who arrested him.

      The non-existent ones? This is getting very meta-physical, I may have to make some coffee.

      --
      XML is known as a key material required to create SMD: Software of Mass Destruction
    9. Re: Was not arrested by Anonymous Coward · · Score: 5, Funny

      Then how did he wind up in prison? He certainly didn't place himself under arrest. I guess we'll just have to hear the rest of the story once he's out on parole, the cops certainly aren't talking.

    10. Re:Was not arrested by Anonymous Coward · · Score: 1

      I may have to make some coffee.

      Probably a good idea, it should help clear up some of that wooshing noise you've likely been hearing.

    11. Re: Was not arrested by Darinbob · · Score: 4, Informative

      He's not in prison...

      Although the article does make a mention about someone else who was arrested in the past, an old story that was already here in slashdot. Maybe readers of the article aren't reading for comprehension?

    12. Re: Was not arrested by Anonymous Coward · · Score: 5, Funny

      Hopefully he'll be available to clear all of this up once the police release him from custody.

    13. Re: Was not arrested by Anonymous Coward · · Score: 2, Funny

      You know, I really admire your patience with the GP. I can't believe how stupid the GP is, misreading the article like that. If I were you, I'd have thrown the GP in the same jail the hacker kid is.

    14. Re: Was not arrested by Anonymous Coward · · Score: 5, Funny

      I don't see what's so funny about a kid getting arrested.

    15. Re: Was not arrested by Rational · · Score: 2

      You know what's even more messed up? To throw someone in a vat of acid for reporting a problem. Like the arrest, that did not happen either, but since facts don't matter it would have made a better headline, right?

      --
      "Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
    16. Re:Was not arrested by bloodhawk · · Score: 2, Insightful

      Actually the lesson should be never run a pen test against a web site you don't have permission to test, it really is that simple, especially a government body.

    17. Re:Was not arrested by umghhh · · Score: 5, Funny

      This is OT, but for a change I had a good laugh this morning while reading this part of the thread. Luckily I do not have to read this from prison like this kid.

    18. Re:Was not arrested by Caesar+Tjalbo · · Score: 1

      I wouldn't be surprised if it was the journalist though, an arrest would make the headline a little juicier.

      --
      "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
    19. Re:Was not arrested by gtall · · Score: 1

      For all you know the cops were told the kid was breaking into their systems, not that he discovered a security vulnerability. And from their point of view, they see someone attempting to break into their systems, not that he was some shining white knight attempting to help them to better security. Once the cops sorted it out, they seem to have let the little wiggler go.

    20. Re:Was not arrested by FuzzNugget · · Score: 1

      According to where I originally read this (Boing Boing) it says he was.

      However, I now see this at the bottom of the Wired article:

      Update: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he'd been reported to the police from the journalist who wrote the story for The Age.

      My apologies, title should read someone: Victorian Transportation Department Calls Police After Teen Reports SQL Injection Vulnerability

      `sudo mods edit title`

    21. Re:Was not arrested by FuzzNugget · · Score: 1

      "The title should read something like..."

      Fucking autocorrect.

    22. Re: Was not arrested by Anonymous Coward · · Score: 2, Funny

      Please, stop with the self-righteous posturing. Where were you when this kid was spending his best years in jail? Where were you when his mother committed suicide?

    23. Re: Was not arrested by isorox · · Score: 1

      Maybe readers of the article

      LOL

      You must be new here

    24. Re:Was not arrested by cffrost · · Score: 2

      The article says he was reported to police, but not arrested or even contacted by the police.

      He only even knows he was reported to the police because the journalist told him.

      Seriously, can we at least read the article before making up wrong headlines?

      Please, you've been here longer than I have. Surely you know that the "news" items here aren't meant to be an expression of reality, but a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs. ;o)

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    25. Re:Was not arrested by Bing+Tsher+E · · Score: 1

      they repay him by having the cops toss him in the clink.

      To repeat again. He was not arrested or 'tossed in the clink.'

      The technique of repeating something that is untrue over and over and over again is called the 'Big Lie.' It was a cold war propaganda technique.

      Possibly now that he was reported to the police, he will become a go-to person for the police when they need help on computer/cracking issues. He's certainly a person of interest to them now. But then again, as it says in the title of this topic on Slashdot, he is a 'security researcher.' Researchers publish their work. Shouldn't published research be free (we hear that every day on Slashdot). So the police should be entitled to know what he's researching.

    26. Re:Was not arrested by Bing+Tsher+E · · Score: 3, Interesting

      Well kids, now you know what the smart thing is to do: don't run pen tests against websites without permission.

      Similarly, don't walk down the hall in apartment buildings you don't live in wiggling the door handles. Sure, it's just innocent fun, and you were just doing it so you could write letters to the addresses of doors you found unlocked warning them, but it looks bad.

    27. Re:Was not arrested by mark-t · · Score: 2

      Perhaps you are missing a key factor in that the article specifically says that the source "doesn't say whether the police took any action against Rogers", and that there is certainly precedent for people who have done something similar ending up getting arrested, some of whom are still in prison.

    28. Re: Was not arrested by Anonymous Coward · · Score: 1

      This entire thread makes me think I've somehow visited Reddit instead of Slashdot. Regardless, let us know when the kid gets out of jail, please?

    29. Re:Was not arrested by wolrahnaes · · Score: 3, Insightful

      Except that many important security holes affecting the general population have been found this way. "Grey hat" pentesting (which I'm defining as unapproved but without malicious intent) is of critical importance for pretty much any public-facing system. The "black hat" crowd will be hitting it anyways, and who would you rather have find the problem? The one who'll report it or the one who'll exploit it?

      Sure it's a risky thing to do and I sure wouldn't intentionally associate any such behavior with my real identity, but it's something we should be encouraging because the other option is worse.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    30. Re:Was not arrested by Sique · · Score: 1

      Perhaps you missed the point, so I'll make it more clear. While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.

      See how that kinda changes the overall theme?

      No, it doesn't. It was the decision of the police to not arrest him (good act of the police by the way). The Transportation Department is still a dork for a) ignoring the bug report and b) acting silly when the information got out.

      --
      .sig: Sique *sigh*
    31. Re:Was not arrested by SuperDre · · Score: 1

      as is said, he was not arrested.. messing the stuff up WILL get you arrested, there is a difference between misusing an exploit or only reporting it..

    32. Re:Was not arrested by flyingfsck · · Score: 1

      Well, he should have been tossed in the clink. Not tossing him in the clink makes this whole Sloshdat thread meaningless. We cannot have that. I'll report him to the RIAA now, just to be sure he gets tossed in the clink.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    33. Re:Was not arrested by bill_mcgonigle · · Score: 3, Insightful

      a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs

      I'm nominating this to replace "News for Nerds. Stuff that Matters."

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    34. Re:Was not arrested by Jawnn · · Score: 1

      Yeah, but regardless, this kid went out of his way to help out this company, and they repay him by having the cops toss him in the clink. The overall theme SHOULD be the idiot company, but in the meantime lets not forget about the cops who arrested him.

      RTFA. The police have done no such thing. The police have not even contacted Mr. Rogers. Apparently they (the police) have a bit more security acumen than does the idiot who decided to involve them.

    35. Re:Was not arrested by Fnord666 · · Score: 1

      a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs

      Really? I thought it was a "a hypothetical interpretation of reality meant to maximize the number of ad impressions garnered".

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    36. Re:Was not arrested by mysidia · · Score: 1

      Nice how the editors CHANGED the headline without posting a proper retraction and apology, like a reputable media organization or news source should have.

    37. Re:Was not arrested by cffrost · · Score: 1

      Thank you. :o)

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    38. Re:Was not arrested by cffrost · · Score: 1

      a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs

      Really? I thought it was a "a hypothetical interpretation of reality meant to maximize the number of ad impressions garnered".

      I suppose you're right — it doesn't take me long to forget about the (b)ads I never download or lay eyes on.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    39. Re:Was not arrested by tepples · · Score: 1

      What's the best practice for obtaining permission to perform a pen test?

    40. Re:Was not arrested by HiThere · · Score: 1

      So he was arrested, but not charged. The company, however, tried to have him prosecuted. The message is nearly the same, modified only by "not all cops are brutal idiots", which is true enough. But all too many of them are.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    41. Re:Was not arrested by HiThere · · Score: 1

      You need to look up the definition of arrested. He was arrested, but not booked or charged. The company tried to have him jailed. The cops didn't cooperate, this time.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    42. Re:Was not arrested by HiThere · · Score: 1

      Sorry, my mistake. He wasn't even contacted, so he also wasn't arrested. Doesn't make me any happier with the company, however. And doesn't make me any more likely to report a vulnerability.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    43. Re:Was not arrested by tepples · · Score: 1

      What's the best practice for finding an opportunity to become asked?

    44. Re:Was not arrested by Bing+Tsher+E · · Score: 1

      Ask to be asked.

      Good old-fashioned salesmanship.

      It's not passive-aggressive enough to count for geek cred, I know...

    45. Re:Was not arrested by metaforest · · Score: 1

      I second this ^^

    46. Re: Was not arrested by Billlagr · · Score: 2

      Well that would make her, what, 11 when she had sex? Maybe they should be investigating the father for possible jail time?

    47. Re:Was not arrested by Occams · · Score: 1

      In reality he was showing off by penetrating the security of Metlink. I think that we nerds too readily attribute to him the noble motivation of helping them to improve their security, which clearly should have been better. Why did they need to keep all that information? So, the company deserves a kick, but so does the kid-hacker, who knowingly broke a state law that should be taken very seriously. He should have been arrested, but I doubt that he actually was. From Christmas Eve to Australia Day, 26 Jan, during the heat of summer, most Australians are on holiday, and it is very difficult to get any sense from many businesses or government agencies. It is also a slack news time where little stories get big coverage. Metlink is the much-hated, greedy marketing arm of the Melbourne public transport system that the populist media love to kick. So this kid chose his time to report the "problem" very well. If you ever try to catch a tram in Melbourne, you will hate Metlink too. You are required to buy a ticket from a machine on the tram under pain of heavy fines, but to do that you are required to have an intimate prior knowledge of the system so that you can choose the right number of "sections" for the fare. "Hurry up Yank!

      --
      Heavy is the head that wears the tinfoil hat.
  2. The law does not care ... by perpenso · · Score: 4, Interesting

    The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

    If it's not your computer and you don't have the owner's permission, you can't do penetration testing without putting yourself at risk.

    1. Re:The law does not care ... by sabri · · Score: 1

      The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

      Actually, it does. Your intentions can make an important difference. One example of this is the good Samaritan who breaks into a car to rescue a baby locked inside on a hot day. He would be guilty of vandalism according to your logic. Same applies here, if the kid notices a vulnerability and reports it without unnecessarily retrieving data, he is obviously a good Samaritan.

      --
      I'm not a complete idiot... Some parts are missing.
    2. Re:The law does not care ... by perpenso · · Score: 1

      The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

      Actually, it does. Your intentions can make an important difference. One example of this is the good Samaritan who breaks into a car to rescue a baby locked inside on a hot day. He would be guilty of vandalism according to your logic. Same applies here, if the kid notices a vulnerability and reports it without unnecessarily retrieving data, he is obviously a good Samaritan.

      Your analogy is flawed. The vulnerable data is not in plain sight to an innocent bystander as the baby in the car is. A better analogy would be someone sees a panel van and wonders if they can break into it. They do and once they have opened the door they find a baby in distress. They were not aware of the baby until after the break in.

    3. Re:The law does not care ... by deviated_prevert · · Score: 1

      So the Aussies will be fine?

      So the conclusion we must draw here is that Aussies are not hooman beins'? Or just maybe all their mothers was a dingo? I have met a few and called their mothers one, but that led to one hell of a bar fight. They tell me that the Cannabis in the outback is worth a walkabout, just maybe that's what you guys are smokin'. By and large they seem all too hooman to me. Though I tend to think the reporter was a certified son of a dingo and 'rooshit latecomer coward to boot one huge disgrace to the good people of Botany Bay!

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    4. Re:The law does not care ... by SuricouRaven · · Score: 4, Insightful

      That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism. What actually happens is the prosecution service decides that, in this instance, the law is best left unenforced. This discretion is important, as it's the only way to manage the very complicated system of laws - everyone commits crimes, every day. If every crime was prosecuted, most countries would need to imprison their entire population.

      It goes out the window if you manage to upset someone in a position of wealth or power though. Do that, and they will easily find something to prosecute you for.

    5. Re:The law does not care ... by umghhh · · Score: 1

      I dare to disagree. This is speculation but judging how fucked up many gov projects are maybe he heard somewhere how messed this particular system was or maybe he saw evidence of leaking data and checked himself whether it is so. After all if that is government then it is your property too as a citizen. The way the authorities work these days is another reason why he did that - to be sure that they fulfill their obligations to customers. Were this a private enterprise it could be that they would have a more white hat friendly policy.

    6. Re:The law does not care ... by gnasher719 · · Score: 4, Insightful

      That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism.

      Breaking into a car to get a baby out that is suffering from heat (especially in Australia, where this could be quite severe in some places) is not vandalism, it is self defense. Self defense covers protecting others as well, and allows use of an appropriate amount of violence. Breaking into a car to save a baby from a heat stroke seems appropriate.

    7. Re:The law does not care ... by amorsen · · Score: 1

      The problem is that virtual and physical security work differently.

      If a window does not close properly, that is not something to be all that much concerned about. The number of people who will find out is likely small, and any burglar will have to find out about the broken lock and be near the window to exploit it. Even if there is a break-in, the loss is probably going to be less than $10000, easily affordable for society as a whole. If everyone starts checking all the windows they pass by, society as a whole is likely to spend too much money and effort on window security without actually becoming much safer overall.

      In contrast, if a computer is vulnerable on the Internet, that IS a real concern. Any bad guy is likely to find the problem sooner or later with an automated scan, and exploitation can be done from any corner of the world. It is likely that the attack will be done at practically no cost to the attacker. If everyone starts checking all the servers they use, society as a whole is likely to get quite a bit safer over all, at a relatively small cost (because known vulnerabilities are typically reasonably easy to fix, particularly SQL injection).

      --
      Finally! A year of moderation! Ready for 2019?
    8. Re:The law does not care ... by ihtoit · · Score: 1

      no, this is running into a burning school and coming out with an unconscious child who was not marked in the register. Nobody knows he was in there, not even you, but notwithstanding the fact that you're a fucking hero to the kid, his friends and his parents, technically you had no business being in the building and therefore stand to be arrested and charged with trespass.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    9. Re:The law does not care ... by KingOfBLASH · · Score: 1

      Well I guess the key question is why he was doing the "research" to begin with

      If he was actively using portscanners and other tools to try to find exploitable systems on the internet, his intentions are questionable.

      I guess with SQL injection it's conceivable he could have simply been filling in something like a comment form, and gotten an error when the form wasn't properly handled....

      From TFA "Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability"

      However, TFA also states "The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site"

      So maybe he stumbled innocently onto this. But somehow he got around to seeing exactly WHAT he could find in the database. And that's where it gets fuzzy if he's really doing a good deed or not.

    10. Re:The law does not care ... by Bing+Tsher+E · · Score: 1

      just change the &user=foo to &user=bar. That really is "in plain sight" as far as web exposure goes

      Not if Mozilla has their way. They keep obfuscating URLs, sort of vigorously, actually, in Firefox. Granted, there's a setting to turn the address bar back to the URL in mobile Firefox. For now.

    11. Re:The law does not care ... by steelfood · · Score: 1

      On the other hand, the Russians and Chinese can penetrate virtually risk-free.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    12. Re:The law does not care ... by bill_mcgonigle · · Score: 1

      On the other hand, the Russians and Chinese can penetrate virtually risk-free.

      The Law is security theatre, not security. This is the one fault I find when reading Schneier's blog - he'll correctly diagnose security theatre and then call for more laws or regulations to 'deal' with it (paper over it, that is).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    13. Re:The law does not care ... by laird · · Score: 1

      That's only a valid complaint if laws do not affect people's behavior. Of course, in the real world, laws do affect people's behavior, which is why people care what laws are passed. For example if a regulation defines proper security procedures, and it's enforced with proper penalties, audits, etc., it will lead to increased security.

  3. Incorrect. by jamesn · · Score: 5, Informative

    From the article:
    "Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

    He hasn't been arrested.

  4. Idiots by Mistakill · · Score: 4, Funny

    If you smiled at a safe, and it burst open... its not your fault the safe was faulty...

    1. Re:Idiots by im_thatoneguy · · Score: 1

      If you put a high powered microphone to a safe, pick the lock and then rifle through the contents to see if they're valuable... it's not your fault it was possible for you to break in.

    2. Re:Idiots by KingOfBLASH · · Score: 1

      It's entirely possible he might have stumbled accidentally over SQL injection. Maybe he was filling in a "Contact Us" form and used some quotation marks or something.

      But instead of stopping there he went in to nose around and see that there were 600,000 users, credit card information, etc., available.

      So it was sort of a cache-22 on his part. He knew, maybe based on the fact that some idiot spit out the output of all SQL statements into some debug statements on the page, that he could just use SHOW TABLES; or SELECT * FROM ; or any other number of things to get the data.

      But without trying, he couldn't have known if perhaps the database was secured in the back end : the user did not have privileges for a SHOW TABLES statement or to select system tables, or to do anything except insert a comment.

      Best case should have been to email and say "Hey I can't submit a form using quotes, what gives?" However, that only will be helpful if the person answering the help email understands the ramifications to this.

      And if no one looks at it, perhaps it's only fixed when 600,000 people have to be informed their credit card information was stolen by malicious hackers.

      So it's a tough question. And there is no simple answer.
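
The comment above sketches the mechanics: a quote character in a form field breaks the query, the error page leaks that user input is pasted into SQL, the attacker then reads whatever tables the application's database account can see, and the only things standing in the way are parameterised queries and a low-privilege DB account. The script below is an added example written for this mirror, not code from the original thread or from the Metlink site. It uses an in-memory SQLite database with constructed, fictional customer rows; the `customers` table and column names are invented. SQLite has no per-user GRANTs, so the `set_authorizer` hook stands in for a database account that is denied reads of the schema catalogue (SQLite's `sqlite_master` plays the role of MySQL's `SHOW TABLES`).

```python
import sqlite3

# Constructed sample data for the demo; not the Metlink database from the story.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "1985-03-09"),
    (2, "bob", "bob@example.com", "1990-11-21"),
    (3, "carol", "carol@example.com", "1978-07-02"),
]


def make_db():
    """In-memory SQLite database holding a few fake customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, dob TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: user input pasted straight into the SQL text."""
    sql = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """The fix: the driver binds the value, so quotes in it stay data."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe(conn, payload):
    """Send one payload to the vulnerable lookup and report what an attacker sees.

    Returns ("error", message) when the query breaks (the tell-tale that input
    reaches the SQL parser) or ("rows", rows) when it runs.
    """
    try:
        return ("rows", lookup_vulnerable(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def restrict_schema_reads(conn):
    """Stand-in for a least-privilege DB account (assumption: SQLite has no GRANT).

    The authorizer is consulted while a statement is prepared; denying READ on
    the catalogue makes the UNION-based table enumeration fail even though the
    injection itself is still there.
    """

    def authorizer(action, arg1, arg2, db_name, source):
        if action == sqlite3.SQLITE_READ and arg1 in ("sqlite_master", "sqlite_schema"):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


# Payloads an attacker would try in order: a stray quote, a tautology, then
# a UNION that reads the schema catalogue (SQLite's answer to SHOW TABLES).
PAYLOADS = [
    "alice",
    "O'Brien",
    "x' OR '1'='1",
    "x' UNION SELECT name, sql, tbl_name FROM sqlite_master --",
]


if __name__ == "__main__":
    db = make_db()
    print("== vulnerable lookup, application account can read everything ==")
    for p in PAYLOADS:
        print(repr(p), "->", probe(db, p))
    print("== same payloads against the parameterised lookup ==")
    for p in PAYLOADS:
        print(repr(p), "->", lookup_parameterised(db, p))
    print("== vulnerable lookup again, but the account may not read the catalogue ==")
    restrict_schema_reads(db)
    print(repr(PAYLOADS[3]), "->", probe(db, PAYLOADS[3]))
```

Run it and the three stages of the comment's story fall out: `O'Brien` produces a syntax error (the "quotes in a Contact Us form" moment), the tautology returns every row, and the UNION returns the `CREATE TABLE` text for the whole schema. The parameterised version returns nothing for any of the attack strings and the correct row for `alice`. With the authorizer in place the tautology still dumps the table, which is the point the comment makes about not knowing what the backend account can do until you try: a restricted account limits the blast radius, but only the parameterised query removes the bug.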

    3. Re:Idiots by Quirkz · · Score: 1

      cache-22

      The technologist's humorous paradox. Brilliant.

  5. did he learn his lesson? by Anonymous Coward · · Score: 3, Insightful

    Do not give what is holy to the dogs; nor cast your pearls before swine, lest they trample them under their feet, and turn and tear you in pieces.

  6. This is BS by Anonymous Coward · · Score: 5, Insightful

    Whoever posted this should be deleted from /. Nowhere does it say dude was arrested. Learn to read or go back to reddit.

    1. Re:This is BS by Darinbob · · Score: 2

      We've known for many years now that Timothy can't actually read.

    2. Re:This is BS by crossmr · · Score: 2

      I'm not shocked at all that this came from Timothy, I can only guess he must have been on the phone with kdawson at the time he posted it.

    3. Re:This is BS by phayes · · Score: 1

      It's not that he can't read, it's that he either
      actively edits the article summaries to be misleading and/or controversial, or
      ignores story submissions that aren't misleading & controversial and promotes the latter submissions that are (as can be seen by reading the /. firehose)

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    4. Re:This is BS by Bing+Tsher+E · · Score: 1

      Actually, they were in a heavy Facetime(tm) session together.

  7. From TFA by AlanS2002 · · Score: 3, Informative

    "Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

    HE DID NOT GET ARRESTED. Clearly who ever posted this story can't read.

    --
    Not all conservatives are stupid,
    but it is true that most stupid people are conservative.
    - Hume
    1. Re:From TFA by Brett+Buck · · Score: 1

      More likely, he figured it wouldn't get accepted if it was utterly uninteresting. Faux outrage is far more compelling.

    2. Re:From TFA by AlanS2002 · · Score: 1

      You would have thought that whoever accepted it to be posted would have read TFA article and realised it was a crock.

      --
      Not all conservatives are stupid,
      but it is true that most stupid people are conservative.
      - Hume
  8. The correct way to "inform the authority" by Taco+Cowboy · · Score: 4, Interesting

    I've been in this field for decades, and there have been far too many similar cases, like the one that TFA is reporting, that happened to too many innocent people.

    All of them committed one very sinful mistake - they report the flaws to the authority, the WRONG way.

    If you ever discover any vulnerability of any official website / db / whatever, don't tell them, and don't tell the media either.

    Most of the reporters are spineless creeps who suck up to the powers-that-be.

    Instead, you have two options -

    1. Keep quite.

    2. "leak" the info to some hacking circle and let others do the job for you.

    If you ever take the 2nd option, you do need to know how to wipe off all your online traces (MAC address, IP address, and so on) so nobody, not even the hackers, can trace you.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:The correct way to "inform the authority" by maxwell+demon · · Score: 5, Funny

      1. Keep quite.

      This sentence is quite incomplete.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:The correct way to "inform the authority" by VortexCortex · · Score: 4, Informative

      If you leak the info, then when they go looking into the later breach and find your name linked to the IP address of a prior breach you'll be every bit as much a suspect as the crackers doing harm.

      The problem is that the computer fraud and abuse act is too harsh -- It needs an exemption / amnesty for folks who use responsible disclosure after stumbling on a flaw. The real problem is that folks in charge, like the NSA, FBI, etc. would rather you just didn't do any hacking at all. They'd like to have a monopoly on that, so the laws won't change.

      If you're not browsing by proxy in this day and age, you're screwed.

    3. Re:The correct way to "inform the authority" by MrNaz · · Score: 4, Insightful

      So this is the way that Snowden should have done it? I guess now we know that those who say "well, some good came from what he did, but he should have gone about it the right way".

      We now know that there is no "right way" to deal with government, other than kick them in the ass.

      --
      I hate printers.
    4. Re:The correct way to "inform the authority" by Anonymous Coward · · Score: 5, Funny

      If you're not browsing by proxy in this day and age, you're screwed.

      But baby, proxies don't feel natural! I'll pull out before I post my comment, I promise.

    5. Re:The correct way to "inform the authority" by chromas · · Score: 4, Funny

      [Premature enunciation]

    6. Re:The correct way to "inform the authority" by jcr · · Score: 1

      >2. "leak" the info to some hacking circle and let others do the job for you.

      Meh... Just post it on 4chan.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    7. Re:The correct way to "inform the authority" by SuricouRaven · · Score: 2

      What about sending the information anonymously?

      Though this will likely result in a low-level communications clerk dismissing your message as some paranoid crank before it even gets to the technical staff.

    8. Re:The correct way to "inform the authority" by umghhh · · Score: 2

      How true. Sometimes you have to break the law either because there is no other way or because the law is corrupted already. You have to watch your steps while you do it. Sometimes you only pay, sometimes you achieve something and pay anyway and sometimes you get lucky as you achieve your goal and get a reward. The latter option is the rarest of course.

      This may be OT but still. It seems to me we in the West are facing something bigger than usual incompetence and corruption which society can fix itself by standard means (voting opposition into office for instance). It seems to me that we rose above that level and are now at the level where government and big commercial organizations always know better than citizens, have means to be always right and if not then they can make you a criminal by interpreting the existing laws 'properly'. Coming from a country where I could see the now fallen communist regime in action I find it really troubling that western countries use methods I know from there. I could maybe understand if they at least tried to catch the web criminals and terrorists but sadly this hardly ever happens and all the losses of privacy and our rights and costs of the whole surveillance apparatus seem to be just supporting a move towards a police state and not towards more security. It is a strange world.

    9. Re:The correct way to "inform the authority" by Zamphatta · · Score: 3, Insightful

      Sounds like the underlying issue is that some people (who should know better) still believe security through obscurity is a viable way of business.

      This also reminds me of the case of Julian Harris, a man in Brisbane who was recently fined $44 for leaving his car window down while he was away from the car. The reason is that it makes it easier for a thief to steal things from the car or steal the car itself. So clearly, Australian authorities understand that leaving oneself vulnerable (aka "security negligence") should be punished even if you're not taken advantage of.

    10. Re:The correct way to "inform the authority" by amorsen · · Score: 2

      No. You only have option 1. It is unlikely that you are able to hide your traces well enough that no one can find you. If you discovered an SQL vulnerability, you can be reasonably certain that the request was logged. If no one else exploits it around the same time, that log entry will likely never be found -- if they were diligent, they would not have an SQL injection problem in the first place.

      If the vulnerability gets widely known, there will be people looking for the first instance it was exploited. There is a good chance that no one smart enough to find you will be assigned to the case, but you are taking a risk with zero gain.

      So keep quiet and let the corporation or government ruin the privacy of everyone. It is the only responsible path.

      --
      Finally! A year of moderation! Ready for 2019?
    11. Re:The correct way to "inform the authority" by Shienarier · · Score: 1

      Or British.

    12. Re:The correct way to "inform the authority" by jd2112 · · Score: 3, Interesting

      Sounds like the underlying issue is that some people (who should know better) still believe security through obscurity is a viable way of business.

      This also reminds me of the case of Julian Harris, a man in Brisbane who was recently fined $44 for leaving his car window down while he was away from the car. The reason is that it makes it easier for a thief to steal things from the car or steal the car itself. So clearly, Australian authorities understand that leaving oneself vulnerable (aka "security negligence") should be punished even if you're not taken advantage of.

      Keeping your car secure isn't always in your best interest.
      I once had a $1000 convertible top cut in order to steal a (broken) $150 radio.
      Since then I made it a practice to never lock the doors on a convertible. (and never leave anything of value inside)

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    13. Re:The correct way to "inform the authority" by cffrost · · Score: 4, Insightful

      Actually things would have been a lot more pleasant for him had he moved to his place of choice first before doing the leaking.

      The long arm of the US does mean there are very few suitable places so maybe Russia really is the best spot (but there was a fair bit of fuss getting there). Maybe he might have preferred Ecuador? Climate seems better there.

      I think Snowden's only realistic choices have always been either Russia or China, as they're the only two countries that both a) have the ability to defend their airspace, and have the military strength to stay standing after taking down a US intruder, removing the possibility of a flown-in death squad (e.g., Osama bin Laden) and b) have the political will and economic fortitude to withstand pressure from the US, removing the possibility of a straight-up sell-out, (e.g., Kim Dotcom).

      I don't think Assange's idea would have worked for Snowden; Ecuador would have likely caved to extreme pressure from the US, and the US has proven many times it has no qualms about toppling popular democracies, engaging in international terrorism, or intentionally causing widespread human suffering in pursuit of its economic and political interests, particularly in Central/South America, (I think because it's perceived as "belonging to" the US). (Fortunately, those days seem to be behind us, as the US populace wises-up to the atrocities it pays for (cf. the backing down of US war of aggression against Syria, opting for strange, new "diplomacy"-thing with Putin, as if by accident).

      Assange's situation is far from ideal, what with his lack of autonomy and ability to go out for a walk, but his decision was made in a sense of immediacy and duress; he didn't have the opportunity for foresight Snowden had. I am glad that he successfully traveled between Hong Kong autonomous region and Russia, though — I cannot imagine the horrors he'd have been subject to at US hands had he failed. My country is a dangerous rogue state, not to be trifled with without extreme precautions for one's own well-being.

      As for reporting security vulnerabilities, I think the market has indicated that the release of a zero-day exploit is preferred. As here, "responsible disclosure" results in harm to a good-faith actor, while zero-day exploits are quickly patched, and users quickly learn of the danger so that they may take whatever precautions each user deems appropriate until the danger has passed. Unlike many other good-faith actors, most releasers of zero-day exploits seem to know how to exceed the grasp of their targeted beneficiaries.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    14. Re:The correct way to "inform the authority" by K.+S.+Kyosuke · · Score: 1

      You have a third option: Post it as an AC on /.! ;)

      --
      Ezekiel 23:20
    15. Re:The correct way to "inform the authority" by amiga3D · · Score: 2

      Maybe he just didn't want the thief to break his window. If you leave it rolled down they can take what they want without damaging your car.

    16. Re: The correct way to "inform the authority" by Anonymous Coward · · Score: 1

    17. Re:The correct way to "inform the authority" by GoChickenFat · · Score: 2

      I don't get it. None of your options speak of integrity. People can complain about the downfall of society all they want but if we promote ideas that contain little integrity then we add to the problem. You shouldn't expect others to respond with integrity if you don't use it yourself.

    18. Re:The correct way to "inform the authority" by kelemvor4 · · Score: 1

      The first rule of fight club is "you don't talk about fight club."

    19. Re:The correct way to "inform the authority" by bill_mcgonigle · · Score: 1

      I think the market has indicated that the release of a zero-day exploit is preferred. As here, "responsible disclosure" results in harm to a good-faith actor, while zero-day exploits are quickly patched, and users quickly learn of the danger so that they may take whatever precautions each user deems appropriate until the danger has passed.

      Wow - you're quite right, though I haven't seen it so clearly explained. Such a shame - people need to get over this default reaction of retaliation.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    20. Re:The correct way to "inform the authority" by Anonymous Coward · · Score: 1

      Bzzzt... Wrong!

      1) Boot up a laptop with LiveCD, alter mac address and machine specific information appropriately.
      2) Log on to random public wifi hotspot.
      3) Create burner email account, and email site maintainer and owner in question, and cc no less than 2 or 3 media sources on the matter.
      4) Give just enough instruction that the maintainer and owner can figure out the problem, but that the media sources can not.
      5) Check back under steps 1 & 2, 8 days later to see if anything has been done.
      6) If nothing has, do step 3 and email again, adding even more sources, and wait 6 days before checking again.
      7) After that next 6 days, if nothing has been done, send direction specific instructions on the vulnerability to a high-profile tech site, and hope they can convince the site in question to fix their shit.
      8) Move on to something else.

    21. Re:The correct way to "inform the authority" by Hoi+Polloi · · Score: 1

      Or, more likely, he never contacted anyone (he says he never got a response) and should have made another effort to contact them maybe by directly calling. I wouldn't be surprised if he just used some webmaster email address on the site that gets checked once in a blue moon or his email got caught in a spam filter. Either way, to escalate it by going to the press was a bit of a rash jump to make.

      I agree that them responding by having him arrested was a petty act that showed more petulance than professionalism.

      As a developer myself I understand the inertia fixing security holes could face, especially if they subcontracted all of it out and that would mean asking for bids, spending $, etc. That is no excuse though for just ignoring it. There is also little excuse for allowing a public facing DB to have SQL injection holes like this in this day and age. The proper coding standards for dealing with this should've been followed from the start.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    22. Re:The correct way to "inform the authority" by cffrost · · Score: 1

      I think the market has indicated that the release of a zero-day exploit is preferred. As here, "responsible disclosure" results in harm to a good-faith actor, while zero-day exploits are quickly patched, and users quickly learn of the danger so that they may take whatever precautions each user deems appropriate until the danger has passed.

      Wow - you're quite right, though I haven't seen it so clearly explained. Such a shame - people need to get over this default reaction of retaliation.

      Thank you. :o)

      I remember that in an exchange with mcgrew, you put forth a self-developed technique, which you'd named and detailed on your website (which isn't working for me today — though I'm experiencing DNS failures and timeouts in recent days). All I can remember is that it involved an increasingly-adversarial arrangement imposed upon the responsible entity, it was less adversarial than "zero-day exploit" but more adversarial than "responsible disclosure," and it was quite persuasive. Do you remember it, (and if so, can you please recite it here)? Have you abandoned your idea? I hope you haven't — it was certainly preferable, I think, to "responsible disclosure," though I can't remember the level of risk it exposed the reporter to.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    23. Re:The correct way to "inform the authority" by HiThere · · Score: 1

      It is extremely unfortunate, but the way things are heading that's becoming less of a joke.

      It is not in my nature to trust strong authority, and evidence is repeatedly showing that my nature is correct. OTOH, anarchy is an unstable condition, and tends to quickly devolve into islands of strong authority that are at war with each other. That's probably worse. What is needed is a modified federal system, where the federal government has NO power over the citizens, but only over its constituent governments. Perhaps that would work better. Or perhaps governments run by humans are inherently untrustworthy.

      FWIW, I propose, as a less drastic measure, replacing elections by a lottery. That way the candidates can't be corrupted during the process of their selection.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    24. Re:The correct way to "inform the authority" by fractoid · · Score: 1

      You've already broken rule one, idiot. Stop telling people things! You're going to regret it!

      Quite.

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
    25. Re:The correct way to "inform the authority" by Doomsought · · Score: 2

      I've got a better response, skip the company and call the police. Use five words: Criminal Negligence with Confidential Data

    26. Re:The correct way to "inform the authority" by HiThere · · Score: 1

      What response that includes integrity do you recommend that has not been reported to be harshly punished?

      If you want to be a martyr there are plenty of opportunities. Most martyrs, however, don't receive ANY benefit in this life. Do you have a religious faith that promises that revealing computer vulnerabilities responsibly will be rewarded in the next? (A Hindu might have such a belief, I can't think of any other off-hand. A Buddhist might say "right livelihood" and "all is suffering", and not care, but I don't think any Buddhist that dedicated would be hacking in the first place.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    27. Re:The correct way to "inform the authority" by HellCatF6 · · Score: 1

      Have we all forgotten how to use paper, pen, envelope and stamp? Just leave off your return address - and don't sign it!

    28. Re:The correct way to "inform the authority" by Zamphatta · · Score: 1

      I can see that logic for a convertible, but I don't see how it could ever be better for businesses to leave security vulnerabilities in place.

    29. Re:The correct way to "inform the authority" by Hognoxious · · Score: 1

      I'm British and I assure you most of us know the difference between an adjective meaning "making very little noise" and a rather vague adverb.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    30. Re:The correct way to "inform the authority" by Aighearach · · Score: 1

      3. Leak the info anonymously to a known white-hat security researcher.

    31. Re:The correct way to "inform the authority" by knorthern+knight · · Score: 1

      > Have we all forgotten how to use paper, pen, envelope and
      > stamp? Just leave off your return address - and don't sign it!

      And don't forget to buy envelopes and paper in plastic wrappers at the store and wear thin gloves while you
      * unwrap the paper and envelopes
      * write the letter
      * stuff it into the envelope
      * seal the envelope (using a damp cloth)
      * put on the stamp (using a damp cloth)

      And don't lick the envelope or the stamp, otherwise they could get your DNA from your saliva... sounds like an episode from CSI

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
  9. Original article on The Age by AlanS2002 · · Score: 4, Informative
    --
    Not all conservatives are stupid,
    but it is true that most stupid people are conservative.
    - Hume
    1. Re:Original article on The Age by Anonymous Coward · · Score: 4, Funny

      For anyone who is interested

      No thanks, we like being uninformed here.

    2. Re:Original article on The Age by camperdave · · Score: 2

      No thanks, we like being uninformed here.

      What did you say that for? I was perfectly happy not knowing.

      --
      When our name is on the back of your car, we're behind you all the way!
  10. We need a Kickstarter campaign for Timothy by JohnA · · Score: 4, Funny

    We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.

    Anyone with me?

    1. Re:We need a Kickstarter campaign for Timothy by Anonymous Coward · · Score: 5, Funny

      No. Education is too expensive. Just replace him with a monkey.

    2. Re:We need a Kickstarter campaign for Timothy by Anonymous Coward · · Score: 3, Insightful

      We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.

      Anyone with me?

      Nope... 't's a lost cause, timothy's cognitive skills are in the atto- range

    3. Re:We need a Kickstarter campaign for Timothy by thegarbz · · Score: 1

      You assume Timothy is a person rather than an automated computer program that generates summaries.

    4. Re:We need a Kickstarter campaign for Timothy by BringsApples · · Score: 1

      I think it'd cost a lot, and may take waay too much time, as apparently this isn't "Timmy" but rather Timmmyyhh!

      --
      Politics; n. : A religion whereby man is god.
    5. Re:We need a Kickstarter campaign for Timothy by Keyboard+Rage · · Score: 1

      Why bother with a living creature?

      Use an industrial robot, or even better, a simple reposting script written by the company in the article.

      I bet Slashdot will instantly get much more interesting newsposts!

  11. Slashdot reader points out error in headline ... by Grismar · · Score: 5, Funny

    ... and gets arrested.

  12. Brilliant, make them coconspirators by Anonymous Coward · · Score: 5, Insightful

    2. "leak" the info to some hacking circle and let others do the job for you.

    Brilliant, help the kids remove any hope they had for a slap on the wrist by making them coconspirators in a criminal enterprise.

    If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.

    1. Re:Brilliant, make them coconspirators by cffrost · · Score: 3, Interesting

      2. "leak" the info to some hacking circle and let others do the job for you.

      Brilliant, help the kids remove any hope they had for a slap on the wrist by making them coconspirators in a criminal enterprise.

      I agree that involving potential minors presents a moral conundrum, but I think this is mostly a problem with how harshly minors are treated nowadays. Perhaps it's best to include an advisory with any vulnerability details that outline the potential penalties and risks involved with using the information provided. I believe it is the case that "the kids" have shown themselves to be very adept at this work, but I'm dismayed by what happens to them when they're caught (i.e., as though having done something terribly wrong, instead of having helpfully contributed to the security process).

      In the meantime, maybe some kind of anonymous WikiLeaks-style clearinghouse for zero-day exploits would be ideal, until the harsh penalties are removed, or the market chooses something other than "zero-day exploit" as the most effective form of security vulnerability disclosure (what with "responsible disclosure" resulting in inaction and/or harsh penalties applied to actors in good faith). (I'm unaware of the current release platform, but I suppose it's an unorganized mixture of web sites and P2P platforms with varying and unknown degrees of risk — a centralized point would make it easier for users and vendors to check if systems important to them have been compromised. News media could also extend its reach.)

      If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.

      That sounds like a fun learning activity for people who have the time and interest, but sometimes security vulnerabilities are discovered by those who may be regarded as lay-people. Increasingly so, I would guess, as more people are exposed to more technology. I wish they were always aware of the harsh penalties that are often involved in helping to repair security vulnerabilities, — until ideally — harsh penalties are removed as a likely possibility.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  13. Metlink IRP by SJ2000 · · Score: 1

    He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.

    1. Re:Metlink IRP by waynemcdougall · · Score: 5, Insightful

      He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.

      No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported.

      Instead they did nothing until exposure of their incompetence was threatened by mainstream media.

      --
      Recycle PCs and build a wireless community network www.hillsborough.org.nz
    2. Re:Metlink IRP by SJ2000 · · Score: 1

      No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported. Instead they did nothing until exposure of their incompetence was threatened by mainstream media.

      It all depends on the IRP. Most Australian transport organisations do not have an incident response plan for this kind of report from a member of the public (I.T. or otherwise), but they do have them for various PR issues such as public disclosure of a security issue (I.T. or otherwise). I'm not saying it's right, I'm just explaining how it occurs, and given the public profile of the incident, I'm not sure I'd want to be the one deviating from the established IRP even if it wasn't written with this in mind.

  14. Re:USA by crimson+tsunami · · Score: 1

    I see what you did there.

  15. Alias in hiding by Tablizer · · Score: 5, Funny

    To hide from the law, he changed his name to Drop Table All.

    1. Re:Alias in hiding by laejoh · · Score: 2

      It's pronounced Drop Table All, but it's written as:

      '); DROP TABLE All;--
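
The joke payload above, and the "proper coding standards" point made in the Hoi Polloi comment earlier in the thread, as an added example that is not from any commenter: the same injected string is run through a string-spliced INSERT and through a parameterized one against a constructed in-memory SQLite schema. The table name in the payload is a constructed one (`cards`) rather than the joke's `All`, so the example does not depend on how the engine treats that word as an identifier; the schema, table names and sample values are all constructed.

```python
import sqlite3

# Constructed sample schema (not from the page): a sign-up table plus a second
# table whose loss the injected statement would cause.
SCHEMA = """
CREATE TABLE signups (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE cards (id INTEGER PRIMARY KEY, last_digits TEXT NOT NULL);
INSERT INTO cards (last_digits) VALUES ('1234');
"""

# Same shape as the payload quoted in the comment above; the table name is a
# constructed one so the example does not depend on how the engine treats "All".
PAYLOAD = "'); DROP TABLE cards;--"


def make_db():
    """Return a fresh in-memory SQLite database populated with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, table):
    """True while a table with exactly this name is still in the catalogue."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


def signup_vulnerable(conn, name):
    """The 'before' pattern: untrusted input spliced into the SQL text.

    executescript() stands in for a driver that accepts stacked statements,
    which is what allows the injected DROP TABLE to run at all.
    """
    sql = "INSERT INTO signups (name) VALUES ('%s');" % name
    conn.executescript(sql)


def signup_parameterized(conn, name):
    """The hardened form: the value is bound as a parameter, never parsed as SQL."""
    conn.execute("INSERT INTO signups (name) VALUES (?);", (name,))
    conn.commit()


def stored_names(conn):
    """All names currently stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM signups ORDER BY id")]


def demo():
    """Run the payload and a legitimate apostrophe name through both paths."""
    vuln = make_db()
    signup_vulnerable(vuln, PAYLOAD)
    # The same splicing bug also rejects ordinary input containing a quote.
    try:
        signup_vulnerable(make_db(), "O'Brien")
        legit_name_rejected = False
    except sqlite3.Error:
        legit_name_rejected = True

    safe = make_db()
    signup_parameterized(safe, PAYLOAD)
    signup_parameterized(safe, "O'Brien")

    return {
        "vulnerable_cards_table_survives": table_exists(vuln, "cards"),    # False
        "vulnerable_stored_names": stored_names(vuln),                     # ['']
        "vulnerable_rejects_legit_apostrophe": legit_name_rejected,        # True
        "parameterized_cards_table_survives": table_exists(safe, "cards"),  # True
        "parameterized_stored_names": stored_names(safe),  # [PAYLOAD, "O'Brien"]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The parameterized path stores the payload as an ordinary name and leaves the second table intact, while the spliced path both drops it and breaks on a legitimate name like O'Brien.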

    2. Re:Alias in hiding by Anonymous Coward · · Score: 1, Informative

  16. Re:Never put your name to it by YttriumOxide · · Score: 5, Interesting

    Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.

    I'm pretty sure most western countries have a complaints department for law enforcement.

    Many years ago in my teenage years in New Zealand, I was chatting to random people on IRC (a pretty new protocol at the time) and there was a guy bragging about bombing a plane - specifically, putting explosives on the landing gear of the plane.

    Being young and paranoid, but not yet particularly clever in the ways of the computer security world, I 'anonymously' emailed the police with information about it. My attempts at anonymity were however not good enough and a few days later the police came and took all my computer equipment. The search warrant read "Attempted murder and breach of the telecommunications act" (I still have it, along with the write up I got in the newspaper as a reminder of absurdity). Of course, I was never arrested as I had done nothing illegal.

    While that all annoyed me greatly, it didn't annoy me nearly as much as them keeping my stuff for over 3 months before I got it back. When I did finally get it back, the power switch on my main system was physically broken and the HDD was formatted.

    I made a complaint to the Police Complaints Authority (a government body) and they ended up writing a letter of apology. So, while complaining certainly didn't do anything useful for me, the point is that there WAS a body for me to complain to.

    I'm sure it's a little more complex in countries like the US and Australia since there may be differences by state as well as the federal level to think about, but a quick Google search seems to confirm that complaints departments and/or processes do exist there also.

    --
    My book about LSD and Self-Discovery
    Also on facebook as: DroppingAcidDaleBewan
  17. Slashdot reader points out error in headline ... ( by rickyslashdot · · Score: 2

    mod UP - and load rifles for /. 'editor' FIRING line -grin-

    --
    redneck geek
  18. 52 state by Anonymous Coward · · Score: 1

    There are already 51 real states, the three most recently added being Hawaii, the UK, and Alaska.

  19. Isn't there some moderator,... by Selur · · Score: 1

    with the rights to edit the initial submission and either:
    a. edit the title
    or
    b. add some text which corrects the mistake about the arrest?

    1. Re:Isn't there some moderator,... by ihtoit · · Score: 1

      this is fucking Slashdot, where the editors mangle the shit out of submissions, injecting spelling and grammatical errors where there previously were none, inject links where there were none, and take submissions completely out of context and repost them as original work. I won't be doing that again. Fuckers.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  20. Lucky he's in Victoria by Cinnaman · · Score: 1

    If he lived in South Australia, detectives could confiscate his computers without having to obtain a search warrant (they are issued a "general warrant" removing a layer of oversight that most other states have).

  21. Responsible disclosure, anyone? by gnoshi · · Score: 1

    He hasn't been arrested. The company called the police. Big deal.

    Now can we talk about 'responsible disclosure'? He was a kid, so it isn't surprising that he would go about some things in a bit of a silly way, but he identifies as a white hat so he really needs to get his head around it if he doesn't want to get arrested at some point in the future.
    What happened:
    1. He e-mailed the company about the issue on boxing day, in the middle of the Christmas holiday period. Which e-mail address? (i.e. security, webmaster, customer support, who knows; writing content, who knows).
    2. He didn't get a response for *more than a week*, so he contacted a newspaper
    3. The newspaper contacted the company, gave them time to fix the problem, and then published. Publication was on 8/01/2014 - 14 days after the kid sent the original email.

    Maybe I'm a bit odd, but in my head the step right after 'not receive response to e-mail that I sent about security problem in the middle of the holiday period' is not 'contact newspaper'. It is 'send another email, and specifically request a response when received and that it be forwarded onto IT staff'. Followed by 'make a phone call to customer support'. Sure, maybe if there is no response from the company in a couple of weeks then e-mail again and say 'If I don't receive a response, I will be passing this on to the newspaper', but that isn't step 2 of responsible disclosure.

    This isn't to absolve PTV (the company) of responsibility. They should have processes in place such that an e-mail about a security issue will find its way to the right people as a matter of priority, and they should respond immediately to at least confirm receipt of the e-mail. If that didn't happen, then PTV needs to look at why and how to make sure it doesn't happen in the future.

    The kid is a kid, so it is understandable that he didn't really follow a good procedure for disclosure. However, can we at least acknowledge that contacting a newspaper because you haven't had a response to your (one) e-mail in just over a week (sent during a major holiday period) isn't responsible disclosure?

    1. Re:Responsible disclosure, anyone? by silas_moeckel · · Score: 2

      Seems very responsible: he contacted one third party with a good track record. Or do you expect people to wait months/years? SQL injection is pretty low end; who is the PCI auditor who missed this?

      --
      No sir I dont like it.
    2. Re:Responsible disclosure, anyone? by qzzpjs · · Score: 1

      I completely agree. He has no way of knowing his email to any of the company addresses wasn't just tossed in the spam box, or if it ever did reach someone who could understand it and act on it. If he wanted to properly disclose a security issue, he should have picked up a telephone and called them and asked to speak to their security department. Never trust an email to get through especially if you're putting a response time limit on it.

      I'd bet the newspaper reporter picked up the phone when he contacted them about it and that's the first that PTV got the notice about their problem.

    3. Re: Responsible disclosure, anyone? by gnoshi · · Score: 1

      I don't expect people to even wait weeks. I just expect someone to make at least a modest effort to make sure his single email sent on a public holiday during a major holiday period was seen rather than making step 2 'contact newspaper'.
      If he had, in that week, emailed twice and called on the phone once and been ignored, then contacting a newspaper prior to the problem being addressed wouldn't be so nuts, but that isn't what happened.

  22. Re:Slashdot reader points out error in headline .. by complete+loony · · Score: 1

    No, no. I mean the police were contacted, but the reader was never arrested. Or at least that's what the journalist stated.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  23. what a honeypot this is by Infestedkudzu · · Score: 1

    I'm not sure what else to say. I figure if you are smart enough to come across some whistle blowing material you are smart enough not to look for advice on slashdot posts.

  24. Naive by Anonymous Coward · · Score: 1

    I am a professional pentester, coincidentally from the same city as this kid.

    People can harp on about responsible disclosure all they want. The fact of the matter is the kid didn't 'stumble' onto this vulnerability. He was actively looking. He used SQL Injection on a government production website which is full of people's personal data (PII).

    Regardless of his true intentions of trying to do the right thing, he is young and stupid. What he did is illegal under current law. He will probably get off after a court hearing but in this case no one should be rushing to his defense.

    Over the years I have played around with systems for fun and sometimes found some bad flaws, I am not naive enough to then contact the company in the hopes to get a reputation with my peers and a cool job, when in fact you have purposely broken the law to find it.

    1. Re:Naive by mars-nl · · Score: 1

      I am a professional pentester, coincidentally from the same city as this kid.

      What he did is illegal under current law. He will probably get off after a court hearing but in this case no one should be rushing to his defense

      Maybe the law is wrong. We need people "who break the law" just like we need whistle blowers. As a professional pentester you probably know you are only hired by the top 0.01% of the companies who have a website which should be secure. The rest don't realize or don't care about any potential security problems they have and therefore will not think of hiring a professional pentester. So (non-professional) white hat hackers are doing us a favor and need protection from the law.

  25. Not Arrested, Not Questioned, Not Contacted. by MegaManSec · · Score: 5, Informative

    Joshua Rogers here. The kid that this article is about.

    I want to clear something up..

    I have _not_ been arrested(yet).
    I have _not_ been questioned(yet).
    I have _not_ been officially told that I've been reported to the police(yet).

    I'm completely in the blank, as much as the rest of you.
    What I'm expecting to happen:
    They show up at my doorstep asking questions. .. .... ........
    That's it.

    They might ask me to sign something that says I have deleted all the data that I saw.

    If you have any questions, I can be contacted @megamansec..

    1. Re:Not Arrested, Not Questioned, Not Contacted. by BringsApples · · Score: 1, Interesting

      Wow. All I can say is wow. You, the person (if that's true, which I have no way to verify) with any real information regarding this, submit information as it is to you (the only one with any actual information regarding this), and you get modded only to +4 Informative. Hell, I've been modded +5 Informative in the past, simply for copy/pasting some information from a link in the summary.

      Ok, so then let's try to verify what happened. How did you find "...a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department."? Why would the cops be 'after' you?

      --
      Politics; n. : A religion whereby man is god.
    2. Re:Not Arrested, Not Questioned, Not Contacted. by MegaManSec · · Score: 2

      I saw a MySQL error on the page I was viewing. That's it, lol.

    3. Re:Not Arrested, Not Questioned, Not Contacted. by bill_mcgonigle · · Score: 4, Informative

      I saw a MySQL error on the page I was viewing. That's it, lol.

      If the database driver errors are making it out to the public then it's the system's developers who should be questioned.

      It's a shame you were trying to be helpful and these dorks don't know how to be gracious.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:Not Arrested, Not Questioned, Not Contacted. by MegaManSec · · Score: 5, Informative

      I just saw a MySQL error on the page, and knew what had happened. My guess is that they don't have staff that can review apache logs to see what I actually viewed.. So, they want to know I don't have 600,000 records on my computer, basically.

    5. Re:Not Arrested, Not Questioned, Not Contacted. by JesseJMH · · Score: 1

      Haven't you, in the past been responsible for hundreds of user accounts being stolen and sold for numerous sources including Runescape as well as used vulnerabilities in sites to deface them? If this is true, have you tried to make amends to your past actions? I am genuinely curious as the online name MegaManSec is tied to these past actions.

    6. Re:Not Arrested, Not Questioned, Not Contacted. by JesseJMH · · Score: 1

      The name MegaManSec is tied to these events and you claim the name here on slashdot. I apologize if I seem accusatory and I in no way intend to offend. Rather, I was attempting to clarify the username usage.

    7. Re:Not Arrested, Not Questioned, Not Contacted. by BringsApples · · Score: 1

      Well, other than it being really cool that you responded to a slashdot article, as the guy involved, it's also really cool to know that you, the company and the police are all doing what seems to be the right thing. In my country (USA) you'd be handled by the FBI ( I guess, even though they're now only handling "national security") and be told that you're a criminal, and charges would mount until you'd rather be dead.

      Glad to see that the whole world isn't fucked up. And thanks again for posting!

      --
      Politics; n. : A religion whereby man is god.
    8. Re:Not Arrested, Not Questioned, Not Contacted. by MegaManSec · · Score: 1

      Actually, my username is not linked to any of that. Which means you know me.

    9. Re:Not Arrested, Not Questioned, Not Contacted. by MegaManSec · · Score: 1

      Furthermore, the fact this is the only story you've posted on, shows that you are a troll.

    10. Re:Not Arrested, Not Questioned, Not Contacted. by Winamp · · Score: 1

      You may be interested in Neowin's coverage of the story:

      http://www.neowin.net/news/teenager-reported-to-police-after-reporting-vulnerability-in-government-website

      Some people basically accuse you of hacking (cracking, specifically) the database as opposed to passively noticing the SQL error. Then again a heck of a lot of the commenters there are idiots and enjoy jumping to conclusions, but if you want some cheap humour feel free to read it. :)

    11. Re:Not Arrested, Not Questioned, Not Contacted. by MegaManSec · · Score: 1

      Thanks for the link. I hadn't seen that one yet. I agree with Swordfish. I think there are perhaps 10% of readers that have the attitude that any hacking is bad. I've been monitoring the comments sections on all of the articles, and it seems most people that say that I should go to jail for hacking are downvoted to oblivion.

    12. Re:Not Arrested, Not Questioned, Not Contacted. by JesseJMH · · Score: 1

      No, not a troll. I actually post anonymously on articles frequently. I actually chose to create an account for this post because I was genuinely curious. I sympathized with the article the first time I read it. It happens all too often that someone does something generous and gets stabbed in the back. But after some research it was pretty easy to link the nicknames "megamansec" and another well known name used by an annoyingly infamous internet troll to the real name Joshua Rogers. After learning this and knowing some history behind the other name, I sympathized much less.

  26. way to cover your arses by ihtoit · · Score: 2

    1. pass contract to build "secured" site to lowest bidder
    2. blame some spotty kid for vulnerabilities that he himself reported to you, get him arrested and settle out of court for some seven digit sum which he'll be paying off the rest of his life
    3. use some of that money to fix that single problem ...

    n. PROFIT! Reputation intact but when this hits the wires don't expect to hear of any more vulnerabilities until the next audit.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  27. Re:Another Possibility by ihtoit · · Score: 1

    yet he is still vilified as a paedophile.

    To borrow from the contemporary slang: smh.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  28. The law does care by almclean · · Score: 2

    IANAL, but my understanding is that, at least in English law, the law actually does protect the Good Samaritan who engages in minor property damage to save a baby. The prosecution would almost certainly not prosecute, but if they did, the defendant would be able to exercise the Defence of Necessity. http://en.wikipedia.org/wiki/Necessity_in_English_law

  29. Company? This involved a government agency, not a by steve+buttgereit · · Score: 1

    The story and many of the comments make mention of the 'company' that called the police on the kid that reported the vulnerability. It wasn't a company. It was a government agency, as the article makes clear in its first sentence:

    "A teenager in Australia who thought he was doing a good deed by reporting a security vulnerability in a government website was reported to the police."

    As much as the dominant culture of Slashdot is the sort that will take every opportunity to implicate private businesses in all manner of evil, distorting reality in this manner doesn't serve the anti-corporate cause. More to the point it demonstrates that whatever the drivers of the anti-business feelings of Slashdot editors and readers are, commitment to truth isn't amongst them.

  30. Those Ozzies! by Haluk+Yildirim · · Score: 1

    Another Assange on the way.

  31. Re:Company? This involved a government agency, not by iggymanz · · Score: 1

    you must be new here. We also take every opportunity to implicate the twisted and evil organs of government

  32. Let them burn by jonfr · · Score: 1

    I speak from experience (and a lot of it). Never, ever report this type of bug to the owner of the website, especially if this is a big company (single-person websites are different). Since most of the people who are responsible (in many cases) for the website know nothing of computer security, the internet or technology in general. The best thing to do is to forget this issue and let the website in question fall victim to hackers and ID theft. It is only after such a scandal that something is done about it.

    These people don't understand good faith and they do not understand how internet security works. It's easier just to let them literally crash and burn, rather than telling them anything about the security flaw.

    1. Re:Let them burn by Pinky's+Brain · · Score: 1

      Just anonymously mail them and CC it to your country's data protection agency and some newspapers; you can let the newspapers worry about what constitutes responsible disclosure, the company can't deny liability so it will get fixed, and you can forget about it.

    2. Re:Let them burn by eyenot · · Score: 1

      Previous comment mentions using an anonymous drop to inform the relevant companies or newspapers. That is the most immediate solution, I would have to agree.

      But I also wonder if anything would have been said or done about this vulnerability if there hadn't been a name or identity to target and make an example of?

      (Example being, "don't get smart with us".)

      I am starting to think that what you say is the best solution. If you find a system is vulnerable, perhaps it's best to withdraw your funds, close your account, deny all services, and stop doing business with the vulnerable. In this case, time to stop refreshing your name in their database and start buying your transit cards or tokens in person using cash. Cancel the card you used with them or report it stolen to get the card number associated with your account regenerated. Leaving something behind (address, phone number, mother's maiden name)? Make sure to change (scramble) your "account details" before jumping ship.

      What good is being done any more by free-lance white-hatting or the old vanguard of "let the company know and when you get the inevitable silent treatment, tell the public"? It's being treated like "vigilantism" even though no real victimization is being perpetrated. It's only against the law because of either idiotic legislators or weird "new world order" style agendas.

      Consider a company which would press charges against you for revealing their own vulnerability to them or for forcing the vulnerability into the open to get it fixed. We can easily say that's a company being run ignorantly. Consider a police department that would agree to handle those charges and throw you in the slammer in agreement with some lame law. Consider the obtuse lawmakers who gavel'd that idiot law into being. Consider the largely computer-illiterate -- nay, computer-superstitious -- population that regularly produces all of these idiots. Take all of that into consideration for a moment and ask:

      Whom are you going to save, from what, for the benefit of whom, on behalf of whom, as an upstanding citizen of what exactly, and with what as your reward?

      You're going to protect a moron company from "criminals", for the benefit of that moronic company lording it over a moronic population manhandled by a moronic police department, on behalf of said moronic police department (in their stead, on their behalf, same thing), as an upstanding citizen of a moronic state featuring a moronic population its moronic legislature passing moronic laws and the moronic police department that enforces those laws, and you're going to be branded a "criminal" and thrown in prison with a bunch of morons as a result.

      So, maybe re-think the whole old-school, "for the betterment of civilization" style of white-hatting at all, for anybody, whatsoever. Whether you protect your identity, get thrown in jail, or get heard out and get to see your suggestions taken seriously and resulting in a more secure website, the people you are trying to "help" obviously:

      (1) don't need it

      (2) don't or can't truly appreciate it

      (3) don't deserve it

      Pick any combination of the 3, even having one of those 3 present in the relationship calls for an end to the relationship.

      If they can't pay -- money, attention, time -- for real competent and intact security, let them get run over. Stop trying to "help". It's probably only contributing to the dumbing down of society, any way.

      --
      "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  33. Question by mapkinase · · Score: 1

    Does reading a Perl script that implements a company phone book and taking the plain text user and password to implement a better phone book for personal use constitute hacking?

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  34. Something feels a little off here. by westlake · · Score: 1

    Joshua, a self-described ''white hat'' security researcher, said he was motivated by a desire to improve online security. He first contacted PTV by email on Boxing Day, but received no response. He later contacted Fairfax Media.

    Schoolboy hacks Public Transport Victoria website

    The Age is owned by Fairfax Media.

    Boxing Day in Australia is a public holiday.

    It's a very strange time of year for a sixteen year old kid to be trying to gain the attention of anyone in or out of government. People are on vacation. Offices are closed or very thinly staffed...

    Unauthorized access to systems and data --- white hat or black hat hacking --- is a crime under Australian law.

    The end doesn't justify the means.

    1. Re:Something feels a little off here. by mars-nl · · Score: 1

      Did he do anything bad? I mean ethically, I don't mean according to the law?

  35. Mandated security audit by perpenso · · Score: 1

    If everyone starts checking all the servers they use ...

    This is done in some commercial settings. When some companies enter into a relationship, periodic 3rd party security audits may be required. However the key point is that the owner of the machines has consented to the penetration testing and other audits.

    Basically one company is told we won't do business with you unless you allow these 3rd party audits. Consumers could get together and do the same.

    1. Re:Mandated security audit by amorsen · · Score: 1

      However the key point is that the owner of the machines has consented to the penetration testing and other audits.

      Exactly. Unfortunately, owners obviously do not consent to sufficiently

      Consumers could get together and do the same.

      It is possible, but unfortunately unlikely. Considering that consumers cannot even stop parabens, it does not seem like network security audits have much of a chance.

      --
      Finally! A year of moderation! Ready for 2019?
  36. Lucky that it wasn't Intel by Strange+Attractor · · Score: 2

    When Randal Schwartz probed security at Intel, they made him a convicted felon. See http://www.lightlink.com/spacenka/fors/

    Morals:

    1. Finding security holes is dangerous

    2. You should buy AMD CPUs

  37. Probably not a troll by Swordfish · · Score: 1

    Nope. Probably not a troll.
    But I thought I'd throw in my 2 bits anyway.
    I haven't posted on slashdot for years.
    So I guess this is a great opportunity to test if I can use the new GUI.
    The new GUI is nice.....

    Anyway....
    The best policy is out-in-the-open.
    Bruce Schneier doesn't use pseudonyms.
    My only pseudonym on the internet is this slashdot account.
    My other slashdot account has my real name...
    AUK.

    1. Re:Probably not a troll by Alan+Kennington · · Score: 1

      Josh,

      This is the real name behind the Swordfish.
      Alan Kennington is user 33546.
      Swordfish is user 86310.

      I made up the name Swordfish for my second slashdot account in the late 1990s (approximately) because of the Marx Brothers movie Animal Feathers or something, where the password for the speak-easy was "SwordFish". One of the best Marx brothers sketches ever! A couple of years later, someone made a nerd movie called Swordfish, which really really annoyed me. They stole my name!!!!
      AUK.

  38. Neowin.net positive coverage by Swordfish · · Score: 1

    It looks like positive coverage to me.

    http://www.neowin.net/news/teenager-reported-to-police-after-reporting-vulnerability-in-government-website

    There are just a couple of comments speculating about where the boundary between "having a look" and hacking lies. Ultimately, I think it's PHP that must be blamed for 90% of all of the hackable sites, and the programmers who use PHP in a weakly structured way. And maybe the maximum blame goes on the software outsourcing managers who think only of budgets and deadlines, while forgetting about security. So-called "risk management" by insuring against intrusions and making the contractors take out liability and indemnity insurance is a very ignorant way to protect a web site. The best form of protection is well-structured code which passes all HTTP and SQL interface events through well engineered security modules.
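    The two technical observations in this thread (MegaManSec's "I saw a MySQL error on the page" and the point above that HTTP and SQL interface events should pass through a well-engineered boundary) fit in one small piece of code. The following is an added example, not code from PTV, the Metlink site, or anyone in the thread. It uses an in-memory SQLite database with constructed rows standing in for a purchases table; the column names, the `Response` type, and the handler names are invented for illustration. The vulnerable handler pastes the request parameter into SQL and echoes the driver's error text to the page, which is exactly the tell a passer-by would notice; the hardened handler validates at the boundary, binds the value, and keeps driver errors in a server-side log.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample data for this example only (no real people or cards).
SEED_ROWS = [
    (41, "A. Example", "a@example.invalid", "411111xxx"),
    (42, "B. Example", "b@example.invalid", "422222xxx"),
    (43, "C. Example", "c@example.invalid", "433333xxx"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like a purchase record store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE purchases "
        "(id INTEGER PRIMARY KEY, name TEXT, email TEXT, card_fragment TEXT)"
    )
    conn.executemany("INSERT INTO purchases VALUES (?, ?, ?, ?)", SEED_ROWS)
    return conn


@dataclass
class Response:
    status: int
    body: str


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str,
                      log: Optional[List[str]] = None) -> Response:
    """Request parameter concatenated into SQL; driver error echoed to the page."""
    sql = f"SELECT id, name, email FROM purchases WHERE id = {raw_id}"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The tell: the database's own error text ends up in the HTML.
        return Response(500, f"Database error: {exc}")
    return Response(200, "\n".join(f"{r[0]},{r[1]},{r[2]}" for r in rows))


def safe_lookup(conn: sqlite3.Connection, raw_id: str,
                log: Optional[List[str]] = None) -> Response:
    """Validate at the boundary, bind the value, never echo driver errors."""
    log = [] if log is None else log
    # Purchase ids are positive integers of bounded length; reject anything else
    # before it gets near the database.
    if not raw_id.isdigit() or len(raw_id) > 9:
        return Response(400, "Invalid purchase id")
    try:
        rows = conn.execute(
            "SELECT id, name, email FROM purchases WHERE id = ?", (int(raw_id),)
        ).fetchall()
    except sqlite3.Error as exc:
        log.append(f"db error for id={raw_id!r}: {exc}")  # detail stays server-side
        return Response(500, "Something went wrong")
    if not rows:
        return Response(404, "No such purchase")
    r = rows[0]
    return Response(200, f"{r[0]},{r[1]},{r[2]}")


# Strings that should never appear in a page served to the public.
ERROR_MARKERS = ("syntax error", "mysql", "sql", "database error", "unrecognized token")


def leaks_db_errors(handler: Callable[..., Response], conn: sqlite3.Connection) -> bool:
    """The thread's observation as a check: one stray quote makes the driver talk."""
    body = handler(conn, "42'").body.lower()
    return any(marker in body for marker in ERROR_MARKERS)


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        print(name, "leaks driver errors:", leaks_db_errors(handler, db))
        print(name, "on '0 OR 1=1':", handler(db, "0 OR 1=1"))
```

    Run as-is, the vulnerable handler answers `42'` with the SQLite error text and answers `0 OR 1=1` with every row in the table; the hardened handler rejects both inputs with a 400 before any SQL runs, and a genuine database fault would reach the page only as a generic message while the detail goes to the log. The boundary check plus bound parameter is the "security module" idea in its smallest form; error suppression on its own would hide the tell without closing the hole.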

  39. The ethics of saving babies from burning houses. by Swordfish · · Score: 1

    First, it's not that odd that teenagers are doing a bit of recreational hacking over the holidays. For some people it is a hobby, and what better time to indulge in one's hobby than over the holidays. Take into account also that during the holidays, one does want to check out holiday specials on the Met Link web site, especially if one is a poor teenager. And if that teenager just happens to know the basics of HTML, PHP, MySQL, etc., one does tend to notice that a site has a vulnerability. I often see these sorts of blunders by web developers, but when I report them, nothing happens and they are not fixed a year later. I don't "have a look" to see if the vulnerability is serious because that is not my hobby. But for some people, that's a hobby. When I was young, we used to hack radio and TV sets over the long Xmas holidays in Adelaide because summer holidays are very long if you can't afford an away-from-home holiday.

    And on the subject of the ethics of saving 600,000 people's private data from falling into the hands of black-hats, look at this example.
    1. You see a house on fire and a kid is trapped inside.
    2. You break the window, grab the kid and bring it out to safety.
    3. You get arrested for breaking and entering, and abducting a minor.

    Of course, all burglary is criminal and all abduction of minors is criminal.
    Solution: Let the kid die in the fire.
    Nope. Luckily the police and judges are not idiots.

  40. Asoka conversion by Swordfish · · Score: 1

    Sometime between the ages of 15 and 16, one's point of view may change. Maybe like King Asoka, who killed 100,000 people and then became a peaceful Buddhist because he realised the futility of destruction.

  41. More caution by giveen1 · · Score: 1

    I had asked a security expert on how to best report a vulnerability and was told...."With great caution, as some will be grateful, others will be embarrassed and bury you"

  42. How/Why did he find the vulnerability? by gdewis · · Score: 1

    The act of reporting the vulnerability likely isn't the problem with the police. The fact that he found the vulnerability is probably what caused the problem with the police. Using the website as it was intended to be used almost certainly wouldn't reveal an SQL injection vulnerability. For him to have found it meant he was doing something that may have been illegal.

    Just because a website exists does not mean that you have the right to poke at it to find its vulnerabilities. Unless you've been authorized by the owners to conduct vulnerability testing, your actions will be viewed as malicious and may be illegal depending on where you live, and may result in serious consequences even if your intents were not malicious. Unfortunately, the days of something like this being viewed as "harmless" are pretty much gone.

    In some ways, this reminds me of the "Kasper Holmberg incident" in Canada in 2008, in which a "well-intentioned" student at Carleton University identified a vulnerability in their student card system and exploited the vulnerability to access email accounts and financial information of a number of students so he could write a paper he sent to the university. He was charged with a number of violations of the criminal code of Canada, sanctioned by the university, and ultimately ended up dropping out of the university. The criminal charges were withdrawn several months later, but that doesn't change the fact what he did was illegal, even if it was well-intentioned.

  43. Shooting the messenger by darksabreza · · Score: 1