Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Teen Reports SQL Injection Vulnerability, Company Calls Police

Posted by timothy on from the charged-with-public-embarrassment dept.

FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.'"

36 of 287 comments (clear)

  1. Was not arrested by F'Nok · · Score: 5, Insightful

    The article says he was reported to police, but not arrested or even contacted by the police.

    He only even knows he was reported to the police because the journalist told him.

    Seriously, can we at least read the article before making up wrong headlines?

    1. Re:Was not arrested by F'Nok · · Score: 5, Insightful

      Perhaps you missed the point, so I'll make it more clear.
      While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.

      See how that kinda changes the overall theme?

      Sure, direct some anger at the idiot company that reported him for this, they are morons and the police should tell them to stop being morons.
      But it sounds like they actually might have done just that, because the police did not arrest him.

      They did not arrest. The overall theme should be about the idiot company, not the police.

    2. Re:Was not arrested by Anonymous Coward · · Score: 5, Funny

      Yeah, but regardless, this kid went out of his way to help out this company, and they repay him by having the cops toss him in the clink. The overall theme SHOULD be the idiot company, but in the meantime lets not forget about the cops who arrested him.

    3. Re:Was not arrested by jones_supa · · Score: 4, Informative

      I cancel that comment. If you read the line "He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age." carefully, you can see that he only heard from the reporter that the kid had been reported to the police (by TD). D'oh!

    4. Re:Was not arrested by Anonymous Coward · · Score: 5, Insightful

      And when the kid grows up, he'll know not to help people, because in the real world, people do not deserve it.

    5. Re:Was not arrested by H0p313ss · · Score: 4, Funny

      in the meantime lets not forget about the cops who arrested him.

      The non-existent ones? This is getting very meta-physical, I may have to make some coffee.

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    6. Re: Was not arrested by Anonymous Coward · · Score: 5, Funny

      Then how did he wind up in prison? He certainly didn't place himself under arrest. I guess we'll just have to hear the rest of the story once he's out on parole, the cops certainly aren't talking.

    7. Re: Was not arrested by Darinbob · · Score: 4, Informative

      He's not in prison...

      Although the article does make a mention about someone else who was arrested in the past, an old story that was already here in slashdot. Maybe readers of the article aren't reading for comprehension?

    8. Re: Was not arrested by Anonymous Coward · · Score: 5, Funny

      Hopefully he'll be available to clear all of this up one the police release him from custody.

    9. Re: Was not arrested by Anonymous Coward · · Score: 5, Funny

      I don't see what's so funny about a kid getting arrested.

    10. Re:Was not arrested by umghhh · · Score: 5, Funny

      this is OT but for a change I had a portion of a good lough this morning while reading this part of the thread. Luckily I do not have to read this from the prison like this kid.

  2. The law does not care ... by perpenso · · Score: 4, Interesting

    The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

    If its not your computer and if you don't have the owner's permission you can't do penetration testing without putting yourself at risk.

    1. Re:The law does not care ... by SuricouRaven · · Score: 4, Insightful

      That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism. What actually happens is the prosecution service decides that, in this instance, the law is best left unenforced. This discretion is important, as it's the only way to manage the very complicated system of laws - everyone commits crimes, every day. If every crime was prosecuted, most countries would need to imprison their entire population.

      It goes out the window if you manage to upset someone in a position of wealth or power though. Do that, and they will easily find something to prosecute you for.

    2. Re:The law does not care ... by gnasher719 · · Score: 4, Insightful

      That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism.

      Breaking into a car to get a baby out that is suffering from heat (especially in Australia, where this could be quite severe in some places) is not vandalism, it is self defense. Self defense covers protecting others as well, and allows use of an appropriate amount of violence. Breaking into a car to safe a baby from a heat stroke seems appropriate.

  3. Incorrect. by jamesn · · Score: 5, Informative

    From the article:
    "Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

    He hasn't been arrested.

  4. Idiots by Mistakill · · Score: 4, Funny

    If you smiled at a safe, and it burst open... its not your fault the safe was faulty...

  5. This is BS by Anonymous Coward · · Score: 5, Insightful

    Whoever posted this should be deleted from /. No where does it say dude was arrested. Learn to read or go back to reddit.

  6. The correct way to "inform the authority" by Taco+Cowboy · · Score: 4, Interesting

    I've been in this field for decades, and there have been far too many similar cases, like the one that TFA is reporting, happened to too many innocent people.

    All of them committed one very sinful mistake - they report the flaws to the authority, the WRONG way.

    If you ever discover any vulnerability of any official website / db / whatever, don't tell them, and don't tell the media either.

    Most of the reporters are spineless creeps who suck up to the power-that-be.

    Instead, you have two options -

    1. Keep quite.

    2. "leak" the info to some hacking circle and let others do the job for you.

    If you ever take the 2nd option, you do need to know how to wipe off all your online traces (mag address, ip address, and so on) so nobody, not even the hackers, can trace you.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:The correct way to "inform the authority" by maxwell+demon · · Score: 5, Funny

      1. Keep quite.

      This sentence is quite incomplete.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:The correct way to "inform the authority" by VortexCortex · · Score: 4, Informative

      If leak the info, then when they go looking into the later breech and ding your name linked to the IP address of a prior breech you'll be every bit as much a suspect as the crackers doing harm.

      The problem is that the computer fraud and abuse act is too harsh -- It needs an exemption / amnesty for folks who use responsible disclosure after stumbling on a flaw. The real problem is that folks in charge, like the NSA, FBI, etc. would rather you just didn't do any hacking at all. They'd like to have a monopoly on that, so the laws won't change.

      If you're not browsing by proxy in this day and age, you're screwed.

    3. Re:The correct way to "inform the authority" by MrNaz · · Score: 4, Insightful

      So this is the way that Snowden should have done it? I guess now we know that those who say "well, some good came from what he did, but he should have gone about it the right way".

      We now know that there is no "right way" to deal with government, other than kick them in the ass.

      --
      I hate printers.
    4. Re:The correct way to "inform the authority" by Anonymous Coward · · Score: 5, Funny

      If you're not browsing by proxy in this day and age, you're screwed.

      But baby, proxies don't feel natural! I'll pull out before I post my comment, I promise.

    5. Re:The correct way to "inform the authority" by chromas · · Score: 4, Funny

      [Premature enunciation]

    6. Re:The correct way to "inform the authority" by cffrost · · Score: 4, Insightful

      Actually things would have been a lot more pleasant for him had he moved to his place of choice first before doing the leaking.

      The long arm of the US does mean there are very few suitable places so maybe Russia really is the best spot (but there was a fair bit of fuss getting there). Maybe he might have preferred Ecuador? Climate seems better there.

      I think Snowden's only realistic choices have always been either Russia or China, as they're the only two countries that both a) have the ability to defend their airspace, and have the military strength to stay standing after taking down a US intruder, removing the possibility of a flown-in death squad (e.g., Osama bin Laden) and b) have the political will and economic fortitude to withstand pressure from the US, removing the possibility of a straight-up sell-out, (e.g., Kim Dotcom).

      I don't think Assange's idea would have worked for Snowden; Ecuador would have likely caved to extreme pressure from the US, and the US has proven many times it has no qualms about toppling popular democracies, engaging in international terrorism, or intentionally causing widespread human suffering in pursuit of its economic and political interests, particularly in Central/South America, (I think because it's perceived as "belonging to" the US). (Fortunately, those days seem to be behind us, as the US populace wises-up to the atrocities it pays for (cf. the backing down of US war of aggression against Syria, opting for strange, new "diplomacy"-thing with Putin, as if by accident).

      Assange's situation is far from ideal, what with his lack of autonomy and ability to go out for a walk, but his decision was made in a sense of immediacy and duress; he didn't have the opportunity for foresight Snowden had. I am glad that he successfully traveled between Hong Kong autonomous region and Russia, though — I cannot imagine the horrors he'd have been subject to at US hands had he failed. My country is a dangerous rogue state, not to be trifled with without extreme precautions for one's own well-being.

      As for reporting security vulnerabilities, I think the market has indicated that the release of a zero-day exploit is preferred. As here, "responsible disclosure" results in harm to a good-faith actor, while zero-day exploits are quickly patched, and users quickly learn of the danger so that they may take whatever precautions each user deems appropriate until the danger has passed. Unlike many other good-faith actors, most releasers of zero-day exploits seem to know how to exceed the grasp of their targeted beneficiaries.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  7. Oringial article on The Age by AlanS2002 · · Score: 4, Informative

    http://www.theage.com.au/technology/technology-news/schoolboy-hacks-public-transport-victoria-website-20140107-30fkg.html

    For anyone who is interested

    --
    Not all conservatives are stupid,
    but it is true that most stupid people are conservative.
    - Hume
    1. Re:Oringial article on The Age by Anonymous Coward · · Score: 4, Funny

      For anyone who is interested

      No thanks, we like being uninformed here.

  8. We need a Kickstarter campaign for Timothy by JohnA · · Score: 4, Funny

    We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.

    Anyone with me?

    1. Re:We need a Kickstarter campaign for Timothy by Anonymous Coward · · Score: 5, Funny

      No. Education is too expensive. Just replace him with a monkey.

  9. Slashdot reader points out error in headline ... by Grismar · · Score: 5, Funny

    ... and gets arrested.

  10. Brilliant, make them coconspirators by Anonymous Coward · · Score: 5, Insightful

    2. "leak" the info to some hacking circle and let others do the job for you.

    Brilliant, help the kids remove any hope they had for a slap on the wrist by making them a coconspirators in a criminal enterprise.

    If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.

  11. Re:Metlink IRP by waynemcdougall · · Score: 5, Insightful

    He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.

    No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported.

    Instead they did nothing until exposure of their incompetence was threatened by mainstream media.

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
  12. Alias in hiding by Tablizer · · Score: 5, Funny

    To hide from the law, he changed his name to Drop Table All.

    --
    Table-ized A.I.
  13. Re:Never put your name to it by YttriumOxide · · Score: 5, Interesting

    Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.

    I'm pretty sure most western countries have a complaints department for law enforcement.

    Many years ago in my teenage years in New Zealand, I was chatting to random people on IRC (a pretty new protocol at the time) and there was a guy bragging about bombing a plane - specifically, putting explosives on the landing gear of the plane.

    Being young and paranoid, but not yet particularly clever in the ways of the computer security world, I 'anonymously' emailed the police with information about it. My attempts at anonymity were however not good enough and a few days later the police came and took all my computer equipment. The search warrant read "Attempted murder and breach of the telecommunications act" (I still have it, along with the write up I got in the newspaper as a reminder of absurdity). Of course, I was never arrested as I had done nothing illegal.

    While that all annoyed me greatly, it didn't annoy me nearly as much as them keeping my stuff for over 3 months before I got it back. When I did finally get it back, the power switch on my main system was physically broken and the HDD was formatted.

    I made a complaint to the Police Complaints Authority (a government body) and they ended up writing a letter of apology. So, while complaining certainly didn't do anything useful for me, the point is that there WAS a body for me to complain to.

    I'm sure it's a little more complex in countries like the US and Australia since there may be differences by state as well as the federal level to think about, but a quick Google search seems to confirm that complaints departments and/or processes do exist there also.

    --
    My book about LSD and Self-Discovery
    Also on facebook as: DroppingAcidDaleBewan
  14. Not Arrested, Not Questioned, Not Contacted. by MegaManSec · · Score: 5, Informative

    Joshua Rogers here. The kid that this article is about.

    I want to clear something up..

    I have _not_ been arrested(yet).
    I have _not_ been questioned(yet).
    I have _not_ been officially told that I've been reported to the police(yet).

    I'm completly in the blank, as much as the rest of you.
    What I'm expecting to happen:
    They show up at my doorstep asking questions. .. .... ........
    That's it.

    They might ask me to sign something that says I have deleted all the data that I saw.

    If you have any questions, I can be contacted @megamansec..

    1. Re:Not Arrested, Not Questioned, Not Contacted. by bill_mcgonigle · · Score: 4, Informative

      I saw an MySQL error on the page I was viewing. That's it, lol.

      If the database driver errors are making it out to the public then it's the systems' developers who should be questioned.

      It's a shame you were trying to be helpful and these dorks don't know how to be gracious.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Not Arrested, Not Questioned, Not Contacted. by MegaManSec · · Score: 5, Informative

      I just saw a MySQL error on the page, and knew what had happened. My guess is that they don't have staff that can review apache logs to see what I actually viewed.. So, they want to know I don't have 600,000 records on my computer, basically.