Slashdot Mirror


Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

295 comments

  1. Lesson learned for him by Anonymous Coward · · Score: 5, Insightful

    Never try to help a soulless corporation.

    1. Re: Lesson learned for him by Anonymous Coward · · Score: 0

      It's a public transport ticketing company. You could buy out a train's seats or something, but not a concert.

    2. Re:Lesson learned for him by ma1wrbu5tr · · Score: 4, Funny

      Seems like they just CNNed themselves. Bwahahaha!

      --
      Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
    3. Re:Lesson learned for him by Anonymous Coward · · Score: 5, Insightful

      Precisely. They received valuable help for free, but since it embarrassed them they struck the altruist.

      People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

      A change in law is necessary; only after appropriate protections for white-hate hackers (that report using proper channels) are in place will honest disclosure be morally appropriate.

    4. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      Like Breitbart they died of shame.

    5. Re:Lesson learned for him by AmiMoJo · · Score: 3, Insightful

      This is much worse. CNN didn't go through with its threat.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      And never call the cops or invite conservatives over for dinner!

    7. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      Also, the CNN teenager was in his 40s.

    8. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      No, CNN was worse. Instead of reporting the kid (not that he did anything illegal) they BLACKMAILED him. A big news organization... blackmailing a teen... you don't do much worse than that.

      Strike that, a SMALL news organization that might not be around much longer.

    9. Re: Lesson learned for him by Anonymous Coward · · Score: 0

      What teen?

    10. Re:Lesson learned for him by Gondola · · Score: 1

      Something similar happened to me in college 20 years ago. I reported that they had an insecure network mount, and they gave me a written warning that went on my record, and almost banned me from the computer services entirely -- which would have made writing papers and doing research impossible since I didn't have them at home.

      This is why people aren't nice to each other.

    11. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      A change in law is necessary; only after appropriate protections for white-hate hackers (that report using proper channels) are in place will honest disclosure be morally appropriate.

      What does the bold-face portion mean??? Why does race have anything to do with this??? Can't it just be "hackers" instead?

    12. Re:Lesson learned for him by Atrox+Canis · · Score: 1

      Either you forgot your /s at the end or you didn't recognize that "white-hate" was a typo for "white-hat".

      --
      Charter Member of The Committee Group For The Elimination And Eradication Of Repetitive Redundancy
    13. Re:Lesson learned for him by Fuzi719 · · Score: 0

      Not only did CNN *NOT* "blackmail" a teen, there was no teen. The guy is a middle-aged neo-NAZI.

    14. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      And that makes it better how exactly?

    15. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      Did you miss the memo? "Middle-aged white male" is now a synonym with "Nazi". Nazis, being inhuman monsters, don't have rights and you can do whatever you like to them.

    16. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      The poster never mentioned a teen. I guess blackmailing an adult is OK with you as long as you call them a neo-Nazi afterwards.

    17. Re: Lesson learned for him by Anonymous Coward · · Score: 0

      The blackmail consisted of don't do it again. The sheer evil.

    18. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      The poster never mentioned a teen. I guess blackmailing an adult is OK with you as long as you call them a neo-Nazi afterwards.

      Oh really?

      A big news organization... blackmailing a teen... you don't do much worse than that.

    19. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      I'm a middle-aged white male, and no one calls me a Nazi.

      Maybe it's because I'm not a closeted racist.

      Maybe all it takes to not be called a Nazi is one simple thing--just don't adopt their attitudes. That's all there is to it. Fancy that.

    20. Re:Lesson learned for him by erapert · · Score: 1

      People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

      Ayn Rand, is that you!? We all thought you were dead! How did you--? I mean, seriously, we thought you were dead!

    21. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      Kill them all.

    22. Re:Lesson learned for him by Anonymous Coward · · Score: 0

      just don't adopt their attitudes.

      Or engage in devil's advocacy, or make a crass joke, or entertain hypotheticals, or point out uncomfortable results from empirical studies, or in any way challenge the current orthodoxy in ways that have nothing to do with fascism. Nobody calls you a Nazi, either because you live in a bubble, or you're unfailingly supplicating and apologetic everywhere you go.

    23. Re:Lesson learned for him by eric_harris_76 · · Score: 1

      Never try to help a soulless corporation.

      Unless I'm misinterpreting "Budapest's public transportation authority" or this is a mistranslation, we're talking a government agency, or a business enterprise wholly owned by a government or set of governments.

      Not a corporation in the usual sense of a company with stockholders who can sell their shares, but more like a "corporation" such as the FDIC or FSLIC.

      --
      There's no time like the present. Well, the past used to be.
    24. Re: Lesson learned for him by Anonymous Coward · · Score: 0

      Chilla / Hilla, a bulldozer needs to be taken to their current news organization. I'm surprised Anderson Cooper has not resigned in disgust.

  2. Re: what would of a negative number done? by Anonymous Coward · · Score: 1, Informative

    it would have told you the correct grammar is:

    "What would be the result of changing the price to a negative number"

    and then it would have positively fucked your mother

  3. Re:what would of a negative number done? by Anonymous Coward · · Score: 5, Interesting

    "would of" How do people still make this mistake? Do you just never read?

  4. Ahh those humanity majors. by Anonymous Coward · · Score: 0

    New topic at business schools: Shut the fuck up and talk to IT before opening your mouth. This course should be mandatory; no graduate should be without it, much less reach management levels.

    1. Re:Ahh those humanity majors. by Anonymous Coward · · Score: 0

      Nah, find a flaw, drop it on /b/. Force them to fix it, and post a link to petitions that demand good samaritan laws for white hats.

  5. hah by Anonymous Coward · · Score: 0

    now that's a long stride for that little company lol..

  6. Re: what would of a negative number done? by Anonymous Coward · · Score: 0, Informative

    When being a grammar Nazi, first learn the purpose of shift keys and periods.

  7. That's embarrassing by bjdevil66 · · Score: 5, Insightful

    That press conference was the equivalent of doing a presentation in front of your class on dressing modestly with your fly open.

    The manager(s) who authorized that embarrassment should be fired first thing tomorrow morning because they're clearly clueless bureaucrats that don't even understand their own department's responsibilities.

    1. Re:That's embarrassing by Anonymous Coward · · Score: 0

      This is how communism works.

    2. Re:That's embarrassing by edtice1559 · · Score: 1

      This could just as well be a US government agency so maybe it's just how all government tends to work. It's stories like this that make me more sympathetic to the anti-government crowd.

    3. Re:That's embarrassing by Sique · · Score: 1

      The manager who authorized that embarrassment was the owner of the shop himself. So he has to fire himself.

      --
      .sig: Sique *sigh*
    4. Re:That's embarrassing by martinfb · · Score: 1

      I'm pretty sure those incompetent managers had something to do with that open fly!

      --
      Self-importance and self-indulgence is the root of ALL evil.
  8. "Unjust arrent" by Anonymous Coward · · Score: 5, Insightful

    While I agree with this sentiment, proper journalism presents the facts and lets the reader decide if it's just or not.

    1. Re:"Unjust arrent" by Anonymous Coward · · Score: 1

      Proper journalism also checks headlines.

    2. Re:"Unjust arrent" by Anonymous Coward · · Score: 0

      Also a bit of a stretch maybe to call some kid stumbling into an exploit a "security researcher".

    3. Re:"Unjust arrent" by Anonymous Coward · · Score: 1, Insightful

      Wrong.
      That is shitty "neutrality", instead of objectivity.
      Some things really are black and white, where there is a clearly correct side.

    4. Re:"Unjust arrent" by Anonymous Coward · · Score: 0

      Why?

    5. Re:"Unjust arrent" by Anonymous Coward · · Score: 0

      While I am amused by your spelling,
      I'm also amused that you think you know what journalism is, yet you expect it from Slashdot.

    6. Re:"Unjust arrent" by thsths · · Score: 2

      Proper journalism is less profitable than click bait, and therefore not well represented on Slashdot.

    7. Re:"Unjust arrent" by Anonymous Coward · · Score: 0

      Proper journalism is less profitable than click bait, and therefore not well represented.

      FTFY. After all, it's important to be fair.

    8. Re:"Unjust arrent" by Anonymous Coward · · Score: 0

      Wrong.
      That is shitty "neutrality", instead of objectivity.
      Some things really are black and white, where there is a clearly correct side.

      Wrong.
      For better or worse, we've established a justice system where laws are interpreted by courts and now to some extent public opinion. If you want to talk black and white, he exploited a bug and bought a greatly discounted ticket which is a crime, regardless of the reasons. He did not have permission to do security testing against their website and any white hat will tell you that without permission in advance from the company you're breaking the law. LEGALLY, it's a cut and dry as that.

      That said, I agree that this is asinine, the company could not have handled this worse and the manager should be fired immediately. It will likely result in far more backlash than some bad press. There are plenty of less honest and more talented hackers out there who may take this as personally offense. The hacking community as a whole is generally not a group you want to piss off.

    9. Re: "Unjust arrent" by Anonymous Coward · · Score: 0

      I ran to catch the train yesterday, does that make me an athlete?

  9. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    I was informative to the nice man

  10. Devil's advocate by FeelGood314 · · Score: 2

    This company has no clue how eCommerce works. They actually are doubly handicapped in that they don't even know what they don't know, so they likely had a false sense of thinking they actually did understand things. If you use the website as intended you can't change the price. I have no doubt that Kálmán Dabóczi believed this kid was hacking their system, and I also think it is likely that everyone he asked also thought the same thing.

    Kálmán Dabóczi, BKK, the police and the judge who issued the warrant all owe this kid a big apology. However, not everyone can understand everything, and it is reasonable to expect that sometimes you will get unlucky and get a company and a few members of the police who have almost zero understanding of a subject and make a stupid mistake. The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib. Hopefully they were professional about the entire thing. Kálmán Dabóczi has likely learned a very hard lesson, so let him apologize and get to work. He now has a pile of free penetration results to deal with and possibly the job of selecting a new supplier for the website.

    1. Re:Devil's advocate by Anonymous Coward · · Score: 0

      Did Kálmán Dabóczi? I hadn't heard that. If he has, you make a good point. If he hasn't, you're making an unwarranted assumption, and I'm going to have the police roust you out of bed in the wee hours.

    2. Re:Devil's advocate by Anonymous Coward · · Score: 0

      Here's what you (and other people, including the judge who issued the warrant) don't seem to get: He doesn't have anything to apologize for.

    3. Re:Devil's advocate by Luthair · · Score: 1

      Actually, you need permission of the site to test their security. Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

    4. Re:Devil's advocate by stephanruby · · Score: 4, Insightful

      I have no doubt that Kálmán Dabóczi believed this kid was hacking their system, and I also think it is likely that everyone he asked also thought the same thing.

      Even if that's true, that thinking doesn't explain why the kid would report it as a bug.

      No, the only possible reason to call the police is if the books didn't reconcile at the end of the night and no one had read the bug report submitted by the kid yet (or maybe someone read it, but had not told Kálmán yet). That's the only possible justification.

      And yet, that doesn't seem like this is what happened (at least, the article makes no mention of that possibility). So if Kálmán Dabóczi really did call the police after having read the bug report, he should be arrested himself for filing a false police report and wasting the police's time. Calling the police after someone has immediately turned themselves in is a vindictive action and a complete waste of police resources.

    5. Re:Devil's advocate by FeelGood314 · · Score: 5, Interesting

      I control the client. It does whatever I want. The server should have no expectation of my behavior; it just expects a string of 0s and 1s. The server is asking how many tickets I want and how much I should pay for them. This kid pointed out that the server is trusting the client to tell it what the correct price is. The client is being dishonest if it lies about the price, but this isn't like changing the price stickers; here the server is actually asking the client for the price, and this 18 year old pointed it out. He bought a ticket that he never intended to use to demo the bug. True, his demo might have caused an error in the backend accounting that could have brought down the entire BKK system. That is generally why you ask permission before hacking something, but this seems so trivial that I would give the kid a break and I would expect him to get a thanks.

    6. Re:Devil's advocate by FeelGood314 · · Score: 1

      Kálmán Dabóczi was the manager of BKK. You are correct though that he might not have personally been a part of this. It could have just been employees of BKK and this never filtered up to him.

    7. Re: Devil's advocate by Anonymous Coward · · Score: 2, Insightful

      No, this was more like someone leaving a note for me that my door was wide open.

    8. Re:Devil's advocate by Anonymous Coward · · Score: 2, Interesting

      Actually, you need permission of the site to test their security.

      I got permission from the site. I asked it for access, and it gave me access. It's not my fault that the human operators of the site never intended for me to have that access, all I know is what the site is letting me have access to.

      Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

      Except the guy in my living room didn't pick my locks, my crazy ex let him in. It's not that guy's fault for not knowing that my crazy ex did not have the authority to give him access to my living room. All he knew was that this person is standing in the doorway inviting him in. And the fact that the crazy ex is a soulless computer shouldn't cause blame to shift to the guy in my living room. It should cause it to shift to me.

    9. Re: Devil's advocate by KGIII · · Score: 1

      Instead of a thanks, they could have offered him a job, money, or help to further his education.

      --
      "So long and thanks for all the fish."
    10. Re:Devil's advocate by fafalone · · Score: 1

      The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib.

      They would have, had this taken place in the US (or, tellingly, a 3rd world totalitarian state) instead of Hungary. If little Bou Bou gets a flashbang in his crib because they're looking for someone with petty non-violent drug charges, and shooting dogs is the police's favorite sport (one cop has shot 60 himself now)... imagine an evil computer hacker interfering with an American company and their God-given right to earn profit, a far more serious offense.

    11. Re:Devil's advocate by Anonymous Coward · · Score: 0

      No.

    12. Re:Devil's advocate by Anonymous Coward · · Score: 0

      If the server asks WHATPRICE() I obviously have permission to answer.

      Oh, and try that bullshit on openly broadcast documents. It doesn't matter if you "accidentally" published your browser history to the neighborhood signboard instead of your muffin recipe, you stapled it to something I have every right to walk up to and every right to read.

      Don't talk about this stuff if you can't distinguish the exact line where something is explicitly or even implicitly private space.

    13. Re:Devil's advocate by turbidostato · · Score: 1

      "Kálmán Dabóczi was the manager of BKK. You are correct though that he might not have personally been a part of this. It could have just been employees of BKK and this never filtered up to him."

      Sure. The employees call the police over a non-urgent company issue without first raising it to management.

      In Hungary.

    14. Re:Devil's advocate by TheReaperD · · Score: 4, Insightful

      Except, he did not hack their site. He did not penetrate any servers, exploit any passwords or do anything to their systems. What he did do was make a change to his web browser that altered the price of the ticket and because their systems are designed so badly that it changed the price of the actual ticket so he could set his own price for tickets. All without having to hack their servers. This was allowed to happen because the company disregarded one of the first rules of IT security: Never trust the client to enforce security. In reality, this statement can probably be shortened to "Never trust the client."

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    15. Re:Devil's advocate by Anonymous Coward · · Score: 0

      AHAHAHAHAHAH

      this is like saying that i need to pay you for looking at your wife naked when she was standing in the street.

    16. Re:Devil's advocate by SimonTheSoundMan · · Score: 1

      Car analogies only at /. please!

      This is like a car dealership putting the price of the car on the outside of the windscreen; you go up to the car and change the ticketed price from £9,000 to £8,000 by joining the 9 up. You then go to the salesman and purchase the car at the price you changed it to, and the salesman sells it to you at that price. You later tell the dealership they should put their pricing behind the glass in the locked car so the price cannot be manipulated.

    17. Re:Devil's advocate by Anonymous Coward · · Score: 0

      It would be lazy design but it's perfectly possible for the front end system to allow the client to present a price, but still have the backend system validate it before processing payment; the only way to know the poor design was exploitable would be to process an order.

    18. Re: Devil's advocate by Anonymous Coward · · Score: 0

      Only pussies throw stun grenades into cribs. Real men throw frags. And Manly Men throw thermite.

    19. Re:Devil's advocate by Dog-Cow · · Score: 2

      And "never trust the client" can be shortened to "never trust". When it comes to security, anyway.

    20. Re:Devil's advocate by Anonymous Coward · · Score: 0

      If anything you should say: they send an advertisement to you, you cross out the old price and write your own on it, and they accept it.
      Because what you say can be illegal (for reasons like you modifying the price tag they own), crossing out a price and writing your own next to it on an advertisement in contrast is just normal price negotiation.
      Their web site made a price offer, he changed it, and their web site was designed to blindly accept any price offer. They don't have to honor such contracts if it is unintentional, and taking advantage of it when you know it is by accident can in some jurisdictions cause you legal trouble, but bargaining is not suddenly illegal just because it is done with a web browser.

    21. Re:Devil's advocate by DontBeAMoran · · Score: 3, Informative

      Or you could expand that to "Trust no one".

      Mulder was right.

      --
      #DeleteFacebook
    22. Re:Devil's advocate by Anonymous Coward · · Score: 0

      It would be lazy design but it's perfectly possible for the front end system to allow the client to present a price

      This particular kind of lazy design enrages me. We had a web app built by some contractors where 99% of the data fields are read-only. Every single one of the read-only fields was output as a populated text input set to read-only, because that produced the visual style they wanted (a bordered box around the value). In IE, which is our departmental standard browser, hovering over any of those fields changes the mouse to a big no-entry icon. It gives the entire app a cheesy and unprofessional feel. That's what $600/day buys you.

    23. Re:Devil's advocate by Midnight+Thunder · · Score: 4, Insightful

      To use the restaurant analogy, it would be cool if the waitress accepted any price I give her for the meal, but it would probably be shoddy business. Oh, it wasn't normal operating procedure? The waitress accepted it, but now I am being accused of hacking the waitress. How about training her properly to not accept everything the client tells her?

      --
      Jumpstart the tartan drive.
    24. Re:Devil's advocate by Luthair · · Score: 1

      You could make the same argument about any network request you craft.

    25. Re:Devil's advocate by Anonymous Coward · · Score: 0

      This is slashdot reader 1.0, with no intention of upgrading in the near dim future. I am asking everyone forthwith to please stick to car analogies, and I will in turn refrain from using words like forthwith henceforth.

      Note that version 1.2 of slashdot reader will delete the words "forthwith" and "henceforth" from his vocabulary

    26. Re:Devil's advocate by PatientZero · · Score: 0

      By that logic, shoplifting is not a crime. If a store is going to be stupid enough to just leave its wares lying unattended on the shelf with no security at the door, who are they to complain when I walk out with an armload without paying?

      A prosecutor would be stupid to bring charges against this man, but this is technically hacking their system, even though he didn't penetrate it in the usual sense. The software worked perfectly well under normal circumstances, but he chose to tinker with the underlying data structures exposed by the browser. Of course, involving the police given that he sent an email explaining the problem and how to solve it was just asinine, and I hope they do something to compensate him for their overreaction.

      This hack was akin to changing the price stickers on items in a store and then buying them for the lower price. Should the sales associate know the prices of everything in the store? For a small clothing store, sure, but for a giant place with hundreds of thousands of products like WalMart, that's a big ask.

      --
      Freedom to fear. Freedom from thought. Freedom to kill.
      I guess the War on Terror really is about freedom!
    27. Re:Devil's advocate by edtice1559 · · Score: 1

      And what purpose would it be for the client to present a price? If you have to calculate it anyway? And what do you do if the two don't match? All you're adding here is complexity. I can see having the client *calculate* a price for experience reasons. i.e. a page where I indicate 2 adults and 1 child and JavaScript updates an estimated total. But there should *always* be an order confirmation screen with a price calculated by the server and presented back. You don't need to submit the result of the client-side calculation to generate this page. In the best case you're wasting a trivial amount of bandwidth. In the worst you're introducing needless complexity. Sorry but I don't see any good reason for this.
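The server-side check this post and TheReaperD's "never trust the client" post describe, written out as an added example (not BKK's code or anything from the article): the client's figure is display-only, the server recomputes the total from its own catalogue, and any mismatch is logged rather than honoured. Ticket names, prices and field names are constructed for illustration.

```python
"""Client-trusting checkout beside the server-authoritative version.

Constructed example: the catalogue, field names and prices are invented
and are not BKK's tariff or API.
"""
from decimal import Decimal, InvalidOperation

# Server-side price list (constructed values, in HUF). This is the only
# source of truth for what a ticket costs.
CATALOGUE = {
    "single": Decimal("350"),
    "day_pass": Decimal("1650"),
}

MAX_QTY = 20


class OrderRejected(Exception):
    """Raised when an order cannot be priced from server-side data."""


def vulnerable_checkout(order: dict) -> Decimal:
    """The flaw described in the article: the server charges whatever
    unit price the client submitted. Editing the page in the browser's
    developer tools is enough to change the total."""
    return Decimal(str(order["price"])) * int(order["qty"])


def hardened_checkout(order: dict, audit_log: list) -> Decimal:
    """Authoritative pricing. Only ticket type and quantity come from the
    client; the total is computed from CATALOGUE. A client-supplied
    'price' is compared for telemetry and never used for billing."""
    ticket = order.get("ticket")
    if ticket not in CATALOGUE:
        raise OrderRejected(f"unknown ticket type: {ticket!r}")

    qty = order.get("qty")
    # Reject non-integers, zero, negatives and absurd quantities outright;
    # a negative qty is another way to turn a purchase into a credit.
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
        raise OrderRejected(f"bad quantity: {qty!r}")

    total = CATALOGUE[ticket] * qty

    claimed = order.get("price")
    if claimed is not None:
        # The client's estimate exists only for the confirmation screen.
        # Any disagreement is a tampering signal worth alerting on.
        try:
            claimed_total = Decimal(str(claimed)) * qty
        except InvalidOperation:
            claimed_total = None
        if claimed_total != total:
            audit_log.append(
                f"price mismatch ticket={ticket} qty={qty} "
                f"client={claimed!r} server={total}"
            )
    return total


def demo() -> tuple:
    """Run one tampered order through both handlers; returns
    (vulnerable_total, hardened_total, audit_entries)."""
    # Constructed request: a 'single' ticket whose unit price was edited
    # in the browser from 350 down to 50 before submission.
    tampered = {"ticket": "single", "qty": 1, "price": "50"}
    log: list = []
    weak = vulnerable_checkout(tampered)
    strong = hardened_checkout(tampered, log)
    return weak, strong, log


if __name__ == "__main__":
    weak, strong, log = demo()
    print(f"vulnerable server charged: {weak} HUF")
    print(f"hardened server charged:   {strong} HUF")
    for line in log:
        print("AUDIT:", line)
```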

    28. Re:Devil's advocate by edtice1559 · · Score: 1

      More interesting, what happens if I use a browser that doesn't respect the read-only field, or if I show a trivial amount of sophistication and just submit my own POST request? Does the server accept the changes? If this is just a cosmetic issue, that's not so bad. If the data can actually be altered with minimal effort, you should ask for your money back!

    29. Re:Devil's advocate by edtice1559 · · Score: 1

      It's a good analogy, but don't try this at home. It's possible that one or both of you could get prosecuted. No, I'm not a lawyer. If for no other reason, the waitress could lie and say you left without paying and she never agreed to the alternate price. Unless you have it in writing, I wouldn't want to face a judge saying that the waitress agreed to give me a discount.

    30. Re:Devil's advocate by hattig · · Score: 1

      The judge was probably told 'hacker!!!', the police didn't know better. The business needs to apologise profusely (although if they refuse to fix their systems, they'll soon run out of money from people abusing it, or people avoiding them).

      All the kid did was the equivalent of changing the price on a paper order form before sending it to the business.
      He did not access any of their systems.
      It is not his fault that their systems blindly accept the price he changed.

      Intent is key in these things, and as reporting the issue can clearly show no malicious intent, there should be no case. But hey, crappy country, anything involving police, angry embarrassed business, who knows...

    31. Re:Devil's advocate by nephilimsd · · Score: 2

      Have you learned nothing from your literature classes? Trusting No One is exactly what got the cyclops blinded!

    32. Re:Devil's advocate by Anonymous Coward · · Score: 0

      Oh... nice. Odyssey what you did there.

    33. Re:Devil's advocate by Anonymous Coward · · Score: 0

      This hack was akin to changing the price stickers on items in a store and then buying them for the lower price.

      But if you take the item with the original price sticker to checkout, and the person asks what price you would like to pay, where you answer "zero" and the person indeed rings it up for zero dollars *despite the sticker price*... Then what?

      Is that theft?
      From the store owner's perspective, it probably is, unless they explicitly instructed the cashier to do this.
      From the customer's perspective, no it isn't, as there is no real reason to assume the cashier would be doing something like that if not authorized to do so.

      But more importantly, who is at fault?
      You argue the customer is at fault, for simply answering a question they were asked.
      I argue the customer is NOT at fault, again because there is no reason to expect a store to do this if that wasn't their intention.

      I argue the fault lies with the store.
      Very likely with the cashier in the above example, again at least assuming she wasn't explicitly authorized to do that by the owners, and that should be a matter between the store owners and that cashier.

      In the actual case being discussed, the website is much more akin to the cashier.
      At least under the assumption the owner wasn't the person that wrote the thing. Which is a likely assumption, it was probably outsourced to some other company, and the responsibility of this "error" falls squarely on whomever was contracted to make the online web store.

    34. Re:Devil's advocate by Ironlenny · · Score: 1

      But I want to believe.

      --
      There is a system for subverting the system and you should use that system!
    35. Re:Devil's advocate by Anonymous Coward · · Score: 0

      All of the pages with the read-only fields could not be submitted - there was no target url and no backend logic to process those fields. There was only a single, separate page where data could be entered and that particular one was properly implemented.

    36. Re:Devil's advocate by DontBeAMoran · · Score: 1

      The truth is out there. You just have to find it.

      --
      #DeleteFacebook
    37. Re:Devil's advocate by mattack2 · · Score: 1

      And "never trust the client" can be shortened to "never trust". When it comes to security, anyway.

      You're "trusting" that your CPU is calculating the math to verify the cryptographic signature correctly.

    38. Re:Devil's advocate by PatientZero · · Score: 1

      But if you take the item with the original price sticker to checkout, and the person asks what price you would like to pay...

      Either the shop owner is horrible at training and needs to sell the business if it hasn't gone under already, or they need to retrain/fire the clerk. No other store does this so I don't know why the clerk would think it reasonable.

      Is that theft?

      Of course not. The clerk asked you, and you answered. It was a dumb question to begin with and certainly not your fault.

      But more importantly, who is at fault?

      The shop owner is at fault for poor training or hiring an untrustworthy clerk. Given that I can think of no reason a clerk should think this a reasonable question to ask customers, it's probably their fault unless the shop keeper specifically trained them to do so. But if that's the case, obviously there is no problem as it was intended. Again, you'd be out of business as soon as word got out.

      You argue the customer is at fault, for simply answering a question they were asked.

      No, I don't that at all. The website isn't asking the customer how much they would like to pay. It's presenting the price to be paid (the sticker), and the customer is changing that price (with a counterfeit sticker), and the site is trusting that the price is the same as what it sent to the client. Most clerks would be trained to apply brain power to decide if the sticker is correct, and you'd be an idiot not to have your server do the same thing in 2017, something it could do with 100% accuracy and minimal development effort.

      But that doesn't make it acceptable any more than applying counterfeit price stickers in a brick-and-mortar store would be.

      I argue the customer is NOT at fault, again because there is no reason to expect a store to do this if that wasn't their intention.

      Online stores have no expectation that their shopping cart will work the way they implemented it? That's a tough sell. Do you think they also expect their site navigation links to fail and their images not to load? If so, can you please email my boss and tell him that all those bug tickets the QA team submitted last week are invalid because we should have no expectation that our code works.

      You're equating trusting that the data sent from the server was not altered by the client with a cashier ignoring the price stickers and asking every single customer what price they'd like to pay. Those simply aren't the same case—not even close. The end result may be the same, but that would apply to having the stocker attach the wrong prices to the products. I think we can both agree that would be the fault of the store owner or stocker, using the same reasoning I laid out above.

      --
      Freedom to fear. Freedom from thought. Freedom to kill.
      I guess the War on Terror really is about freedom!
    39. Re:Devil's advocate by dddux · · Score: 1

      What kind of understanding do you need to imprison a person who helps you with something? ;)

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." - Jiddu Krishnamurti
  11. Well then by Anonymous Coward · · Score: 5, Insightful

    I guess security researchers and hackers now learned a lesson.

    Find a bug? Exploit the f**k out of it. Don't bother reporting it.

    1. Re:Well then by Solandri · · Score: 3, Interesting

      No, the current response is the correct one. There are lots of companies out there which will take a bug report, fix the bug, and thank you. Some will even pay you a bounty.

      Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see because a black guy robbed the local convenience store. The correct response is to single out the responsible criminal / stupid company for reprisal. Like is currently happening to this company.

    2. Re:Well then by Anonymous Coward · · Score: 0

      Caveat: report it, but do so anonymously.

    3. Re: Well then by Anonymous Coward · · Score: 0

      Lynching is, by definition, illegal.

    4. Re: Well then by Anonymous Coward · · Score: 1

      Wait, in your analogy, you've painted the corporation as the poor black guy getting lynched?

    5. Re: Well then by Anonymous Coward · · Score: 1

      Lynching is, by definition, illegal.

      Not if the person being lynched is black.

    6. Re:Well then by Uberbah · · Score: 1

      Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see

      Wow. Were any shrooms involved in the formation of this analogy? Why don't you go pay a visit to Eric Garner's family and tell them that taking advantage of a web site's shitty security to get cheap tickets is just like their dad being strangled to death on the street. You might wanna bring a cup and a mouth guard.

    7. Re: Well then by Anonymous Coward · · Score: 1

      The analogy doesn't make sense at all. It was modded +5 by idiots. The analogy can't even be easily changed into a form that does make sense.

      Neither does the conclusion. The person reporting the vulnerability got lucky that his case went viral this time. The next might rot away in prison. There is no way to tell in advance and thus no way to justify always "doing the right thing" by disclosure. You might end up in handcuffs. You might not. Even if the case is dropped you will likely be out of a job and find it very difficult to find another because your name was in the news as being a criminal. On the other hand, you could exploit the vulnerability all you want, get away with it thanks to the same inept team that made it possible, and profit from it. As a third option, choose to do nothing. No reward and no punishment.

      Which choice would a sane person make? Not the first one.

    8. Re:Well then by Anonymous Coward · · Score: 0

      Why are you advocating assault and battery?

    9. Re:Well then by AmiMoJo · · Score: 1

      My policy is to report the bug if the company has a reasonable looking bug bounty programme. Such a programme demonstrates that they probably have the right attitude, and even if it's just a trap you can point to it in court as evidence of your good faith.

      If there is no bug bounty programme I'll either ignore it or report it anonymously to a relevant mailing list. If the company has a contact email address (not a web form) then I'll CC them in.

      Anything else is too risky. If you want responsible disclosure, be open about it, set up a proper mechanism and offer at least a token amount of cash.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Well then by houghi · · Score: 3, Informative

      Several years ago I found childporn and reported it to both police and the ISP.
      ISP was not allowed to do anything by order of the police, even if they already know who placed it there. The police called my company (from where I had done the report) to ask for my data and told them it was concerning an investigation about childporn.
      When I was helpful and went to them they tried to get me for:
      1) Obstruction of the law, because I informed the press after a week, because the site was still up and they were working on it.
      2) Fraud, because I had given a fake address at the free email company
      3) Spreading of childporn, because I had done a reply on Usenet and had forgotten to remove the URL

      I am happy that my company was understanding and I did not lose my job.

      Since then I have NEVER seen anything remotely illegal on the Interwebs, ever. If I would I would obviously report it, but somehow since that 15 years ago, it seems as if there is nothing illegal going on online. Really absolutely nothing. Weird.

      --
      Don't fight for your country, if your country does not fight for you.
    11. Re:Well then by apoc.famine · · Score: 1

      Make an infographic of how to do it, and post it to 4chan. The company will find out they have an issue in no time if you do that!

      --
      Velociraptor = Distiraptor / Timeraptor
    12. Re:Well then by edtice1559 · · Score: 1

      I could never recommend exploiting a found defect. It's unethical and really the reason that we have to have laws. Obtaining free tickets this way isn't really much different than shaking them out of a vending machine (assuming you don't damage the machine). But if a company doesn't have an established bug bounty program, I would *never* contact them with a defect report. I would definitely sell it on one of the markets for these. It's just less risky. Until there are laws protecting people who report bugs, it's just not a safe activity. If there's a bug bounty in place that's somewhat of a contract (IANAL) and means that the recipient is interested in handling defect reports correctly. Not a legal shield but at least something. If there's nothing in place, reporting honestly is a fool's errand.

    13. Re:Well then by Anonymous Coward · · Score: 0

      Why do you have ten pounds of shit in a five pound cranium?

  12. Client-side validation? by whoever57 · · Score: 1, Informative

    Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

    Surely no e-commerce site should rely on client-side validation? That seems like asking for trouble.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Client-side validation? by DivineKnight · · Score: 1

      But JavaScript can do anything!

    2. Re:Client-side validation? by Solandri · · Score: 0

      Client-side validation is needed to insure the data isn't corrupted in transit. e.g. You want to buy 2 tickets. A network glitch turns this into 128 tickets, and the server charges your card for 128 tickets. With client-side validation, the server sends the requested transaction back to the client for validation to make sure it's been received correctly. You see the system has glitched, and you stop the purchase before your card is charged for 128 tickets. (You could continue this in perpetuity, but with the low data corruption rates in modern networks, two validations is usually enough.)

      Both the client and the server need to validate the transaction is legitimate and what they want. And only when they both agree that it's correct should the transaction be processed.

    3. Re:Client-side validation? by Greyfox · · Score: 5, Interesting

      None should, that's not to say they don't. I worked for a company a while back that was dipping its toes into the google web toolkit, which allows you to write your web page's UI in Java and then converts it to Javascript. They ended up doing all their authentication on the client side, so you could just make a web request to the backend and create arbitrary users in any organization in the billing system. That included administrative users. When I reported it, the team writing the code said something to the effect of "You're just making calls to the backend! No one would ever do that!" That attitude is surprisingly prevalent in the industry.

      --
      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    4. Re:Client-side validation? by geoskd · · Score: 5, Informative

      A network glitch turns this into 128 tickets, and the server charges your card for 128 tickets.

      Umm, No.

      TCP/IP (specifically the transport layer) handles packet integrity. What gets sent is what is delivered or nothing at all. Client side validation's only purpose is to ensure that the user is informed when they have entered invalid information so that they can correct their mistake. If you are trying to use it any other way, I hope you are not a professional web developer.

      --
      I wish I had a good sig, but all the good ones are copyrighted
    5. Re: Client-side validation? by Anonymous Coward · · Score: 0

      It works fine on the server end.

    6. Re:Client-side validation? by Anonymous Coward · · Score: 0

      I think Slashdot's moderation system is one of the best on the web for forums, but posts like yours should not exist above a score of zero. Your understanding of what client-side validation means is so wrong, it's causing my head to spin trying to work out exactly how you could arrive at such a conclusion.

      The only thing you could remotely be describing is preventing the same form from being submitted multiple times. That is typically prevented by using a unique token that gets submitted with the form, though. And the server, of course, verifies the token is valid.

    7. Re:Client-side validation? by Anonymous Coward · · Score: 0

      Back in the dial-up days of the internet, client-side validation was performed so the user would know instantly if they entered something incorrectly instead of having to wait for the page to be sent to the server and back, plus they would have to reenter all the information again if there was an error because sites weren't smart enough to save it and you could only reload the entire page at a time. The purpose of client-side validation hasn't changed.

      The confirmation pages are provided to let the user fix any of their typos. They are not meant for the user to validate that the software hasn't screwed up their order. If your software is that bad, well I guess you must work in the billing department of an ISP. I've never seen an actual store mess up an order, only telecom companies and banks screw people over with billing mistakes daily.

    8. Re:Client-side validation? by gravewax · · Score: 1

      You should not rely on it but you definitely should use it. Client side validation is something you use to help pre filter information that is going to be rejected by your server and can be very handy, e.g. users setting a username or password or even an address, if the format is invalid and will be rejected server side then you may as well save the server the processing time.. You don't use it as a security mechanism though!

    9. Re:Client-side validation? by Anonymous Coward · · Score: 0

      A network glitch turns this into 128 tickets, and the server charges your card for 128 tickets.

      Umm, No.

      TCP/IP (specifically the transport layer) handles packet integrity. What gets sent is what is delivered or nothing at all. Client side validation's only purpose is to ensure that the user is informed when they have entered invalid information so that they can correct their mistake. If you are trying to use it any other way, I hope you are not a professional web developer.

      It's not quite so white and black.

      There are several layers of data integrity checks, so having them all fail at the same time is highly unlikely. Transmission errors tend to result in dropped packets that get quickly retransmitted, rather than corrupted requests.

      However, bugs in application code happen all the time. The corruption can totally, and quite likely, happen at the application level. Having the user be able to visually do his own data integrity checks is important. It happened to me, in fact, that a cinema ticket system swapped the day in the ticket. I was trying several days in several tabs, the mixup was understandable, sessions got mixed up, and it was only at the billing step that I could notice. Without that confirmation, I would have ended up buying tickets for the wrong day.

    10. Re:Client-side validation? by Anonymous Coward · · Score: 0

      You're correct in that client side validation is not for integrity. But fuck me, I hope you are not a developer if you rely on TCP/IP as your integrity check.

    11. Re:Client-side validation? by Anonymous Coward · · Score: 0, Flamebait

      If you think TCP/IP's packet integrity is perfect protection, I hope you are not a professional developer of networked software.

      Instead of being an insufferable cunt you could explain why. You could explain what a "professional developer of networked software" would do to resolve the issue.

      You chose to whine like a petulant teenager with ego issues. Not professional in the slightest.

    12. Re: Client-side validation? by guruevi · · Score: 1

      No it doesn't. It handles error correction/detection and even then, very weakly which is why most systems have more error detection both in higher and lower layers. You cannot assure data integrity in TCP (or IP), that's handled very much above those layers, typically in application.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    13. Re:Client-side validation? by Anonymous Coward · · Score: 0

      If you were a professional developer working in this area you would know; just because you're a foul-mouthed whiny little kid in your mother's basement isn't a reason to spoon feed you. Go do some basic research if you are interested and learn about the limitations inherent in the TCP checksums. This isn't some mythical hidden or difficult to find information; stop being lazy and educate yourself rather than bitching about others.

    14. Re:Client-side validation? by Anonymous Coward · · Score: 0

      They were teaching the flaws in the TCP checksums 20 years ago when I was at university and warned about why you would NEVER rely on it for data integrity due to the potential for multi-bit flips being undetectable to the protocol. Any basic networking or client server programming class would point this out.

    15. Re:Client-side validation? by gravewax · · Score: 2

      TCP/IP provides some very basic integrity, sequence, error control and delivery checks. Though there are many holes in the protocol that mean you cannot rely upon it for integrity; data validation must be done at other layers or in the application itself, as the TCP/IP layer does NOT handle anything but the very basics of packet integrity. It is extremely easy to change a packet in ways that it will pass all its TCP integrity checks.
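
To make the point in the two posts above concrete (TCP's checksum is a weak integrity check, and an application-level check is what actually catches tampering or corruption), here is an added example that is not from the thread or from any project it mentions. It implements the RFC 1071 one's-complement checksum that IP, TCP and UDP all use, then shows two changes to a constructed request body that the checksum cannot see: swapping two 16-bit words, and adding one to one word while subtracting one from another. A SHA-256 digest over the same bytes, standing in for any application-layer integrity check, notices both. The payload and the helper names are constructed for the example.

```python
import hashlib


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words,
    then the one's complement of the result. Used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return (~total) & 0xFFFF


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Swap the i-th and j-th 16-bit words. One's-complement addition is
    commutative, so the checksum is unchanged even though the bytes moved."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)


def compensating_flip(data: bytes) -> bytes:
    """Add 1 to the low byte of word 0 and subtract 1 from the low byte of
    word 1. The sum of the words, and so the checksum, is unchanged.
    Assumes those two bytes are not 0xFF / 0x00 (true for the sample)."""
    out = bytearray(data)
    out[1] += 1
    out[3] -= 1
    return bytes(out)


def app_digest(data: bytes) -> str:
    """Stand-in for an application-layer integrity check (here a plain SHA-256;
    a real protocol would use an HMAC or TLS's record MAC)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample request body, 34 bytes (even length, no padding needed).
PAYLOAD = b"qty=2&product=single-ride&price=350"


def checksum_misses(original: bytes, modified: bytes) -> bool:
    """True when the bytes differ but the Internet checksum does not."""
    return original != modified and \
        internet_checksum(original) == internet_checksum(modified)


if __name__ == "__main__":
    for name, altered in (("swapped words", swap_words(PAYLOAD, 0, 2)),
                          ("compensating flip", compensating_flip(PAYLOAD))):
        print(f"{name}: checksum unchanged={checksum_misses(PAYLOAD, altered)}, "
              f"sha256 unchanged={app_digest(PAYLOAD) == app_digest(altered)}")
```

The RFC 1071 worked vector (bytes `00 01 f2 03 f4 f5 f6 f7`, checksum `0x220D`) is a quick way to confirm the checksum routine itself before trusting what it says about the altered payloads.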

    16. Re:Client-side validation? by Anonymous Coward · · Score: 0

      you hide (or show) your embarrassment at not knowing by getting pissy about something. and that something is professionalism.

      rich.

    17. Re:Client-side validation? by gl4ss · · Score: 1

      .. not really.

      no amount of client side checking fixes the problem that the customer can alter anything that happens client side.

      what you're describing is some sort of crc/data integrity check which doesn't really help you with if the data is on purpose wrong.

      --
      world was created 5 seconds before this post as it is.
    18. Re:Client-side validation? by Anonymous Coward · · Score: 0

      BTW: Both names and addresses can be anything; you should accept it pretty much without checking and store it in the database without modifications.
      There are two websites dedicated to the mistakes that were made with assumptions about names and addresses.

      Did you for example know that some addresses can be descriptive, like "The house at the end of the gravel road starting at the water tower" or even GPS coordinates. Because sometimes there isn't even a street name?

      Or names that contain more than 256 characters, or just a single character, or mixed case, or symbols from different languages, or even a picture (although if your name is a picture, then all bets are off anyway).

    19. Re:Client-side validation? by gl4ss · · Score: 1

      If you were a professional developer working in this area you would know; just because you're a foul-mouthed whiny little kid in your mother's basement isn't a reason to spoon feed you. Go do some basic research if you are interested and learn about the limitations inherent in the TCP checksums. This isn't some mythical hidden or difficult to find information; stop being lazy and educate yourself rather than bitching about others.

      maybe you dumb fucks don't understand that even this site probably used https and how many layers of crc checking do you really need?

      I mean the issue at hand was trusting information that comes from the client side. integrity checking that information does not help at all when what was missing was SANITY CHECKS. integrity of the data was JUST FINE.

      seriously.

      you guys sound like the kind of dumb fucks who think that adding a signature that is done at the client end into a http post adds ANY SECURITY WHATSOEVER when what you really would need to do is to sanity check the input - not that it has a matching hash to the data the client end sent on purpose.

      seriously, I have seen in the industry people actually think that if you do that then only your client app can send data - when they are giving that client app to whoever user to analyze. it doesn't apply just to web pages....

      --
      world was created 5 seconds before this post as it is.
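
The point gl4ss makes above, and whoever57's question that opened the thread, come down to one server-side rule: the browser may name what it wants to buy, but never what it costs. Here is an added example, not BKK's code and not from anyone in the thread, with a constructed catalog and form. The first handler shows the pattern the story describes (the price field arrives from the client and is charged as-is); the second takes only a product id and quantity, looks the price up in the server's own catalog, and sanity-checks the quantity, so the same edited form is charged the correct amount.

```python
from dataclasses import dataclass

# Constructed catalog: the server's own price list, in cents, by product id.
CATALOG = {"single-ride": 350, "day-pass": 1650}


@dataclass(frozen=True)
class Order:
    product_id: str
    quantity: int
    total_cents: int


def checkout_trusting_client(form: dict) -> Order:
    """The pattern described in the story: the price arrives from the browser
    and the server charges whatever it was sent. No check relates the
    submitted price to the product."""
    quantity = int(form["quantity"])
    return Order(form["product_id"], quantity, int(form["price_cents"]) * quantity)


def checkout_server_authoritative(form: dict) -> Order:
    """Hardened handler: the client only names product and quantity. The
    price comes from the catalog, any client-supplied price field is ignored,
    and values that cannot be a real order are rejected (sanity checks, which
    is what integrity checks on the transport cannot provide)."""
    product_id = form.get("product_id")
    if product_id not in CATALOG:
        raise ValueError("unknown product")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= quantity <= 20:
        raise ValueError("quantity out of range")
    return Order(product_id, quantity, CATALOG[product_id] * quantity)


# Constructed request: a form whose hidden price field was changed from 350 to 1.
TAMPERED_FORM = {"product_id": "single-ride", "quantity": "2", "price_cents": "1"}

if __name__ == "__main__":
    print("trusting client:     ", checkout_trusting_client(TAMPERED_FORM))
    print("server authoritative:", checkout_server_authoritative(TAMPERED_FORM))
```

Note that nothing in the hardened handler depends on the request being unmodified; it recomputes the order from server-side data, which is why a client-side hash or signature over the form (the idea gl4ss criticises) would add nothing here.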
    20. Re:Client-side validation? by Anonymous Coward · · Score: 0

      Client-side validation is needed to insure the data isn't corrupted in transit.

      Ensure, you fucktard.

    21. Re:Client-side validation? by Anonymous Coward · · Score: 0

      Christ where do fuckwits like you keep coming from. The OP made a blatant false statement that TCP/IP provides data integrity, everyone was pointing out this was in fact completely false, SSL is another layer and has been repeatedly pointed out you definitely need more layers if you want to catch corruption as you can't ensure it at the TCP level.

    22. Re:Client-side validation? by AmiMoJo · · Score: 1

      Last week another company set up an FTP server for one of our older products to send data to. I know, FTP, but this thing predates my joining the company and it does actually work quite well. Anyway, they were having trouble so we logged in and found ourselves dumped into the root of their Linux server. We could see everything and seemed to be running at root.

      I emailed them about it and they said it was fine because the machine was "isolated".

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    23. Re:Client-side validation? by Anonymous Coward · · Score: 0

      Including running server-side!

    24. Re:Client-side validation? by Anonymous Coward · · Score: 0

      If you are not using TLS then your JavaScript isn't any protection from all the other ways this could go wrong, not to mention that your JavaScript running on the client is probably more likely to introduce corruption itself (CPU don't always work 100% either) than to fix any corruption from the network stack.
      If you are using TLS and your packets still get corrupted in the network without you noticing, you have bigger problems.
      (and if you are not using TLS you are doing it wrong anyway)

    25. Re:Client-side validation? by edtice1559 · · Score: 1

      This is not a function for client-side validation. This is what a confirmation page is for. The server repeats the data back and the client then hits accept. Now there is no risk of communication issue even with corrupt data. Listen to air traffic control sometime. The pilots always repeat back instructions. Same principle. The pilots don't make their own ATC decisions. And this is a very apt analogy because humans communicating over radio frequency do get a lot of corrupted data.
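
The repeat-back flow edtice1559 describes, combined with the single-use token an earlier reply in this thread mentions, as an added example that is not from the thread or from BKK. The catalog, the token scheme and the in-memory store are constructed for the example. In step one the server computes the order from its own catalog and repeats it back under a random token; in step two the client sends only the token, the server charges the quote it stored (not anything the client re-sends), and the token is consumed, so a double-click or a replayed confirmation cannot charge twice.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

CATALOG = {"single-ride": 350, "day-pass": 1650}   # constructed prices, in cents


@dataclass
class Quote:
    product_id: str
    quantity: int
    total_cents: int
    token: str
    committed: bool = False


class OrderService:
    """Two-step checkout: quote (server computes and repeats back) then
    confirm (client acknowledges by token only)."""

    def __init__(self) -> None:
        self._quotes: Dict[str, Quote] = {}
        self.charges: List[Quote] = []

    def quote(self, product_id: str, quantity: int) -> Quote:
        if product_id not in CATALOG:
            raise ValueError("unknown product")
        if not 1 <= quantity <= 20:
            raise ValueError("quantity out of range")
        q = Quote(product_id, quantity, CATALOG[product_id] * quantity,
                  token=secrets.token_urlsafe(16))   # unguessable, single-use
        self._quotes[q.token] = q
        return q          # what the customer sees on the confirmation page

    def confirm(self, token: str) -> Quote:
        q = self._quotes.get(token)
        if q is None:
            raise PermissionError("unknown token")
        if q.committed:
            raise PermissionError("token already used")
        q.committed = True            # consume before charging: replay-safe
        self.charges.append(q)
        return q


def demo() -> Tuple[int, int]:
    """Quote two single rides, confirm once, replay the confirmation once.
    Returns (total cents charged, number of charges)."""
    svc = OrderService()
    q = svc.quote("single-ride", 2)
    svc.confirm(q.token)
    try:
        svc.confirm(q.token)          # the replay is refused
    except PermissionError:
        pass
    return sum(c.total_cents for c in svc.charges), len(svc.charges)


if __name__ == "__main__":
    print(demo())
```

The confirmation page here carries no editable fields at all; the only thing the client can send back is the token, which is the same property the pilot's read-back has: it confirms what the server said, it does not restate it.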

    26. Re:Client-side validation? by gravewax · · Score: 1

      No, names and addresses can't be anything in all systems. Many have restricted characters, e.g. your address can't contain ^*$~? etc., or sometimes multi-byte characters if your site doesn't support it. Many have very specific requirements for addresses in that they must be resolvable. Names are exactly the same.

  13. This is cute and all by rsilvergun · · Score: 1

    I'd be more impressed if the facebook hive mind did something about this.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re: This is cute and all by Anonymous Coward · · Score: 0

      I think I killed an antifa once. Hit him in the back of the head with my baton. He fell on his kneed and started bleeding from the nose and mouth. I quickly grabbed him by the ears and smashed his face in with my knee. He bled all over my armoured kneepad. What a mess. He had a bottle with him so it was justified. I like messing up those dipshits. A guy I know once hit one in the head with a tear gas canister. Must have been a hoot.

    2. Re: This is cute and all by Anonymous Coward · · Score: 0

      Please die in a fire.

  14. I know this will be an unpopular opinion, but... by BitterOak · · Score: 0

    I know already this will be a very unpopular opinion on Slashdot, and I know this analogy has been made before, but just because someone leaves their front door unlocked, it doesn't mean you get to go in, root around the house, and leave a note saying the owner really needs to lock their door.

    A better analogy here might actually be walking into a store, swapping price stickers on two products so you can buy one at a lower price than it was actually selling for. Now that most stores use barcode scanners and the register displays the product name, that isn't so easily done anymore, but it used to be possible and it was illegal. I don't see how what this kid did was any different. He may have had good intentions, and he did point out the flaw, but that doesn't give him the right to do this in the first place.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  15. ...and here's their FB page... by mpoulton · · Score: 5, Informative

    ...for your own reviewing and commenting enjoyment: https://www.facebook.com/bkkbu...

    --
    I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
    1. Re:...and here's their FB page... by Anonymous Coward · · Score: 0

      Ironic that, though the kid was probably innocent when he reported the bug, pasting 45K false 1-star reviews (all with the same message) is a real case of misuse in most countries.

    2. Re:...and here's their FB page... by Anonymous Coward · · Score: 0

      This sort of "activism" is what makes online reviews worthless. Just remember, if you can destroy a company's reputation for one fucked up action, it can just as easily be inflated by one superficially good one.

  16. Re: what would of a negative number done? by Anonymous Coward · · Score: 0, Funny

    He should of known that already.

  17. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    "would of"

    How do people still make this mistake? Do you just never read?

    Yep, that's what happens, and WA LA! Stupid mistakes, eck cetra.

  18. Re:I know this will be an unpopular opinion, but.. by Stormwatch · · Score: 3, Insightful

    No, a better analogy is: the store forgot a price sticker printer in the shelf, so any client could just get it and print new prices freely. This kid found the printer and took it to the cashier, and rather than getting thanked, he got accused of stealing the printer.

  19. Re: I know this will be an unpopular opinion, but. by Anonymous Coward · · Score: 0

    No, the equivalent here is going into a store, noticing that you can easily get things for free by saying "that's free, right" to one of the cashiers, and then telling the manager "hey, that seems weird, you might want to look at that".

    That seems like exactly the kind of responsible behaviour a customer should have.

  20. Re: I know this will be an unpopular opinion, but. by Anonymous Coward · · Score: 1

    How would he know that the flaw existed at all, if he hadn't tried it and found that it worked? It's not like he cashed in on it; he merely and duly reported it. No, the company's actions were maximally counterproductive.

  21. Re:I know this will be an unpopular opinion, but.. by Anonymous Coward · · Score: 0

    Stores know about swapping price stickers -- that's why they have those stickers that come off in pieces. But if a store didn't know about it, and still used price stickers, and didn't have the kind that come off in pieces, it might be helpful to mention the vulnerability to them, without exploiting it.

    That's what this kid did. Having him arrested was outrageous.

  22. So what by sunking2 · · Score: 0

    It's a train page. If people want to get from A to B and the train is the best option they're still going to buy a ticket. Who the hell cares about likes and dislikes on some stupid FB page. Talk about a useless endeavor.

    1. Re:So what by Anonymous Coward · · Score: 0

      I expect to hear about many more people taking the train now. After all, tickets pay YOU a refund instead of having a cost. Well, they do if you know about the exploit. And apparently everyone does now.

    2. Re:So what by Anonymous Coward · · Score: 0

      yes but thanks to the review now they might go from A to B for 1 penny.

  23. Re:I know this will be an unpopular opinion, but.. by Anonymous Coward · · Score: 0

    > Now that most stores use barcode scanners and the register displays the product name, that isn't so easily done anymore

    This exactly: with server-side checking of product pricing, it would not be so easily done either.

  24. Only apps can app apps! by Anonymous Coward · · Score: 1, Funny

    If this LUDDITE company used modern appy app apps instead of LUDDITE software, then LUDDITE hackers wouldn't be able to hack the app! Only apps can app apps!

    Apps!

    1. Re: Only apps can app apps! by Anonymous Coward · · Score: 0

      Mod parent up!

    2. Re: Only apps can app apps! by KGIII · · Score: 1

      Off topic, I know, but I like apps guy. I miss the cows guy.

      I know, some don't like them. However, they are a part of what makes this site what it is.

      --
      "So long and thanks for all the fish."
    3. Re: Only apps can app apps! by Anonymous Coward · · Score: 0

      Yes, many of /.'s badges of identity from the past (I won't trot them out) are now only echoes, and simply aren't here to welcome us. Even if cows guy is an eyesore, familiar things are homey.

      And while too inarticulate to make his point well, I would agree with apps guy's hate for a couch that can only be adjusted by smartphone.

    4. Re: Only apps can app apps! by Highdude702 · · Score: 1

      apps guy is the best so far IMO, unfortunately he misses a lot of golden opportunities lately. Maybe he himself is getting tired of the same ol dribble on slashdot.

    5. Re: Only apps can app apps! by RavenLrD20k · · Score: 1

      All your base are belong to me.

    6. Re: Only apps can app apps! by Anonymous Coward · · Score: 0

      I miss BadAnalogyGuy. He was having a Dodge Omni with fuzzy dice on the mirror

    7. Re: Only apps can app apps! by Anonymous Coward · · Score: 0

      All your base are belong to us.

      FTFY.

    8. Re: Only apps can app apps! by RavenLrD20k · · Score: 1

      I know what the real phrase is. I just don't like sharing.

    9. Re: Only apps can app apps! by TechyImmigrant · · Score: 1

      And while too inarticulate to make his point well, I would agree with apps guy's hate for a couch that can only be adjusted by smartphone.

      There's an app for that.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    10. Re: Only apps can app apps! by Anonymous Coward · · Score: 0

      Oh, man, I forgot about BadAnalogyGuy. Now that was a troll!

    11. Re: Only apps can app apps! by Anonymous Coward · · Score: 0

      I'm appy to hear that !

  25. Opportunity for improvement by Anonymous Coward · · Score: 0

    The company published the web page source code when they put up the web page.
    If they didn't want to do this, they could have used a different method of making a web page.
    The kid read it and could not believe that they had made such an elementary error.
    Certainly, not something a professional should do.

    So he tested it just to make sure, then notified the clueless what they had done.
    The test involved buying a ticket at a reduced price and then not using it.
    Not sure how the company was harmed, except that those running it were exposed as not doing their job.

    So , instead of thanking him and fixing the bug, they filed a complaint which got him arrested.
    The police followed up on this even thought the intent was clearly not to cause a problem.
    Seems like there is room for becoming less clueless for both the company and the cops.
    Either one could review the situation and change the outcome.

  26. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    I think I found someone who writes worse than creimer. Seriously dude, could you make a bigger mess??? I couldn't make heads or tails of that subject.

  27. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    I will be informative again

    unlike slashdot poster chewbacon, slashdot poster chewbacon's mom has gotten laid at least once

  28. Re: I'm a big gay baby... apk by Anonymous Coward · · Score: 0

    it's true, I have perfected version 2.0 of my hosts file security tool. It is a local DNS recursor that CNAMEs everything to imabiggaybaby.com.

    I then use v1 of my hosts tool to resolve slashdot properly so I can post. This is excellent security and enables me to visit imabiggaybaby.com with almost every single get request. Truly the wave of the future.

    APK - AKA a big gay baby

  29. Re:I know this will be an unpopular opinion, but.. by Dutch+Gun · · Score: 1

    We don't need a bad analogy or two to understand this. The kid saw an exploitable flaw, let the company know in a responsible manner, and was punished for it. Other companies would thank him, and perhaps even pay him a bug bounty for his trouble, because he just did them a huge favor. This is not anything unprecedented in the modern world. Only the backwards and punitive reaction is.

    This reaction represents the mindset of companies from decades ago, where they thought that security through obscurity was a valid methodology. All it does it discourage white hats from disclosing bugs. The black hats will gleefully exploit the flaws they discover.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  30. Re: Trump by Anonymous Coward · · Score: 0

    I didn't vote for anyone because all the candidates were insane or trash or both.

  31. 45,000 posters can't all be wrong by Anonymous Coward · · Score: 0

    That's what we're supposed to conclude. Right?

  32. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    America's education system is spiraling down the toilet bowl, look no further than who they elected to be their president.

  33. The Empeors new clothes by Anonymous Coward · · Score: 0

    The IT company was embarrassed; some kid pull their pants down, and showed to the world that $1 million contractor is incompetent and also has very small dicks.

  34. Re: Trump by Anonymous Coward · · Score: 0

    I didn't vote for anyone because all the candidates were insane or trash or both.

    That makes you the biggest pussy of all. If you had any balls you'd have decided which one you thought would be the most fun to watch fuck things up, and voted for them.

    But you didn't vote, because you are a worthless useless pussy who should be converted to feed stock for your betters.

  35. Re:I know this will be an unpopular opinion, but.. by Anonymous Coward · · Score: 0

    Ah the old sticker swap. The good old days. Used to buy model airplanes this way.

  36. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    "what would of a"?????

    How the fuck does that even make any sense to you?

  37. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    Is there even a legitimate way to use "should of" or "would of" in a sentence?

  38. Re: what would of a negative number done? by KGIII · · Score: 1

    "should of"

    Subtle. I like it.

    --
    "So long and thanks for all the fish."
  39. He should have _increased_ the price by gweihir · · Score: 1

    That way, no accusation of getting financial gain from the "hack" would have been possible.

    As to the site, these people are the worst of the worst of incompetents. Even an ElCheapo pen-test would have found that problem. Likely the hugely inflated price for system maintenance goes to some equally incompetent and thoroughly corrupt friend or relative of the CEO and that would also explain the brain-dead reaction.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:He should have _increased_ the price by Anonymous Coward · · Score: 0

      Sort of, but what if they had a check that was IF (PriceOfTicket < MinimumPriceOfTicket) { Invalid Purchase() } then he would have not had the full picture. Best to test it all, it's just one ticket.

      Perhaps best to just buy a ticket for 5 cents less.

    2. Re:He should have _increased_ the price by gweihir · · Score: 1

      That test he should have done in a fashion they could not have traced back to him. What he should have given them in evidence (clearly attributable to him) should have had him paying more. The problem is that making a hacking charge stick is a lot easier if the hacker gained something, however small.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:He should have _increased_ the price by jabuzz · · Score: 1

      Buy a dated ticket don't use it and keep it, then report the bug *AFTER* the dated ticket has expired.

  40. Re: what would of a negative number done? by KGIII · · Score: 1

    At least twice, because I know I'm not his father.

    I couldn't resist.

    --
    "So long and thanks for all the fish."
  41. Don't report bugs by Andy+Smith · · Score: 4, Interesting

    I found a similar flaw in a supermarket's self-service tills. Didn't report it for this very reason. I don't purposefully look for bugs/exploits, but if I did spot any more in future then I wouldn't report those either. My heart tells me to report them, but my head tells me no.

    1. Re:Don't report bugs by martyros · · Score: 5, Interesting

      I found a bug in the website of a company I wanted to order tiles from; but because of the vagaries of the website, I wasn't actually sure it was a bug until I'd placed the order and had it delivered at a 90+% discount.

      Normally their prices were placed in £ per square meter, but they sold individual "sample" tiles for a reduced price. In this case I'd ordered a number of sample tiles and then decided the one I wanted. Rather than go through the website and search for the name again, I went to the "My orders" section of the page and clicked the tile I had decided to order. Conveniently, they had a "Order more" button on that page, so I clicked it.

      Now, the price per square meter was £30, and the price of a single sample tile was £2.50. When I clicked "Order more", my basket showed a single number ("1") with a unit price of £2.50 -- but no description of what the unit was. I changed the count to 18 (the number of square meters I wanted) and clicked "Update price", and it was set to £45. But was I ordering 18 individual sample tiles for £45 (which would also have been a bug -- you're only supposed to be able to order one at a time), or 18 square meters of tiles? And anyway, surely some check at the other end would stop it if it really were a mistake, right?

      Nope. Three days later a pallet containing 18 square meters of tiles showed up -- £720 of goods for £45 + shipping.

      I was at that point genuinely torn between wanting to DTRT and being afraid of this sort of reaction described in this article. I did write them an email, spinning the whole thing as an accident, and they simply asked me to pay the difference up to the actual price of the tiles, with a 15% discount.

      Being well into adulthood rather than a teenager probably helped; as well (probably) as being an actual customer who was purchasing their product, rather than someone clearly identifying themselves as trying to break in to their systems.

      Hope they got their website fixed -- the company overall is a good company, and I'd be sad to see them lose money because they were good at tiles and bad at javascript.

      --

      TCP: Why the Internet is full of SYN.

    2. Re:Don't report bugs by Anonymous Coward · · Score: 0

      My heart tells me to report them, but my head tells me no.

      Now you will get arrested for negligence to a potential public security incident. This is what getting the "hearts and minds" of the population is really about, after all.

    3. Re:Don't report bugs by Anonymous Coward · · Score: 0

      at least they didn't throw your ass in jail for having the decency to tell them of their web site bug. fuck them, though. they should have let you keep it for what you initially paid. not like your order was blatant inventory-clearing abuse of the bug.

      and no, do not be 'sad' for them either. it's their fault. just like if you made a mistake and ordered the wrong tile, you'd have to pay to ship it back plus ship the correct stuff to you. they fucked up. they need the financial incentive to learn from it. it's the only way companies 'learn'. both are potentially expensive lessons learned. you should have kept your mouth shut or at most, dropped 'em an email later from a different connection, browser and account and simply pointed out that their online cart doesn't appear to limit samples to qty 1.

    4. Re:Don't report bugs by houghi · · Score: 1

      These things happen. We had an item for sale where you would get another item for free. You would then have 2 items in your basket. You could delete the one item you had to pay for and thus receive the other item for free (+ shipping). So we cursed a bit, honored the orders and put it in as cost of doing business.

      Not that much different from having the wrong price in the store. Things happen. Does not mean they will have to honor it if the standard price is 10.000 and they put it up by accident as 10, because that should be obvious as being an error.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:Don't report bugs by Anonymous Coward · · Score: 0

      I once went to a site to buy a picnic basket and wanted to see how much it would be after shipping was applied so on page 1 I entered in my address and went to page 2 where the price and credit card info were. Deciding against buying from that store I went to another one. A couple weeks later a picnic basket showed up on my doorstep and I never paid a dime. They never contacted me and I didn't report it so it could be active to this day for all I know. It's still in the box, because really who needs 2 picnic boxes let alone one?

    6. Re:Don't report bugs by Anonymous Coward · · Score: 0

      That wasn't a JavaScript bug. It was a fundamental problem in design, signifying a fundamental problem in management.

  42. Re: Impersonating me? Please... apk by KGIII · · Score: 1

    Can confirm that APK predates the Android packages.

    --
    "So long and thanks for all the fish."
  43. Re:Trump by Anonymous Coward · · Score: 0

    It's unfortunate that you derive your own self-worth from the displeasure of others. Some of us aspire to bring everyone up a level or two in life. You and your ilk aspire to drag everyone else down into your cesspool, instead of finding a way to crawl out. That's your problem and not mine.

    Don't get too comfortable on your high horse, though. You'll be pitching a fit soon enough when you have no health insurance, your ISP is charging $50/month extra to access 4chan, and your mobbed up Dear Leader is dragged out of office kicking and screaming while his entire extended family's assets are seized by the state of New York.

    Have fun watching - I sure will.

  44. They seem to be so clueless by Anonymous Coward · · Score: 0

    That if he had raised the price, they just would have said "Oh, so what? We get more money! That's good!"

  45. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    I wonder if they handle NaN or Inf.

    The profit for the day was NaN. The profit for the year was NaN.

  46. Re: Impersonating me? Please... apk by omnichad · · Score: 1

    But never got asked out on a second date.

  47. Legislation needed? by seoras · · Score: 1

    I'm not one for advocating laws but looking at this and seeing the obvious effect it's going to have on white hat security vigilantes (saying nothing or being turned grey/black hat by corporate, egotistical, twats covering their own arse) the only solution seems to be to create laws to protect the white hats.
    Laws like those which protect freedom of press and speech.
    If you haven't benefited from your discovery and research then you can't be prosecuted.
    Instead of reporting to the corporation report to a government watch dog who covers for you.
    Better still fine the corporations to fund the watch dog and pay out a bug bounty.

    1. Re: Legislation needed? by Anonymous Coward · · Score: 0

      What about we simply ban hacking like Germany did? Ban tools, ban discussion of tools and techniques, shut down forums and magazines (they did exist, no more). Problem solved. Honest citizens know their place: what about you?

  48. I don't report bugs by buss_error · · Score: 1

    I don't report bugs to the company. I may report it to their ISP, but usually I don't bother in the sense I don't go looking for bugs.

    I don't know, but isn't there a bug reporting system that will allow anonymous communication? If not, maybe that's something CERT could look into sponsoring.
    Sort of like the old abuse.net system, where you could register "Hey, this is where we take spam reports seriously." That way the clued in sites will let the whitehats know their reports are taken seriously, and the white hats know they at least have a semi-clued in contact and won't let slip the dogs of war because there's something wrong.

    Again, all I'm interested in are my own sites, and I'll hardly dox myself.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    1. Re:I don't report bugs by Anonymous Coward · · Score: 0

      I don't report bugs to the company.

      my GOD have we really gotten to the point where there is ONLY ONE COMPANY???

    2. Re:I don't report bugs by Dread_ed · · Score: 1

      No, there's still just the two. Though they are owned by the same family...

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
  49. Verizon wireless TCP, by Anonymous Coward · · Score: 0

    at least in the past, was regenerating CRC on TCP packets instead of dropping packets with bad CRC. People were reportedly unable to transfer more than about 120MB without corruption. You shouldn't assume anything sent on the internet unencrypted has perfect integrity.

  50. Re:I know this will be an unpopular opinion, but.. by Anonymous Coward · · Score: 0

    It's all in the technique. Peel slowly at a sharp enough angle and it does not matter that the sticker is perforated. Did it many times when I was a kid.

    But nobody uses price stickers anymore.

  51. Still upset I burnt you on hosts? by Anonymous Coward · · Score: 0

    See subject: Yes, obviously https://science.slashdot.org/comments.pl?sid=6881923&cid=48958885/ & projecting your issues on me? Please: IS YOUR FAVORITE COLOR "TRANSPARENT"?

    * Must be since I see RIGHT thru you...

    APK

    P.S.=> Omnichad, grow up! I've probably had more women between 1984 & 2000 than you will in your ENTIRE LIFE... apk

    1. Re:Still upset I burnt you on hosts? by omnichad · · Score: 1

      Wait...did you just link to a post where I proved you wrong? Why? DNS amplification attacks use DNS servers to attack YOU - whether you use DNS resolution or not.

  52. I wonder how much of this will happen by Anonymous Coward · · Score: 0

    10,000,000 tickets at $0 each please.
    Better yet, 10,000,000 tickets each for $-1.

  53. 45001 now by omar_armas · · Score: 1

    With my vote.

  54. Security Researcher? by GodfatherofSoul · · Score: 1

    I haven't been on Slashdot much lately, but is that the new euphemism for hacking?

    The simple rule is don't poke around someone else's defenses and then get mad when they treat you as a threat. How would you feel if someone told you "Hey, I've been trying to break into your house lately and just realized your bedroom window is unlocked!" ?

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Security Researcher? by Sabriel · · Score: 1

      A lot less appreciative than if they'd told me "Hey, sorry, I have an obsessive-compulsive disorder about checking locks and yours aren't working."

      One is a burglar in search of a Darwin Award, the other is a good samaritan in need of therapy; having the police arrest the latter is the act of an asshole.

    2. Re:Security Researcher? by LoneTech · · Score: 1

      No, it's not new, and this isn't poking around in defenses, simply because there was a complete absence of defenses. The programming terms for the missing class of checks are input validation and sanitation.

      This was the equivalent of someone handing you an order form where you fill in both price and quantity, you filling in the wrong price and handing it back, then them reading your price and going with that, no comments. And after you, instead of using the incorrectly priced service, told them they should perhaps check against their catalog prices, they sent the police after you. Note that until the subject was brought up they had no clue of either how many or how severe these mismatches had been, nor was there any indication why they happened. The only confirmed case was also one where no service was used and thus no loss was involved.

      To make your analogy more fitting, the other day a neighbour walked up to my door and called in "hello, did you forget to close the door?" because it was ajar. My visitor had indeed failed to pull it shut. Nobody was jostling my fourth floor bedroom window. The purpose of the door is to let people in; I had opened the door to let someone in; and I was alerted that perhaps it was open for more than I had planned.

      The adage for this type of behaviour is shooting the messenger.

    3. Re:Security Researcher? by Dread_ed · · Score: 1

      Not a good analogy at all. He wasn't in someone else's house. Nor on their porch, nor their property.

      Everything he modified was on his computer. They dropped a bunch of stuff into his browser, he modified it on his end, and they loaded the info from his computer back into theirs and took it as true.

      That is not at all similar to breaking and entering. In your analogy he never left his own house.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    4. Re:Security Researcher? by Anonymous Coward · · Score: 0

      except that the customers are expected to use the website (or poke through your windows in your analogy) to buy tickets. If they find the website has loopholes (or if your window glass is broken)... the best legal response would be to notify the owner which is what this kid did. Just like if an ATM dispenses double cash, you are expected to call the bank and report it instead of walking away with extra cash.

  55. Re:I was born w/ those initials... apk by Anonymous Coward · · Score: 0

    Were you born with the `tism too or did it develop along the way?

  56. Can I get that on Credit? by Nabeel_co · · Score: 1

    Since they are so insistent on their system being secure when it clearly isn't, wouldn't it be funny if someone sold themselves a ticket with a negative value attached, thereby crediting themselves a large sum of money?

    1. Re:Can I get that on Credit? by Hal9000_sn3 · · Score: 1

      Didn't Amazon have a similar flaw for quite a while? A negative number in the quantity would credit you back, if I remember correctly. http://www.youtube.com/watch?v...

  57. Lol losers by Anonymous Coward · · Score: 0

    Like 45000 bad reviews will mean anything for a STATE company. They don't care.

  58. in Bulgaria by D,Petkow · · Score: 1

    the subway token system can get EASILY hacked -i.e. you pay for 5 rides and they never "expire". This is all documented in a public website by a programmer dude who discovered it. Nobody did anything it has been like that for years, apparently. I suspect people could be even selling fake prepaid tickets etc. It's just Bulgaria in general country is so corrupt on all levels, that a scam of such magnitude is not treated as something serious lmao. Millions of EU funded money get laundered and stolen into corrupt politicians' own pockets. In Bulgaria the average salary is 400 euro, but you see Brabus and AMG Mercedes S 600 and Bentleys and Panameras everywhere all day...

  59. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    People like you are why anonymous speech is a good thing.

  60. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    "that's what happens, and WA LA! Stupid mistakes, eck cetra." .. must be a Quebec accent. Someone who knew French would use "Voila".

  61. At least I was born! You? by Anonymous Coward · · Score: 0

    See subject: You were hatched, lol.... & why do I say that? You're an UNIDENTIFIABLE trolling CLUCK, RoTfLmAo...

    APK

    P.S.=> Hahahahahahahaha... apk

  62. Re:I know this will be an unpopular opinion, but.. by 91degrees · · Score: 1

    It's only natural, when finding a bug, to test it and confirm that it is a bug. If a front door is unlocked, you might reasonably push on it, poke your head in and shout "is anyone home?". And then leave a note on the doormat.

    I'd say he did the minimal possible to confirm there was a problem.

  63. Curious why this is marked "EU" by Anonymous Coward · · Score: 0

    as if this is what the EU does... this was just the case of one most likely corrupt head of a local transportation branch. This pro-American outlet looks for any chance to make something seem like an incompetent EU police state's evil doings.

  64. Some deeper background info concerning incident. by Anonymous Coward · · Score: 4, Informative

    The online ticket selling system in question was developed by the Hungarian branch of Germany-based global giant T-Systems group. Although "developed" seems a bit of an exaggeration, since it looks like about half of the system was merely "painted on the wall" in very rough draft code and at an early stage of preparedness, but the whole infrastructure was duressed into live operation prematurely.

    The reason for such a hurry was the ongoing FINA 2017 world championship for aquatic sports, which Budapest and Hungary adopted only 2 years ago when the originally chosen host country (Mexico I think?) suddenly balked out. Pool swimming, water polo, sprint kayak are really big in Hungary, so the country was eager to take over, despite the little time left.

    Ever since, a huge amount of money was wasted on hurried preparations (including widespread and extremely costly corruption between politicians-bureaucrats and construction company owners) and the event's budget skyrocketed to 4x the planned, thereby taking away a lot of money earmarked for public education and the country's single-payer health system.

    While Budapest has a dense and well-developed surface mass transport system called BKK (formerly BKV), the international airport at Ferihegy (BUD) is not yet served by an underground railway or a light rail link, there is only a stop-at-every-bush articulated bus line for it, which doesn't even reach the city centre.

    Considering the FINA 2017 event, another direct-to-city-center bus line was hastily introduced and politics wanted an online tickets / passes selling system for that, so the airport kiosks wouldn't be overwhelmed and look bad on TV news. (The leadership unrealistically expected hundreds of thousands, if not millions of foreign sports fans to visit Budapest for just the event.) Thus the "bright" idea of pressing into service a quarter-to-half ready online merchant system was born...

    BTW, the hacker who discovered the price fixing trick lived 300km (190mi) from Budapest and hasn't been to the capital for months, thus his penny purchase of a name-assigned pass wasn't made maliciously. In fact it was the T-Systems branch, not BKK, which received his bug report and counter-reported him to police, claiming their corporate legal policies require such a step. Hungarian netizens have been smear-comment flooding the global T-group Facebook page ever since.

  65. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    Yes: He thought "should of" was correct grammar, but he was just a fucking idiot.

  66. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    Celloooo, I know right? And viola! Just like that he suddenly turned violint.

  67. Re:Some deeper background info concerning incident by Anonymous Coward · · Score: 5, Informative

    Since I'm a local, let me also add this for the human resources aspect of the story:
    Another reason for the hurried introduction of the insecure, unfinished BKK online ticket sales system was that Mr. Kalman Daboczy, whom the referenced article mentioned by name, is not the original leader of BKK.

    Before him there was David Vitezy, an admittedly weird, but very bright, internationally educated Jewish boy, who got to form and lead the BKK at a young age, solely due to his family's high political connections yet turned out to be highly motivated. In a few years Vitezy introduced a computerized schedule-control system called FUTAR for over 1500 buses which revolutionized on-timeliness in circulation, a quantum leap from the paper-based BKV era and welcomed by all pax.

    He also introduced private sub-contracting for bus line operations with run-time based financing, which brought in hundreds of brand new low floor, low pollution Merc and Volvo vehicles to Budapest, where previously only Cold War era (!) left-over smoking wreckages circulated. He managed to extend the length of the city's most important tram line and furnish it with modern rolling stock by successfully claiming EU funds for development, which was considered impossible to get by all parties. He created a public bicycle-sharing system called BUBI from zero and integrated it with BKK. Genius, I'd say.

    Eventually Vitezy was sacked from BKK as he tried to reform traffic light patterns and lane use rights to prioritize bus and tram circulation versus private cars, which limousine-riding politicians vetoed. Mr. Daboczy, who replaced him, is a "mameluk" i.e. a person whose only skill is loyalty to political superiors in executing orders without questions, including hurtful or stupid ones, and he is without creative talent. Ever since BKK has been stagnating and the city's population eventually questioned why no public transit development has happened since Vitezy left. Thus the online ticket selling system was kind of an attempt to show off the new leadership's competence but it backfired spectacularly. The opposition is now demanding Daboczy's removal from BKK due to the scandal.

    BTW, when David Vitezy was sacked from BKK, the Port Authority of New York reportedly tried to woo him over to advise on future plans for public transport development in the skyscraper city. He declined to emigrate, probably the mistake of his life, as ever since he has been given mere "desk by the window" roles in Hungary. I'd say if he'd left for USA, maybe in 15 years he could have been properly groomed in America and come back as a potential future PM of Hungary. That, provided the Russians don't conquer our country again in the meanwhile...

  68. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    Enjoy it while it lasts.

  69. Hungary... by Anonymous Coward · · Score: 0

    Taking into account how fucked up the political system is, the guy is lucky to not have "disappeared"

  70. Re:Trump by SharpFang · · Score: 1

    How fucking corrupt (or clueless) must one have been to have cast a vote for Hillary Clinton?

    We had a similar situation in Poland recently. A party of ass clowns was voted in, in place of one of very competent *thieves* that kept robbing the country blind with impunity over previous 8 years. And while the ass clowns aren't a good government, they certainly cause far less harm than the thieves did.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  71. Re:I know this will be an unpopular opinion, but.. by Anonymous Coward · · Score: 0

    very bad analogy. There are literally millions of bad faith actors on the net, both human and automated, trying to break into every public web site. To assume everybody should/will "behave" when accessing a website is delusional.

    It is a statistical certainty that people out of the legal jurisdiction of a public web site will attempt to break into it and anybody who creates a high profile web site like that in the story is being criminally negligent if they assume otherwise. Particularly a web site with serious money involved.

    A better analogy would be if the driver of an armored car left the back door open when they went off to lunch and a passerby noticed it and reported it to the armored car company. Quite rightly they'd fire the driver for negligence. And probably sue them for any lost property.

  72. Of course it's buggy by Anonymous Coward · · Score: 0

    Coming from a place quite similar to Hungary (ex Soviet bloc, now EU country with young and unstable democracy), I have a pretty good idea how such public IT systems are made. Whenever there are EU modernization funds to steal^Wgrab, you see, a public tender is written with criteria formulated in such a way so that only one, specific company would meet them. This company then wins with a mind-fucking-blowing price (two orders of magnitude more than what you'd expect a similar system to cost in the private sector is not unheard of) and spends two years delivering a steaming pile of utter fucking shit that's not only buggy as hell, but has the functionality and feel of something from 15 years ago. The reason it's shit is because:

    1) Nobody really cares about the actual system or the problem it's supposed to solve; it's the sweet, sweet Euros that can be stolen^Wused that matter,
    2) The company pays peanuts so only inexperienced and/or really bad devs work there ("Every specialist is replaceable with a finite number of interns" is the actual motto of the CEO of one such company in Poland).

  73. Fuck whitehat by volodymyrbiryuk · · Score: 1

    Go full blackhat or get fucked. I bet their server where customer information resides has gaping security loopholes too. Instead of punishing the company they try to kill the messenger.

    --
    sudo rm -r -f --no-preserve-root /
  74. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    You just did.

  75. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    If you wanted more people to reply, you should of course have logged in before leaving a comment.

  76. Re: what would of a negative number done? by drinkypoo · · Score: 1

    Studies show that grammar nazis are dicks.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  77. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    It's colloquial. Some people view their forum responses as literal "speech", rather than a formal written argument.

    Get over it.

  78. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    That makes so much more sense. I thought he misspelt our.

  79. Re:what would of a negative number done? by DontBeAMoran · · Score: 1

    Nobody here says "WA LA". It's spelled "voilà" for a reason.

    --
    #DeleteFacebook
  80. Re: I'm a big gay baby... apk by Anonymous Coward · · Score: 0

    I know this is fake because you didn't bold anything, include links to his software or ramble semi-coherently.

  81. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    A negative number would of done failed Engrish.

  82. Ludicrously simple? by computational super · · Score: 1

    You say "ludicrously simple" but in today's 8-week-bootcamp to "Javascript ninja rockstar" culture, I've all but given up on trying to explain to front-end developers why client-side validation alone isn't sufficiently secure. I explain it to them once, shrug off their uncomprehending stares and wait for them to implement what I just told them not to, demonstrate the "hack" in front of them, wait for them to protest that "well, anybody who is competent enough to think of THAT is surely unstoppable anyway!" and then hunker down for a month of explaining again, and again, and again to management that yes, deadlines are super-duper important and yes, we have client deliverables to meet but this is a real security problem and yes, it really needs to be fixed. That the cumulative time we spend arguing about something that never should have even come up in the first place is an order of magnitude greater than the time that would have been spent just fixing the damned thing in the first place never seems to make much impression on anybody, either.

    --
    Proud neuron in the Slashdot hivemind since 2002.
  83. Re:what would of a negative number done? by parkinglot777 · · Score: 1

    It's colloquial. Some people view their forum responses as literal "speech", rather than a formal written argument.

    Get over it.

    Then they shouldn't be writing, and should also stop assuming that everyone else knows it. Spoken language is oftentimes ambiguous. If you want to write, do it properly.

  84. If it actually did "issue a ticket" by Anonymous Coward · · Score: 0

    If the young man actually was "issued a ticket," that means he bought it. That also means that he took advantage of a software vulnerability to obtain something at a lower price than it was intended for him to pay.

    This is theft, and theft is a crime.

    He should not have actually bought a ticket (going on the summary's language that says he was "issued a ticket").

  85. Re:2 more of your tech fails by omnichad · · Score: 1

    how can a DNS amplification affect me?

    Maybe you should look up what a DNS amplification attack does. Hint - it doesn't matter if you use HOSTS for all of your lookups.

    A DNS amplification attack does not stop you from looking up web sites. It's a DDoS that overloads your router. HOSTS will not help you with that whatsoever. Not DOS, DoS.

    P.S. It's not a "big blunder" to not remember which order to put HOSTS in. The Windows default hosts file has examples in it. You never have to learn or remember the syntax, because it's right there in the file.

  86. Your blunders = HUGE, lol... apk by Anonymous Coward · · Score: 0

    See subject: You put hosts entries out in reverse order & how can you overload my router? You don't know my IP address!

    * Clue: YOU CAN'T!

    As I said, my IP is ALWAYS rotating to something different (especially on site forums - good luck guessing which of 100's I use my true IP address is, lol)

    LASTLY:

    Since EXAMPLES ARE THERE, your BLUNDER SHOWS YOU DIDN'T CHECK 1st & STUPIDLY PUT THEM OUT IN THE WRONG ORDER shooting your mouth off writing checks your ass can't cash, lol!

    APK

    P.S.=> Your other blunder on DOS was inexcusable also - I've others where you RAN from proving me wrong on hosts OR CONCEDED SPEED & SECURITY GAINS via hosts (which you said you did not deny my methods there work - shall I quote that too? Ask & "ye shall receive")... apk

    1. Re:Your blunders = HUGE, lol... apk by omnichad · · Score: 1

      how can you overload my router? You don't know my IP address!

      It doesn't have to be a targeted attack - you still have an IP address and you're still not any more protected. Besides, you claimed that the HOSTS file engine protects against a DNS amplification attack. Still not true.

      Since EXAMPLES ARE THERE, your BLUNDER SHOWS YOU DIDN'T CHECK 1st & STUPIDLY PUT THEM OUT IN THE WRONG ORDER

      Or, it's pseudocode and exact syntax doesn't matter in the slightest. You're the only person on Slashdot who would care. The meaning of my post didn't change based on the order of my syntax, because the intent was unambiguous.

  87. Re:what would of a negative number done? by CodeHog · · Score: 1

    From my CS days in college, unit test for the following conditions. Value = N, value = N -1, value = N + 1, value = -N, wash, rinse, repeat until time is up or bugs are fixed.

    --
    Fat, drunk, and stupid is no way to go through life, son.
  88. BS! No IP = no target to hit here by Anonymous Coward · · Score: 0

    See subject: It's WHY I change IP address every time I post in ANY forums + every few minutes anyhow for "cloaking" defense.

    I.E./E.G. - No target possible for ANY attack. Nothing to 'zero-in' on & 'hit'... moving target here, constantly. Impossible to hit. If not 'targeted' you STILL can't hit me (constantly) if/when I change IP - period. I am "not @ that location" anymore!

    * LOL, I call it something from an old Williams arcade game called "DEFENDER" - it's "inviso-power" online for the most part...

    (Ahem/Lastly: Beg to differ - You care & your "objections" PROJECT IT! LOL, YOU PUT HOSTS ENTRIES OUT IN REVERSE ORDER, lol... that much is certain! Hahaha, not even a "nice try" w/ the 'pseudocode out' - it'd "pseudo-work" = why (wouldn't work in other words)).

    APK

    P.S.=> There is also, of course, what I noted earlier too - that YOU CONCEDED MY METHODS USING HOSTS WORK for added speed, security, reliability & even more added anonymity... apk

    1. Re:BS! No IP = no target to hit here by omnichad · · Score: 1

      Do you change your actual ISP IP or your endpoint/VPN IP? Only the former prevents being affected by a DDoS. You're assuming someone found your IP from forum/server logs rather than just attacking a random IP.

      It's WHY I change IP address every time I post in ANY forums

      No, you do that because otherwise you can't post as AC every couple minutes all day.

      Either way, HOSTS does not protect against a DNS amplification attack. Why not concede that point already?

  89. 1994 Called by PatientZero · · Score: 1

    They'd like their client-side shopping cart software back.

    How does even the most novice developer not know that you can't trust anything from the client?

    --
    Freedom to fear. Freedom from thought. Freedom to kill.
    I guess the War on Terror really is about freedom!
  90. Re: what would of a negative number done? by KGIII · · Score: 1

    Oh, the irony.

    --
    "So long and thanks for all the fish."
  91. I recall an analogy from an old European folk tale by TheHawke · · Score: 1

    "The King Has No Clothes on!"

    I think in the original version the person that made that proclamation was promptly beheaded.

    If not, it should at least be mentioned.

    --
    First rule of holes; When in one, stop digging.
  92. ISP assigned IP (not local one) of course by Anonymous Coward · · Score: 0

    See subject: VERY easy to do (especially depending on connection type). DSL/dialup make this extremely easy (reset router either via direct to router/dsl/modem OR use proxies on "semi-static" longterm IP lease...).

    "No Scenario? I see EVERY SCENARIO! That's what it DOES Karl - it puts me 50 MOVES AHEAD OF YOU!" lol.... see film below on that note!

    ("You know how they say you only access 10% of your brain? I LET YOU ACCESS ALL OF IT!" & "YOU WERE BLIND, and NOW? YOU SEE...:")

    APK

    P.S.=> Yes, there IS the benefit of UNLIMITED AC POSTING also, a nice ancillary benefit (baffling DOLTS who TRY to limit me) as well as doing this protective method (Bradley Cooper in the FILM "Limitless" https://www.youtube.com/watch?v=4TLppsfzQH8/ = me, lol) - "HOW MANY OF US GET TO KNOW OUR PERFECT SELVES?"... apk

    1. Re:ISP assigned IP (not local one) of course by omnichad · · Score: 1

      And your HOSTS tool still does nothing to protect against DNS amplification attacks. Seems that you can't just address the main point of my post.

  93. Experts by Anonymous Coward · · Score: 0

    As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

    Yep, things like this are why it's hard to take anything anybody in the industry says seriously. Particularly places like this full of "experts".

  94. Your DNS AMP attack can't affect me by Anonymous Coward · · Score: 0

    See subject & that's truly that: No scenario? I see every scenario, I see 50 scenarios - that's what it does Karl. It puts me 50 MOVES AHEAD OF YOU..."

    * Yes, I am, TRULY... "LIMITLESS" https://www.youtube.com/watch?v=4TLppsfzQH8/

    APK

    P.S.=> You also DO concede my methods work for more speed, security, reliability & anonymity online (had to post it, you won't lie down & die, lol, so I have to let you KILL YOURSELF MORE) https://tech.slashdot.org/comments.pl?sid=4072127&cid=44544679/ & after all - YOU SAID IT right there in black & white (hosts do DO more for less than any other "so-called 'security solution', natively w/ less resource use, in faster kernelmode, & speed you up (most slow you down) - less IS more = GOOD engineering working w/ what you already have))... apk

    1. Re:Your DNS AMP attack can't affect me by omnichad · · Score: 1

      I don't care if the DNS amplification attack affects you - that wasn't the issue. You claimed that your HOSTS file engine itself protects against that. That's not true.

  95. Re: Unbelievable... apk by Anonymous Coward · · Score: 0

    I think a/c was referring to WTF but IDK.

  96. Then what good's your so-called 'point'? by Anonymous Coward · · Score: 0

    See subject: It's not. It can't determine WHERE I REALLY AM & sure hosts help - no tracking in adscripts, server-side or router logs & page snippets too!

    I block ads + tracking scripts too via hosts (many times in both firewalls in software OR routers too).

    I.E./E.G. - BOTH from /. & ANY OTHER SERVERS I do not need (/. is LOADED w/ them) via hosts too!

    * Between that & IP rotations, I am truly a "moving impossible to 'hit' target", no questions asked (nice side effect IS unlimited AC posting here too)... again "LIMITLESS"!

    (,,, & YOU DID ADMIT MY METHODS WORK QUOTED IN MY LAST POST'S LAST LINK...)

    APK

    P.S.=> If/when you can't even TRACK ME (rather 'zero-in' on me) via scripting or even server-side/router logs, I am for all intents & purposes the UNSTOPPABLE + INVULNERABLE object online... apk

    1. Re:Then what good's your so-called 'point'? by omnichad · · Score: 1

      Because you're advertising your software as something that can stop DNS amplification attacks. https://science.slashdot.org/c...

      And when someone calls you out on it, you stick out your tongue and say that you can change your IP address. Only a politician would think that's an answer.

  97. READ: Both methods = complimentary by Anonymous Coward · · Score: 0

    See subject: You admit due to IP change DNS AMP attacks can't find me & hosts also block tracker scripts to determine IP also (again, blocking the ability to FIND me).

    * Between the 2 of them in combination? THERE IS NO WAY TO "ZERO-IN" ON ME/WHERE I AM REALLY COMING FROM - period!

    APK

    P.S.=> I explained that QUITE WELL & you had to ADMIT your DNS AMP attacks = USELESS against me right here https://tech.slashdot.org/comments.pl?sid=10899017&cid=54867549/ (so are attempts by 'certain people' to LIMIT my posting - ineffectual vs. LIMITLESS Eddie Morra ME, lol!)... apk

    1. Re:READ: Both methods = complimentary by omnichad · · Score: 1

      I'm not attacking you with DNS amplification attacks. I'm talking about the end-users you advertise to. Stop conflating these two things.

      Hosts file engine does nothing against DNS amplification attacks.

  98. Don't rock the boat by OrangeTide · · Score: 1

    Powerful people don't like to be embarrassed nor have the world discover their incompetence. If you expose a powerful moron his position is at risk, and he'll take it as an attack. It's irrelevant for him that you were only trying to help.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:Don't rock the boat by edtice1559 · · Score: 1

      Yes, but the fundamental problem is that we are letting incompetent people *become* powerful. If competence were a prerequisite, we wouldn't get into this situation.

    2. Re:Don't rock the boat by OrangeTide · · Score: 1

      I have no idea how you could go about changing that. It seems to have been a general problem that even the ancient Greeks wrote about.

      --
      “Common sense is not so common.” — Voltaire
  99. Re:I recall an analogy from an old European folk t by Anonymous Coward · · Score: 0

    If the story were told during the 14th century, I doubt they would even have to mention what happens if a commoner insulted a king's pride. These days you would have to be explicit about that as we're historically and culturally a very ignorant people.

  100. How would you get my true IP then? by Anonymous Coward · · Score: 0

    See subject: U can't. So not only do I change my IP constantly vs. DNS Amp but I also cut off tracking via hosts (+ firewalls (software & router)).

    * The technique of moving IP addresses constantly is also COMPLIMENTED BY HOSTS stalling tracking too!

    APK

    P.S.=> As you've already conceded? My methods work... apk

    1. Re: How would you get my true IP then? by Anonymous Coward · · Score: 0

      Well, looks like Omni just owned your ass. He stated a clear case and you danced around the issue with the same post template, not refuting him at all. Your logic is busted; I hope you didn't join the debate team in school, because you are awful at proving a point.

  101. Use your brain by dhaen · · Score: 1

    Idly browsing one night, I discovered that all access control had been switched off on our corporate network. Yes, I could even open the CEO's home folder. It didn't take much brain power to realise that if I looked any further there would be time stamps on files that matched my shift time, so I didn't go any further (despite being curious).

    I waited until the morning and phoned a relatively junior IT team member and explained the security lapse to him (on the basis of anonymity), who then escalated the problem.

    The result: The problem got fixed. He got a pat on the back for discovering the oversight, and we became good friends.

  102. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    Not everyone here speaks native English. How about trying to give people a break when they make relatively minor and simple mistakes? As long as the various issues with grammar and spelling don't get in the way of the meaning, why not let it go and instead respond to the intent of the comment? I mean, we're internet junkies, not award-winning novelists. A little bad grammar won't kill us.

  103. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    Why don't you login and post Creimer? You scared shitless fuck.

  104. Omni posts ac to "defend himself" lol by Anonymous Coward · · Score: 0

    See subject: YOU long ago admitted my methods work (my earlier posts show where in links) & YES, I know it's you posting by UNIDENTIFIABLE ac now too, lol "defending yourself"!

    ALL I HAD TO PROVE WAS YOUR DNS AMP ATTACK CAN'T GET ME & THAT HOSTS HELP vs. TRACKING TOO along w/ IP changes I do THAT UTTERLY NULLIFY YOUR FEEBLE "POINT"...

    Man face facts - you failed https://tech.slashdot.org/comments.pl?sid=10899017&cid=54868415/

    APK

    P.S.=> Between BOTH changing IP addresses constantly here & stopping tracking to DETECT MY IP ADDRESS you can't attack me (or limit me posting)... apk

  105. Re: what would of a negative number done? by alexgieg · · Score: 1

    Is there even a legitimate way to use "should of" or "would of" in a sentence?

    Any in which "of" is followed by "course".

    a) "He should of course he should!", she exclaimed breathlessly.

    b) "If we did X, we would of course get..."

    c) "It could of course be a fly."

    --
    Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
  106. Client side checking by ewibble · · Score: 1

    Because there was no client or server-side validation put in place

    What on earth would client side validation do? In fact it does have client side checking it puts the price in the client. The problem is that the hacker changed the client. No amount client side checking can fix this problem when the user controls the client.

  107. Once I "had" to hack using devtools too by Anonymous Coward · · Score: 0

    The system in question had a bug that wouldn't let you change the age through the UI. I was trying to register for something which was on a first come, first served basis and it would not let me change my kid's age. Since tech support was not available, I just tried dev tools, changed the date and updated the profile, and it worked. The issue only happened for about 10% of people falling in certain date ranges. Although the site fixed the issue the next day, many of those who were affected by this issue could not enroll, as it was full by then.

  108. Re: Some deeper background info concerning inciden by Anonymous Coward · · Score: 0

    Oh, please the fuck up. You're not from Hungary. Go fuck yourself, troll.

  109. Re:what would of a negative number done? by Anonymous Coward · · Score: 0

    And here I thought it was a southern California thing.

  110. Re: 2 more of your tech fails by Anonymous Coward · · Score: 0

    If you only visit sites in your hosts file 98% of the time, then you're only 98% covered from DNS attacks, dipshit. Besides, your use case is not applicable to the vast majority of internet users. Most of us visit far more sites than Slashdot and Rule34 every day.

  111. LMAO - wrong (OpenDNS + hosts)... apk by Anonymous Coward · · Score: 0

    See subject: WRONG - OpenDNS, unlike others, filters vs. threats & IS patched vs. the Kaminsky redirect poisoning flaw security issue (99.999% of ISP dns aren't).

    * Guess what I combine w/ custom hosts files?

    OPENDNS! ... & I never said I ONLY visit my fav. sites hardcoded for fastest possible LOCAL from SYSTEM RAM cached hosts (which also secures you vs. DNS fails in security etc. or being downed) !

    (Lastly - Nicest part of MY hosts program, unlike others? Is that I allow YOU to set your fav. sites you spend MOST TIME @ ONLINE - as many as you like, properly reverse DNS resolved!)

    HECK, CHINA IMITATED THIS TECHNIQUE OF MINE http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/

    APK

    P.S.=> Like I said to OmniChad earlier? "No scenario? I see EVERY scenario. I see 50 scenarios... that's what it DOES, Karl - It puts me 50 MOVES AHEAD OF YOU" & yours (LIMITLESS Eddie Morra, lol = me)... apk

  112. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    You're missing commas in all of those examples.

    a) "He should, of course he should!", she exclaimed breathlessly.

    b) "If we did X, we would, of course, get..."

    c) "It could, of course, be a fly."

  113. Re: what would of a negative number done? by alexgieg · · Score: 1

    You're missing commas in all of those examples.

    They're actually optional, specially if you're trying to convey spoken language. I agree that with them the sentences read better though.

    --
    Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
  114. Re:I know this will be an unpopular opinion, but.. by Mr. Shotgun · · Score: 1

    May be a day late and a dollar short on this response, but that is not a good analogy. Client side validation is not swapping stickers; it is handing the customer the label maker and letting them choose their own price. Sure, it has a suggested price as the default, but without checking the accuracy on the server side you are letting the customer pick whichever price they want and you accept it because that is how your system is set up. It is like the credit card company that did not verify its own contract when it was sent back by a customer. If your system is set up to auto-accept what the customer said, you are going to have a bad time.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
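The point made in comments 82, 106 and 114 (the client can only name what it wants, the server must decide what it costs) and the boundary cases from comment 87 (N, N-1, N+1, -N), shown as an added example that is not code from the thread, from BKK or from its vendor. The catalogue, prices in HUF and the per-order limit are constructed for illustration.

```javascript
// Added example (not from the thread or BKK): a checkout handler that trusts
// the client's price, beside one that re-derives the price on the server.
// Catalogue values and the order limit are constructed, not BKK's real figures.
const CATALOG = Object.freeze({
  single:  { name: "Single ticket", priceHuf: 350 },
  monthly: { name: "Monthly pass",  priceHuf: 9500 },
});

const MAX_QUANTITY = 20; // constructed business limit per order

// Vulnerable pattern: the browser posts back the price it displayed and the
// server multiplies it out. Anything the browser renders can be edited in the
// developer tools, so this accepts whatever price the user chose.
function checkoutTrustingClient(order) {
  return { ok: true, totalHuf: order.price * order.quantity };
}

// Hardened pattern: the client only identifies WHAT it wants; the server looks
// up what it costs. A client-supplied price is never used in the arithmetic.
function checkoutServerPriced(order) {
  // Own-property lookup so keys like "__proto__" or "toString" cannot resolve
  // to something that is not a catalogue entry.
  const item = Object.prototype.hasOwnProperty.call(CATALOG, order.ticketId)
    ? CATALOG[order.ticketId]
    : undefined;
  if (!item) return { ok: false, error: "unknown ticket" };

  // Boundary checks in the spirit of comment 87: the quantity must be an
  // integer in [1, MAX_QUANTITY]. Strings, floats, NaN, zero and negatives are
  // rejected outright rather than coerced.
  const q = order.quantity;
  if (!Number.isInteger(q) || q < 1 || q > MAX_QUANTITY) {
    return { ok: false, error: "invalid quantity" };
  }

  const result = { ok: true, totalHuf: item.priceHuf * q };
  // The server never relies on order.price, but a mismatch between what the
  // client claims and the catalogue is exactly what tampering looks like, so
  // surface it for logging and alerting.
  if ("price" in order && order.price !== item.priceHuf) {
    result.warning = "client price ignored";
  }
  return result;
}

// Constructed example of a tampered request: the price field was edited in
// the browser before submission, as described in the story.
const TAMPERED_ORDER = { ticketId: "single", price: 1, quantity: 1 };

// Stand-alone demo of the two behaviours on the same request.
console.log("trusting client:", checkoutTrustingClient(TAMPERED_ORDER));
console.log("server priced:  ", checkoutServerPriced(TAMPERED_ORDER));
console.log("negative qty:   ", checkoutServerPriced({ ticketId: "single", quantity: -1 }));
```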
  115. Re: what would of a negative number done? by Anonymous Coward · · Score: 0

    Shoulda, woulda, coulda