Australian Teen Alerts Transit Department To Security Hole On Website... Gets Reported To Police

from the not-this-again dept

For years and years, we've been stumped by why website owners try to kill the messenger when someone discovers a hole on their website. It's happened yet again. Down in Australia, a 16-year-old by the name of Joshua Rogers found a security hole in the Metlink website, which is run by the Transport Department in Victoria. The hole appears to be a fairly large one:
The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne.
Rogers did exactly what a good security researcher should do: he contacted the Transport Department. After waiting two weeks without further response, he went to the press. Upon hearing from a reporter, rather than focusing on closing this massive security hole (and figuring out how to properly encrypt credit card numbers), the Transportation Department told the reporter that it was reporting Rogers to the police.

In other words, the officials there would rather malicious hackers have access to all that info, and are trying to throw the guy who told them they should fix their website in jail. Incredible.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    kenichi tanaka (profile), Jan 9th, 2014 @ 4:03pm

    When will people start learning to stop reporting these hacks to the authorities and the businesses who are affected by these exploits. Simply post these exploits on hacker websites.

    If I discovered an exploit, I sure as hell would not report it to the police or to the businesses who are affected by these exploits because I've seen how they treat those people who are reporting these exploits.

    I'd be more apt to post the exploits on hacker sites before I reported them to the people running these websites.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 4:11pm

    aaand Next time on "Old people in charge of computers"....

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 4:22pm

    Lazy "webmaster", is lazy.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 4:29pm

    Re:

    This.

    Nobody actually cares about getting hacked. That happens to everyone and everything, and is seen more as a natural disaster (regardless of how tech people see the post-mortem analysis of the security hole, nobody else cares). Being seen as insecure? That's not a natural disaster, that's negligence. Someone's actually responsible for that. The case is the same if someone had gone to fix the problem - someone would have been called to account.

    Being responsible for something negative is poison to government and corporate bureaucrats alike (as well as organizations), which is why this sort of thing happens. It's why whenever there's a settlement there's no admission of responsibility by the losing party. Until that changes, on a societal level, humiliating an organization (or doing something which might be humiliating) is going to draw retaliation.

    Hence this widespread problem.

     

    reply to this | link to this | view in thread ]

  5. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Jan 9th, 2014 @ 4:43pm

    "likely he used a SQL injection vulnerability" -- That IS hacking.

    Fact: those don't attempt to find "vulnerabilities" on web-sites are unlikely to be reported to police. It's almost as though they're telling budding "hackers" not to make such attempts but try to find something useful to do with their time. This level of hacking requires almost zero knowledge or skill, no more than running a simple program. So why do it?

    Mike's notion that the web-site would rather allow malicious hackers is unsupported by any evidence. It's at least as likely that no other attempts were even made.

    The only interest here is meta-view of "teh internets" re-writing trivia: from "TheAge" to "Wired" and now all the way down to bottom-feeder Techdirt. A good question for Mike is why he links to "Wired" and not the original. But think I have the answer:
    http://en.wikipedia.org/wiki/Link_farming

    Only on Techdirt play Spot The Fan-Bots! Clues: 1) sheer ad-hom yapping like an ankle-biter 2) copy-pasted to either a) paraphrase without new thought b) merely gainsay 3) complaining about prior comments instead of on-topic

    12:42:53[n-765-8]

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    Chronno S. Trigger (profile), Jan 9th, 2014 @ 4:51pm

    Re: "likely he used a SQL injection vulnerability" -- That IS hacking.

    Oh, I found the fan-bot, his name is out_of_the_blue. I wouldn't call him a fan, but he matches all of your criteria including 2a and 2b. What do I win?

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 4:59pm

    Re: "likely he used a SQL injection vulnerability" -- That IS hacking.

    I'm confused... if Jimmy the neighborhood teenager gives the crazy-town gazette a picture of the contents of your safe deposit box because the bank was leaving a window into the vault open (even after he told the manager) you'd say the bank did everything within their power to protect your stuff and the teenager needed to do something useful with his life?

    Sorry for feeding the troll, and the runon sentence.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Nigel, Jan 9th, 2014 @ 5:00pm

    Just flag blues shit and move along..

    Funny he gets all touchy about someone getting their ass handed to them by a kid though. Its quite telling.

    High School is clearly rough for that dude.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    bmarsh (profile), Jan 9th, 2014 @ 5:03pm

    Sorry to make fun of this, but...

    The transit department, "throwing someone under a bus?"

    Really?

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Mike Dee, Jan 9th, 2014 @ 5:08pm

    It's 2014. Time to embrace the hackers ( not crackers ) and get this shit fixed. Especially in a time security is becoming a big thing.

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    dante866 (profile), Jan 9th, 2014 @ 5:12pm

    New Game

    I've started playing a new game...

    Step 1: Open random post with comments on Techdirt.
    Step 2: Find the ootb comment, revealing all hidden comments if need be.
    Step 3: Record distance from First that ootb comment appears, including all comments hidden by moderation programming.
    Step 4: Repeat.

    The point is to see how far you can get before 5 posts have been opened.
    --------------------------------------
    Yes, using a SQL Injection Vulnerability can be considered hacking. However, here's the bigger issue, and it's not with how this kid spends his time. 5, 10, even 15 years from now, I'd much rather have this kid finding vulnerabilities on websites and reporting them than hearing about how he shanked his roommate for a pack of cigs. I'd much rather live in a world where excellence at computing is celebrated, rather than the world that ootb seems to look forward to. If you want security, fix your damn holes...don't cover them up. Open holes in one site ruin the rest.

    Also, Streisand Effect applies to security vulnerabilities too.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    united hackers association, Jan 9th, 2014 @ 5:20pm

    i sai dit on reddit and il say it here

    THERE IS NO PROFIT , NO PAT ON THE BACK ONLY WORK FOR US OR JAIL TIME...

    DO NOT HELP THEM....

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 5:21pm

    i cant think which country, apart from the USA who already does this sort of thing. then they wonder what the hell they can do when no one bothers to help them out of the shit they have caused for themselves. this is exactly the sort of thing that Obama has started, thanks to the way he pisses all over those who have done what he wanted, what he encouraged people to do, report to the authorities things that are wrong! he left out the bit about throwing you in jail for your trouble, as your reward! as two faced as the rest of politicians!!!

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 5:35pm

    maybe the hole is deliberate?

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 5:46pm

    These companies are hilarious! They really believe in security through obscurity.
    And really, is "one guy found it, maybe others will too, and maybe they won't be as upfront about it" such a difficult concept to grasp?

    At this point, the only recourse for white hat hackers is to anonymously make vulnerabilities public knowledge. It's a shame that the companies won't get a grace period to fix their vulnerabilities while few black hats are aware of them, but at this point they've made it clear they don't want one.
    At least by publicizing the vulnerabilities they won't end up being silently exploited for years.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 6:06pm

    Thank you Senator Leahy for your brilliant new bill that makes discussing computer security a crime as if you did it. Instead of reporting this to people who you would think would be grateful for having prevented a major hack, they are now pushing for hacking charges.

    I agree with #1 and #14 over the issues. No longer report to those that would benefit from a more secure site. Instead report it to the hackers who will force them to deal with it when their customers start raising hell about shit missing.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 6:12pm

    Isn't getting on the company's case just a form of victim blaming though? It's basically the same as telling women to "cover up" to avoid assault. Is that OK?

    ~ ~ ~

    Alternatively, if you this kid's behavior is OK, what's your home address? I'd like to spend some time trying to break in without your permission in the next week or so. Don't worry I probably won't really break in - break in, I'm just curious as to how secure your house is...see if I can jimmy the locks and such. I will definitely probably maybe tell you about any vulnerabilities I find. I'm pretty good at this. I don't have like any certification for this and I don't work for any sort of organization that might legitimize this or anything; it's just kind of a hobby of mine when I get bored. So, we cool?

    If we are going to allow hobbyist pen testers to operate, and maybe that's a good idea, it needs to be regulated.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 6:47pm

    The 3rd option

    If they don't want the help, you don't have to say anything at all.Just keep it to yourself and move on.
    According to Mike Rogers, If no one knows about it, it doesn't exist.Besides it may be a good thing to have a back door.

     

    reply to this | link to this | view in thread ]

  19.  
    icon
    That One Guy (profile), Jan 9th, 2014 @ 7:21pm

    Re:

    I'm not sure about sharing the security vulnerability with hackers, but I agree, if I somehow stumbled upon something like this, the last thing I'd do would be to tell the business about it, at most I'd probably tell any friends and family to avoid the business due to them not being secure.

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    That One Guy (profile), Jan 9th, 2014 @ 7:30pm

    Re:

    Let me guess, you work at some company that was told about a glaring security issue in your system that you were too lazy to deal with?

    'Victim blaming'? Really? The kid was pointing out that the website had a massive security issue, one that made available a ton of personal data on everyone listed on it, and since contacting the department itself got him nothing, he went to the press to force them to address the issue and fix it.

    This(which again only happened because they refused to listen to him when he contacted them directly about the problem) left them with a bunch of work to do and egg on their face, but rather than do the sane thing and thank him for pointing out a security problem they had, one that would have led to massive problem if someone less ethical stumbled across it, they blame him for their embarrassment.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    @blamer, Jan 9th, 2014 @ 7:35pm

    Re: safe as houses

    Analogy Does Not Hold.

    My house contains no such database of other peoples' credit card numbers. If my home is breached, you will sleep soundly.

    Metlink's database for comparison: "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site".

    Hence, all australians wake in fright.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 7:43pm

    Re: Re:

    Exactly. We can call Rogers a white hat without imagining him to be a saint. I assume he's contacting metlink to demand they "please to be now better securing *HIS* personal data". Not mine. Not yours.

    The thing about metlink is... locals can either catch *their* trains, or no trains.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 7:44pm

    about a month and a half ago the same trasport department started an advertising campaign for registering your credit card on the metlink ticketing system so youu can be automaticlly billed. they have egg on face syndrome.

     

    reply to this | link to this | view in thread ]

  24.  
    icon
    Mike Brown (profile), Jan 9th, 2014 @ 7:46pm

    Re:

    I wonder if it didn't go down more like this:

    Rogers: Excuse me sir, but I noticed a security flaw on your website that I thought you might want to be aware of...

    Webmaster: WHAT??!!! You little shit, how dare you call my baby ugly! I'm calling the cops.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Liam Neeson, Jan 9th, 2014 @ 7:52pm

    DeadDrop

    Dear [insert Company]

    I know who you are. I know what you have. If you are looking for a security hole, you have one. If you are looking for a scapegoat, I can tell you I'm not him. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you plug your security hole now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will Barbra Streisand you.

    This message was brought to you by SecureDrop

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Bpat, Jan 9th, 2014 @ 7:55pm

    Re:

    Welcome to Australia, we are the 51st American state. Our politicians have some of the brownest noses around.

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    That One Guy (profile), Jan 9th, 2014 @ 8:16pm

    Re: DeadDrop

    Oh that was brilliant, if that doesn't at least make editor's choice for funny this week something is seriously wrong...

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 8:22pm

    Bobby Tables

    If I was a security researcher and found a site that was vulnerable to SQL injection I would just delete their database tables using the exploit.

    This way I have protected the data from crackers and the site operators would have no clue I did it. Seems like a better alternative than being prosecuted for being a nice guy.

    http://xkcd.com/327/

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 8:23pm

    what is it with website owners?

    this isn't the same thing, but i once discovered that find-a-grave had six famous people as being buried in the wrong cemetery.  i had an account with them at that time and occasionally submitted a gravestone pic for the site.

    the graves were actually in the old city cemetery, which wasn't very large, but find-a-grave had them listed in a large commercial cemetery nearby.  i knew that people wanting to find those famous graves would waste a lot of time in that huge cemetery and never find the graves, so i went to a lot of trouble to show that they were in the other cemetery.  i knew they would be skeptical, so i made it perfectly obvious.

    i was never able to log into my account again.  all my pics were still in their possession but most no longer showed on the site.  i have no idea what happened there.  what is it with website owners?

     

    reply to this | link to this | view in thread ]

  30.  
    identicon
    Liam Neeson, Jan 9th, 2014 @ 8:37pm

    Re: Re: DeadDrop

    I was tempted to use goatse instead of Barbra Streisand *sigh*

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 8:53pm

    Perhaps these people need some one with more skin in the have to report these security flaws to. Who has more skin in the game than the credit card companies who would end up eating the cost of the fraud. The credit card companies are powerful enough to get noticed and to powerful to be ridden rough shod over. Simply promise to cut off companies who fail to repair flaws in a timely manor.

     

    reply to this | link to this | view in thread ]

  32.  
    icon
    G Thompson (profile), Jan 9th, 2014 @ 8:53pm

    Re: "likely he used a SQL injection vulnerability" -- That IS hacking.

    Found a t-shirt that has YOU all over it OOTB...

    Wear it with pride

     

    reply to this | link to this | view in thread ]

  33.  
    identicon
    Tru Blu, Jan 9th, 2014 @ 8:55pm

    Wash ya mouth out boyo

    with carbolic soap. That is one of the foulest things to say. Yankee go home, we didna lykya in ww2 and we lykya even less t'die.

     

    reply to this | link to this | view in thread ]

  34.  
    icon
    G Thompson (profile), Jan 9th, 2014 @ 9:04pm

    Believe me this Teenager is definitely not going to be convicted on anything under the Crimes Act.

    Though Metlink might have bit off more than they can chew under the Federal Privacy Act now.. More so since they are government contractors (for Govt Public Transport sector in Victoria)and can be criminally charged (Directors of companies are liable) because they had full foreknowledge and refused to act.

    In March this all changes to even more detrimental affect towards Companies who knowingly do NOT secure there information that comes under the new Australian Privacy Principles.

    Would suck to be a Director of Metlink at moment ;)
    Also on an interesting note Victoria is the state where the first ever Australian so called 'hacking' cases were done on the pushing by the US Secret Service and FBI way back in late 80's and early 90's with NO major punishments or any other major detriment to the teenage defendants.

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 9:16pm

    so, uh, what's the website?

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    Tru Blu, Jan 9th, 2014 @ 9:20pm

    PTV does not have the most enviable reputation for IT

    If you ask the right people, you will find out how screwed up PTV is in their handling of IT (systems and people). One has to remember that it is a government based bureaucracy and has all the failings there-in.

    Consider for example, they have a serious infrastructure problem with their current ticketing system and their solution is based in enforcement. Basically, if you ticket is not validated, you are considered guilty, unless you can categorically prove that the equipment has not worked. This you can only really do by testing and also seeing the actual transactions sent by the validating devices. Since you can't test the devices and it can take a month or more to see your own transactions, you are stuck with the "on the spot" fines. The reputation that the ticket inspectors have is probably lower than used car salesmen and lawyers.

    I have seen all the validators on a single tram just turn off and it take some time for them to come on line again. If you get on while these machines are off line, and then the inspectors decide to check your tickets, they will generally fine you even if they have observed the problem occurring.

     

    reply to this | link to this | view in thread ]

  37.  
    icon
    G Thompson (profile), Jan 9th, 2014 @ 9:29pm

    Re:

    In fact further to this if any Victorians are reading this I would advise you if you are a Metlink customer (and that's basically anyone who has ridden on a Bus, Train or Tram) to contact your Local MP (Federal and State) as well specifically the Victorian Privacy CommissionerM/a>

    I would also recommend any organisation within Australia (this covers ALL now not just government) or wanting to do business with Australia to read, analyse, and implement the new
    Australian Privacy Principles (APP's)that come into effect on March 2014.

    Also you might note that Notification of Data breaches are now mandatory (not just voluntary under the old guide)

     

    reply to this | link to this | view in thread ]

  38.  
    icon
    G Thompson (profile), Jan 9th, 2014 @ 9:34pm

    Re:

    Here is the login/about page

    http://ptv.vic.gov.au/tickets/myki

    It's part of Public Transport Victoria

    also for a nice laughable read now.. read there privacy policy http://ptv.vic.gov.au/privacy/#myki [my favourite part is where they state "PTV and its agents will take all reasonable measures to secure personal information." )

    oh and the Contact details at bottom are TO USE!

     

    reply to this | link to this | view in thread ]

  39.  
    identicon
    Clownius, Jan 9th, 2014 @ 10:05pm

    Doubt he gets charged

    Heres the original (updated) source. The Age

    http://www.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html

    I seriously doubt anyones going to press charges at the end of the day. Its not the first time or the last this will happen. Our media (the part not owned my Rupert Murdoch) at least makes sure the people responsible end up with egg on their face and dont want to risk the embarrassment of more details coming out due to legal action

     

    reply to this | link to this | view in thread ]

  40.  
    identicon
    haiku, Jan 9th, 2014 @ 11:20pm

    In ZA it is standard operating procedure for all governmental / municipal / etc. agencies, i.e. those paying with taxpayer's money to:

    1. Sub-contract for a website that is built at several times the going rate;
    2. When a security hole is found (composite explanation with minor local variances):
    (a) Accuse the world of hacking the website;
    (b) Report the hack to the police;
    (c) Close down the website for 'maintenance';
    (d) Never re-open the website.

     

    reply to this | link to this | view in thread ]

  41.  
    identicon
    MerkleTree, Jan 9th, 2014 @ 11:34pm

    While they Shoot the canary

    While they are busy shootin' the canary, and yelling the word "terr" every 60 seconds.

    Someone is probably hammering their site without them knowing about it. (not that they knew before).

    What is scary is that this will have a chilling effect on people who might actually help.

    Part of me wants to see that whole site collapse, but then they will just blame the kid again.

     

    reply to this | link to this | view in thread ]

  42.  
    icon
    Sunhawk (profile), Jan 10th, 2014 @ 12:02am

    Re:

    Perhaps these people need some one with more skin in the have to report these security flaws to. Who has more skin in the game than the credit card companies who would end up eating the cost of the fraud. The credit card companies are powerful enough to get noticed and to powerful to be ridden rough shod over. Simply promise to cut off companies who fail to repair flaws in a timely manor.


    ... now this I like. CC companies would be the perfect foil.

     

    reply to this | link to this | view in thread ]

  43.  
    icon
    Ninja (profile), Jan 10th, 2014 @ 3:24am

    Re: Sorry to make fun of this, but...

    Hopefully they'll calculate so it does not affect the line schedule!

     

    reply to this | link to this | view in thread ]

  44.  
    icon
    Ninja (profile), Jan 10th, 2014 @ 3:26am

    Re:

    I wonder, if it's that bad when someone points it out they'll probably start a witch hunt to find the anonymous leaker and completely ignore the real issue at hand...

     

    reply to this | link to this | view in thread ]

  45.  
    icon
    Bergman (profile), Jan 10th, 2014 @ 3:28am

    Bureaucrats and Engineers

    This whole 'prosecute the messenger' thing makes perfect sense when you consider that most companies are run by bureaucrats not engineers.

    To an engineer, the objective is to build the best whatever possible. When someone points out a flaw, that person is a hero because then the engineer can fix the problem and make their product better.

    To a bureaucrat, the objective is to cover his ass. Problems don't exist until someone reports them; In effect, the person reporting the problem didn't discover it, they created it where it did not exist before. And worse, the person it is reported to is now an accomplice to creating the problem unless they bury it so deep it will never be heard from again.

    Given that very few engineers are the heads of companies, you get the absurdity playing itself out over and over, where companies go on the attack against anyone who points out a problem in one of their products or systems.

     

    reply to this | link to this | view in thread ]

  46.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 3:39am

    Re: Re: "likely he used a SQL injection vulnerability" -- That IS hacking.

    He also fits 1 and 3 succinctly!

     

    reply to this | link to this | view in thread ]

  47.  
    icon
    Niall (profile), Jan 10th, 2014 @ 4:36am

    Re:

    It's nothing to do with Obama, it was happening under Bush as well. (Although given, it may have got worse under Obama.) So sorry to puncture your favourite boogeyman.

     

    reply to this | link to this | view in thread ]

  48.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 5:24am

    Doesn't mean the police will do shit. Over-reaction here is absolutely epic, from all angles.

     

    reply to this | link to this | view in thread ]

  49.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 5:31am

    They should be offering this kid a job or contract work, I'm amazed at the stupidity coming out of corporate offices and nations these days aren't we supposed to be in a constant state of evolution.

     

    reply to this | link to this | view in thread ]

  50.  
    identicon
    Pragmatic, Jan 10th, 2014 @ 6:15am

    Re:

    I see new commenter jackn hasn't popped in to admit he was wrong... this kind of thing happens all the time.

     

    reply to this | link to this | view in thread ]

  51.  
    identicon
    Pragmatic, Jan 10th, 2014 @ 6:19am

    Re: Doubt he gets charged

    Look up "Weev," Clownius.

     

    reply to this | link to this | view in thread ]

  52.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 6:27am

    not reporting exploits

    You've seen how "they" treat people who report these exploits ONLY when the treatment comes to your attention by being bad, as it is in this case. How many explots have been reported and fixed without anyone else knowing about it? Dozens, hundreds, thouands? You have absolutely no idea, because you only hear of the cases that turn out like this.

     

    reply to this | link to this | view in thread ]

  53.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 6:43am

    Re:

    But if businesses get 'hackers' thrown in jail who report security vulnerabilities no one else will be able to find the security flaw!

    Why wouldn't the Stick your fingers in your ears and go 'la la la' approach work?

     

    reply to this | link to this | view in thread ]

  54.  
    identicon
    Ashley Sheridan, Jan 10th, 2014 @ 7:23am

    Re: Wash ya mouth out boyo

    Erm, isn't that a Scottish "accent" you're using there? :p

     

    reply to this | link to this | view in thread ]

  55.  
    icon
    Gwiz (profile), Jan 10th, 2014 @ 7:27am

    Re:

    "likely he used a SQL injection vulnerability" -- That IS hacking.
    Fact: those don't attempt to find "vulnerabilities" on web-sites are unlikely to be reported to police. It's almost as though they're telling budding "hackers" not to make such attempts but try to find something useful to do with their time. This level of hacking requires almost zero knowledge or skill, no more than running a simple program. So why do it?



    Why do it? I'll tell you why Blue. It's rather simple and I'm surprised you don't get it.

    Hacking in this manner is a modern day version of questioning authority. These hackers are pushing the edge just to determine the limits of these systems. They are simply questioning the authority of those limiting what they can achieve with their knowledge and a computer.

    For someone who constantly rails against Government and "The Rich", this appears to be another of your disconnect areas. You scream and yell that we should be questioning those in authority, but if your labeled a "hacker" then you are supposed shut up and meekly follow all the rules. That doesn't make much sense, Once again, your consistency is lacking.

     

    reply to this | link to this | view in thread ]

  56.  
    icon
    madasahatter (profile), Jan 10th, 2014 @ 8:35am

    Re:

    Actually if I found a security hole I would sue for gross negligence and fraud if I had standing to sue. Otherwise I would shut up. I think a couple of big lawsuits lost with the possibility of managers doing jail time for fraud and/or racketeering would make the PHB more apt to act.

     

    reply to this | link to this | view in thread ]

  57.  
    icon
    madasahatter (profile), Jan 10th, 2014 @ 8:37am

    Re: Re:

    SQL injection so well known that if the code allows it to occur one should question the management and developers because some screwed up.

     

    reply to this | link to this | view in thread ]

  58.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 10:19am

    Re:

    A better analogy is leaving the house with your door wide open, and then when your neighbor calls to let you know, you ignore them. So, they call your partner/spouse/kids (anyone affected by the open door) to let them know you left the door open so they will tell you to close it. When they get mad at you, you call the police on your neighbor.

     

    reply to this | link to this | view in thread ]

  59.  
    icon
    btr1701 (profile), Jan 10th, 2014 @ 11:23am

    Re:

    > If I discovered an exploit, I sure as hell
    > would not report it to the police or to
    > the businesses who are affected by these
    > exploits because I've seen how they treat
    > those people who are reporting these exploits.

    At this point, at a minimum, someone wanting to do this should probably get an attorney and report it anonymously through the lawyer.

     

    reply to this | link to this | view in thread ]

  60.  
    icon
    Greg (profile), Jan 10th, 2014 @ 11:27am

    Re: The 3rd option

    Are you saying that he should have told the company about the vulnerability, then if they did not do anything about it, just tell no one else?

    If so, I see a major problem with this. When Mr Black hat finds it 6 months later and steals everyone's credit card info, the first thing they are going to do is report him to the police as being the thief.

    If he is getting in trouble for this "hack" when nothing bad happened, imagine how much worse it would be if the police thought he actually did something harmful.

     

    reply to this | link to this | view in thread ]

  61.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 11:40am

    Re: Re:

    Having no idea what lawyers like to charge, I want to ask just how expensive would it then be to report an exploit?

     

    reply to this | link to this | view in thread ]

  62.  
    identicon
    Rekrul, Jan 10th, 2014 @ 1:10pm

    If he has an account with them, after two weeks of no response from the company, he should have filed charges with the police against the company for putting his personal information at risk. Maybe also sue them for a violation of their privacy policy if they promised to keep his information safe.

     

    reply to this | link to this | view in thread ]

  63.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 1:41pm

    Re: Re:

    if I found a security hole I would sue for gross negligence and fraud if I had standing to sue.


    The existence of a security hole is not, by itself, evidence that there was anything like gross negligence or fraud. I guarantee that every device you (or anybody else) owns that can communicate has more than one security hole.

     

    reply to this | link to this | view in thread ]

  64.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 1:43pm

    Re: Re: Re:

    All it would take would be a single letter from an attorney. You could get this done on the cheap, even through a free or low cost legal aid clinic.

    (The reason to use an attorney for this is that the attorney can't be compelled to tell anyone who you are.)

     

    reply to this | link to this | view in thread ]

  65.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 1:48pm

    Re: "likely he used a SQL injection vulnerability" -- That IS hacking.

    This level of hacking requires almost zero knowledge or skill


    Actually, SQL injection does, in fact, take a certain level of knowledge and skill. You have to know SQL, you have to have a fundamental understanding of the way it tends to be used for this type of application, and you have to get the right table names.

    It's not rocket science, but it's not something you usually see the script kiddies doing, either.

     

    reply to this | link to this | view in thread ]

  66.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 1:51pm

    Re: Re:

    No no, the 51st state is Canada. You're #52.

     

    reply to this | link to this | view in thread ]

  67.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 1:55pm

    Re: The 3rd option

    The better solution is to do what white-hat hackers used to do routinely: publish the vulnerability widely and publicly.

    The only reason that practice stopped is because companies, quite reasonably, asked everyone to please tell them about their security problems first, to give them a chance to fix it, before telling the world.

    If the company doesn't want to be told, then just skip that step.

     

    reply to this | link to this | view in thread ]

  68.  
    icon
    Sheogorath (profile), Jan 10th, 2014 @ 4:14pm

    FTFY

    In other words, the officials there would rather malicious hackers have access to all that info, and are trying to throw the guy who told them they should fix their website in jail. Typical.

     

    reply to this | link to this | view in thread ]

  69.  
    icon
    That One Guy (profile), Jan 10th, 2014 @ 6:25pm

    Re: Re: Re:

    You sure, the UK really seems to be bucking for that #51 spot.

     

    reply to this | link to this | view in thread ]

  70.  
    identicon
    Anonymous Coward, Jan 13th, 2014 @ 12:58pm

    They don't want the teen to get their job.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This