Forgot your password?
typodupeerror
Australia Crime Security The Courts

Australian Teen Reports SQL Injection Vulnerability, Company Calls Police 287

Posted by timothy
from the charged-with-public-embarrassment dept.
FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.'"
This discussion has been archived. No new comments can be posted.

Australian Teen Reports SQL Injection Vulnerability, Company Calls Police

Comments Filter:
  • Was not arrested (Score:5, Insightful)

    by F'Nok (226987) * on Saturday January 11, 2014 @03:09AM (#45924663)

    The article says he was reported to police, but not arrested or even contacted by the police.

    He only even knows he was reported to the police because the journalist told him.

    Seriously, can we at least read the article before making up wrong headlines?

    • According to where I originally read this (Boing Boing) it says he was [boingboing.net].

      However, I now see this at the bottom of the Wired article:

      Update: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned heâ(TM)d been reported to the police from the journalist who wrote the story for The Age.

      My apologies, title should read someone: Victorian Transportation Department Calls Police After Teen Reports SQL Injection Vulnerability

      `sudo mods edit title`

    • by cffrost (885375)

      The article says he was reported to police, but not arrested or even contacted by the police.

      He only even knows he was reported to the police because the journalist told him.

      Seriously, can we at least read the article before making up wrong headlines?

      Please, you've been here longer than I have. Surely you know that the "news" items here aren't meant to be an expression of reality, but a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs. ;o)

  • by perpenso (1613749) on Saturday January 11, 2014 @03:10AM (#45924665)
    The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

    If its not your computer and if you don't have the owner's permission you can't do penetration testing without putting yourself at risk.
    • by sabri (584428)

      The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

      Actually, it does. Your intentions can make an important difference. One example of this is the good Samaritan who breaks into a car to rescue a baby locked inside on a hot day. He would be guilty of vandalism according to your logic. Same applies here, if the kid notices a vulnerability and reports it without unnecessarily retrieving data, he is obviously a good Samaritan.

      • by perpenso (1613749)

        The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

        Actually, it does. Your intentions can make an important difference. One example of this is the good Samaritan who breaks into a car to rescue a baby locked inside on a hot day. He would be guilty of vandalism according to your logic. Same applies here, if the kid notices a vulnerability and reports it without unnecessarily retrieving data, he is obviously a good Samaritan.

        Your analogy is flawed. The vulnerable data is not in plain sight to an innocent bystander as the baby in the car is. A better analogy would be someone sees a panel van and wonders if they can break into it. They do and once they have opened the door they find a baby in distress. They were not aware of the baby until after the break in.

        • by amorsen (7485)

          The problem is that virtual and physical security work differently.

          If a window does not close properly, that is not something to be all that much concerned about. The number of people who will find out is likely small, and any burglar will have to find out about the broken lock and be near the window to exploit it. Even if there is a break-in, the loss is probably going to be less than $10000, easily affordable for society as a whole. If everyone starts checking all the windows they pass by, society as a wh

      • by SuricouRaven (1897204) on Saturday January 11, 2014 @05:52AM (#45925201)

        That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism. What actually happens is the prosecution service decides that, in this instance, the law is best left unenforced. This discretion is important, as it's the only way to manage the very complicated system of laws - everyone commits crimes, every day. If every crime was prosecuted, most countries would need to imprison their entire population.

        It goes out the window if you manage to upset someone in a position of wealth or power though. Do that, and they will easily find something to prosecute you for.

        • by gnasher719 (869701) on Saturday January 11, 2014 @08:25AM (#45925587)

          That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism.

          Breaking into a car to get a baby out that is suffering from heat (especially in Australia, where this could be quite severe in some places) is not vandalism, it is self defense. Self defense covers protecting others as well, and allows use of an appropriate amount of violence. Breaking into a car to safe a baby from a heat stroke seems appropriate.

        • IANAL, but I my understanding is that, at least in English law, the law actually does protect the Good Samaritan who engages in minor property damage to save a baby. The prosecution would almost certainly not prosocute, but if they did, the defendent would be able to exercise the Defence of Necessity. http://en.wikipedia.org/wiki/Necessity_in_English_law [wikipedia.org]
      • by ihtoit (3393327)

        no, this is running into a burning school and coming out with an unconscious child who was not marked in the register. Nobody knows he was in there, not even you, but notwithstanding the fact that you're a fucking hero to the kid, his friends and his parents, technically you had no business being in the building and therefore stand to be arrested and charged with trespass.

      • Well I guess the key question is why he was doing the "research" to begin with

        If he was actively using portscanners and other tools to try to find exploitable systems on the internet, his intentions are questionable.

        I guess with SQL injection it's conceivable he could have simply been filling in something like a comment form, and gotten an error when the form wasn't properly handled....

        From TFA "Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability"

        However, TFA also sta

    • by steelfood (895457)

      On the other hand, the Russians and Chinese can penetrate virtually risk-free.

  • Incorrect. (Score:5, Informative)

    by jamesn (112393) on Saturday January 11, 2014 @03:11AM (#45924669)

    From the article:
    "Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

    He hasn't been arrested.

  • Idiots (Score:5, Funny)

    by Mistakill (965922) on Saturday January 11, 2014 @03:12AM (#45924683)
    If you smiled at a safe, and it burst open... its not your fault the safe was faulty...
    • If you put a high powered microphone to a safe, pick the lock and then rifle through the contents to see if they're valuable... it's not your fault it was possible for you to break in.

      • It's entirely possible he might have stumbled accidentally over SQL injection. Maybe he was filling in a "Contact Us" form and used some quotation marks or something.

        But instead of stopping there he went in to nose around and see that there were 600,000 users, credit card information, etc., available.

        So it was sort of a cache-22 on his part. He knew, maybe based on the fact that some idiot spit out the output of all SQL statements into some debug statements on the page, that he could just use SHOW TABLES;

  • by Anonymous Coward on Saturday January 11, 2014 @03:16AM (#45924699)

    Do not give what is holy to the dogs; nor cast your pearls before swine, lest they trample them under their feet, and turn and tear you in pieces.

  • This is BS (Score:5, Insightful)

    by Anonymous Coward on Saturday January 11, 2014 @03:30AM (#45924751)
    Whoever posted this should be deleted from /. No where does it say dude was arrested. Learn to read or go back to reddit.
    • by Darinbob (1142669)

      We've known for many years now that Timothy can't actually read.

      • by crossmr (957846)

        I'm not shocked at all that this came from Timothy, I can only guess he must have been on the phone with kdawson at the time he posted it.

      • by phayes (202222)

        It's not that he can't read, it's that he either
        actively edits the article summaries to be misleading and/or controversial, or
        ignores story submissions that aren't misleading & controversial and promotes the later submissions that are (as can be seen by reading the /. firehose)

  • From TFA (Score:3, Informative)

    by AlanS2002 (580378) <sanderal2@@@hotmail...com> on Saturday January 11, 2014 @03:31AM (#45924757) Homepage

    "Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

    HE DID NOT GET ARRESTED. Clearly who ever posted this story can't read.

    • More likely, he figured it wouldn't get accepted if it was utterly uninteresting. Faux outrage is far more compelling.

      • by AlanS2002 (580378)

        You would of thought that who ever accepted it to be posted would of read TFA article and realised it was a crock.

  • We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.

    Anyone with me?

    • by Anonymous Coward on Saturday January 11, 2014 @04:02AM (#45924851)

      No. Education is too expensive. Just replace him with a monkey.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.

      Anyone with me?

      Nope... 't's a lost cause, timothy's cognitive skills are in the atto- range

    • by thegarbz (1787294)

      You assume Timothy is a person rather than an automated computer program that generates summaries.

    • I think it'd cost a lot, and may take waay to much time, as apparent this isn't "Timmy" but rather Timmmyyhh! [youtube.com]
  • by Grismar (840501) on Saturday January 11, 2014 @04:04AM (#45924853)
    ... and gets arrested.
    • No, no. I mean the police were contacted, but the reader was never arrested. Or at least that's what the journalist stated.
  • He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.
    • Re:Metlink IRP (Score:5, Insightful)

      by waynemcdougall (631415) <slashdot@codeworks.gen.nz> on Saturday January 11, 2014 @05:03AM (#45925055) Homepage

      He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.

      No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported.

      Instead they did nothing until exposure of their incompetence was threatened by mainstream media.

      • by SJ2000 (1128057)

        No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported. Instead they did nothing until exposure of their incompetence was threatened by mainstream media.

        It all depends on the IRP, most Australian transport organisations do not have a incident response plan for this report from a member of the public (I.T. or otherwise), but they do have them for various PR issues such as public disclosure of security issue (I.T. or otherwise). I'm not saying it's right I'm just explaining how it occurs, and given the public profile of the incident, I'm not sure I'd want to be the one deviating from the established IRP even if it wasn't written with this in mind.

  • by Tablizer (95088) on Saturday January 11, 2014 @05:27AM (#45925129) Homepage Journal

    To hide from the law, he changed his name to Drop Table All.

  • mod UP - and load rifles for /. 'editor' FIRING line -grin-
  • He hasn't been arrested. The company called the police. Big deal.

    Now can we talk about 'responsible disclosure'? He was a kid, so it isn't surprising that he would go about some things in a bit of a silly way, but he identifies as a white hat so he really needs to get his head around it if he doesn't want to get arrested at some point in the future.
    What happened:
    1. He e-mailed the company about the issue on boxing day, in the middle of the Christmas holiday period. Which e-mail address? (i.e. security, webm

    • Seems very responsible he contact one third party with a good track record. Or do you expect people to wait months/years? SQL injection is pretty low end who is the PCI auditor who missed this?

  • by MegaManSec (3494867) on Saturday January 11, 2014 @08:36AM (#45925629)

    Joshua Rogers here. The kid that this article is about.

    I want to clear something up..

    I have _not_ been arrested(yet).
    I have _not_ been questioned(yet).
    I have _not_ been officially told that I've been reported to the police(yet).

    I'm completly in the blank, as much as the rest of you.
    What I'm expecting to happen:
    They show up at my doorstep asking questions. .. .... ........
    That's it.

    They might ask me to sign something that says I have deleted all the data that I saw.

    If you have any questions, I can be contacted @megamansec..

    • Re: (Score:2, Interesting)

      by BringsApples (3418089)
      Wow. All I can say is wow. You, the person (if that's true, which I have no way to verify) with any real information regarding this, submit information as it is to you (the only one with any actual information regarding this), and you get modded only to +4 Informative. Hell, I've been modded +5 Informative in the past, simply for copy/pasting some information from a link in the summary.

      Ok, so then let's try to verify what happened. How did you find "...a basic security hole that allowed him to access
    • I saw an MySQL error on the page I was viewing. That's it, lol.
  • by ihtoit (3393327) on Saturday January 11, 2014 @08:36AM (#45925631)

    1. pass contract to build "secured" site to lowest bidder
    2. blame some spotty kid for vulnerabilities that he himself reported to you, get him arrested and settle out of court for some seven digit sum which he'll be paying off the rest of his life
    3. use some of that money to fix that single problem ...

    n. PROFIT! Reputation intact but when this hits the wires don't expect to hear of any more vulnerabilities until the next audit.

  • The story and the many of the comments make mention of the 'company' that called the police on the kid that reported the vulnerability. It wasn't a company. I was the, as the article makes clear in it's first sentence:

    "A teenager in Australia who thought he was doing a good deed by reporting a security vulnerability in a government website was reported to the police."

    As much as the dominant culture of Slashdot is the sort that will take every opportunity to implicate private businesses in all manner of ev

    • by iggymanz (596061)

      you must be new here. We also take every opportunity to implicate the twisted and evil organs of government

  • I speak from experience (and a lot of it). Never, ever report this type of bug to the owner of the website, specially if this is a big company (a single person websites are different). Since most of the people who are responsible (in many cases) for the website know nothing of computer security, internet or technology in general. The best thing to do is to forget this issue and the website in question fall victim hackers and ID-theft. It is only after such scandal that something is done about it.

    This people

FORTRAN is a good example of a language which is easier to parse using ad hoc techniques. -- D. Gries [What's good about it? Ed.]

Working...