Australian Teen Reports SQL Injection Vulnerability, Company Calls Police

FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.'"

Incorrect.

[jamesn]

From the article:
"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

He hasn't been arrested.

Re:Was not arrested

[Anonymous Coward]

This. Fucking scummy submitters. Go write your reports to some fantasy news website. I'm not even going to mention the /. "editors"...

Re:Was not arrested

[jones_supa]

I cancel that comment. If you read the line "He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age." carefully, you can see that he only heard from the reporter that the kid had been reported to the police (by TD). D'oh!

From TFA

[AlanS2002]

"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

HE DID NOT GET ARRESTED. Clearly who ever posted this story can't read.

Oringial article on The Age

[AlanS2002]

http://www.theage.com.au/technology/technology-news/schoolboy-hacks-public-transport-victoria-website-20140107-30fkg.html [theage.com.au]

For anyone who is interested

Re:The correct way to "inform the authority"

[VortexCortex]

If leak the info, then when they go looking into the later breech and ding your name linked to the IP address of a prior breech you'll be every bit as much a suspect as the crackers doing harm.

The problem is that the computer fraud and abuse act is too harsh -- It needs an exemption / amnesty for folks who use responsible disclosure after stumbling on a flaw. The real problem is that folks in charge, like the NSA, FBI, etc. would rather you just didn't do any hacking at all. They'd like to have a monopoly on that, so the laws won't change.

If you're not browsing by proxy in this day and age, you're screwed.

Re: Was not arrested

[Darinbob]

He's not in prison...

Although the article does make a mention about someone else who was arrested in the past, an old story that was already here in slashdot. Maybe readers of the article aren't reading for comprehension?

Re:Alias in hiding

[Anonymous Coward]

That's "little Bobby Tables" [xkcd.com].

Not Arrested, Not Questioned, Not Contacted.

[MegaManSec]

Joshua Rogers here. The kid that this article is about.

I want to clear something up..

I have _not_ been arrested(yet).
I have _not_ been questioned(yet).
I have _not_ been officially told that I've been reported to the police(yet).

I'm completly in the blank, as much as the rest of you.
What I'm expecting to happen:
They show up at my doorstep asking questions. .. .... ........
That's it.

They might ask me to sign something that says I have deleted all the data that I saw.

If you have any questions, I can be contacted @megamansec..

Re:Not Arrested, Not Questioned, Not Contacted.

[bill_mcgonigle]

I saw an MySQL error on the page I was viewing. That's it, lol.

If the database driver errors are making it out to the public then it's the systems' developers who should be questioned.

It's a shame you were trying to be helpful and these dorks don't know how to be gracious.

Re:Not Arrested, Not Questioned, Not Contacted.

[MegaManSec]

I just saw a MySQL error on the page, and knew what had happened. My guess is that they don't have staff that can review apache logs to see what I actually viewed.. So, they want to know I don't have 600,000 records on my computer, basically.