Australian Teen Reports SQL Injection Vulnerability, Company Calls Police 287
FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.'"
Was not arrested (Score:5, Insightful)
The article says he was reported to police, but not arrested or even contacted by the police.
He only even knows he was reported to the police because the journalist told him.
Seriously, can we at least read the article before making up wrong headlines?
did he learn his lesson? (Score:3, Insightful)
Do not give what is holy to the dogs; nor cast your pearls before swine, lest they trample them under their feet, and turn and tear you in pieces.
Re:Was not arrested (Score:5, Insightful)
Perhaps you missed the point, so I'll make it more clear.
While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.
See how that kinda changes the overall theme?
Sure, direct some anger at the idiot company that reported him for this, they are morons and the police should tell them to stop being morons.
But it sounds like they actually might have done just that, because the police did not arrest him.
They did not arrest. The overall theme should be about the idiot company, not the police.
Re:Was not arrested (Score:5, Insightful)
And when the kid grows up, he'll know not to help people, because in the real world, people do not deserve it.
This is BS (Score:5, Insightful)
Brilliant, make them coconspirators (Score:5, Insightful)
2. "leak" the info to some hacking circle and let others do the job for you.
Brilliant, help the kids remove any hope they had for a slap on the wrist by making them a coconspirators in a criminal enterprise.
If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.
Re:The correct way to "inform the authority" (Score:4, Insightful)
So this is the way that Snowden should have done it? I guess now we know that those who say "well, some good came from what he did, but he should have gone about it the right way".
We now know that there is no "right way" to deal with government, other than kick them in the ass.
Re:We need a Kickstarter campaign for Timothy (Score:3, Insightful)
We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.
Anyone with me?
Nope... 't's a lost cause, timothy's cognitive skills are in the atto- range
Re:Metlink IRP (Score:5, Insightful)
He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.
No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported.
Instead they did nothing until exposure of their incompetence was threatened by mainstream media.
Re:The law does not care ... (Score:5, Insightful)
That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism. What actually happens is the prosecution service decides that, in this instance, the law is best left unenforced. This discretion is important, as it's the only way to manage the very complicated system of laws - everyone commits crimes, every day. If every crime was prosecuted, most countries would need to imprison their entire population.
It goes out the window if you manage to upset someone in a position of wealth or power though. Do that, and they will easily find something to prosecute you for.
Re:Was not arrested (Score:3, Insightful)
Re:The correct way to "inform the authority" (Score:4, Insightful)
Sounds like the underlying issue is that some people (who should know better) still believe security through obscurity [wikipedia.org] is a viable way of business.
This also reminds me of the case of Julian Harris. A man in Brisbane who was recently fined $44 for leaving his car window down [couriermail.com.au] while he was away from the car. The reason, is because it makes it easier for a thief to steal things from the car or steal the car itself. So clearly, Australian authorities understand that leaving oneself vulnerable (aka. "security negligence") should be punished even if you're not taken advantage of.
Re:The law does not care ... (Score:5, Insightful)
That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism.
Breaking into a car to get a baby out that is suffering from heat (especially in Australia, where this could be quite severe in some places) is not vandalism, it is self defense. Self defense covers protecting others as well, and allows use of an appropriate amount of violence. Breaking into a car to safe a baby from a heat stroke seems appropriate.
Re:The correct way to "inform the authority" (Score:5, Insightful)
Actually things would have been a lot more pleasant for him had he moved to his place of choice first before doing the leaking.
The long arm of the US does mean there are very few suitable places so maybe Russia really is the best spot (but there was a fair bit of fuss getting there). Maybe he might have preferred Ecuador? Climate seems better there.
I think Snowden's only realistic choices have always been either Russia or China, as they're the only two countries that both a) have the ability to defend their airspace, and have the military strength to stay standing after taking down a US intruder, removing the possibility of a flown-in death squad (e.g., Osama bin Laden) and b) have the political will and economic fortitude to withstand pressure from the US, removing the possibility of a straight-up sell-out, (e.g., Kim Dotcom).
I don't think Assange's idea would have worked for Snowden; Ecuador would have likely caved to extreme pressure from the US, and the US has proven many times it has no qualms about toppling popular democracies, engaging in international terrorism, or intentionally causing widespread human suffering in pursuit of its economic and political interests, particularly in Central/South America, (I think because it's perceived as "belonging to" the US). (Fortunately, those days seem to be behind us, as the US populace wises-up to the atrocities it pays for (cf. the backing down of US war of aggression against Syria, opting for strange, new "diplomacy"-thing with Putin, as if by accident).
Assange's situation is far from ideal, what with his lack of autonomy and ability to go out for a walk, but his decision was made in a sense of immediacy and duress; he didn't have the opportunity for foresight Snowden had. I am glad that he successfully traveled between Hong Kong autonomous region and Russia, though — I cannot imagine the horrors he'd have been subject to at US hands had he failed. My country is a dangerous rogue state [wikipedia.org], not to be trifled with without extreme precautions for one's own well-being.
As for reporting security vulnerabilities, I think the market has indicated that the release of a zero-day exploit is preferred. As here, "responsible disclosure" results in harm to a good-faith actor, while zero-day exploits are quickly patched, and users quickly learn of the danger so that they may take whatever precautions each user deems appropriate until the danger has passed. Unlike many other good-faith actors, most releasers of zero-day exploits seem to know how to exceed the grasp of their targeted beneficiaries.
Re:Was not arrested (Score:4, Insightful)
Except that many important security holes affecting the general population have been found this way. "Grey hat" pentesting (which I'm defining as unapproved but without malicious intent) is of critical importance for pretty much any public-facing system. The "black hat" crowd will be hitting it anyways, and who would you rather have find the problem? The one who'll report it or the one who'll exploit it?
Sure it's a risky thing to do and I sure wouldn't intentionally associate any such behavior with my real identity, but its something we should be encouraging because the other option is worse.
Re:Was not arrested (Score:4, Insightful)
a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs
I'm nominating this to replace "News for Nerds. Stuff that Matters."