Australian Teen Reports SQL Injection Vulnerability, Company Calls Police
FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police."
Was not arrested (Score:5, Insightful)
The article says he was reported to police, but not arrested or even contacted by the police.
He only even knows he was reported to the police because the journalist told him.
Seriously, can we at least read the article before making up wrong headlines?
Re: (Score:2)
According to where I originally read this (Boing Boing) it says he was [boingboing.net].
However, I now see this at the bottom of the Wired article:
Update: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age.
My apologies, title should read someone: Victorian Transportation Department Calls Police After Teen Reports SQL Injection Vulnerability
`sudo mods edit title`
Re: (Score:2)
Fucking autocorrect.
Re: (Score:3)
The article says he was reported to police, but not arrested or even contacted by the police.
He only even knows he was reported to the police because the journalist told him.
Seriously, can we at least read the article before making up wrong headlines?
Please, you've been here longer than I have. Surely you know that the "news" items here aren't meant to be an expression of reality, but a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs. ;o)
Re:Was not arrested (Score:4, Insightful)
a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs
I'm nominating this to replace "News for Nerds. Stuff that Matters."
Re:Was not arrested (Score:5, Insightful)
Perhaps you missed the point, so I'll make it more clear.
While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.
See how that kinda changes the overall theme?
Sure, direct some anger at the idiot company that reported him for this, they are morons and the police should tell them to stop being morons.
But it sounds like they actually might have done just that, because the police did not arrest him.
They did not arrest. The overall theme should be about the idiot company, not the police.
Re:Was not arrested (Score:5, Funny)
Re:Was not arrested (Score:5, Insightful)
And when the kid grows up, he'll know not to help people, because in the real world, people do not deserve it.
Re: Was not arrested (Score:2)
What clink? He wasn't arrested. He hasn't even been approached by the police.
Re: Was not arrested (Score:5, Funny)
Then how did he wind up in prison? He certainly didn't place himself under arrest. I guess we'll just have to hear the rest of the story once he's out on parole, the cops certainly aren't talking.
Re: Was not arrested (Score:5, Informative)
He's not in prison...
Although the article does make a mention about someone else who was arrested in the past, an old story that was already here in slashdot. Maybe readers of the article aren't reading for comprehension?
Re: Was not arrested (Score:5, Funny)
Re: Was not arrested (Score:5, Funny)
I don't see what's so funny about a kid getting arrested.
Re: (Score:2, Funny)
Please, stop with the self-righteous posturing. Where were you when this kid was spending his best years in jail? Where were you when his mother committed suicide?
Re: (Score:3)
Re: (Score:2)
Maybe readers of the article
LOL
You must be new here
Re: (Score:2, Funny)
You know, I really admire your patience with the GP. I can't believe how stupid the GP is, misreading the article like that. If I were you, I'd have thrown the GP in the same jail the hacker kid is.
Re:Was not arrested (Score:5, Funny)
in the meantime let's not forget about the cops who arrested him.
The non-existent ones? This is getting very meta-physical, I may have to make some coffee.
Re:Was not arrested (Score:5, Funny)
Re: (Score:2)
For all you know the cops were told the kid was breaking into their systems, not that he discovered a security vulnerability. And from their point of view, they see someone attempting to break into their systems, not that he was some shining white knight attempting to help them to better security. Once the cops sorted it out, they seem to have let the little wiggler go.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Perhaps you missed the point, so I'll make it more clear. While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.
See how that kinda changes the overall theme?
No, it doesn't. It was the decision of the police to not arrest him (good act of the police by the way). The Transportation Department is still a dork for a) ignoring the bug report and b) acting silly when the information got out.
Re: Was not arrested (Score:3)
Re: (Score:2)
Re:Was not arrested (Score:5, Informative)
Re: (Score:3, Insightful)
Re:Was not arrested (Score:4, Insightful)
Except that many important security holes affecting the general population have been found this way. "Grey hat" pentesting (which I'm defining as unapproved but without malicious intent) is of critical importance for pretty much any public-facing system. The "black hat" crowd will be hitting it anyways, and who would you rather have find the problem? The one who'll report it or the one who'll exploit it?
Sure it's a risky thing to do and I sure wouldn't intentionally associate any such behavior with my real identity, but it's something we should be encouraging because the other option is worse.
Re: (Score:3, Interesting)
Well kids, now you know what the smart thing is to do: don't run pen tests against websites without permission.
Similarly, don't walk down the hall in apartment buildings you don't live in wiggling the door handles. Sure, it's just innocent fun, and you were just doing it so you could write letters to the addresses of doors you found unlocked warning them, but it looks bad.
The law does not care ... (Score:5, Interesting)
If it's not your computer and if you don't have the owner's permission you can't do penetration testing without putting yourself at risk.
Re: (Score:2)
The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.
Actually, it does. Your intentions can make an important difference. One example of this is the good Samaritan who breaks into a car to rescue a baby locked inside on a hot day. He would be guilty of vandalism according to your logic. Same applies here, if the kid notices a vulnerability and reports it without unnecessarily retrieving data, he is obviously a good Samaritan.
Re: (Score:2)
The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.
Actually, it does. Your intentions can make an important difference. One example of this is the good Samaritan who breaks into a car to rescue a baby locked inside on a hot day. He would be guilty of vandalism according to your logic. Same applies here, if the kid notices a vulnerability and reports it without unnecessarily retrieving data, he is obviously a good Samaritan.
Your analogy is flawed. The vulnerable data is not in plain sight to an innocent bystander as the baby in the car is. A better analogy would be someone sees a panel van and wonders if they can break into it. They do and once they have opened the door they find a baby in distress. They were not aware of the baby until after the break in.
Re: (Score:2)
The problem is that virtual and physical security work differently.
If a window does not close properly, that is not something to be all that much concerned about. The number of people who will find out is likely small, and any burglar will have to find out about the broken lock and be near the window to exploit it. Even if there is a break-in, the loss is probably going to be less than $10000, easily affordable for society as a whole. If everyone starts checking all the windows they pass by, society as a wh
Re:The law does not care ... (Score:5, Insightful)
That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism. What actually happens is the prosecution service decides that, in this instance, the law is best left unenforced. This discretion is important, as it's the only way to manage the very complicated system of laws - everyone commits crimes, every day. If every crime was prosecuted, most countries would need to imprison their entire population.
It goes out the window if you manage to upset someone in a position of wealth or power though. Do that, and they will easily find something to prosecute you for.
Re:The law does not care ... (Score:5, Insightful)
That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism.
Breaking into a car to get a baby out that is suffering from heat (especially in Australia, where this could be quite severe in some places) is not vandalism, it is self defense. Self defense covers protecting others as well, and allows use of an appropriate amount of violence. Breaking into a car to save a baby from a heat stroke seems appropriate.
The law does care (Score:2)
Re: (Score:2)
no, this is running into a burning school and coming out with an unconscious child who was not marked in the register. Nobody knows he was in there, not even you, but notwithstanding the fact that you're a fucking hero to the kid, his friends and his parents, technically you had no business being in the building and therefore stand to be arrested and charged with trespass.
Re: (Score:2)
Well I guess the key question is why he was doing the "research" to begin with
If he was actively using portscanners and other tools to try to find exploitable systems on the internet, his intentions are questionable.
I guess with SQL injection it's conceivable he could have simply been filling in something like a comment form, and gotten an error when the form wasn't properly handled....
From TFA "Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability"
However, TFA also sta
Re: (Score:2)
On the other hand, the Russians and Chinese can penetrate virtually risk-free.
Incorrect. (Score:5, Informative)
From the article:
"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."
He hasn't been arrested.
Idiots (Score:5, Funny)
Re: (Score:2)
If you put a high powered microphone to a safe, pick the lock and then rifle through the contents to see if they're valuable... it's not your fault it was possible for you to break in.
Re: (Score:2)
It's entirely possible he might have stumbled accidentally over SQL injection. Maybe he was filling in a "Contact Us" form and used some quotation marks or something.
But instead of stopping there he went in to nose around and see that there were 600,000 users, credit card information, etc., available.
So it was sort of a cache-22 on his part. He knew, maybe based on the fact that some idiot spit out the output of all SQL statements into some debug statements on the page, that he could just use SHOW TABLES;
did he learn his lesson? (Score:3, Insightful)
Do not give what is holy to the dogs; nor cast your pearls before swine, lest they trample them under their feet, and turn and tear you in pieces.
This is BS (Score:5, Insightful)
Re: (Score:3)
We've known for many years now that Timothy can't actually read.
Re: (Score:3)
I'm not shocked at all that this came from Timothy, I can only guess he must have been on the phone with kdawson at the time he posted it.
Re: (Score:2)
It's not that he can't read, it's that he either
actively edits the article summaries to be misleading and/or controversial, or
ignores story submissions that aren't misleading & controversial and promotes the later submissions that are (as can be seen by reading the /. firehose)
From TFA (Score:3, Informative)
"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."
HE DID NOT GET ARRESTED. Clearly whoever posted this story can't read.
Re: (Score:2)
More likely, he figured it wouldn't get accepted if it was utterly uninteresting. Faux outrage is far more compelling.
Re: (Score:2)
You would have thought that whoever accepted it to be posted would have read TFA article and realised it was a crock.
Original article on The Age (Score:5, Informative)
http://www.theage.com.au/technology/technology-news/schoolboy-hacks-public-transport-victoria-website-20140107-30fkg.html [theage.com.au]
For anyone who is interested
Re:Original article on The Age (Score:4, Funny)
For anyone who is interested
No thanks, we like being uninformed here.
Re: (Score:3)
No thanks, we like being uninformed here.
What did you say that for? I was perfectly happy not knowing.
We need a Kickstarter campaign for Timothy (Score:5, Funny)
We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.
Anyone with me?
Re:We need a Kickstarter campaign for Timothy (Score:5, Funny)
No. Education is too expensive. Just replace him with a monkey.
Re: (Score:3, Insightful)
We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.
Anyone with me?
Nope... 't's a lost cause, timothy's cognitive skills are in the atto- range
Re: (Score:2)
You assume Timothy is a person rather than an automated computer program that generates summaries.
Re: (Score:2)
Slashdot reader points out error in headline ... (Score:5, Funny)
Re: (Score:2)
Metlink IRP (Score:2)
Re:Metlink IRP (Score:5, Insightful)
He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.
No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported.
Instead they did nothing until exposure of their incompetence was threatened by mainstream media.
Re: (Score:2)
No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported. Instead they did nothing until exposure of their incompetence was threatened by mainstream media.
It all depends on the IRP, most Australian transport organisations do not have an incident response plan for this report from a member of the public (I.T. or otherwise), but they do have them for various PR issues such as public disclosure of security issue (I.T. or otherwise). I'm not saying it's right I'm just explaining how it occurs, and given the public profile of the incident, I'm not sure I'd want to be the one deviating from the established IRP even if it wasn't written with this in mind.
Alias in hiding (Score:5, Funny)
To hide from the law, he changed his name to Drop Table All.
Re: (Score:2)
'); DROP TABLE All;--
Slashdot reader points out error in headline ... ( (Score:2)
Responsible disclosure, anyone? (Score:2)
He hasn't been arrested. The company called the police. Big deal.
Now can we talk about 'responsible disclosure'? He was a kid, so it isn't surprising that he would go about some things in a bit of a silly way, but he identifies as a white hat so he really needs to get his head around it if he doesn't want to get arrested at some point in the future.
What happened:
1. He e-mailed the company about the issue on boxing day, in the middle of the Christmas holiday period. Which e-mail address? (i.e. security, webm
Re: (Score:3)
Seems very responsible: he contacted one third party with a good track record. Or do you expect people to wait months/years? SQL injection is pretty low end; who is the PCI auditor who missed this?
Not Arrested, Not Questioned, Not Contacted. (Score:5, Informative)
Joshua Rogers here. The kid that this article is about.
I want to clear something up..
I have _not_ been arrested(yet).
I have _not_ been questioned(yet).
I have _not_ been officially told that I've been reported to the police(yet).
I'm completely in the blank, as much as the rest of you. .. .... ........
What I'm expecting to happen:
They show up at my doorstep asking questions.
That's it.
They might ask me to sign something that says I have deleted all the data that I saw.
If you have any questions, I can be contacted @megamansec..
Re: (Score:2, Interesting)
Ok, so then let's try to verify what happened. How did you find "...a basic security hole that allowed him to access
Re:Not Arrested, Not Questioned, Not Contacted. (Score:5, Informative)
Re: (Score:2)
Re:Not Arrested, Not Questioned, Not Contacted. (Score:5, Informative)
I saw an MySQL error on the page I was viewing. That's it, lol.
If the database driver errors are making it out to the public then it's the systems' developers who should be questioned.
It's a shame you were trying to be helpful and these dorks don't know how to be gracious.
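As an added illustration of the point in the comment above (not code from the thread or from the Metlink site): the same lookup written once with concatenated input and the driver error echoed to the visitor, and once with a bound parameter and a generic error message. The table, function names and sample rows are hypothetical, and Python's sqlite3 stands in for the MySQL backend.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app.db")


def make_db():
    """Constructed sample data; sqlite3 stands in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (surname, email) VALUES (?, ?)",
        [("O'Brien", "obrien@example.test"), ("Nguyen", "nguyen@example.test")],
    )
    return conn


def lookup_vulnerable(conn, surname):
    """'Before': input is concatenated into the SQL text and the raw
    driver error is returned to the visitor."""
    sql = "SELECT email FROM customers WHERE surname = '" + surname + "'"
    try:
        rows = conn.execute(sql).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as exc:
        # An ordinary surname with an apostrophe is enough to end up here.
        # The response discloses the query and confirms that user input
        # reaches the SQL parser.
        return 500, f"Database error: {exc} in query: {sql}"


def lookup_hardened(conn, surname):
    """'After': bound parameter, input bounds, generic error to the
    visitor, full details only in the server-side log."""
    if not isinstance(surname, str) or not 0 < len(surname) <= 64:
        return 400, "Invalid surname."
    try:
        rows = conn.execute(
            "SELECT email FROM customers WHERE surname = ?", (surname,)
        ).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error:
        # The reference lets support staff find the traceback in the log
        # without showing any database detail on the page.
        incident = uuid.uuid4().hex[:12]
        log.exception("customer lookup failed incident=%s", incident)
        return 500, f"Something went wrong (reference {incident})."


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "O'Brien"))  # driver error leaks to the page
    print(lookup_hardened(db, "O'Brien"))    # apostrophe handled as data
```
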
way to cover your arses (Score:3)
1. pass contract to build "secured" site to lowest bidder ...
2. blame some spotty kid for vulnerabilities that he himself reported to you, get him arrested and settle out of court for some seven digit sum which he'll be paying off the rest of his life
3. use some of that money to fix that single problem
n. PROFIT! Reputation intact but when this hits the wires don't expect to hear of any more vulnerabilities until the next audit.
Company? This involved a government agency, not a (Score:2)
The story and many of the comments make mention of the 'company' that called the police on the kid that reported the vulnerability. It wasn't a company. I was the, as the article makes clear in its first sentence:
"A teenager in Australia who thought he was doing a good deed by reporting a security vulnerability in a government website was reported to the police."
As much as the dominant culture of Slashdot is the sort that will take every opportunity to implicate private businesses in all manner of ev
Re: (Score:2)
you must be new here. We also take every opportunity to implicate the twisted and evil organs of government
Let them burn (Score:2)
I speak from experience (and a lot of it). Never, ever report this type of bug to the owner of the website, especially if this is a big company (single-person websites are different). Since most of the people who are responsible (in many cases) for the website know nothing of computer security, internet or technology in general. The best thing to do is to forget this issue and let the website in question fall victim to hackers and ID-theft. It is only after such scandal that something is done about it.
This people
The correct way to "inform the authority" (Score:4, Interesting)
I've been in this field for decades, and there have been far too many similar cases, like the one that TFA is reporting, happened to too many innocent people.
All of them committed one very sinful mistake - they report the flaws to the authority, the WRONG way.
If you ever discover any vulnerability of any official website / db / whatever, don't tell them, and don't tell the media either.
Most of the reporters are spineless creeps who suck up to the power-that-be.
Instead, you have two options -
1. Keep quite.
2. "leak" the info to some hacking circle and let others do the job for you.
If you ever take the 2nd option, you do need to know how to wipe off all your online traces (mag address, ip address, and so on) so nobody, not even the hackers, can trace you.
Re:The correct way to "inform the authority" (Score:5, Funny)
This sentence is quite incomplete.
Brilliant, make them coconspirators (Score:5, Insightful)
2. "leak" the info to some hacking circle and let others do the job for you.
Brilliant, help the kids remove any hope they had for a slap on the wrist by making them coconspirators in a criminal enterprise.
If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.
Re:Brilliant, make them coconspirators (Score:4, Interesting)
2. "leak" the info to some hacking circle and let others do the job for you.
Brilliant, help the kids remove any hope they had for a slap on the wrist by making them coconspirators in a criminal enterprise.
I agree that involving potential minors presents a moral conundrum, but I think this is mostly a problem with how harshly minors are treated nowadays. Perhaps it's best to include an advisory with any vulnerability details that outline the potential penalties and risks involved with using the information provided. I believe it is the case that "the kids" have shown themselves to be very adept at this work, but I'm dismayed by what happens to them when they're caught (i.e., as though having done something terribly wrong, instead of having helpfully contributed to the security process).
In the meantime, maybe some kind of anonymous WikiLeaks-style clearinghouse for zero-day exploits would be ideal, until the harsh penalties are removed, or the market chooses something other than "zero-day exploit" as the most effective form of security vulnerability disclosure (what with "responsible disclosure" resulting in inaction and/or harsh penalties applied to actors in good faith). (I'm unaware of the current release platform, but I suppose it's an unorganized mixture of web sites and P2P platforms with varying and unknown degrees of risk — a centralized point would make it easier for users and vendors to check if systems important to them have been compromised. News media could also extend its reach.)
If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.
That sounds like a fun learning activity for people who have the time and interest, but sometimes security vulnerabilities are discovered by those who may be regarded as lay-people. Increasingly so, I would guess, as more people are exposed to more technology. I wish they were always aware of the harsh penalties that are often involved in helping to repair security vulnerabilities, — until ideally — harsh penalties are removed as a likely possibility.
Re:The correct way to "inform the authority" (Score:5, Informative)
If you leak the info, then when they go looking into the later breach and find your name linked to the IP address of a prior breach you'll be every bit as much a suspect as the crackers doing harm.
The problem is that the computer fraud and abuse act is too harsh -- It needs an exemption / amnesty for folks who use responsible disclosure after stumbling on a flaw. The real problem is that folks in charge, like the NSA, FBI, etc. would rather you just didn't do any hacking at all. They'd like to have a monopoly on that, so the laws won't change.
If you're not browsing by proxy in this day and age, you're screwed.
Re:The correct way to "inform the authority" (Score:5, Funny)
If you're not browsing by proxy in this day and age, you're screwed.
But baby, proxies don't feel natural! I'll pull out before I post my comment, I promise.
Re:The correct way to "inform the authority" (Score:5, Funny)
Re: (Score:2)
Re: (Score:3)
What about sending the information anonymously?
Though this will likely result in a low-level communications clerk dismissing your message as some paranoid crank before it even gets to the technical staff.
Re:The correct way to "inform the authority" (Score:4, Insightful)
Sounds like the underlying issue is that some people (who should know better) still believe security through obscurity [wikipedia.org] is a viable way of business.
This also reminds me of the case of Julian Harris. A man in Brisbane who was recently fined $44 for leaving his car window down [couriermail.com.au] while he was away from the car. The reason, is because it makes it easier for a thief to steal things from the car or steal the car itself. So clearly, Australian authorities understand that leaving oneself vulnerable (aka. "security negligence") should be punished even if you're not taken advantage of.
Re:The correct way to "inform the authority" (Score:4, Interesting)
Sounds like the underlying issue is that some people (who should know better) still believe security through obscurity [wikipedia.org] is a viable way of business.
This also reminds me of the case of Julian Harris. A man in Brisbane who was recently fined $44 for leaving his car window down [couriermail.com.au] while he was away from the car. The reason, is because it makes it easier for a thief to steal things from the car or steal the car itself. So clearly, Australian authorities understand that leaving oneself vulnerable (aka. "security negligence") should be punished even if you're not taken advantage of.
Keeping your car secure isn't always in your best interest.
I once had a $1000 convertible top cut in order to steal a (broken) $150 radio.
Since then I made it a practice to never lock the doors on a convertible. (and never leave anything of value inside)
Re: (Score:3)
Maybe he just didn't want the thief to break his window. If you leave it rolled down they can take what they want without damaging your car.
Re: (Score:3)
No. You only have option 1. It is unlikely that you are able to hide your traces well enough that no one can find you. If you discovered an SQL vulnerability, you can be reasonably certain that the request was logged. If no one else exploits it around the same time, that log entry will likely never be found -- if they were diligent, they would not have an SQL injection problem in the first place.
If the vulnerability gets widely known, there will be people looking for the first instance it was exploited. The
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re:The correct way to "inform the authority" (Score:4, Insightful)
So this is the way that Snowden should have done it? I guess now we know that those who say "well, some good came from what he did, but he should have gone about it the right way".
We now know that there is no "right way" to deal with government, other than kick them in the ass.
Re: (Score:2)
This may be OT but still. It seems to me we in the West are facing something bigger than usual incompetence and corruption which society can fix itself by sta
Re:The correct way to "inform the authority" (Score:5, Insightful)
Actually things would have been a lot more pleasant for him had he moved to his place of choice first before doing the leaking.
The long arm of the US does mean there are very few suitable places so maybe Russia really is the best spot (but there was a fair bit of fuss getting there). Maybe he might have preferred Ecuador? Climate seems better there.
I think Snowden's only realistic choices have always been either Russia or China, as they're the only two countries that both a) have the ability to defend their airspace, and have the military strength to stay standing after taking down a US intruder, removing the possibility of a flown-in death squad (e.g., Osama bin Laden) and b) have the political will and economic fortitude to withstand pressure from the US, removing the possibility of a straight-up sell-out, (e.g., Kim Dotcom).
I don't think Assange's idea would have worked for Snowden; Ecuador would have likely caved to extreme pressure from the US, and the US has proven many times it has no qualms about toppling popular democracies, engaging in international terrorism, or intentionally causing widespread human suffering in pursuit of its economic and political interests, particularly in Central/South America, (I think because it's perceived as "belonging to" the US). (Fortunately, those days seem to be behind us, as the US populace wises-up to the atrocities it pays for (cf. the backing down of US war of aggression against Syria, opting for strange, new "diplomacy"-thing with Putin, as if by accident).
Assange's situation is far from ideal, what with his lack of autonomy and ability to go out for a walk, but his decision was made in a sense of immediacy and duress; he didn't have the opportunity for foresight Snowden had. I am glad that he successfully traveled between Hong Kong autonomous region and Russia, though — I cannot imagine the horrors he'd have been subject to at US hands had he failed. My country is a dangerous rogue state [wikipedia.org], not to be trifled with without extreme precautions for one's own well-being.
As for reporting security vulnerabilities, I think the market has indicated that the release of a zero-day exploit is preferred. As here, "responsible disclosure" results in harm to a good-faith actor, while zero-day exploits are quickly patched, and users quickly learn of the danger so that they may take whatever precautions each user deems appropriate until the danger has passed. Unlike many other good-faith actors, most releasers of zero-day exploits seem to know how to exceed the grasp of their targeted beneficiaries.
Re:Never put your name to it (Score:5, Interesting)
Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.
I'm pretty sure most western countries have a complaints department for law enforcement.
Many years ago in my teenage years in New Zealand, I was chatting to random people on IRC (a pretty new protocol at the time) and there was a guy bragging about bombing a plane - specifically, putting explosives on the landing gear of the plane.
Being young and paranoid, but not yet particularly clever in the ways of the computer security world, I 'anonymously' emailed the police with information about it. My attempts at anonymity were however not good enough and a few days later the police came and took all my computer equipment. The search warrant read "Attempted murder and breach of the telecommunications act" (I still have it, along with the write up I got in the newspaper as a reminder of absurdity). Of course, I was never arrested as I had done nothing illegal.
While that all annoyed me greatly, it didn't annoy me nearly as much as them keeping my stuff for over 3 months before I got it back. When I did finally get it back, the power switch on my main system was physically broken and the HDD was formatted.
I made a complaint to the Police Complaints Authority (a government body) and they ended up writing a letter of apology. So, while complaining certainly didn't do anything useful for me, the point is that there WAS a body for me to complain to.
I'm sure it's a little more complex in countries like the US and Australia since there may be differences by state as well as the federal level to think about, but a quick Google search seems to confirm that complaints departments and/or processes do exist there also.
Re: (Score:2)
this is fucking Slashdot, where the editors mangle the shit out of submissions, injecting spelling and grammatical errors where there previously were none, inject links where there were none, and take submissions completely out of context and repost them as original work. I won't be doing that again. Fuckers.
Re: (Score:2)
yet he is still vilified as a paedophile.
To borrow from the contemporary slang: smh.