Australian Teen Reports SQL Injection Vulnerability, Company Calls Police 287
FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.'"
The law does not care ... (Score:5, Interesting)
If its not your computer and if you don't have the owner's permission you can't do penetration testing without putting yourself at risk.
The correct way to "inform the authority" (Score:4, Interesting)
I've been in this field for decades, and there have been far too many similar cases, like the one that TFA is reporting, happened to too many innocent people.
All of them committed one very sinful mistake - they report the flaws to the authority, the WRONG way.
If you ever discover any vulnerability of any official website / db / whatever, don't tell them, and don't tell the media either.
Most of the reporters are spineless creeps who suck up to the power-that-be.
Instead, you have two options -
1. Keep quite.
2. "leak" the info to some hacking circle and let others do the job for you.
If you ever take the 2nd option, you do need to know how to wipe off all your online traces (mag address, ip address, and so on) so nobody, not even the hackers, can trace you.
Re:Never put your name to it (Score:5, Interesting)
Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.
I'm pretty sure most western countries have a complaints department for law enforcement.
Many years ago in my teenage years in New Zealand, I was chatting to random people on IRC (a pretty new protocol at the time) and there was a guy bragging about bombing a plane - specifically, putting explosives on the landing gear of the plane.
Being young and paranoid, but not yet particularly clever in the ways of the computer security world, I 'anonymously' emailed the police with information about it. My attempts at anonymity were however not good enough and a few days later the police came and took all my computer equipment. The search warrant read "Attempted murder and breach of the telecommunications act" (I still have it, along with the write up I got in the newspaper as a reminder of absurdity). Of course, I was never arrested as I had done nothing illegal.
While that all annoyed me greatly, it didn't annoy me nearly as much as them keeping my stuff for over 3 months before I got it back. When I did finally get it back, the power switch on my main system was physically broken and the HDD was formatted.
I made a complaint to the Police Complaints Authority (a government body) and they ended up writing a letter of apology. So, while complaining certainly didn't do anything useful for me, the point is that there WAS a body for me to complain to.
I'm sure it's a little more complex in countries like the US and Australia since there may be differences by state as well as the federal level to think about, but a quick Google search seems to confirm that complaints departments and/or processes do exist there also.
Re:The correct way to "inform the authority" (Score:4, Interesting)
Sounds like the underlying issue is that some people (who should know better) still believe security through obscurity [wikipedia.org] is a viable way of business.
This also reminds me of the case of Julian Harris. A man in Brisbane who was recently fined $44 for leaving his car window down [couriermail.com.au] while he was away from the car. The reason, is because it makes it easier for a thief to steal things from the car or steal the car itself. So clearly, Australian authorities understand that leaving oneself vulnerable (aka. "security negligence") should be punished even if you're not taken advantage of.
Keeping your car secure isn't always in your best interest.
I once had a $1000 convertible top cut in order to steal a (broken) $150 radio.
Since then I made it a practice to never lock the doors on a convertible. (and never leave anything of value inside)
Re:Brilliant, make them coconspirators (Score:4, Interesting)
2. "leak" the info to some hacking circle and let others do the job for you.
Brilliant, help the kids remove any hope they had for a slap on the wrist by making them a coconspirators in a criminal enterprise.
I agree that involving potential minors presents a moral conundrum, but I think this is mostly a problem with how harshly minors are treated nowadays. Perhaps it's best to include an advisory with any vulnerability details that outline the potential penalties and risks involved with using the information provided. I believe it is the case that "the kids" have shown themselves to be very adept at this work, but I'm dismayed by what happens to them when they're caught (i.e., as though having done something terribly wrong, instead of having helpfully contributed to the security process).
In the meantime, maybe some kind of anonymous WikiLeaks-style clearinghouse for zero-day exploits would be ideal, until the harsh penalties are removed, or the market chooses something other than "zero-day exploit" as the most effective form of security vulnerability disclosure (what with "responsible disclosure" resulting in inaction and/or harsh penalties applied to actors in good faith). (I'm unaware of the current release platform, but I suppose it's an unorganized mixture of web sites and P2P platforms with varying and unknown degrees of risk — a centralized point would make it easier for users and vendors to check if systems important to them have been compromised. News media could also extend its reach.)
If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.
That sounds like a fun learning activity for people who have the time and interest, but sometimes security vulnerabilities are discovered by those who may be regarded as lay-people. Increasingly so, I would guess, as more people are exposed to more technology. I wish they were always aware of the harsh penalties that are often involved in helping to repair security vulnerabilities, — until ideally — harsh penalties are removed as a likely possibility.
Re:Was not arrested (Score:3, Interesting)
Well kids, now you know what the smart thing is to do: don't run pen tests against websites without permission.
Similarly, don't walk down the hall in apartment buildings you don't live in wiggling the door handles. Sure, it's just innocent fun, and you were just doing it so you could write letters to the addresses of doors you found unlocked warning them, but it looks bad.
Re:Not Arrested, Not Questioned, Not Contacted. (Score:2, Interesting)
Ok, so then let's try to verify what happened. How did you find "...a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department."? Why would the cops be 'after' you?