Teen Reported to Police After Finding Security Hole in Website (wired.com)
146 points by Libertatea on Jan 9, 2014 | hide | past | favorite | 117 comments


In high school I was blacklisted from an admin position for demonstrating that you could write in Digital Command Language a program that simulated the login environment, stored login attempts, and then after three tries exited to the real login environment to let the user in. In college I was nearly expelled for just mentioning to the IT guys that they didn't have a password on some database, and I could get in with just telnet. These attitudes haven't changed much since 1990 at least.


> These attitudes haven't changed much since 1990 at least.

Why would they?

A blatant oversight is a sign of incompetence and by making such incompetence public, you're threatening their job security. Why would anyone react positively?

You're better off making the disclosure anonymously.


> You're better off making the disclosure anonymously.

When the info comes from an anonymous source they can't take their frustration out on the messenger. (Instead of thanking the messenger as they should.) I don't get why these hackers often give up their anonymity.


> I don't get why these hackers often give up their anonymity.

My guess is that it's because they're hackers, and they don't expect that the other side consists mostly of boring incompetents with zero sense of humour or professional pride. Geez, if I were to ever be responsible for ITSEC in a school, I'd take such a hacker for a beer and dare him to try and break some more stuff. The state of mind which leads people to prosecute hackers is a very sad one.


Funny enough, I did the exact same thing when I was in high school, only we were running Novell on NT4 and I did it in BASIC and started it from autorun.bat, which loaded before the network login screen.

It would let you try one time, tell you you entered the wrong password (saving it to file) and exit, at which point Windows would load the Novell login screen that looked exactly the same.

Good times.


Hah! Exact same thing, I used... Borland Basic, IIRC, to build the executable that I called from autorun.

I collected many passwords - I never used them or intended to, I just wanted to see if I could do it.

I made the classic mistake though - I told someone about it. A few days later word got around. I was suspended for a week and was banned from computers for the rest of my time there.

Edit: Now that I think about it (I haven't in years): What kind of response is that? Someone shows some creative thinking and does so in a way that is obviously[1] quite naive/without ill intent. While I understand that you want to discourage the specific behavior, perhaps steering the culprit to use talents with more foresight would have been a better answer.

[1] Looking back, I was something of an asshat in the personal skills department so it's entirely possible that they simply didn't believe my lack of nefarious intent.


Actually, I doubt it had anything to do with your personality (and if it did, shame on the authority figures - and the same is true if they were reacting to being made to look foolish). No, instead I imagine this was a pure security play: you had a bunch of passwords, and you hadn't done anything with them yet. But they would have had to believe that (and chances are they had no way to independently verify this) and in addition that you would never do anything with them in the future. The second claim is rather tougher to believe than the first.

So in the simplest possible manner you became a "known threat", and they dealt with you in the simplest possible manner, digital ostracism.

Now we can all tell the alternative story, about the wise teacher who sees something special about us in the misdeed, and who takes the time and the risk to cultivate that positive seed rather than throw the baby out with the bathwater, so to speak. Our very own Mr. Miyagi to save us from a misspent youth, and who understands our behavior as an expression of exploration ignoring limits, outsmarting the system, rather than your basic mean-spirited destruction for no reason. (Although tagging and hacking do share many qualities, and both are driven, I think, by a young man's desire to prove himself, and yes, even aggrandize himself as someone special - bold, clever, crafty, and someone who can't be "kept down by the man". Rebellious, but also desperately needing to prove himself.)

(Of course in this story the Mr. Miyagi would have hacked onto your personal systems, encrypted the passwords you'd stored, and then left a personal message notifying you that if you wish to understand what he did and how he did it, he'll meet you after school in room 10 for a primer on real hacking.)


I too did something similar in high school. We were running Novell on either Windows 98 or 95 (can't recall now the specific version). I started the Visual Basic program using the autorun.bat like you, except instead of presenting a fake login dialog, my program would listen for the OK button click event in the real dialog (using the Windows API) and would get the contents of the username and password textboxes and then POST them to a web server a fellow classmate had set up. This had the advantage that it was completely invisible to the end user. The program was also hidden from Task Manager (also using the Windows API).

We did end up getting the admin password and getting access to the server. I had written another program (also in VB) that would run hidden in the background and randomly open and close the CD-ROM drive. I uploaded this program to the server and attempted to get it to push to all of the computers in the school, but I don't believe I was successful as I didn't really know anything about Novell and never saw it working on any machines.

One of my fellow classmates also found the school's SOCKS proxy so we were able to run AIM and ICQ on the school machines. Our teacher pretty much let us do whatever we wanted in that class. It was my third year taking a programming class with her and she allowed the advanced students to work on their own projects. In that class I also wrote a Group/IM chat client in VB with a Perl server. As GrinningFool said, responding to teens who are obviously interested in computers with bans or expulsion or worse is just stupid. If I hadn't had the freedoms that my teacher gave us in those classes, I wouldn't have learned anywhere near as much as I did.


Wasn't that autoexec.bat? I could be wrong here, but I think that's what I used ;) Same methods!


Witches were burned at the stake; basic human reactions have not evolved since the Dark Ages. So the basic premise of the somewhat trivialistic movie "Hackers" (the one with Jonny Lee Miller) holds: the rest of the world is sheep (and it will get worse as we migrate from general-purpose computing to specialized devices). Most of the world is made up of unwashed masses that consider computing something that resembles magic; you only scare and confuse them by talking about all the smart things that they do not really understand or grasp.

I'll conjure up the respected Arthur C. Clarke's third law: Any sufficiently advanced technology is indistinguishable from magic. Put scared people and magic together and you've got bonfires going. This is why hackers rot in jail for longer than murderous psychopaths.

But then again I was more of a black hat for most of my life than white.

my 2c


I was threatened with a ban on computers at high school from my middle school.. because I had copied game demos to other users' accounts. [They gave me their username and password]

I also figured out how to access the middle school's library database without a login. [That wasn't secured, nor did it require a password]

Also, nearly got in trouble with the IT administrators at my high school because I found out how to send Novell messages.

I was a very bored kid.


I was put into isolation for three weeks during high school when I was found to be hacking my way through the network. In reality I had found access to the remote server through the winword.exe open dialog that didn't require passwords and was displaying in the list of network drives, but didn't in explorer.

Because I found this, I was able to find the RM (Research Machines) Management Console and use a teacher's (actually the deputy head's) password "teacher" (no word of a lie) to create a hidden admin user in the list of student accounts. Through this I could get to RM Tutor 3 which allowed me to control every PC in the school.

I was gathering information to give to the IT staff, but I was grassed on instead, so I was in the wrong. I spent 3 weeks explaining everything and how to fix it, then I was allowed to continue my quest so long as I asked permission and gave info straight away rather than hoarding it.

Apparently if I had denied it they would've got the police involved, but I was honest and upfront when they asked me.

My brother started the same school three years ago (I've been gone for 8 years) and I was still able to access a few things with the remote panel — after which I alerted the school to it. I don't think they were best pleased to hear from me...


> Apparently if I had denied it they would've got the police involved, but I was honest and upfront when they asked me.

The problem is that this is usually a terrible gamble to make. I'm glad it worked out for you, but my general advice for anybody else would be not to talk to the administrators, the same way you should never talk to the police.

You never know if they're going to involve the police anyway after you spill the beans, and if they do, you'd rather they do it without already having a confession from you.


> You never know if they're going to involve the police anyway after you spill the beans, and if they do, you'd rather they do it without already having a confession from you.

I was definitely worried about this, but I figured that if anything, I've not lied to anybody, so I'd be happy with myself.


> if anything, I've not lied to anybody, so I'd be happy with myself.

Unfortunately, that's not the way police encounters work in practice. Even if you've done nothing wrong, talking to the police can really only hurt you. For example, this re-enactment is based on a true story in which an old lady in Baltimore was convicted of drug possession because some neighborhood children had left a dime bag under her sofa (which she didn't even know about): https://www.youtube.com/watch?v=s7RYH8Py6lY [0]

Just because you think you've done nothing wrong doesn't mean others will agree, especially when it's their job to think you're guilty.

[0] This is part of an hour-long video which shows several more cases like this, but for some reason I can't find the full version anymore.


So you don't report it at all? That would be irresponsible, as the holes would remain.

Or you report it anonymously? Then, depending on how you got the access, they may find out who you are anyway from the logs.

It's a reasonable course of action.


Well, this underscores the problem with the current state of affairs. In general, the person who discovers the vulnerability has every incentive not to disclose it. They have nothing to gain, and they take quite a risk in doing so.


> I had found access to the remote server [...]. I was able to find the [...] Management Console and use a teachers [...] password [...] create a hidden admin user [...]. Through this I could [...] control every PC in the school.

And this is why we can't have nice things. Admins at The Age (in this case) see someone trying to "report" a vulnerability and instantly jump to the conclusion that the user is someone like you, who has already compromised and exploited the system and at this point just wants to gloat on top of it all.

Surely there is a spectrum between white and black hat hacking. But this is over the line, sorry. Once you start trying to guess passwords and modifying state to add backdoors (seriously!?), you have to reasonably expect the rest of us to try to resist and suppress you, by law enforcement if necessary.


I don't see the point in bringing the legal hammer down on a student. With security holes this large and gaping, it's the system administrator that needs to change the way they do things. For instance, monitor the creation of new admin accounts, monitor logged data for events that indicate a breach, enforce some minimal level of password difficulty, etc. This sort of malfeasance seems like _exactly_ what the sysadmin at a school should be expecting: someone who waltzes up to the login prompt and types the first thing that comes to mind.

Personally, I don't think this or anything close should be made illegal. Who was hurt? What was the damage and the cost? Private data was likely at risk, and maybe there's a case to be made there, but I'm not entirely convinced that shouldn't be laid at the feet of the organization for shoddy security practices.
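The comment above lists three things a school sysadmin could do instead of calling the police: watch for new admin accounts, look in the logs for breach indicators, and enforce a minimum password quality. As an added illustration (not code from any commenter in this thread, and not from any real product), the following script runs that kind of check over a handful of constructed audit-log lines. The log format, the user names, and the thresholds are all assumptions made for the example; the scenario it flags is the one described earlier in the thread, where a short burst of failed logins on a staff account is followed by that account creating a new admin user.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines. The format ("timestamp key=value ...") and the
# names in it are assumptions for this example, not output of any real system.
SAMPLE_LOG = """\
2014-01-09T08:00:01 user=deputyhead event=login result=fail
2014-01-09T08:00:04 user=deputyhead event=login result=fail
2014-01-09T08:00:07 user=deputyhead event=login result=fail
2014-01-09T08:00:09 user=deputyhead event=login result=ok
2014-01-09T08:01:30 user=deputyhead event=user_created target=stu4471 role=admin
2014-01-09T08:05:00 user=alice event=login result=ok
2014-01-09T08:06:00 user=alice event=user_created target=bob role=student
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value key=value' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts"))}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(log_text, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alert strings for admin-account creation and for the
    'password guessing, then admin creation' pattern."""
    alerts = []
    fails = defaultdict(list)  # user -> timestamps of failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec.get("user")
        if rec.get("event") == "login" and rec.get("result") == "fail":
            fails[user].append(rec["ts"])
        elif rec.get("event") == "user_created" and rec.get("role") == "admin":
            # Every new admin account is worth a human look.
            alerts.append(f"ADMIN_CREATED {user} -> {rec.get('target')} "
                          f"at {rec['ts'].isoformat()}")
            # Stronger signal: the creating account was being guessed at just before.
            recent = [t for t in fails[user] if rec["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(f"GUESSING_THEN_ADMIN {user}: {len(recent)} failed "
                              f"logins within {window} before creating {rec.get('target')}")
    return alerts


def password_policy_ok(password, min_len=12,
                       denylist=frozenset({"teacher", "password", "admin"})):
    """Minimal password policy: a length floor plus a small denylist of
    words a student would try first. The list here is illustrative."""
    return len(password) >= min_len and password.lower() not in denylist


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print("policy accepts 'teacher':", password_policy_ok("teacher"))
```

Run as-is it prints two alerts for the constructed log (one for the admin account creation, one for the failed-login burst that preceded it) and nothing for the student account alice creates. The point of the second rule is that an account creation by itself is normal administrative work; it is the combination with a guessing pattern on the same account minutes earlier that separates "the deputy head made a new admin" from "someone who typed the first thing that came to mind made a new admin".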


I don't know if it is the times that have changed, or it's just that old stories were all romantic, but I get the feeling that nowadays IT staff has no sense of humour or understanding of the concept of having (creative) fun.

> Once you start trying to guess passwords and modifying state to add backdoors (seriously!?), you have to reasonably expect the rest of us to try to resist and suppress you, by law enforcement if necessary.

In this setting (a school) I'd reasonably expect the "rest of you" to play the game, not to swing the legal hammer. If your system is so easily compromised, you should feel professional shame and try to atone, not reach for law enforcement and general grown-up dullness. Especially given that this is a school: one would hope that everything there, including the computer infrastructure, would be a part of the learning experience, as long as no one gets seriously hurt.

BTW. in my high school, the school server and computer rooms were managed by students, not teachers or any hired staff. Everything worked well most of the time, and at the same time every generation of students was busy putting their backdoors everywhere, while searching and removing ones left by their predecessors. It was fun, and we learned a lot.


It's definitely more harmful long term to arrest rather than reward. Arresting people for reporting security vulnerabilities only makes the people who would do so reluctant or even afraid of the repercussions. Meanwhile those who exploit maliciously will continue to not report their findings. If I was to find a security vulnerability in a site I frequent, I'd most likely stay quiet about it out of fear of legal ramifications.


After such a motivating action from the govt., they'll simply sell the vulnerabilities for some BTC to someone else.


...and now, all future holes in that site will be sold instead of reported to the owners.

I'm fine with that.


The problem is that this property transfers to other websites. I'd much rather a 16 year old report problems with my website to me, but if she doesn't because of fears that I will call the police as other webmasters have, I'm worse off as a result.

This is bad news for everyone who runs a website.


This is why you should have a page describing your security reporting process.

> (1) Have a security contact, (2) publish a GPG key and accept GPG mail, (3) respond promptly with a "security flaw ID".

https://news.ycombinator.com/item?id=640367


This highlights the importance of having a visible bug bounty program (or at least something very basic) that clearly states that you take security seriously and appreciate/reward (whatever you prefer) bug reports from security researchers.


It's a Government site, there's really no up-side to future issues being sold.


This seems to be the state of society we are in: If somebody uncovers a problem that exists, he is reported to the police. But if one organization spies on everybody and uses the data in irresponsible ways, they are promoted.

I have no doubt that the coming generations will have big difficulties distinguishing between right and wrong.

We don't have the problem now with single fallen states, but with a fallen human kind.


[deleted]


A seam is a join in fabric. You guys mean to say "It seems" which is like "It appears that".

I don't mean to be a dick, just a friendly correction :)


Thanks for the friendly correction!

I am no native speaker and every friendly correction is helpful, of course!

Trouble with spelling correction: It does not understand context and thus lets you run into wrong wording ....


Meta: I've mentioned it before here - why is standard spell-checking so lame. The phrase "It seams that" is only going to be correct about 1 in a few-million times ["if you bend it seams that have high pressure applied will burst", maybe].

If I was clever enough I could probably fix it; I've heard that phrase based analysis is used for translation. Most homophonic spelling errors seem fixable using automated lexical context analysis.

Seems there is movement in mobile spell-check and word suggestion but not in desktop?


One of the Senior Thesis presentations at my college last year was someone working on a context spell-checker. I don't know if his demo could suggest a better word, but it would highlight words that seemed wrong.

It was based off of Google's NGrams, I think he used 3-grams, and checked to see how frequently a word showed up between the two words next to it.

The problem with that was it required a HUGE amount of data. Like several hundred gigabytes worth of space just to store the 3-grams (compressed down to one instance of each 3-gram coupled with the number of times it showed up in the original dataset).


Average vocabulary isn't going to require using that massive a set of 3-grams though. If we started with homophones (https://en.wikipedia.org/wiki/Homophone#English) that would seem to make a large difference; add in ability to easily get a definition (or list of synonyms) for words/phrases (like in Google Translate). Google suggest already does a lot of what is required.


Google also has a ton of computing power and disk space...

That said, homophones and homonyms only would make the 3-gram sets smaller, but it would only detect homophones and homonyms being used incorrectly. I could still use a word incorrectly, and if I'm banking on that software to detect my mistakes it wouldn't.


Indeed. My false positive rate [flagged errors that are really omissions from the dict.] on spell-check in-browser appears to have been about 95% over the past couple of months. I wouldn't be expecting perfection; surely some mistakes corrected is better than none.

How I envision it is also a learning tool - "can here you" would pop up a "can {here} you [here refers to location, hear to hearing sound; 'can hear you']" allowing the author to click the 'corrected' phrase. At the same time you're learning the distinctions.

Thanks for the input.


And thus, once again, it's proven that full and anonymous public disclosure is the only way to notify website owners of their vulnerabilities.


And every time that happens a bunch of apologists appear shouting "Why didn't they inform the site operators first? That is really irresponsible"

And then some poor teen believes it and thinks "maybe it's wise to inform the site first" and subsequently goes to jail for doing the 'responsible' thing. And so the cycle continues.


Wouldn't combining the two tactics be the actually responsible thing to do? Inform the operators anonymously, and tell them that in four weeks a copy of this e-mail will be publicized.


Because that might seem like blackmail to some people...


You definitely have to phrase it kindly and explicitly and be open to other options for how to proceed. Otherwise, the point of staying anonymous is to protect oneself from unnecessarily enraged admins or other responsible people.


When I first read The Cuckoo's Egg by Cliff Stoll, I was wondering if anyone would think to criminalize connecting something to the network that had no protection. So instead of throwing teenagers in jail, they would make an example of systems administrators. Perhaps that would have quickened the advance of internet security awareness.

At one time, there was a law in Minnesota that it was a misdemeanor to leave your car unlocked in a public place, so the idea is not totally without precedent.


There are similar laws in many other jurisdictions.

I think there should be a digital whistleblower law to protect people who report such things in good faith. It should include a clause to make it negligence to ignore such a valid report.


In December I found a glitch in my university's directory that let me have access to personal info of over 60,000 professors, students, and staff.

I was thinking of writing an email to the IT, but fuck that. I'm not paying for someone else's mistake.


You could send a postcard through regular mail to the head of IT's house, I think that would get the point across haha. They might be able to find you by checking access logs after the fact though, I don't think there is any riskless way to disclose.


Send an anonymous email or other notification to them? I agree it's scary to be penalized for "hacking" the system (in their eyes), but I also think these things can't be left alone. It'd be cool if you found a way to let them know.


Then you have to worry that they might track you down. How will you send an anonymous email? The library will have cameras, so might the coffee shop. The fake email you set up might store information about your location as well. You can never be too careful. It might be better to send a regular old mail.


Or, similarly, drop a physical, paper note off under their door explaining the problem.


What's an anonymous email? Even Tor is subject to tracking if the endpoint IPs are monitored [1].

The issue of anonymous disclosure is a real issue if you don't

Why do you think Wikileaks was such a big/new deal?

[1] http://www.forbes.com/sites/runasandvik/2013/12/18/harvard-s...


Lol, you've never opened a gmail account using fake data and sent from there? Yahoo? Hotmail?

The FBI will help your sys admin investigate a bomb threat, obviously. Reporting a security hole will unlikely draw their interest. Yes, just using a fake gmail account is traceable without more protections (like correctly accessing Tor). Again, I doubt the FBI is going to investigate.

But hey, I'm all for paranoia and extra caution.

Plus, rtfa you linked. It says clearly in the first few paragraphs that Tor did NOT fail this guy, but that he's an idiot in how he accessed it.

Lastly, as mentioned, send an anonymous letter. It's not hard, kids!


If what you're reporting is significant enough to threaten the livelihood or reputation of people important enough, they can and will find a way to trace you via your fingerprints/IPs … or do you think Google won't simply roll over on you when they get a subpoena/warrant?


I already gave you the answer. Send an anonymous letter. Done.


In the U.S., hacker Andrew Auernheimer, aka “weev”, is serving a three-and-a-half-year sentence for identity theft and hacking after he and a friend discovered a hole in AT&T’s website that allowed anyone to obtain the email addresses and ICC-IDs of iPad users.

I don't understand why weev is mentioned in the same article as this teen. Weev was allegedly discussing the practicalities of making money through fraud using the information he obtained. It's almost certain he wasn't wearing a completely white hat. This teen sounds like he was doing the proper white hat thing, but then got reported to the police anyhow, at least according to the information provided in the article.


You beat me to it. The weev paragraph was a total non sequitur; he wasn't arrested for pointing out their lax security, he went down for attempting to profit from it.


Disclosure DOs, Disclosure DON'Ts

A 30c3 (30th Chaos Communication Congress) talk by Nate Cardozo (a lawyer) of the EFF.

https://www.youtube.com/watch?v=oSi6PxVBOx4

My take on it? Don't do it. You will gain nothing and can lose everything.


(DEVIL'S ADVOCATE)

Am I allowed to go to businesses and try to pick the locks, look inside, and then report to the business owner that their lock was pickable? Well... yes, but I'd probably be reported to police.

Websites, like locks, aren't bullet proof. How many web applications out there don't have a security flaw somewhere? Doing penetration tests on unwilling victims is risky. Trying to break wifi, company intranets, people's computers, etc. It's best to pentest as a professional, with willing victims or wait for a "pentest" contest.


> Am I allowed to go to businesses and try to pick the locks, look inside, and then report to the business owner that their lock was pickable? Well... yes, but I'd probably be reported to police.

Sometimes these discoveries aren't intentional. Let's say I lean against a door and it's not locked. Well, I never meant to open it up, but since I can't prove I didn't intend to, and since the business can't distinguish people with honorable intentions vs. those without, why risk telling them?

If you tar the helpful with the same brush as the crooks then you shall always learn the hard way from your mistakes.


The article states that the kid used SQL injection techniques to access the site and gauge the vulnerability.


It's perfectly possible to accidentally stumble across SQL injection.

E.g. my street address growing up was 1901 Mayor's Road.


Yeah, I had a hard time with my street address: 5987 O'Drop Table users; Go
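The two comments above make a real point in passing: a legitimate address containing an apostrophe is enough to break a query built by string concatenation, which is exactly how a user with no intent to attack anything "discovers" an injection flaw (the site throws an error on their data). As an added example, not code from anyone in this thread or from the site in the article, here is the vulnerable lookup next to the parameterized one, run against a small in-memory SQLite table whose rows are constructed for the example. The `residents` table, its contents, and the function names are assumptions.

```python
import sqlite3

# Constructed sample rows for the example; "1901 Mayor's Road" is the kind of
# perfectly ordinary value that trips up a concatenated query.
RESIDENTS = [
    ("Alice", "1901 Mayor's Road"),
    ("Bob", "12 Elm Street"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE residents (name TEXT, address TEXT)")
    conn.executemany("INSERT INTO residents VALUES (?, ?)", RESIDENTS)
    return conn


def lookup_vulnerable(conn, address):
    """String concatenation: the user's text becomes part of the SQL grammar,
    so a quote character in the data terminates the string literal early."""
    sql = "SELECT name FROM residents WHERE address = '" + address + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, address):
    """Bound parameter: the value is handed to the driver separately from the
    statement text, so quotes (or anything else) in it are only data."""
    sql = "SELECT name FROM residents WHERE address = ?"
    return [row[0] for row in conn.execute(sql, (address,))]


def demo():
    """Run both lookups on a plain address and on the apostrophe address and
    collect what each returns, recording the database error instead of crashing."""
    conn = make_db()
    results = {}
    for addr in ("12 Elm Street", "1901 Mayor's Road"):
        try:
            results[("vulnerable", addr)] = lookup_vulnerable(conn, addr)
        except sqlite3.OperationalError as exc:
            # This error page is what an ordinary user sees; it is the first
            # hint that the site is splicing input into its SQL.
            results[("vulnerable", addr)] = f"error: {exc}"
        results[("safe", addr)] = lookup_safe(conn, addr)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The parameterized version returns Alice for the apostrophe address; the concatenated version raises a syntax error on the same input, because SQLite sees the literal `'1901 Mayor'` followed by stray tokens and an unterminated string. The fix is the same one for every database driver: never build the statement text from user data, pass it as a bound parameter.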


Did he do anything that wasn't simply a GET/POST/PUT?


The article supposed that's what he did, and it probably is.


Always beware of physical -> digital analogies. When the whole world has the ability to walk by your door, windows, and alarm system and pick at it without being seen, then you probably should be grateful when some of them let you know the back door is open.


Yes, but there's still a world of difference between walking by a door and stopping to pick the lock.


With a physical lock, you'd have to pick the lock each time you wanted access, and avoid being seen. The bar for repetitive attacks on the web is much lower, because you only need to write the "lock picking" script once, and then you can use it indefinitely, disseminate it, etc.

A poorly protected website is more akin to a house with no lock on it at all, and reporting that "this house has no lock" is not a criminal act.


(Devil's Advocate)

What about this: seeing the house has no lock, opening the door, going inside, counting the money in the owner's wallet, putting it back, then reporting that "Anyone could steal $300 from that guy".


If I were that guy I would be very happy that someone informed me about the vulnerability of my wallet. I would definitely thank them and invite them for tea. Reporting them to police would be the last thing on my mind.


Every time I hear about another case like this, I struggle with how I feel about it. I think it really depends on how he discovered the issue, and how far he took those findings. Let's say he just happened to put a quote in a field and noticed that it broke the response from the site. That is a good indicator that a SQL injection might be possible. If he stops at that point and reports his findings, I don't see an issue with that. In my mind, it is like being at a friend's house, where you have permission to be, but noticing that their safe is wide open with their valuables visible to all. Or maybe being in a store and noticing that they've left the cash drawer wide open. However, if he continued to probe and see if he could get data using a SQL injection vulnerability, I feel that is more like walking up to the safe and jiggling the handle, or checking to see if that cash drawer is locked. I don't think your friend or the store owner would be very happy, and the site admins probably wouldn't be too happy about it either.


They don't need help to see that some guy is fumbling with their physical locks; a website can be attacked without being seen.

Let me put that another way: if a guest leans close to a lock and then looks around to report that the lock is defective or prone to fail, I will be grateful. (But not if he picks it.)


More like you're depositing checks into an ATM machine, then notice there's a keypad to open and you guess 1234 and to your surprise, you've found a lot of people's info. Or if you saw that it had a lock but the hinge was exposed and pretty loose, and hey, you flicked it with your finger and it fell off.

Physical-virtual analogies are difficult.


I'm most shocked by the fact that the news agency reported the white-hat. I thought revealing a source was looked down on in journalism.


Where do you see that the paper gave them the kid's info? All I see is he contacted them directly, and no indication that the followup from the paper is where they got his info.


>When The Age called the Transportation Department for comment, it reported Rogers to the police.

Last sentence in the third paragraph.


I assumed that "it" refers to the Transportation Department.


It went like this. Kid didn't get a response from PTV, so he contacted The Age. The Age went and called PTV to call them out. PTV responded to The Age and then stupidly went "whelp, we have no choice but to notify the Police".


That doesn't say if the paper gave the department Rogers' info, or if they thought the right way to react to the publicity from the paper was to hand information they already had over to the police.


Back in high school I found a vulnerability in the website of a major online DVD retailer.

I notified them about it, and included information on what specifically was wrong, the impact it had (over 6 million credit cards, social insurance numbers, addresses, full names, and telephone numbers), and they hired me to help them fix it.

I often look back on that event and am quite thankful for how it turned out. I've read about plenty of stories where the person who found the vulnerability was not as fortunate.


The article isn't too specific but they imply he used SQL injection.

It's pretty simple, people: this is against the law in most countries. SQL injection, default passwords, remote injection are illegal.

The big thing for me is not what happened to him but young people thinking this is legal. Why didn't he try and be anonymous?

Don't care whether it should or should not be legal to hack sites but how could he not know it was illegal? (I guess that's slightly rhetorical, he was 16)


A lot of these kinds of things we see in the news these days are the result of a highly networked society colliding with a hierarchical administration/governance system.

A typical college management or government is designed to take orders from the top. A person's ability to make decisions and process information is often not correlated with their position. But in the real world a 16-year-old can beat a 50-year-old on the basis of pure merit. As a society we have adapted to it, but governments and management practices haven't. So when a teen calls up to report a security hole, the lower level of administration panics.


Clearly, the government department is wholly responsible for putting up a rubbish website, but from another article on the story, "He first contacted PTV by email on Boxing Day..". I wonder if the "white-hat hacker" didn't time his notification quite intentionally knowing there was a much lower probability of action being taken promptly. If they'd just patched the security hole he wouldn't get any exposure. It makes me wonder if there's more to this story than we're hearing - that he actually found the security flaw much earlier and sat on it for a while for example. Or that he downloaded all the available information first.

As ever, a couple of short articles may not be giving us the big picture.


By that logic, why would he even bother reporting it and have security experts poking around the logs and potentially finding traces of his download?

Personally I would have sold it to the highest bidder. Being "white hat" gets you in trouble more often than not.

I'll stick to "gray hat", thank you very much. If I ever choose to disclose any vulnerability to the owners, I will not reveal my identity, and after an arbitrary amount of time, say... (1 month), if it's still present, sell it to the highest bidder and let them deal with the consequences.

You have to be strict when teaching people, and this is no different. If you let them set the rules, they could choose an unreasonable length of time like 1 year before they allow you to disclose anything.

You are the one in the position of power; never let them take that away from you. By revealing your identity you give away all your power.

If you're not a threat people don't take you seriously.


> Being "white hat" gets you in trouble more often than not.

Granted. I've lost clients this way, despite having been actually invited to do work on their systems; such experience has taught me that the political concerns around unsolicited vulnerability reporting dwarf the technical considerations involved, and that trying to navigate such minefields is worthwhile only when the status quo is utterly untenable.

> Personally i would have sold it to the highest bidder.

Well, that's a wholly different consideration, isn't it? Saying nothing is one thing. Gravely violating the ethics of your profession, and possibly criminal law as well, is quite another.


> if it's still present sell it to the highest bidder let them deal with the consequences.

Them, and the innocent victims of this breach - the people who just wanted to buy a bus pass.

Why not disclose anonymously and publicly, instead of selling the data off?


Your statement:

  Being "white hat" gets you in trouble more often than not.
Is beyond absurd.


I would argue that your reply is the one that's absurd. Why is the quote you mentioned unreasonable?


Maybe more pointedly - white hat and in high school, OR independent and not well known, OR when dealing with any sort of organization affiliated with government, banking, telecommunications or retail.

I think that covers 80% of this type of story cropping up quarterly in mainstream media.


Because "Being white hat gets you in trouble more often than not." is so obviously untrue to anybody with even the vaguest relation to the industry. It implies that more than 50% of the time, when you disclose a vulnerability responsibly, you get in trouble, when it's more likely much, much less than 0.1% of the time.

People getting in trouble for reporting vulnerabilities is highly rare. Show me 100 cases of it, and I'll still tell you it's rare.


Most of the industry wouldn't characterize themselves as "white hat"; just ask them and they will say they're more "gray hat" than white hat.

At least in private, anyway; if you ask them in public they're forced to keep up appearances.

Now we can argue about the percentages all day, but you have to agree being "gray hat" and keeping the power on your side by not exposing your identity is the safer way to go about it, unless you want bragging rights, which is a whole other level of psychology.

I'm not after the attention I'd rather be the guy who nobody notices.


I'm not sure timing matters, ever. Why should it? Large organizations will pay millions of dollars for canned 'assessments' that create far more noise and operational problems than reports like this - yet the knee-jerk reaction to responsible disclosure is "well you didn't send it to us on the third Sunday of the month after a blue moon". Get a clue. If someone responsibly discloses, then suck it up, fix it, and when you don't, expect to hit the front page of the local news. That's how reality works today, and as stated in the article, if this young researcher has found it, it's either already known or the sands of time were close to running out on the malicious use case.

I believe that if an organization wants to incriminate responsible disclosure then they have to have a public ToS stating any disclosure is subject to just that. Then they will dissuade any free help in a public fashion and be left to their own devices. In that case there should be non-retaliation protection available via the state to anonymously submit without fear of being penalized.

If there was a big hole in the side of a bank and it was illegal to talk about it do you just accept it and move on? Do you continue to bank there? There's inherent risk with providing Internet based services. Deal with it instead of being ignorant about it.


I agree it was a bad day to email PTV, but in another article I read on it he was simply trying to find out some info on Myki (the current travel card). Unfortunately I can't find it though.

Assumptions are the mother of all fuckups.


It's about time for legislation making it a crime to report whistleblowers to the police and a criminal offense to search or seize their equipment. Perhaps an independent review body could be set up to arbitrate these situations?


It should never be a crime to report something to the police.

It should be the police's responsibility to make a decision about whether reports should be followed up or not. We should hold the police, prosecutors and the courts culpable for making reasonable judgements here, not random uninformed members of the public.


"It should never be a crime to report something to the police."

I am not sure about that:

http://www.wired.com/politics/law/news/2008/02/blind_hacker?...


False reporting is already a crime, and I think it's fair to assume that by 'something' (parent (parent)) meant 'a crime', rather than assuming that he meant false reporting should be made lawful.


Finding and reporting a security problem should not be a crime; neither should whistleblowing. Sending the police after someone who demonstrates your incompetence or corruption should be a crime.


Would you cut off your own hand or leg? They definitely will not.


While I agree that the website's response and the response of many organizations is overly harsh and draconian in situations like these, if the teen in the story did use SQLi to exfiltrate 500 records then he crossed the line. He should have just shown that the vuln existed without pulling customer data. If the organization pushed back and said it didn't see a problem, then he could offer to write a proof of concept to pull that data, but to just go from discovery to pulling credit card data is a bad move on his part.


A lot of comments here:

- complain how white-hat practices are not well understood;

- advise to report, but anonymously.

It sounds like a simple enough website to set up. It would encourage script-kiddies to report anonymously, send a warning to the right person, and include explanations — maybe free best practice tips and references to known security professionals if necessary. Now that Scheider is in the news, his name could help reassure uninformed admins that this is not a racket.

I'm not a coder, and the furthest thing from a security professional, though.


To me this is really weird. If a neighbor knocks on your door to tell you that you forgot the keys in the keyhole outside you thank him, you don't call the police...


This is a bit different and would be like the neighbor opening the door and walking into your bedroom to tell you.


No, the kid didn't log into the website and make some postings to their internal communication systems (forums, email listings, etc). He attempted to contact them through official channels but was ignored.

After that, he went to the local news agency. This is totally different.


OK, so he went into your room, you weren't there, and he came back to knock on the door to let you know he went to your room to find you. It's close enough.

Edit: I just want to clarify that I don't think the kid should be prosecuted, but I also don't like the fact that he went as far as to check for sensitive information inside of their system.


It would be like a passerby finding your door continuously wide open, stepping into your foyer and shouting to let you know, you weren't there or didn't respond, so he told your neighbor to tell you. Then you call the police because of trespassing.


I think this is one of those situations where the analogy just doesn't work, but well done for trying!


I think it has to do with intentions. Not trying to literally map online site to a house. But in general, when a person has found a vulnerability and is trying to report it in a good will (no matter through what channel), as opposed to using it to try and blackmail, etc., things should not be reversed and used against that person.


Disagree.


It's sad, but most people would rather you didn't tell them about a security issue, until they get hacked, and then they wish someone had warned them prior.


I think the difference lies in finding the security hole and testing the security hole. In most of the cases that the hacker is persecuted, the hacker has tested the hole, i.e. downloaded data illegally.

If the hacker simply notified the people responsible before retrieving any data, I don't think that the hacker would be persecuted.


I wonder how it would go if you went to the police, showing them a website which displays tens of thousands of customers' personal data, and tried to get the website owner busted for violating privacy legislation?


And the Streisand effect occurs again...


Perhaps he will get a medal from security officers, that is why he was reported... Oh wait...


Suppose while you were away from your house someone came to your front door and found it unlocked. Assume he entered your house and had a look around, but didn't take anything. He then later notified you that you had left your house unlocked. Did he do anything wrong?


Physical metaphors DO NOT WORK in this scenario. This is not a house or a car or commercial warehouse or anything else... it's a website. There are far too many relevant differences between physical locations and web sites for metaphorical reasoning to work.


> Physical metaphors DO NOT WORK in this scenario.

Well, we need to know more about the particulars. It says it was SQL injection. It's entirely possible, given the limited information, that he just sent a correctly crafted GET request. In that case, a more apt analogy would be a warehouse where stepping on a particular part of the sidewalk unlocks the door.
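To make the "correctly crafted GET request" concrete from the defender's side, here is an added Python example (not from this thread, and not PTV's code) with a constructed in-memory customer table: a lookup that pastes the request parameter into SQL text beside the parameterized lookup that closes the hole.

```python
import sqlite3

# Constructed sample rows standing in for a ticketing site's customer table.
SAMPLE_CUSTOMERS = [
    (1, "card-0001", "Ada Example"),
    (2, "card-0002", "Ben Sample"),
    (3, "card-0003", "Cy Placeholder"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, card TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, card):
    """The flaw: the GET parameter is concatenated into the SQL text, so a
    quote character in the input changes the query's structure instead of
    being treated as data."""
    sql = "SELECT name FROM customers WHERE card = '" + card + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, card):
    """The fix: a bound parameter is sent to the engine as data and is never
    parsed as SQL, whatever characters the client puts in it."""
    sql = "SELECT name FROM customers WHERE card = ?"
    return [row[0] for row in conn.execute(sql, (card,))]


if __name__ == "__main__":
    conn = make_db()
    benign = "card-0002"
    hostile = "x' OR '1'='1"  # quote-bearing value that matches every row
    print(lookup_vulnerable(conn, benign))   # ['Ben Sample']
    print(lookup_vulnerable(conn, hostile))  # all three names: the table leaks
    print(lookup_safe(conn, hostile))        # []: no card literally has that id
```

The same single request that dumps every row from the concatenating version returns nothing from the parameterized one, which is why "just one GET request" is all that separates a working site from a breach.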


My doormat says "GO AWAY", the old school robots.txt.

Your analogy doesn't hold. There are few spiders trying every door and window of every house. The risk profile (attack surface area) is much smaller in the physical world.

If a service publishes a port, many someones will probe it, legitimately or not.

Where your analogy does hold is courtesy. If one of my neighbors sees my door open, does a walk thru to check things out (I might be bleeding out in the basement), finds nothing, then I absolutely do want her/him to clue me in.

Ditto my website(s).


That's trespassing, isn't it?


More likely illegal entry, but certainly unlawful either way.


Always pastebin it on reddit anonymously.

And if you care about users' private data being leaked, said users can always use the assassination market to dispose of said sites' admin staff.

I'm dead serious on both points. I would love to see somebody die a violent death over such shit as exposing user data and then reporting the white hat to the police without even securing the system in the first place.

