Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Australian Police Database Lacked Root Password

kdawson posted more than 5 years ago | from the kick-me dept.

Security 214

Concerned Citizen writes "The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"

cancel ×

214 comments

Sorry! There are no comments related to the filter you selected.

mmmm........ (4, Funny)

gcnaddict (841664) | more than 5 years ago | (#29114001)

That's the smell of someone being fired.

Re:mmmm........ (5, Insightful)

jcr (53032) | more than 5 years ago | (#29114021)

A bureaucrat fired for incompetence?

If that happens, then Australia is more different than the USA than I can possibly imagine.

-jcr

Re:mmmm........ (4, Insightful)

gcnaddict (841664) | more than 5 years ago | (#29114611)

Government employees are always fired when their actions (or inaction) embarrass the nation.

Incompetence? You're right; employees typically aren't fired for that, but causing major embarrassment is always grounds for termination.

Re:mmmm........ (4, Insightful)

Shakrai (717556) | more than 5 years ago | (#29114775)

Government employees are always fired when their actions (or inaction) embarrass their political masters

Fixed that for you :)

Re:mmmm........ (1)

Nefarious Wheel (628136) | more than 5 years ago | (#29115213)

That's the smell of someone being fired at.

a legit hack (5, Insightful)

Lord Ender (156273) | more than 5 years ago | (#29114007)

They broke out of a honeypot, discovered the available services on a private network, then found and exploited s service that was misconfigured.

Believe it or not, most hacks don't involve writing custom exploit code. They just require some work and the sense to know what you're looking for.

Re:a legit hack (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29114247)

They broke out of a honeypot,

That's exactly what they want you to believe...

Does the idea of a recursive honeypot sound entirely ridiculous? After breaking out of the first honeypot would most people not even contemplate this possibility?

Journalistic Beat-Up? (2, Informative)

Capsaicin (412918) | more than 5 years ago | (#29114969)

Does the idea of a recursive honeypot sound entirely ridiculous?

It was not a honeypot, it was not even an AFP machine. Read down the discussion in TFA. Shaon Diwakar, the security expert quoted in the article, responding to another poster explains that he was misquoted by the journalist (re. SQL injection), and explains the status of the machine under question.

... according to what we were presented, the AFP commandeered this server as part of an investigation - so it may not necessarily have been a honeypot per se

[my emphasis]

Which sounds the AFP took over a machine belonging to someone who also forgot to set their mysql password. If I'm reading that correctly, and they broke into a machine with poor security, it's probably not in their job description to fix up the victim's mysql password. So no, I doubt if anyone (in the AFP) will be sacked here.

Re:Journalistic Beat-Up? (2, Interesting)

Capsaicin (412918) | more than 5 years ago | (#29115237)

If I'm reading that correctly, and they broke into a machine with poor security.

On reflection I'm not reading it correctly. What this probably means is they arrested the owner, took over the physical box, and just left it running to see who was using it. But the point stands. Not their responsibility to fix up the villain's poor security. Indeed, if this what happened, one might imagine that miminal-to-no inteferrence with how the box was running would be an operational imperative.

Didn't have a password? (5, Funny)

billstewart (78916) | more than 5 years ago | (#29114393)

I hope the crackers were polite enough to give it one....

Re:Didn't have a password? (1)

CDMA_Demo (841347) | more than 5 years ago | (#29114787)

I hope the crackers were polite enough to give it one....

Only in America....
Only on 4chan
Only at /b/

Re:a legit hack (0)

Anonymous Coward | more than 5 years ago | (#29114409)

Sounds to me like they didn't actually "hack" anything - they never left the honeypot.

Re:a legit hack (4, Informative)

rivetgeek (977479) | more than 5 years ago | (#29114491)

Uh...no. The article states they just used SQL injection to insert an include to a remote php file (the idiots apparently hadnt disabled remote file includes). The included file was basically a dashboard that did directory listings and file transfers. I did a contract cleaning up a similar mess (URL-RFI Injection). The hardest part about the entire hack was probably finding the SQL injection point.

Re:a legit hack (3, Insightful)

Lord Ender (156273) | more than 5 years ago | (#29114515)

And? A hack doesn't have to be "hard" to be a hack. As the word is popularly used today, breaking into a computer through nonobvious (to the average person) means is hacking.

Re:a legit hack (1)

rivetgeek (977479) | more than 5 years ago | (#29114591)

Im just saying your description of the hack was entirely inaccurate.

Re:a legit hack (1, Informative)

Anonymous Coward | more than 5 years ago | (#29115423)

...breaking into a computer through nonobvious (to the average person) means is cracking.

no injection necessary (5, Informative)

Capsaicin (412918) | more than 5 years ago | (#29115001)

The article states they just used SQL injection

The article is wrong. Quoting from (again!) from the message left in the discussion by the quoted security dude in response to someone questioning whether this really was SQL injection:

... you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed.

The journalist (Asher Moses) simply got it wrong. It happens.

Re:no injection necessary (2, Insightful)

rivetgeek (977479) | more than 5 years ago | (#29115049)

Are you (or he, i haven't read his comment) trying to say that mysql was accessible from the outside to arbitrary connections directly? I find that pretty hard to believe.

Re:no injection necessary (2, Informative)

Capsaicin (412918) | more than 5 years ago | (#29115207)

Are you (or he, i haven't read his comment) trying to say that mysql was accessible from the outside to arbitrary connections directly? I find that pretty hard to believe.

It appears to be what he (or someone claiming to be him) is saying, or am I misreading him. For your benefit, I'll quote his comment in its entirety:

@killjoy - you're absolutely correct, it would just be a matter of punching in SQL statements once you've managed to connect to MySQL. This wouldn't be SQL injection, but rather just plain SQL query execution. I guess in explaining that to Asher the definition got skewed. Also, according to what we were presented, the AFP commandeered this server as part of an investigation - so it may not necessarily have been a honeypot per se.
@k@icolo - you'll be surprised, its just human nature. It could easily have happened to security folks (such as us) as well - especially if we're not vigilant.
@Luke | Melbourne - the point of the 4corners exercise was to demonstrate what would happen in the scenario where a wireless AP was not encrypting traffic - you may be using WPA2 but a lot of people aren't, nor would they know how to enable it.
Posted By: Shaon Diwakar | HackLabs - August 18, 2009, 10:00PM

How do you read that?

Note also that he indicates that this was not an AFP machine, or a machine normally administered by the AFP, but a machine "comandeered" (which on reflection probably means confiscated rather than cracked) by the AFP.

Re:no injection necessary (1)

rivetgeek (977479) | more than 5 years ago | (#29115225)

Yah from that comment it would seem correct however you have to TRY to open up mysql to outside connections. I just find it dumbfounding that anyone would.

Re:no injection necessary (1)

Capsaicin (412918) | more than 5 years ago | (#29115291)

I just find it dumbfounding that anyone would.

Maybe he (the actual administrator) wanted access to it when he was at work? Not setting a password if you've done that does seem incredible though, I agree. But that was what the "you'll (sic) be surprised ..." comment was in response to.

Even if unlocked still breaking and entering (4, Informative)

JoshuaZ (1134087) | more than 5 years ago | (#29114031)

In most jurisdictions that formally define "breaking and entering" make it synonymous with burglary(which may itself be broken down in various ways). Generally, it doesn't matter how easy access was or whether a door was unlocked. However, many jurisdictions don't count something as burglary unless one entered with the intention of committing a crime.

Re:Even if unlocked still breaking and entering (5, Informative)

conufsed (650798) | more than 5 years ago | (#29114147)

Australian law has a separate charge for unauthorised access to a computer system under the computer crimes act

Re:Even if unlocked still breaking and entering (5, Informative)

Shakrai (717556) | more than 5 years ago | (#29114739)

Speaking from the experience of being charged with them, New York State also has a few different computer crime laws. The simplest one is a misdemeanor, "Unauthorized use of a computer". All that's required to commit this crime is to bypass a security system (wi-fi encryption, username/password prompt, etc.) without authorization to do so from the owner of said system. Then there's "computer trespass", a felony. The only difference between the two? Unauthorized use of a computer merely requires that you gain access to the system. Computer trespass requires that you use that access to access "computer material" (i.e: data).

So, breaking your neighbors WEP encryption and logging onto his network is a misdemeanor. Using this access to browse onto his c$ share and download his secret porn stash bumps it up to a felony.

Re:Even if unlocked still breaking and entering (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29115487)

It's worth pointing out also - Under said Australian law - whoever did this is looking at about a 10 year sentence if caught. Probably more than that for interfering with an investigation as well.

Australia got specific law regarding this very early - such that the judges and politicians who passed it were acting from a position of fear and doubt - and so said hacker would probably have gotten off easier if he'd just actually physically removed said computer.

There are a lot of worse crimes which attract less harsh sentences - mostly because those deciding on the sentences understand the crime. And in the case of those laws, they didn't really "get" it when they framed the law. The understanding they had was purely intellectual - it had no emotional component, so they couldn't understand WHY someone might commit such crime, and overreacted to create more of a deterrent to err on the safe side.

Re:Even if unlocked still breaking and entering (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#29114531)

yup i agree

Re:Even if unlocked still breaking and entering (4, Informative)

jasonwc (939262) | more than 5 years ago | (#29114537)

To elaborate on the parent post, "breaking and entering" is often referred to as a synonym for burglary, whereas it is in fact merely two of the elements to establish burglary. Under the common law, the following elements must be met to establish burglary:

1) Breaking (The use of force, however slight, to facilitate entry - may include pushing open a door, opening a window etc.)

2) Entering (Literally entering the physical structure)

3) The home of another (Note that breaking into a commercial building would not constitute burglary. The property must have the primary use as a residence.)

4) At Night (Variously defined - usually from sunset to sunrise, but could be what a "reasonable" person would believe to be night)

5) With the Intent to Commit a Felony (Usually larceny, but can be any felony including violent crimes)

Note that I have quoted the common law elements of burglary. Many state statutes have altered the elements to, for example, remove the requirement that the break-in occur at night.

Jason
Yale Law School, Class of 2010

Re:Even if unlocked still breaking and entering (1, Funny)

TheRealMindChild (743925) | more than 5 years ago | (#29114695)

Wait... Australia has STATES? We must be WAY behind in getting those stars on the flag

Re:Even if unlocked still breaking and entering (3, Funny)

jasonwc (939262) | more than 5 years ago | (#29114743)

Obviously I was referring to the United States, but you are correct in your implication that I should have been more clear especially on a site as pedantic as Slashdot.

Re:Even if unlocked still breaking and entering (2, Funny)

zonky (1153039) | more than 5 years ago | (#29114771)

Yes, they have 6. [wikipedia.org]

Re:Even if unlocked still breaking and entering (2, Funny)

davester666 (731373) | more than 5 years ago | (#29114949)

Six states of Australian's also known as Her Majesty's Penal Colony :-)
Committing offense
Charged with offense
Awaiting trial
Convicted
Doing Time
On Parole

Re:Even if unlocked still breaking and entering (1)

spankyofoz (445751) | more than 5 years ago | (#29115059)

See the 7 pointed star underneath the Union Jack? Thats's the federeation star, each of the points represents a state, and the 7th is for territories

Re:Even if unlocked still breaking and entering (1)

Nefarious Wheel (628136) | more than 5 years ago | (#29115257)

Wait... Australia has STATES? We must be WAY behind in getting those stars on the flag

Yep, we've earned our stripes too.

By the way, we've bought the rights to the Star Spangled Banner. RIAA agents on their way to your ball games this very moment.

Some Yank owns the rights to Waltzing Mathilda, so it's only fair. RIAA might want to come to our barbecues, as we might sing it in a highly public way after a few beers. But they're nothing you can't fix with a backhoe, drunk or sober.

Re:Even if unlocked still breaking and entering (0)

Anonymous Coward | more than 5 years ago | (#29114837)

Is this Australian common law they're teaching at Yale?

Re:Even if unlocked still breaking and entering (3, Informative)

jasonwc (939262) | more than 5 years ago | (#29114881)

Both the common law of the United States and that of Australia are derived from English common law. In fact, when the United States became an independent nation, we incorporated all of the common law of England up to that point. As burglary is a very old offense, which can be traced back hundreds of years if not more, there is likely to be a great deal of similarity between the common law of Australia, the United States, and the United Kingdom with regard to the definition of burglary.

However, I still don't see the point of these pedantic comments. I thought it was obvious from my post that I was referring to the common-law definition of burglary in the United States. If I was at all unclear, my later post should have removed all doubt as I stated explicitly that the post referred to the law of the United States, not Australia.

Re:Even if unlocked still breaking and entering (1)

Barny (103770) | more than 5 years ago | (#29115157)

But you are of course replying to a story about Australian Federal Police, so it would be reasonable to assume that you are stating Australian Law.

Re:Even if unlocked still breaking and entering (1)

Hurricane78 (562437) | more than 5 years ago | (#29114587)

What if you are on a generic police site, and just land in there by randomly clicking on five links on the page? It is still "breaking and entering".

What if you walk down the street, and fall into an open sewer, just to find out that it is a secret underground tunnel to a high-security government building, and there is no way to climb out, other than walking down the tunnel into the secret building?

What if you are blind, and walk trough the open backdoor of a police headquarter's stolen goods storage room?

Oh, and I don't care what some jurisdictions say, because the difference between "breaking and entering" and "burglary" is that in a burglary, you took something. There. Was that so hard?? Every other definition would just be "douchebaggery".

Re:Even if unlocked still breaking and entering (1)

Hungus (585181) | more than 5 years ago | (#29114671)

Burglary is legally defined in most states as "entering of a premsis with the intent to commit a felony"

It's still breaking and entering (4, Interesting)

rm999 (775449) | more than 5 years ago | (#29114035)

"Can you be charged with breaking and entering a house that has the door left wide open?"

Nothing has to be "broken" during a breaking and entering. Not everything is so literal. As long as the person maliciously entered the system with the knowledge he didn't belong in there, it would be a virtual breaking and entering.

Re:It's still breaking and entering (2, Informative)

gandhi_2 (1108023) | more than 5 years ago | (#29114073)

IIRC, breaking means breaking the plane of entry. Not physically damaging anything.

Re:It's still breaking and entering (0)

Anonymous Coward | more than 5 years ago | (#29114129)

No, you recall incorrectly.

Re:It's still breaking and entering (1)

gandhi_2 (1108023) | more than 5 years ago | (#29114137)

Henceforth: NYRI.

Re:It's still breaking and entering (5, Informative)

rm999 (775449) | more than 5 years ago | (#29114211)

Actually, that's the entering. Breaking is the act before entering. That's why it's called "breaking and entering". See http://legal-dictionary.thefreedictionary.com/burglary [thefreedictionary.com]

"At common law, entering through a preexisting opening did not constitute breaking. If one gained access through an open door or window, burglary was not committed. The same rule applied when a door or window was partially open even though it was necessary to open it further in order to enter. The rationale under-lying this rule was that one who failed to secure his or her dwelling was not entitled to the protection of the law. A majority of states no longer follow this rule and consider breaking to be the slightest application of force to gain entry through a partially accessible opening."

So, my original point was that in modern US law, you don't have to do much "breaking" to commit a break and enter.

Re:It's still breaking and entering (1, Informative)

Anonymous Coward | more than 5 years ago | (#29114555)

Security guard here. At least in Canada, it's breaking and entering if you trespass with intent to commit a crime or commit a crime in the process of entering. Smash a window to get in? B+E. Walk in the unlocked door to steal something? B+E. Walk in to stand around for a while and leave? Trespassing. Not sure how that relates to computer-related legalities, but there you go.

Re:It's still breaking and entering (2, Informative)

gandhi_2 (1108023) | more than 5 years ago | (#29114569)

This, I'm sure depends on what jurisdiction you are in. But...I guess we can all quote websites, right?
From lawguru.com [lawguru.com]

Forcible entry is distinguishable from the broader crime of "breaking and entering" which might not include any actual damage from the force used to "break" a way in, such as when one opens an unlocked door to private premises without license to do so, or tampers with a locking mechanism and later takes advantage of the defect. As such, one can assume that the "breaking" refers to breaking the plane of entry; that is, crossing the threshold of a door, window or other entryway into a building.

Re:It's still breaking and entering (1)

syntotic (1619955) | more than 5 years ago | (#29114595)

Heisenberg: still, you already see it.

Re:It's still breaking and entering (4, Insightful)

zippthorne (748122) | more than 5 years ago | (#29114101)

I should hope that the law is literal. "Don't be so literal" is not the kind of argument you want to hear from the prosecution at any phase of a trial. Especially sentencing. Assault and Battery are sure as damn different things, and separably chargeable.

Re:It's still breaking and entering (2, Informative)

rm999 (775449) | more than 5 years ago | (#29114167)

I think the difference is obvious. Would you "break" into someone's house and try to convince the judge you didn't literally break anything when you are being charged with breaking and entering? I hope not.

I meant the name should not be taken literally, but obviously the law itself should.

Re:It's still breaking and entering (2, Funny)

Anonymous Coward | more than 5 years ago | (#29114345)

Assault and Battery are sure as damn different things, and separably chargeable.

I understand how one can charge a battery, but how does one charge an assault? Let alone why you'd have to charge them separately... ...

Re:It's still breaking and entering (1)

EdIII (1114411) | more than 5 years ago | (#29114217)

it would be a virtual breaking and entering.

Okay.. So do I go to Virtual Prison? Drop the Virtual Soap? Put on Virtual Lipstick?

Just curious... :)

Re:It's still breaking and entering (5, Funny)

Metasquares (555685) | more than 5 years ago | (#29114363)

No, but this sounds like an idea for the next Sims expansion pack.

Re:It's still breaking and entering (2, Funny)

Anonymous Coward | more than 5 years ago | (#29114417)

please dont give ea ideas T_T

According to TFA (3, Informative)

thatkid_2002 (1529917) | more than 5 years ago | (#29114041)

TFA says that the computer was being used as a part of a (somewhat poorly executed) Sting.

It was not the main database which was broken into, but rather just a node which had some of the information from the database stored on it.

TFS is very poorly written... it is not worthy of being a "Summary".

Re:According to TFA (2, Funny)

Architect_sasyr (938685) | more than 5 years ago | (#29114271)

I will give you a summary of the documented process they did for this then (it was on our local "4 corners" show and had me crying).

They spoke of the Russian DDoS on the Gamboling people in the north, then they jumped around a bit listening to police officers talk a little too quietly (almost mumbling) about IT stuff (which had me cringing the entire time). Then they showed us a 20year old who looked like a try hard metalhead who was apparantly this 'leet hacker' in control of 56,000 .au credit cards.

Finally the two bits that made me cringe the most, was watching them set up the front-page-post of the so-called "hacker forum", and when one of the forensics guys fakes-out what he was doing during the raid: "ok now ive just typed in 'netstat'".

Fucking disgusting. I'm severely tempted to go blackhat just to screw with these guys.

Re:According to TFA (0)

Anonymous Coward | more than 5 years ago | (#29115205)

They wouldn't show the real guys on TV, trust me.

Lacked??? (0)

ItsPaPPy (1182035) | more than 5 years ago | (#29114043)

Wow that's bad. Anyone notice the misspelling?

well... (1)

gandhi_2 (1108023) | more than 5 years ago | (#29114063)

...nothing a few more laws won't fix.

Uncrackable Password (0)

Anonymous Coward | more than 5 years ago | (#29114067)

couldhave

Brag about it and get snapped! (5, Informative)

Slotty (562298) | more than 5 years ago | (#29114075)

They had an entire episode on one of the current affairs TV shows here in Australia dedicated to cyber crime. The very next day this article came out.

The way they were talking on the TV show you're lead to believe they worked hard and displayed decent technical knowledge and skills. Nice to know my tax dollars pay for a department that doesn't even have a secure server. However according to the article the police stated that it was a seperate network with no actual worthwhile data or connection to the real network

Re:Brag about it and get snapped! (4, Insightful)

Beardo the Bearded (321478) | more than 5 years ago | (#29114143)

Well, they would say that, wouldn't they?

Re:Brag about it and get snapped! (1)

nanospook (521118) | more than 5 years ago | (#29114157)

Go ahead.. believe that! *rolling eyes*

Re:Brag about it and get snapped! (1, Informative)

Anonymous Coward | more than 5 years ago | (#29114265)

From the local news, it reads as if the crack was in response to the police boasting [abc.net.au] that they had the crackers under control.

Re:Brag about it and get snapped! (0)

Anonymous Coward | more than 5 years ago | (#29114397)

I recently looked into Computer Forensics for QLD Police, the wage was about $50K AU per year (maybe $40K US). How can they expect to have a decent cyber crime division when they're paying peanuts?

Re:Brag about it and get snapped! (0)

Anonymous Coward | more than 5 years ago | (#29114471)

I enquired about cyber security positions with the AFP a few years back and they said they only recruit internally/from partner agencies. How many hackers want to go through the police academy and do beat work in the hope of maybe being promoted to the CSS?

I hope the armed services are more intelligent about their upcoming program, although I wish they wouldn't base it in Canberra!

Re:Brag about it and get snapped! (1)

jaxtherat (1165473) | more than 5 years ago | (#29115147)

That's actually reasonably good as in the QLD state police you get massive tax benefits, free healthcare, free education. Also QLD is a lot cheaper than NSW, i.e. housing costs close to the cbd of Brisbane are ~1/2 that of Sydney.

So yeah, this ain't too bad if this is a starting salary.

Re:Brag about it and get snapped! (1)

zobier (585066) | more than 5 years ago | (#29114511)

Four Corners is dedicated to cyber crime?

Grammar nazi alert (0, Offtopic)

Anonymous Coward | more than 5 years ago | (#29114119)

could HAVE

Re:Grammar nazi alert (0, Offtopic)

bunratty (545641) | more than 5 years ago | (#29114235)

What is it that they could of had?

Re:Grammar nazi alert (1, Funny)

Culture20 (968837) | more than 5 years ago | (#29114287)

What is it that they could of had?

could of halved. Sheesh.

Insertion fix (0, Offtopic)

MillionthMonkey (240664) | more than 5 years ago | (#29114343)

"It could of [course have] been faster if I hadn't stopped to laugh so much."

Re:Insertion fix (0, Offtopic)

bunratty (545641) | more than 5 years ago | (#29114685)

Well, yeah, you could have beans faster if you don't stop to laugh so much. I guess you could have anything faster if you don't stop to laugh so much. I doubt that anyone will stop to laugh at this lame joke though.

Re:Grammar nazi alert (0, Informative)

Anonymous Coward | more than 5 years ago | (#29114539)

There's also a contraction for "have" that the writer could've used.

Re:Grammar nazi alert (0, Offtopic)

bunratty (545641) | more than 5 years ago | (#29114805)

What is it?

Criminal Intent ! (4, Informative)

redelm (54142) | more than 5 years ago | (#29114131)

One thing missing here (and indeed in some statutes) is the concept of "mens rea", the guilty intent. Yes, this could be trespassing or it could be theft. The prosecutors (Crown) has to establish intent in the break-in.

Breaking & entering or burlary does not require any sort of strong measures be overcome -- just walking through a totally unlocked screen door qualifies. But if you aren't taking anything or doing anything else wrong, then it is trespassing.

The problem with some statute is it attempts to be self-proving -- ie, the act establishes intent. For it to reasonably do so, there must be no possible innocent explanation. Anyone could formulate a query to a webserver. If it honors the query, how is that "unauthorized access"? However, someone might argue if it is not in a clickable URL, then the access is not authorized. I would disagree and state that clickable URLs are "encouragement" or ease of use. Exposing a query language is authorization for its' use. After all, it could easily have been hidden.

Re:Criminal Intent ! (0)

Anonymous Coward | more than 5 years ago | (#29115221)

But if you aren't taking anything or doing anything else wrong, then it is trespassing.

I'm not sure how it works in the states, but in Canada: "...evidence that an accused broke and entered a place...in absence of evidence to the contrary, proof that he broke and entered the place...with intent to commit an indictable offence therein...".

Unless he has a legal reason for being there, break and enter fits. I'd also hit him up with Unlawfully in a Dwelling-House if it were a residence.

In seeing this from the dark side... (4, Insightful)

shacky003 (1595307) | more than 5 years ago | (#29114231)

The OP is asking about being charged with anything just because the "door" wasn't on the "house" to keep them out...

That's a little like saying "Can someone be charged with stealing a bike if it was just sitting up against the front of the store while the owner was inside the store.."
Just because there wasn't a safeguard in place (supreme dumbasses? Why yes!) it isn't a valid legal argument (at least in the states) to plead ignorance to the
effect that you still stole the bike, even if there was no lock securing it..

It might be an interesting place to live if everything could be played with/used/stolen
as long as it wasn't secured..

As always, I may know nothing about anything, ever - and don't smoke crack.

Re:In seeing this from the dark side... (0)

Anonymous Coward | more than 5 years ago | (#29114923)

Oh noes! I have connected to Slashdot without logging in and I've even manipulated data on their servers. (Lack of access protection has always been implicit permission to access with regard to computer networks, and rightly so, because the only viable way for strangers to grant each other access is to automatically grant access. Lack of protection is the simplest and most obvious way of doing just that.)

Re:In seeing this from the dark side... (0)

Anonymous Coward | more than 5 years ago | (#29114997)

That's a little like saying "Can someone be charged with stealing a bike if it was just sitting up against the front of the store while the owner was inside the store.."

But its a lot more like saying "Can someone be charged with stealing a bike if it was just sitting up against the front of the store, and they sat on it for a bit, then left it alone..."

However in this case, planting code to allow future access, would establish malicious intent, and should come with its own charges, regardless of hows its accomplished.

Presumptions are dangerous... (1)

gillbates (106458) | more than 5 years ago | (#29115101)

One of the things which I've always wondered is how hackers know they've broken into the real-deal versus a honeypot.

  1. Faking CC numbers, names and addresses, etc... isn't that difficult. Suppose, for example, the feds impersonated a bank server, complete with fake Credit Card numbers, names, addresses, etc...
  2. Hacker downloads the database, and then sells the info.
  3. Credit card companies issue "provisional credit" to vendors when the fake card number is used. Vendor sees "provisional credit" code on approval and recognizes this is fraud, and alerts the feds. From the buyer's perspective, everything looks legit, but...
  4. A day or so later the Feds show up at the receiving addresses, busting far more than just a single hacker.

I wonder if it even occurs to most hacker/cracker types that the logon banner and machine name are completely arbitrary. I recently setup servers on a private section of the network with a banner which states, "You are not authorized to access this server; this incident will be reported..." (Now, granted, there's nothing of great importance on that particular machine, and it has not been "properly" secured.) But I could just as easily have used, "Bank of America Federal Clearing House" Had I done so, (and if this machine was internet-accessible), I would not at all be surprised to hear of a hacker group claiming to have compromised Bank of America.

How does a hacker know the machine to which he's gained access is doing anything more than merely logging his actions? How does he know if the data he's got is any good?

Re:In seeing this from the dark side... (0)

Anonymous Coward | more than 5 years ago | (#29115529)

But what if they didn't actually steal the bike? What if they just tried out if the bike is properly secured, and after noticing that they could lift the bike with no problem, put the bike back and went in the store to remind the owner? It seems to me that no prosecutor would bother with such a case in real life, but they sure as hell go after computer geeks who do that kind of thing to unsecure servers.

Really? (1)

Rehnberg (1618505) | more than 5 years ago | (#29114355)

How did they possibly have this major system running without even the most basic security protocols? This really makes you wonder where your tax dollars are going...

Re:Really? (1)

AHuxley (892839) | more than 5 years ago | (#29114501)

Its rather smart in a way. If its hacked, its just a windows box with a database on it.
Collecting info in real time for later use in court.
The Australians wanted to do a "Special Agent J. Keith Mularski" and run the forum for a few years, but something did not work out.
http://www.wired.com/threatlevel/2008/10/darkmarket-post/ [wired.com]
"... online watering hole for thousands of identify thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years.."
Something went wrong with the admin swap and a clean MS box for evidence collecting got 'seen'
Nothing new is known (a new keylogger, carnivore, magic lantern, MS backdoor, Operation Fairplay), that could not be read in Wired, that feds can take over forums and record all.
The real fun is all the users will now be looking over their shoulders for sneak and peek warrants :)

Typical bureaucratic concept of network security (3, Funny)

DarthBart (640519) | more than 5 years ago | (#29114369)

We don't need to secure anything...we've got a...

(Tympanic BOOM-BOOM-BOOM)

A FIREWALL!

Re:Typical bureaucratic concept of network securit (1)

ceoyoyo (59147) | more than 5 years ago | (#29114717)

I think I need a timpani recording on my phone, to play on demand.

Get off your ego trips (0)

Anonymous Coward | more than 5 years ago | (#29114519)

Bragging about hacking into a database that is not password protected is only something an impotent prick would do.

I could rob any of my neighbors easily, it doesn't mean I should or will.

TERRIBLE analogy (3, Insightful)

Anonymous Coward | more than 5 years ago | (#29114561)

Let's get a better analogy:

"If you broke a window (pun intended), entered the house, saw safe on the floor, turned the handle and it was unlocked, would you be breaking and entering?"

Re:TERRIBLE analogy (1)

Renraku (518261) | more than 5 years ago | (#29115459)

Entering someone's property without being invited is trespassing.

Entering someone's house without being invited is usually breaking and entering.

Gaining access to the contents of something like a safe or a drawer would establish intent for theft, since that's pretty much the only reason you'd be entering a safe or drawer anyway, or at least, that's what the expensive lawyers would be paid to prove.

So you have trespassing, and breaking and entering in the least.

Now, this being a computer situation, I don't think trespassing is really an issue. You can't charge someone for looking at your login prompt, as it would be akin to them seeing your 'no trespassing' or 'keep out' sign. Effectively, you have no property that's not behind the door.

The breaking and entering charge could stick, since you were uninvited, but came right in anyway.

An even better, and car-related analogy, would be if someone left their car door unlocked but had a 'keep out' sign on it, but you entered it anyway. Regardless of whether or not you stunk the car up or stole anything, you'd certainly be charged with (most likely) breaking and entering.

Root password key (0)

Anonymous Coward | more than 5 years ago | (#29114585)

Oh, did they leave it open not to be blamed to intrude because it was already wide open but it was them who leave it open in anticipation of the crime but it is somebody else s fault? There s an ulterior motive to make the analogy with an open house because it is not the same password than key. If the owner of the root password goes missing nobody else can ever take admin rights, right? So it is like giving ownership to a possibly missing gov employee or the equivalent to a small dictatorshop... (cat got your tongue, does it mean a cat looking guy is cutting tongues?)

Re:Root password key (1)

AHuxley (892839) | more than 5 years ago | (#29114635)

Just a badly set up clean MS box to record in the wild.
If seen, would just look like any other PC recording a forum in real time been used by ????.
The real trick for the feds to become admins.
What they mirrored off the forum with is really just a cute detail.

Four Corners (3, Informative)

Mr_Plattz (1589701) | more than 5 years ago | (#29114603)

I'd just like to point out that on Monday night EST, Four Corners [abc.net.au] one of only a small handful of highly respected journalism shows in Australia, ran a piece on "Hackers" and "cyber-crime". I use inverted commas, because although this show is highly respected it "dumbed" down all the interviewees.

1. Essentially it was about hackers who DDOS'd multi-bet and destroyed the company.
2. Essentially it was about a dumb old guy who was a victim of a simple phishing scam.
3. Essentially it was about Australian Federal Police (AFP) who were on the TV show, quite literally laughing at the hackers.

Now, I agree with the first point. I do not have time or appreciation for hackers black mailing then botnet'ting a company to Bankruptcy.

But I do want to make the point: Dumb people get what they deserve (point 2), and dumb organizations who instigate other organization that are much smarter than themselves also get what they deserve. I think "pie in the face" in an understatement in this instance.

I think the only good news in this Article was that the database didn't contain the Tax numbers or Criminal Records of every Australian. I have the highest respect for AFP and the Australia Police Service.

They don't need to be any more competent (1)

petrus4 (213815) | more than 5 years ago | (#29114613)

Where the majority of the "Dancing with the Stars," generation are concerned these days, that's about the level of competence that the police need to get the job done. People who know how to access MySQL databases at all probably aren't a large group, relative to the general population.

Re:They don't need to be any more competent (1)

dakameleon (1126377) | more than 5 years ago | (#29115133)

I'd be worried if their "is it secure?" test was along the lines of "is it safe from an untrained tween with an internet browser?"

so the cops thought that (1)

archangel9 (1499897) | more than 5 years ago | (#29114617)

none of the people on the forums communicated via other methods? That the word wouldn't get out, and that the members/mods/admins didn't notice a change in IP addresses on the account the police assumed? Between this and using an unsecured MySQL db on a windoze box, the cops sound like the noobs here.

Re:so the cops thought that (1)

AHuxley (892839) | more than 5 years ago | (#29114761)

I think the feds wanted to become admins. They would have had the right IP addresses.
"Police were monitoring the forum by logging into the account of the administrator they had raided, but this aroused suspicion among members who knew the raid had taken place."
Real world meets virtual world...
Best to use the real account while they could vs. to try and hack.
The feds did not show their toolkits and they still got to look around.

They can Try (0)

Anonymous Coward | more than 5 years ago | (#29115115)

I had the po' try to charge me like 15 years ago (I was a minor then). I pointed out the phone # I dialed, the system did not identify itself and it did not ask for a username or password. I asked what law I was being charged under, the Computer Crime Act of 1986 required $1000 minimum damages which seemed very dubious. They tried to have me sign away my Miranda rights too, which I refused to do, although I spoke frankly with them. They blustered about $1000s in fines and ended up finding some excuse to fine $50, which was basically not worth contesting.

          I'm sure Australian law is different, but indeed, if there's no password it seems unlikely a crime was comitted. This won't stop them from trying to find one anyway.

"SQL Injection" (1)

ohtani (154270) | more than 5 years ago | (#29115135)

According to the article they also used "SQL injection" except they described it wrong.

The person made a .php file through MySQL calls, but they referred to that as SQL injection.

Interesting (1)

Spit (23158) | more than 5 years ago | (#29115175)

I've got a few of systems like that on my networks, except I call them honeypots.

I don't know why... (1)

Taikutusu (1479335) | more than 5 years ago | (#29115345)

...but this reminds me of this, in a way.

http://bash.org/?117002 [bash.org] [bash.org]

AU judges often don't have passwords on their PCs (4, Interesting)

wheels4me (871935) | more than 5 years ago | (#29115385)

The judges in AU are on a network that does not have a requirement that all users have passwords. Thus, many judges don't even password protect their PCs that are net-connected. It is no surprise that their db got hacked with the abysmal lack of security on the judicial network.

America ... F*** Yeah! (1)

n8r0n (1447647) | more than 5 years ago | (#29115541)

In general, I'm certainly of the opinion that Americans (being one myself) are a rather pompous lot of ignoramuses ... but, when it comes to security, I think we're ahead of most of the world.

I worked for multiple years on an IT project for a branch of the Australian military (in the US and Oz), and I have to say that their idea of security is a total joke. Sorry, Aussies. You guys rock in almost every other area, but security (especially computing) is just not taken seriously.

So, this really doesn't come as much of a surprise to me.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>