
Security Researcher Threatened With Vulnerability Repair Bill

Soulskill posted more than 2 years ago | from the biting-a-helping-hand dept.

Security 231

mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."


231 comments


Lesson learned (5, Insightful)

nurb432 (527695) | more than 2 years ago | (#37719070)

If you find a vulnerability, don't tell the people at risk, sell it or use it.

Either that or move to a less stupid country.

Re:Lesson learned (2, Insightful)

Anonymous Coward | more than 2 years ago | (#37719102)

More like you need to extend whistleblower protection for security researchers disclosing vulnerabilities. However, the guy basically admitted to unlawful access of their system in order to prove the vulnerability existed, which in ethical circles is a big no-no.

Re:Lesson learned (1)

Anonymous Coward | more than 2 years ago | (#37719176)

What is the alternative? It isn't possible to know if a flaw exists without exploiting it.

Re:Lesson learned (5, Insightful)

LifesABeach (234436) | more than 2 years ago | (#37719512)

Well, let's just back up here a bit. If my neighbor discovers that part of my fence is broken, and walks onto my property to tell me so:
1. Is the neighbor guilty of Trespassing?
2. Is the neighbor guilty of causing the fence to be broken?
3. Is the neighbor guilty of being the cause of the broken fence?
4. Is the neighbor guilty of Negligence because the fence is broken?
5. Is the neighbor guilty of Indirect Negligence because the fence is broken?
6. Is the neighbor guilty of not maintaining the fence?
7. Is the neighbor guilty of any damage because the fence is broken?

Some Lawyer in their first year of business is going to carve up a Hedge Fund like a Christmas Turkey. Cheers!

Re:Lesson learned (3, Insightful)

arth1 (260657) | more than 2 years ago | (#37719670)

The problem was that your neighbor, in order to discover whether your fence was broken, tried 600 entry points.

No, I'm not defending the Australian company and its lawyers, but pen-testing without permission is black hat even if done under responsible disclosure.
It's one thing to pen-test a device you own, it's a whole different kettle of fish to do the same to a random company.

If I were Judge Dredd in this case, I'd award the company a 1 cent restitution along with a hefty fine for wasting the court's time, then put the researcher in jail for three months for the crime of stupidity.

Re:Lesson learned (0)

Anonymous Coward | more than 2 years ago | (#37719690)

1) Yes
2-6) No, of course.
7) If he damaged anything while performing (1) he is responsible.

I think a better analogy would be the neighbor noticing the fence is being held up by rotten wood. In the case of this researcher he pushes the fence over, walks to the front door (through the hole in the fence and house), walks out the front door, turns around and rings the doorbell. All instead of noticing the rotten wood and walking around to the front door and reporting a possible problem.

The researcher suspected an error (sees the rotten wood).
The researcher exploits the error (pushes the fence over).
The researcher copies a couple files (walks through the house).
The researcher reports his findings to the company (walks out the front door, closes it, then turns around and rings the doorbell).

Re:Lesson learned (2, Insightful)

bratwiz (635601) | more than 2 years ago | (#37719694)

What you mean is, if the neighbor stops by to tell you your fence is broken and hands you your TV set as proof he was able to access your stuff.

I'd say that's a bit different than all the things you suggested.

How would you feel about it?

Re:Lesson learned (3)

Cyberllama (113628) | more than 2 years ago | (#37719900)

That metaphor breaks down here because there's no way to "see the hole" until you've stumbled through it. In this case, we're talking about changing a value somewhere in an URL or something similar, and getting access to something that isn't yours. You can look at the structure of the URL and make the intuitive leap that there might be an issue and test it out, but there's no way you can know without testing and no point in reporting if you don't know.
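As an added illustration, not code from the original thread or from any poster, here is the lookup pattern Cyberllama describes (the id in the URL is the only thing that decides what you get back) next to the authorisation check that closes it. The statement records, the session model and the per-session handle table are assumptions made for this example.

```python
"""Direct object reference: the vulnerable lookup beside its hardened form."""
import hmac
import secrets

# Constructed sample records standing in for the statements table:
# statement id -> owning member and the statement body.
STATEMENTS = {
    1001: {"owner": "member-a", "body": "balance 10,000"},
    1002: {"owner": "member-b", "body": "balance 22,500"},
    1003: {"owner": "member-c", "body": "balance 7,800"},
}


class Forbidden(Exception):
    """The caller is not entitled to the requested object."""


def get_statement_vulnerable(statement_id: int) -> dict:
    """The pattern the thread describes: the id taken from the URL is the
    only input, so anyone who is logged in can change 1001 to 1002 and
    read another member's statement."""
    return STATEMENTS[statement_id]


def get_statement_hardened(session_member: str, statement_id: int) -> dict:
    """Authorise against the server-side session, never the URL alone.

    A record that does not exist and a record owned by someone else are
    refused identically, so the endpoint does not reveal which ids exist."""
    record = STATEMENTS.get(statement_id)
    if record is None or not hmac.compare_digest(record["owner"], session_member):
        raise Forbidden("statement not available to this member")
    return record


def access_allowed(session_member: str, statement_id: int) -> bool:
    """True if the hardened lookup would succeed for this member."""
    try:
        get_statement_hardened(session_member, statement_id)
    except Forbidden:
        return False
    return True


# Second layer (an assumed design for this example): hand out unguessable
# per-session handles instead of sequential integers, so there is nothing
# to increment. The ownership check above still applies underneath.
def issue_handle(session_member: str, statement_id: int, handle_table: dict) -> str:
    handle = secrets.token_urlsafe(16)
    handle_table[handle] = (session_member, statement_id)
    return handle


def resolve_handle(session_member: str, handle: str, handle_table: dict) -> dict:
    owner, statement_id = handle_table.get(handle, (None, None))
    if owner != session_member:
        raise Forbidden("unknown handle")
    return get_statement_hardened(session_member, statement_id)
```

The important property of the hardened version is that the decision depends on who the session says you are, not on what the URL says you asked for; the opaque handle only makes guessing expensive and is no substitute for that check.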

so a typo is now unlawful access? (2)

Joe_Dragon (2206452) | more than 2 years ago | (#37719222)

He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleagues' account.

But anyway, that is just like having an open door, and all you need to do is go through the door next to the one that is your door.

Re:so a typo is now unlawful access? (0)

Anonymous Coward | more than 2 years ago | (#37719344)

So if I follow your analogy (and ignore your inability to form a coherent sentence) if my neighbor leaves their door open and I wander into their apartment and rifle through their stuff, I'm not trespassing?

Re:so a typo is now unlawful access? (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37719428)

It's not even that; it's more like if a hotel had a view-a-bill system and by mis-keying it you were able to see others' bills.

Re:so a typo is now unlawful access? (2)

blair1q (305137) | more than 2 years ago | (#37719376)

Accidentally walking into a neighbor's apartment is an accident.

Doing it repeatedly because now you know they leave the door unlocked is a crime.

Re:so a typo is now unlawful access? (0)

Anonymous Coward | more than 2 years ago | (#37719850)

Not when they regularly leave their apartment unlocked with the intention of having all the world browse on through to whatever they leave unlocked.

Suppose you live in an apartment. (1)

Chirs (87576) | more than 2 years ago | (#37719872)

You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.

Would you expect to be sued for trespassing on all of your neighbours?

Re:Suppose you live in an apartment. (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37719918)

Well, the landlord can sue you to cover the costs, so it's "blame the person who found the broken locks."

Re:Suppose you live in an apartment. (2)

blair1q (305137) | more than 2 years ago | (#37719968)

Why would I check my neighbor's lock because mine is broken?

Let's make it a closer analogy:

I walk up to my door, open it, and discover it's not my apartment. Oops. It's my neighbor's and it should have been locked.

Then I think, what about the others? So I start jiggling knobs, and a cop walks around the corner and catches me at it.

You think he'll believe me when I say I was just checking locks? And was I right to try to find all the unlocked doors on the floor just because my neighbor's is unlocked?

Re:Suppose you live in an apartment. (2)

fluffy99 (870997) | more than 2 years ago | (#37720064)

You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.

Would you expect to be sued for trespassing on all of your neighbours?

If you just turned the knob and didn't open the door, then no. If you entered the apartment and wrote down descriptions of their furnishing to prove you'd been there, they'd probably charge you with trespassing. No different here. He should have just reported the vulnerability instead of writing a script to download personal information from other accounts.

Under many US laws, he committed a crime. If the info he downloaded was subject to HIPAA or other regulatory laws, the company has the right to subpoena the computer he used so they can assess and properly report the information that he compromised.

Here is the link to the law which he broke:
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308h.html [austlii.edu.au]

The stipulations to delete all the compromised data and a pledge to not attempt to gain unauthorized access again is pretty appropriate. The statements about reserving the right to inspect his computer or seek damages are in the letter simply to make it clear that they have not absolved him of responsibility and may want proof that he indeed deleted all the data. With all that said, I think it's silly for them to ask to access his computer to verify the data has been deleted. They have no way of knowing if he made copies or even if that's the computer he used.

Re:so a typo is now unlawful access? (1)

AHuxley (892839) | more than 2 years ago | (#37719916)

Australia had such weak computer security laws in the past that they had to make any attempt, i.e. a URL rewrite, equal to more creative attempts.
Add in the reality that Australian lawyers are well trained; the old trespass-like laws did not really hold up well in court.
So federal law is now very clear: don't play with other people's computers, data, URLs, etc.

Re:Lesson learned (1)

shentino (1139071) | more than 2 years ago | (#37719556)

What I'd like to know is who he told that wasn't entitled to know about it.

If the guy told the same network as the one he found the breach in, how is that a violation of privacy?

We need to know more about whose network he discovered to have an exploit, and who exactly he told about it.

Re:Lesson learned (1)

Anonymous Coward | more than 2 years ago | (#37719736)

which in ethical circles is a big no-no.

With a nonstandard definition of ethical.

Re:Lesson learned (0)

Anonymous Coward | more than 2 years ago | (#37719134)

Laws against using a vulnerability are not stupid. This guy screwed up. Accessing 500 accounts is not research.

Re:Lesson learned (2)

DanTheStone (1212500) | more than 2 years ago | (#37719228)

TFA says 1, not 500. I wonder where the 500 number came from?

Re:Lesson learned (1)

MachDelta (704883) | more than 2 years ago | (#37719714)

The PDF mentions accessing "approximately" 568 accounts.

Re:Lesson learned (1)

DanTheStone (1212500) | more than 2 years ago | (#37719816)

Ah, there's the crucial missing link. Sounds like it could be a bad summary in the other articles, then. Thank you.

Re:Lesson learned (0)

Anonymous Coward | more than 2 years ago | (#37719402)

I want to know where the "batch file accessing 500 accounts" came from - certainly not in the TFA.

So they have threatened legal charges and told him to destroy what evidence he may have, and then allow them to go through his computer? Nice

Re:Lesson learned (1)

jimshatt (1002452) | more than 2 years ago | (#37719624)

Maybe, but handing over documents of 500 accounts has somewhat more impact than just 1. The company might have been inclined to see this as a glitch and continue with business as usual. After all, if they were stupid enough to create this gaping security hole, they're probably stupid enough to leave it this way unless (nearly) forced to fix it.

Obviously (2)

nedlohs (1335013) | more than 2 years ago | (#37719124)

If you are going to access 500 accounts you don't then report the problem with your name attached. Even if said access is just changing a number in a url because they have a retarded system.

Re:Obviously (2)

Synerg1y (2169962) | more than 2 years ago | (#37719170)

The "right" thing to do as per the old internet standard is to publish it as a 0 day hack and then let the company fix it themselves.

1. It's the company's systems and they are responsible, not you
2. Hacking is illegal
3. This is what happens when you try to reason with sheep who just don't get it

If this was a 0 day currently, it would have probably been patched already and no legal action threat would occur.

Also, at least in the states there are no circumstances a private entity can look at any of my information, it can contact law enforcement, and they can seize the computer, but otherwise SOL and that's the way it should be.

Re:Obviously (1)

jamstar7 (694492) | more than 2 years ago | (#37719542)

The "right" thing to do as per the old internet standard is to publish it as a 0 day hack and then let the company fix it themselves.

1. It's the companies systems and they are responsible not you 2. Hacking is illegal 3. This is what happens when you try to reason with sheep who just don't get it

If this was a 0 day currently, it would have probably been patched already and no legal action threat would occur.

Also, at least in the states there are no circumstances a private entity can look at any of my information, it can contact law enforcement, and they can seize the computer, but otherwise SOL and that's the way it should be.

Just goes to show, no good dead goes unpunished.

Re:Obviously (2)

ColdWetDog (752185) | more than 2 years ago | (#37719568)

Just goes to show, no good dead goes unpunished.

Zombie joke?

Re:Obviously (3, Interesting)

Mathinker (909784) | more than 2 years ago | (#37719244)

> said access is just changing a number in a url because they have a retarded system

I wonder just how many of us have come across such idiocies. I know I have, and yes, I didn't report it because the probability that I would get into trouble by doing so was greater than the damage of email addresses being leaked or having a few people getting their bulk email subscriptions erroneously canceled (it was a company which took care of mass emailing for quite a few clients, including a prestigious scientific journal).

Re:Obviously (5, Interesting)

hawguy (1600213) | more than 2 years ago | (#37719564)

I wonder just how many of us have come across such idiocies.

I came across one long ago, back when the internet was more open and trusting - I discovered that a remote server had its root filesystem opened to the world via an NFS export. I emailed the administrator for the server and he said "No worries, you may be able to mount it but file permissions prevent you from doing anything unless you have an account on that server". So I emailed back and said that *any* root user on any server could get full access (this was before the root user was routinely mapped to uid nobody). He said "No, if you're not root on my server you can't get access". So I mounted it read-write from my computer, did a "touch /etc/i_have_access" and told him to look at the file I just created.

He thanked me and stopped exporting the filesystem. If I did that nowadays, I'd likely be facing charges for hacking.

Re:Obviously (1)

fluffy99 (870997) | more than 2 years ago | (#37720106)

I still run into Unix and Linux admins who don't understand how NFS (non-)authentication works. It's a retarded system that blindly trusts the user to state their identity and group membership (uid/gid) and there are no credentials involved at all. These guys usually have no_root_squash enabled which makes it even worse.
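An added example, not from fluffy99 or anyone in the thread, of how a defender would check for the two mistakes described above (a root filesystem exported to everyone, as in hawguy's story, and no_root_squash, as fluffy99 mentions): a small parser for /etc/exports that flags world exports, no_root_squash, the "insecure" option, and any client that is still trusted on AUTH_SYS (client-asserted uid/gid) rather than Kerberos. The sample exports lines are constructed for the example and do not come from any real host.

```python
"""Audit /etc/exports lines for the NFS trust mistakes discussed in the thread."""
import re
from dataclasses import dataclass

# exports(5) client spec: "host(opt,opt)", bare "host", or "(opt)", which,
# because of the space before the parenthesis, applies to every host.
_SPEC_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


@dataclass
class ExportEntry:
    path: str
    clients: list  # (host, set of options) pairs


def parse_exports(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        if not specs:
            clients.append(("*", set()))      # no client list at all: everyone
        for spec in specs:
            m = _SPEC_RE.fullmatch(spec)
            host = m.group(1) or "*"          # "(opts)" alone means every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            clients.append((host, opts))
        entries.append(ExportEntry(path, clients))
    return entries


def audit_exports(text: str) -> list:
    """Return (severity, message) findings for each risky export."""
    findings = []
    for entry in parse_exports(text):
        if entry.path == "/":
            findings.append(("high", f"{entry.path}: the root filesystem is exported"))
        for host, opts in entry.clients:
            where = f"{entry.path} -> {host}"
            if host == "*":
                findings.append(("high", f"{where}: exported to every host"))
            if "no_root_squash" in opts:
                findings.append(("high", f"{where}: no_root_squash, remote root is local root"))
            if "insecure" in opts:
                findings.append(("high", f"{where}: insecure, requests accepted from unprivileged ports"))
            if not any(o.startswith("sec=krb5") for o in opts):
                # Default sec=sys: the server believes whatever uid/gid the client sends.
                findings.append(("info", f"{where}: AUTH_SYS only, client-asserted uid/gid are trusted"))
    return findings


# Constructed sample, not from any real host. The first line is the setup
# described in the thread; the last is the corrected form.
SAMPLE_EXPORTS = """\
/                 *(rw,no_root_squash)            # everyone, remote root is root
/srv/share        (rw)                            # space before the paren: everyone, rw
/home/projects    10.0.5.0/24(rw,sync,root_squash,sec=krb5p)
"""

if __name__ == "__main__":
    for severity, message in audit_exports(SAMPLE_EXPORTS):
        print(f"[{severity}] {message}")
```

Note that root_squash is the default when it is not written, so its absence is not a finding; the real fix for the uid-trust problem fluffy99 describes is sec=krb5/krb5i/krb5p on both sides, which is why the third line produces nothing.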

Re:Obviously (1)

arth1 (260657) | more than 2 years ago | (#37719742)

I wonder just how many of us have come across such idiocies. I know I have,

I took a look at my cookie hive one day. Not just who set what cookies, but what they actually contained. There were several that "authorized" (if you can call it that) by a simple and relatively low number. No hash, no corresponding key, nope. Just a number in a cookie to bypass a login. Change it, and Bob's your uncle.

Sounds like a job for the EFF (1)

Anonymous Coward | more than 2 years ago | (#37719472)

Ask the EFF to write up an internationally-binding contract, in which a company would make a legal commitment not to harass, annoy or otherwise harsh the mellow of any security researcher who provides them information in good faith. It should be written so as to side-step any possible laws to the contrary. I.e., commit the company to indemnify & hold harmless, choose not to prosecute, etc.

Any company who signs this is likely to get security assistance. Those who do not sign, could not expect such assistance.

Now, who the counter-party would be I can't tell you.

Re:Sounds like a job for the EFF (2)

shentino (1139071) | more than 2 years ago | (#37719570)

Unfortunately statutes trump contracts.

Re:Sounds like a job for the EFF (2)

Dogtanian (588974) | more than 2 years ago | (#37720042)

Ask the EFF to write up an internationally-binding contract, in which a company would make a legal commitment not to harass [etc] any security researcher who provides them information in good faith. [..] Any company who signs this is likely to get security assistance. Those who do not sign, could not expect such assistance.

With respect, this is naive and assumes that such companies *want* your assistance. I'm sure that a significant proportion would rather that you STFU about any inconvenient vulnerabilities which would cause them a lot of hassle to fix, probably make them look bad (people do *not* like being made to look incompetent, even when they are) and I suspect, from a legal point-of-view, be all-round more convenient to not (officially) know about.

If you persist in trying to get them to do something about this (regardless of whether or not it would help their customers), they *will* find a way of getting back at you and dissuading others from doing the same thing. To be honest, that would appear to be the most likely explanation in this case, and going by some of the comments posted here, it seems to work.

Of course, such dissuaded responses appear to forget that the people you're really helping are more likely the innocent customers of this company (who have no idea how lousy the company is) as much as the company themselves- who would probably rather you kept quiet. So saying "fuck 'em" and letting the company reap the rewards of their own incompetence misses the point.

The primary aim is to address the problem and get them to fix it. While ideally this would be done in a way that minimises harm to the company/people responsible (as "punishing" them isn't- or shouldn't- be the aim), one *has* to assume that their response may not be positive, and make the #1 priority to protect oneself from a potentially hostile response.

This may not be natural for geek-types who see fixing the problem as most important and think they are doing those involved a "favour"- and being more rational- by being more direct, but it is *not* your job to risk being crucified and smeared by some company whose toes they think you stood on. If that means doing things anonymously and less directly then that has to be the way you do it.

As the old idiom goes: (5, Insightful)

magsol (1406749) | more than 2 years ago | (#37719164)

No good deed goes unpunished.

Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.

Re:As the old idiom goes: (0)

Anonymous Coward | more than 2 years ago | (#37719848)

You don't understand it from their position. If nobody notices, no issues. Since it's brought up, they actually have to do something about it. If it is used for badness, it's the EVIL HACKERS and not our incompetence. Since he sent in the evidence, they have to do something about it, and can't blame anybody.

Re:As the old idiom goes: (1)

BlueStrat (756137) | more than 2 years ago | (#37719988)

You don't understand it from their position. If nobody notices, no issues. Since its brought up, they actually have to do something about it. If it is used for badness, its the EVIL HACKERS and not our incompetence. Since he sent in the evidence, they have to do something about it, and can't blame anybody.

~ He could even be charged with performing a scapegoat-otomy without a medical license! Oh, the humanity! /~ :-)

Strat

Re:As the old idiom goes: rule 285 (0)

Anonymous Coward | more than 2 years ago | (#37719990)

Rule of Acquisition #285 I believe.

Full-Disclosure (1)

gellenburg (61212) | more than 2 years ago | (#37719168)

If you find a vulnerability, disclose it. Publicly.

And yes, I work in Information Security. Vulnerability Management even. Go figure.

Re:Full-Disclosure (0)

Anonymous Coward | more than 2 years ago | (#37719224)

Well, you can't manage vulnerabilities unless you know about them :D

Re:Full-Disclosure (3, Insightful)

Hatta (162192) | more than 2 years ago | (#37719368)

If you find a vulnerability, disclose it. Publicly.

and anonymously.

Re:Full-Disclosure (1)

fluffy99 (870997) | more than 2 years ago | (#37720120)

If you find a vulnerability, disclose it. Publicly.

And yes, I work in Information Security. Vulnerability Management even. Go figure.

At least be ethical and anonymously tell the company first and give them a chance to fix it themselves. If they ignore it, then consider a public announcement. Otherwise you're no better than the criminals, legally or ethically.

Yes. (2)

unity100 (970058) | more than 2 years ago | (#37719174)

Next time leave the whoresons to get fucked through their vulnerability by ill-intentioned black hats rather than warning them.

they deserve it. really.

Re:Yes. (1)

Pseudonym Authority (1591027) | more than 2 years ago | (#37719320)

I concur. People like those are why you have to ask before saving someone from choking. Fuck 'em. And honestly, what's the point of informing them that their code is shitty? It isn't as if they are an OSS project. They are a private company, and they should either pay you, or get hacked and lose customers. This is the free market. Only a filthy socialist would do it for free.

shades of Randal Schwartz (0)

Anonymous Coward | more than 2 years ago | (#37719206)

The well-known author of O'Reilly's Learning Perl [oreilly.com] was caught testing an open source password cracking package on Intel's intranet while doing consulting work there in the '90s. Intel didn't find it interesting in the same way Schwartz did, and a nasty legal battle [lightlink.com] ensued.

IIRC one of the harvested passwords was "Pre$ident", from an ambitious Intel VP.

Good Samaritan Laws (3, Insightful)

bmo (77928) | more than 2 years ago | (#37719214)

In meatspace, there are Good Samaritan laws that say that if you help someone who is in danger, you are not to be sued. Pulling someone from a burning car is not something that should bankrupt the rescuer.

We need this for e-space.

If you find a flaw and report it to appropriate people, you should not become a target because you made someone look bad.

The alternative is to never report a flaw. And no, the argument that you can do it anonymously is bullshit too, because people will fuck that up like they already do.

--
BMO

Re:Good Samaritan Laws (1)

fyngyrz (762201) | more than 2 years ago | (#37719282)

The problem is legislation written by idiots, abused by lawyers (but I repeat myself), and then the dance of arbitrary abuse performed by the judiciary. There is nothing so dangerous as poorly written law, and in my experience, almost all law is poorly written.

Re:Good Samaritan Laws (0)

bmo (77928) | more than 2 years ago | (#37719314)

Good Samaritan laws already work in meatspace. They are a proven concept.

You're an idiot.

--
BMO

Re:Good Samaritan Laws (0)

MechaStreisand (585905) | more than 2 years ago | (#37719478)

Below, someone pointed out:

"Ironically, Good Samaritan laws in Ohio don't apply to health care professionals because they're supposed to know what to do."

Who's the idiot? You are. Fuck off and die.

Re:Good Samaritan Laws (1)

bmo (77928) | more than 2 years ago | (#37719802)

How about you take your "HURR GUBMINT CAN'T POSSIBLY DO ANYTHING GOOD WHATSOEVER" and shove it squarely up your ass, you psychopath.

I've heard assholes like you my entire life and I prefer civilization instead of warlords.

Go fuck yourself with a glass shard.

--
BMO

Re:Good Samaritan Laws (0)

Anonymous Coward | more than 2 years ago | (#37719666)

You're fucking retarded, prick.

Re:Good Samaritan Laws (1)

shentino (1139071) | more than 2 years ago | (#37719586)

They're not idiots.

They just don't work for the voters that supposedly are supposed to decide whether or not they get into office.

It's an issue of loyalty, not competence.

Re:Good Samaritan Laws (1)

arbiter1 (1204146) | more than 2 years ago | (#37719342)

No one would have looked bad if they didn't sue the guy, since this story wouldn't even have been published, but when they filed that suit against him now everyone knows how much of an A-hole this company is to a person that saved them a massive PR nightmare.

Re:Good Samaritan Laws (2)

bmo (77928) | more than 2 years ago | (#37719470)

>No one would looked bad if they didn't sue the guy,

You misunderstand what I meant about who is looking bad. This is the result of someone within the organization attempting to cover his ass by blaming the messenger and convincing the lawyers that it's not his fault.

Because if he didn't, he'd look bad to his bosses.

That's why all this is happening, and since shit rolls downhill and there is no protection for people like the researcher, guess who gets squashed like a bug by the corp?

>Flaw
>Researcher points it out
>Blame researcher
>Everyone happy but researcher. He twists in the wind.

--
BMO

Re:Good Samaritan Laws (1)

cshark (673578) | more than 2 years ago | (#37719772)

Sometimes, it really seems like no good deed goes unpunished.

If one of the good guys gives you information to help you fix your systems when they're obviously broken, and you bite their hand... the consequence is that fewer good guys will be willing to do it. So, if you follow this slippery slope argument to its conclusion, you're pretty much left with the bad guys being the only people who are willing to break into your obviously broken server. And then there are no warnings. There are no second chances. There is no help.

The researcher may have broken the letter of the law by doing it, but I don't think the law was intended for people who are trying to help. You apply it to them, and you really screw yourself. It amazes me that anyone could get free advice from a random person who found a problem, and take legal action. What the fuck was FSSTS thinking?

Re:Good Samaritan Laws (1)

Relayman (1068986) | more than 2 years ago | (#37719372)

Ironically, Good Samaritan laws in Ohio don't apply to health care professionals because they're supposed to know what to do.

Translating to e-space, a security consultant could be liable to malpractice. However, this consultant still did the right thing, so there are no grounds for causing him trouble.

Re:Good Samaritan Laws (1)

MatthiasF (1853064) | more than 2 years ago | (#37719510)

They shouldn't even consider Good Samaritan laws or unlawful access to a computer system.

The company seems to have offered all of its users access to other users' information. The guy didn't hack through any security, the company gave him access indirectly.

It's like he received a retirement package for another person but had his name on the label, or a bank using the same key for every safety deposit box and you just on a whim tried your key in someone else's box.

You didn't know you would be exposed, you did something out of curiosity that seemed obvious and wouldn't amount to anything.

So, it seems the onus is on the company, not the user, even though the company seems to think it has the right to bully the guy to keep their snafu hidden from its other customers.

Re:Good Samaritan Laws (1)

ATMAvatar (648864) | more than 2 years ago | (#37720076)

That's not entirely true. Rendering CPR to an unconscious victim can and has gotten people sued.

Turn a White hat into a Black hat.. (1)

Moheeheeko (1682914) | more than 2 years ago | (#37719232)

.. just add unnecessary litigation!

information source? (0)

Anonymous Coward | more than 2 years ago | (#37719242)

The linked article only states that one account was accessed in this way, nothing about a batch file or 500 accounts....

Welcome to Wonderland (2)

Nom du Keyboard (633989) | more than 2 years ago | (#37719252)

“Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.

What the hell kind of logic is that? If this stands then every independent security researcher ought to leave Down Under at once and leave them to find out that White Hats != Black Hats through direct and painful experience. What a bunch of jokers.

Re:Welcome to Wonderland (0)

Anonymous Coward | more than 2 years ago | (#37719446)

Or they should start researching on demand instead of attacking random servers. Then they might even get paid (without having to resort to extortion).

Critical information missing in TFA (1)

Beerdood (1451859) | more than 2 years ago | (#37719270)

The summary says that he "run a batch file to access 500 accounts", but there's no mention of that in TFA. According to that article "Webster notified his colleague and contacted Adam Jarrett of Pillar hours later and informed them of the vulnerability and that he had not accessed other accounts or retained customer data."

So which is it? This is a pretty critical part of the story that seems to be missing. The linked article seems to indicate that the researcher simply found the one issue and quickly reported it to them. The summary says "the researcher had run a batch file to access around 500 accounts". Well, did he do it or not? And how would the company have found out about that anyway? I doubt he'd disclose that information, and his computer wasn't seized.

Re:Critical information missing in TFA (1)

julesh (229690) | more than 2 years ago | (#37719364)

And how would the company have found out about that anyway?

Theoretically, if he had, his requests would be in their access logs...
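An added example, not posted by julesh or anyone else in the thread, of what those access logs give the defender: a detector that flags a single client fetching many distinct, mostly consecutive statement ids, which is the signature a "batch file" walking an id in the URL would leave. The combined log format and the `statement=` query parameter are assumptions for this example, and the log lines are constructed, using documentation IP ranges.

```python
"""Spot sequential object-id enumeration in web access logs."""
import re
from collections import defaultdict

# Combined log format; an assumption about how the application logs.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The object id lives in the query string; the parameter name is assumed.
_ID_RE = re.compile(r"[?&]statement=(\d+)")


def detect_enumeration(lines, min_ids=5, min_sequential_ratio=0.8):
    """Return one alert per client that successfully read many *distinct*
    ids that are mostly consecutive. Re-reading your own statement does
    not count; a couple of unrelated ids do not count; 1001, 1002, 1003 ... does."""
    ids_by_client = defaultdict(set)
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # only successful reads actually leaked data
        idm = _ID_RE.search(m.group("path"))
        if idm:
            ids_by_client[m.group("ip")].add(int(idm.group(1)))

    alerts = []
    for ip, ids in ids_by_client.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = steps / max(len(ordered) - 1, 1)
        if ratio >= min_sequential_ratio:
            alerts.append({"client": ip, "distinct_ids": len(ordered),
                           "first": ordered[0], "last": ordered[-1],
                           "sequential_ratio": round(ratio, 2)})
    return alerts


def _line(ip, statement, status=200, second=0):
    # Build one constructed combined-format log line for the sample below.
    return (f'{ip} - - [14/Oct/2011:10:00:{second:02d} +1100] '
            f'"GET /member/statement?statement={statement} HTTP/1.1" {status} 5120')


# Constructed sample: one client walks eight consecutive ids; another reads
# its own statement twice plus one neighbour; one request fails with 404.
SAMPLE_LOG = (
    [_line("203.0.113.7", 1001 + i, second=i) for i in range(8)]
    + [_line("198.51.100.20", 1042),
       _line("198.51.100.20", 1042, second=5),
       _line("198.51.100.20", 1043, second=9),
       _line("198.51.100.20", 1050, status=404, second=12)]
)

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

Thresholds are deliberately parameters: a legitimate user with a handful of linked accounts will produce a few ids, so the defaults look for at least five distinct ids with nearly every step being +1. If the application also logs the authenticated member, the far stronger signal is any 200 where the requested statement's owner is not the session member, which the hardened lookup earlier in the thread would refuse outright.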

Re:Critical information missing in TFA (1)

RichMan (8097) | more than 2 years ago | (#37719592)

"run a batch file" and simply modifying a URL likely means something like a simple script around wget or something equally trivial

for ((i=0; i<500; i++)); do
      wget -O dump${i} http:///url/long/user=${i}
done

Re:Critical information missing in TFA (2)

ark1 (873448) | more than 2 years ago | (#37719616)

The PDF has a sentence which hints that he may have submitted a proof of concept that accessed approx 568 statements.

Re:Critical information missing in TFA (1)

fluffy99 (870997) | more than 2 years ago | (#37720156)

568 accounts to be exact.
http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf [haymarket.net.au]

Try clicking a few of the links in TFA next time. Or were you surprised that the summary actually included more than just a paraphrasing of the original article?

plausible deniability (2)

buybuydandavis (644487) | more than 2 years ago | (#37719308)

Companies don't want to know. Literally. If they know, it increases their liability for doing nothing in the event of a problem.

Re:plausible deniability (1)

Joe U (443617) | more than 2 years ago | (#37719630)

After the first letter, kindly explain that you're going to take out a full page advertisement explaining how company doesn't care about user data. Make sure to mention identity theft.

Re:plausible deniability (1)

greg1104 (461138) | more than 2 years ago | (#37719912)

Make sure you're ready for some time in jail for blackmail, too, if you follow that route. The only thing worse than reporting this sort of data the nice way is to report it in a way that's threatening.

As they always say.. (1)

mewsenews (251487) | more than 2 years ago | (#37719312)

No good deed goes unpunished

Re:As they always say.. (0)

Relayman (1068986) | more than 2 years ago | (#37719408)

Dup. Mod down.

WOOT? _fp... (-1)

Anonymous Coward | more than 2 years ago | (#37719336)

luck I'Y'l find

When did Australians turn into Americans? (0)

Anonymous Coward | more than 2 years ago | (#37719370)

I thought Australians were no nonsense people that didn't put up with (or use) bullshit like this.

Re:When did Australians turn into Americans? (1)

harvey the nerd (582806) | more than 2 years ago | (#37719490)

Aussies have their own regulatory Wonderland. Some even greatly exceed US agencies' foolishness. Perhaps the larger percentage of convict content more recently :)

Re:When did Australians turn into Americans? (1)

couchslug (175151) | more than 2 years ago | (#37719738)

"I thought Australians were no nonsense people that didn't put up with (or use) bullshit like this."

Everybody thinks they are "no nonsense people that didn't put up with (or use) bullshit like this". Many are mistaken.

Service Guarantees Citizenship (3, Interesting)

mounthood (993037) | more than 2 years ago | (#37719458)

The rule should be: Disclosure Guarantees Immunity

This would lead to some abuse, but it would also lead to disclosure, which is the only way we're going to develop a secure internet. A federal agency could take the reports to keep both sides honest. Immunity could be granted only for what's reported so if people leave something out to hide their malfeasance it wouldn't be covered under immunity. Reports could even be done anonymously if there's an intervening agency.

Re:Service Guarantees Citizenship (0)

Anonymous Coward | more than 2 years ago | (#37719702)

Is there a reputable organization you can send vulnerabilities to that will act as the middle man to avoid these types of situations? If not, why isn't there?

Re:Service Guarantees Citizenship (1)

giorgist (1208992) | more than 2 years ago | (#37719894)

So if I disclose all your bank passwords, would that make me immune?
I agree in part, but it is a problem.

If, as a delivery dude, I find your key under the front door mat, can I make 1000 copies and drop them off all over the city with your address to teach you to be safer?

I am genuinely asking, I don't have the answer.

If I simply return your key, and you keep putting it under the mat, then what do I do?

Re:Service Guarantees Citizenship (1)

wierd_w (1375923) | more than 2 years ago | (#37720032)

No, it should be this:

"Unauthorised access, with full disclosure, and without intent to illegally make use of accessed data, should not be illegal."

Say for instance, somebody pen tested sony before the PSN hack-a-thon, pulled some demonstration data to prove the exploit was live, and forwarded it to sony's IT staff, asking them to inform the impacted users of the breach and to please fix the exploit.

That should be legal.

If they did the above, but neglected to mention that they vacuumed up 10,000 credit cards and identities and sold them on the internet, and then reported-- THAT should not receive any form of legal protection.

Criminal intent MUST be required.

My letter to Maged (1)

gavron (1300111) | more than 2 years ago | (#37719464)

It took a lot of work to delete all references to "ass" and "douchebag".
Ehud

Dear Maged,

I read with interest your letter to Patrick Webster copied at
http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf [haymarket.net.au]

Mr. Webster informed your client of a security flaw in their software that allows
access to members' confidential and financial information. He did so in accordance
with accepted business principles of Full and Open Disclosure.

Your response shows that your law firm clearly lacks an understanding of the law,
the facts, and of technology. I'll use an analogy to make these complicated
ideas seem simpler. If I spot your garage door is wide open, and I enter, say
"hello," and let you know that you left it open... that is not trespassing. It is
a good Samaritan effort to inform you. Your bullying email is not the right
response.

Your bullying letter to Mr. Webster strongly suggests that you need to get an
expert who understands the technology.

That way you won't come across like a ludite, and have yourself, your law firm,
and your client, show yourselves to be total head-in-the-sand ostriches. Your
client was notified about a security flaw, and now wants the security researcher
to pay for them to fix it? Absurd.

It's one thing to be uneducated. That can be corrected. It's quite another
to be uninformed and open one's mouth and prove it. You've done the latter.

Best and kindest regards.

Ehud Gavron
Tucson AZ USA

Re:My letter to Maged (0)

Anonymous Coward | more than 2 years ago | (#37719646)

You might want to correct the spelling of "ludite" before you send that.

Re:My letter to Maged (1)

colinrichardday (768814) | more than 2 years ago | (#37719770)

Wouldn't a ludite be someone who takes Quaaludes? That might apply.

Re:My letter to Maged (1)

fluffy99 (870997) | more than 2 years ago | (#37720192)

You might also want to read the law before you accuse them of being ignorant of it. They are absolutely correct that his actions violate the law. I doubt the police will pursue it unless there is some malicious intent shown.

http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308h.html [austlii.edu.au]

What is needed... (1)

TimothyDavis (1124707) | more than 2 years ago | (#37719552)

What is needed is a proxy organization. Something like Wikileaks, who can take from the white hats, and manage disclosure to the outside (company affected, etc). This way a white hat can report issues to the proxy with less risk of being prosecuted or sued by idiot entities.

Re:What is needed... (0)

Anonymous Coward | more than 2 years ago | (#37719740)

This will work very well if they allow black hats to bid against the company and keep proceeds from the winner.

The company takes a cut, passes the rest on to the researcher.

True, it blurs the distinction between black hat and white hat, but it also provides a lot of incentive for current black-hats to become whiter-hats.

Phone company (1)

woodsbury (1581559) | more than 2 years ago | (#37719582)

Reminds me of a phone company that we looked into for a security class at university (I'm Australian). They allowed access to anyone's account balance simply by calling a number and entering their mobile number. The system provided no other means of verifying your identity. They were investigated by the Privacy Commission and were found to be in breach of the Privacy Act. I can't imagine this company cannot also be.

Re:Phone company (1)

bmo (77928) | more than 2 years ago | (#37719776)

That's probably why they want the actual physical computer, to make the evidence go away.

--
BMO

No good deed goes unpunished (1)

ipv6_128_lgwb (70428) | more than 2 years ago | (#37719648)

No good deed goes unpunished.
          - I wish I would stop finding this to be true.

Virtue has no reward, only punishment. (1)

couchslug (175151) | more than 2 years ago | (#37719718)

If I were a "security researcher" I wouldn't offer anything to anyone unsolicited. Fuck 'em. Fuck ALL of 'em.

The only way to punish these cocksuckers is to NOT look for any credit, expose their vulns, then laugh quietly as they are exploited.

Re:Virtue has no reward, only punishment. (0)

Anonymous Coward | more than 2 years ago | (#37720116)

I disagree. Even the most diligent programmers will believe they have discovered flaws in their work, look at some of the more persistent problems in your favourite *nix kernel for examples.

A bounty system administered by a combination of a professional association and government legislation covering all online banking, financial services and all government services holding personal data (pretty much every government section) is my preferred option.

The occasional redacted wikileaks style disclosure to keep above group on their toes, especially when the exploited service is not fixed promptly.

The issue I am most interested in is the name of the fund. I will pull my funds; that will send the greatest message.

Utter lack of understanding the real problem here (2)

cdrguru (88047) | more than 2 years ago | (#37719904)

The problem is, the guy admits to accessing their system and obtaining documents that he should not have been able to get. He says "Here are 500 samples".

What is the first thing that should occur to someone? Well, how about if he accessed 1000 and is planning on ransoming off the information of the 500 he didn't tell anyone about? Why do you think they want to see his computer? Unfortunately, anyone clever enough to do this would have moved the other 500 somewhere isolated that they would have to tear his house apart to get. Like on a microSD card sewn into a stuffed animal.

See, he has zero credibility here. He can say "But I only took 500! I swear it!" and it does no good. Even searching his house doesn't generate any credibility, it only says they didn't find what they were looking for. Checking his computer only proves that if he has criminal intent that he isn't stupid about it. Since many (most?) criminals are stupid, not finding something on the computer actually does say something ... just not much.

The real question is how much would other records be worth to the subject of those records and how much would it be worth on the open market? If you could take a record and turn it into some cash - presumably by drawing on the assets of the subject of the record - then you have a pretty clear idea of the worth. Even if the value was only privacy there might be some monetary value that you could get from the records. Then you have to either make the records irrelevant or you have to watch this guy for the rest of his life to see if he suddenly comes into a lot of money.

Pissweak Legislation (0)

Anonymous Coward | more than 2 years ago | (#37720006)

The New South Wales Crimes Act clearly states that "Unauthorised access, modification or impairment" requires "intent to commit serious indictable offence" (Part 6, 308C). However, it could be argued that he accessed "restricted data" because "restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer." (Part 6, 308H) But when it comes to court there are so many loopholes to get out of that it's very ineffective (e.g. no published data access policies to define "unauthorised", whether or not it was communicated properly, and whether or not simply changing a number in a URL even constitutes executing an unauthorised computer function). Even then, "Unauthorised access to or modification of restricted data held in computer" is a summary offence. Pillar can go suck his balls.

Public disclosure (2)

Charliemopps (1157495) | more than 2 years ago | (#37720034)

This is why you make your findings public. Stupid companies like this deserve the result.

Making one rethink their good deeds. (3, Informative)

The Archon V2.0 (782634) | more than 2 years ago | (#37720068)

Less than a year ago I found a similar (though not quite as grievous) flaw in a Kickstarter-like website when I mistyped the URL to my own profile page. I grabbed a handful of info with it; just a few random accounts to proof-of-concept automated grabbing, the technique for which I made note of in an e-mail to their support address. Also, I got the e-mail address of user #1 (unsurprisingly, the implementer), whom I CCed the support e-mail. After a few e-mails of discussion about the precise nature of the flaw, I received a very grateful thank-you from the owner of the company and the head of IT, and the flaw was fixed within the hour despite it being the dead of night in their HQ's time zone. When I see stuff like this, though, it makes me wonder if the next time I trip across something like this I should do the same thing.
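The flaw The Archon V2.0 describes (and the one in the story) is a direct object reference: the server authenticates the caller and then trusts whatever id appears in the URL. As an added example that is not from the thread or from any site mentioned in it, here is that pattern next to the object-level authorization check that closes it, using a constructed in-memory store and hypothetical session tokens.

```python
# Constructed data (not from any real system): statement text keyed by member id,
# and the member id each logged-in session belongs to.
STATEMENTS = {4417: "balance 12,300", 4418: "balance 87,010", 4419: "balance 1,200"}
SESSIONS = {"sess-abc": 4417, "sess-def": 4418}
AUTHZ_FAILURES = []  # denied requests, kept so they can feed monitoring


class Forbidden(Exception):
    pass


def get_statement_vulnerable(session_token, member_id):
    """Authenticates the caller, then uses the id from the URL unchanged.
    Any logged-in member can iterate member_id across every record."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return STATEMENTS[member_id]


def get_statement_hardened(session_token, member_id):
    """Object-level authorization: the requested id must belong to the caller.
    Records the denial so repeated attempts are visible to detection."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not logged in")
    if member_id != caller or member_id not in STATEMENTS:
        # Same error for "not yours" and "does not exist" so the endpoint
        # cannot be used to confirm which ids are valid.
        AUTHZ_FAILURES.append((session_token, member_id))
        raise Forbidden("not found")
    return STATEMENTS[member_id]


def get_own_statement(session_token):
    """Strongest form: no id in the request at all; it is derived from the session."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not logged in")
    return STATEMENTS[caller]
```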

Should Know Better (1)

Anonymous Coward | more than 2 years ago | (#37720122)

The line between a cracker and an amateur "security researcher" is very thin indeed.

This is why security professionals always obtain a service contract as the very first step.

A service contract is an agreement between you and the other party; it details what services are to be performed, what disclosure (if any) will take place, who is responsible for damage in case that SQL injection goes horrifically wrong, how much you will be paid for your service, etc.

It's one thing to haul somebody in front of a court and say, "He broke into our system!" when your defense is, "But, I was just trying to do a good deed!"
It's another thing entirely when that defense is, "We agreed in advance that they would pay me to break in and write a report!"

Better do a cavity search, for good measure. (4, Insightful)

FyberOptic (813904) | more than 2 years ago | (#37720194)

"Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn't take anything of mine."
