
Ask Slashdot: To Hack Or Not To Hack?

Soulskill posted more than 2 years ago | from the ethics-and-responsibilities dept.

Privacy 517

seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."


First thing first (5, Informative)

CmdrPony (2505686) | more than 2 years ago | (#38243638)

Don't talk about it much publicly. You never know what kind of people there are on the internet and what they could do once they figure out what company you're talking about. Now Slashdot, what are your suggestions to him?

Re:First thing first (2, Insightful)

tripleevenfall (1990004) | more than 2 years ago | (#38243672)

Blow it up. People's privacy is at risk.

Re:First thing first (4, Insightful)

Anonymous Coward | more than 2 years ago | (#38243880)

Someone left their front door open; let's go torch the house before someone steals something of value.

Re:First thing first (0)

Anonymous Coward | more than 2 years ago | (#38243916)

I see what you did there.

Re:First thing first (0)

Anonymous Coward | more than 2 years ago | (#38243994)

TFA's author's hand is covered in honey from the pot he just stuck it in.

Party Van inbound.

Re:First thing first (5, Informative)

Zaphod The 42nd (1205578) | more than 2 years ago | (#38244080)

He is clearly miles and miles in over his head. My advice: STOP. NOW. Don't touch anything and don't say anything. Go read books on ethical hacking and wiretapping / unauthorized access law. He's likely already in violation of several laws, possibly several federal laws. And now he's admitted to them publicly on the internet. -__-

He's already violated several conditions of the Computer Fraud and Abuse Act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records.
Computer Fraud and Abuse Act [wikipedia.org] State laws on Computer Hacking and Unauthorized Access [ncsl.org]

I suppose I'm getting ahead of myself by assuming he is in the United States. Regardless though, I ask:
To go to jail, or not to go to jail?

Re:First thing first (1)

Synerg1y (2169962) | more than 2 years ago | (#38244156)

Who was that poor bastard that I read a Slashdot article about that was having legal weight put against him for pointing out a company's security flaws to them? It was offshore (USA), possibly Australian in nature?

Based off that experience, you have two perfectly viable options.

1. Tell them without risk to your identity
2. Sell the information to someone who is set up to exploit it

The increase in technology has done nothing for hacking, you are still either a white hat or a black hat, I guess sometimes a greyfag.

NSA? (4, Funny)

Toe, The (545098) | more than 2 years ago | (#38243664)

Maybe you could get the NSA to hack them?
Just brainstorming here...

Language matters (1, Informative)

colinrichardday (768814) | more than 2 years ago | (#38243666)

Please don't call such activity "hacking". It is cracking. Learn the difference.

Re:Language matters (5, Insightful)

pmgarvey (2497652) | more than 2 years ago | (#38243794)

I think you're fighting a battle that was lost long ago. In the minds of most, what was once called cracking is now hacking.

Re:Language matters (-1, Flamebait)

CmdrPony (2505686) | more than 2 years ago | (#38243842)

Hacking is hacking into remote targets. Cracking is cracking software on your local computer by reverse engineering and debugging it.

Re:Language matters (2)

BagOBones (574735) | more than 2 years ago | (#38243926)

You're such a geek [merriam-webster.com] no I mean nerd [merriam-webster.com] no wait.... what were we talking about?

Re:Language matters (1)

jgrahn (181062) | more than 2 years ago | (#38244016)

Hacking is hacking into remote targets. Cracking is cracking software on your local computer by reverse engineering and debugging it.

You're probably right about cracking, but hacking has many different meanings. I tend to use it as "to do a quick-and-dirty bit of programming" and in context people seem to understand what I mean.

Re:Language matters (3, Interesting)

msauve (701917) | more than 2 years ago | (#38244028)

"Hacking is hacking into remote targets. Cracking is cracking software on your local computer by reverse engineering and debugging it."

Absolutely wrong. "Hacker" is defined, and differentiated from "cracker," in RFC 1392 [ietf.org] :

cracker
A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system...

hacker
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where "cracker" would be the correct term.

Re:Language matters (1)

Haedrian (1676506) | more than 2 years ago | (#38244162)

Well this is /. we're not 'the minds of most'.

There is a lot of specific jargon only ICT geeks understand. This could be one of them.

Re:Language matters (-1)

Anonymous Coward | more than 2 years ago | (#38243870)

Cracking? There's a word that hasn't meant anything to anyone since... forever!

Re:Language matters (1)

0111 1110 (518466) | more than 2 years ago | (#38244066)

I hear it used all the time. In phrases like 'password cracking' or 'WEP cracking'. It doesn't sound right to say hacking WEP or password hacking. For something like a website the term 'hacking' just sounds better than cracking. Maybe it's an association of the word cracking with safe cracking. So it sounds more natural when referring to some kind of code that is being broken.

Oh shut up... (5, Insightful)

frank_adrian314159 (469671) | more than 2 years ago | (#38243956)

Language evolves. You can fight the tide or swim with it. I know which way gets you drowned first.

Re:Language matters (3, Insightful)

Zaphod The 42nd (1205578) | more than 2 years ago | (#38243964)

*sigh* man, I feel you. The word "hack" is just gone, lost from our culture. The mainstream has twisted it far too much.

Reading Aaron Barr from HBGary talk to anonymous and then talk to his "programmer" about all his sweet "hacks" nearly killed me.
The 95 Hackers film has become reality. I can't shake em, he's right behind me! Crash overdrive! Acid Burn!

Ooh, plus there's Swordfish "dropped a logic bomb through the trapdoor" and the wonderful CSI "programmed a GUI interface in Visual Basic to track the IP".

We really need to start educating the non-technical public on some technical things. Treating computers and technology as a whole as a black box ends up in all KINDS of misunderstandings and misinterpretations.

Re:Language matters (0)

Anonymous Coward | more than 2 years ago | (#38243980)

Cracking a webserver sounds lame. 15 mebibytes level of lame.

Don't defend lame language, let it fix itself.

Re:Language matters (1)

Qzukk (229616) | more than 2 years ago | (#38244198)

Cracking a safe sounds lame. 15 sticks of dynamite level of lame.

Re:Language matters (1)

V!NCENT (1105021) | more than 2 years ago | (#38244064)

Complain!

Re:Language matters (1)

Synerg1y (2169962) | more than 2 years ago | (#38244204)

Cracking is when he damages the system by making changes or stealing the information, hacking is when he is researching the security hole that company has exposed. But, as mentioned in response to your post, the battle has been lost, and everybody is a hacker that knows a bit of networking and isn't employed as a corporate tool, then the term becomes security expert.

PCI (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38243670)

If they don't want to listen, go to Visa and MasterCard. They won't sit on their asses about exposed credit card data.

Re:PCI (-1)

Anonymous Coward | more than 2 years ago | (#38243796)

+99

/story

Re:PCI (5, Insightful)

Dr_Barnowl (709838) | more than 2 years ago | (#38243840)

If you hadn't already exposed yourself to the owner, I'd write a how-to and send it to them anonymously, and later send the credit cards an ANONYMOUS tip.

Why anonymous? Hacking, even for white-hat reasons, is illegal in most jurisdictions. Even accidental hacking.

Now that you've exposed yourself to them it would be too easy for them to piece together who turned them in for a nice PCI audit. It would be all too easy for them to send your emails to a computer crime division and get you busted, especially if they have any friends with influence there. Just avoid using their product and quietly tell your friends not to do the same.

The only time I have ever even considered informing a company of a security hole is on an occasion when I'd previously worked for them, personally knew the owner, and knew that the owner respected my ability.

Re:PCI (0)

Anonymous Coward | more than 2 years ago | (#38243892)

You're assuming that they won't detect the hack and trace it to his IP address.

Re:PCI (0)

Anonymous Coward | more than 2 years ago | (#38244002)

if they already suck cock at security, you think they're going to be able to do that?

lols x pi

Re:PCI (5, Insightful)

hellkyng (1920978) | more than 2 years ago | (#38244084)

While you make a good point that Visa and MC won't sit on their asses about data, that is only from a PCI perspective. And realistically it's trivially easy to maintain PCI compliance and have an insecure product.

What I would recommend however is work through a professional service like Secunia: https://secunia.com/company/blog_news/news/271 [secunia.com] . They can lend credibility to your claim and they provide what I personally would describe as an ethical approach to remediation. I would strongly not recommend any further testing on your part unless you are prepared to deal with legal consequences. Not that I agree with companies going after researchers, but it does happen.

Good luck.

Re:PCI (1)

Anonymous Coward | more than 2 years ago | (#38244136)

Just maybe it'd be a good idea to link [pcisecuritystandards.org] to the organization and define what the Payment Card Industry security standards are [pcisecuritystandards.org] . This sounds like an issue with non-compliance. If it's a large enough scope, offer to lead a team to correct the problem before it becomes a liability. If not, mention it to those responsible for operations and legal. Both will appreciate not being fined.

Re:PCI (1)

complete loony (663508) | more than 2 years ago | (#38244144)

Tell the company that you can *delete* all of those credit card details, and completely put a halt to their revenue stream. Then they might pay attention.

You're just asking (5, Insightful)

Vinegar Joe (998110) | more than 2 years ago | (#38243678)

For a 5 year tour of the federal penitentiary system, aren't you?

Re:You're just asking (0)

Anonymous Coward | more than 2 years ago | (#38243732)

I agree - this all comes down to how much you like jail.

Re:You're just asking (5, Funny)

seniorcoder (586717) | more than 2 years ago | (#38243774)

At least if you are going to do this, simply as a proof of concept of course, steal all their customers money. Then the risk/reward ratio is looking better.

there is a saying, in my language (3, Insightful)

gTsiros (205624) | more than 2 years ago | (#38243698)

translated:

do you know how to steal? (implied yes as an answer)

do you know how to *hide*?

Go to the investors (5, Insightful)

james_van (2241758) | more than 2 years ago | (#38243702)

Maybe the company doesn't care, but the people with money on the line will. And when they start to care, the company will start to care. Don't go hacking to try and prove a point, that's just gonna cause you more trouble than it's worth. And if, at the end of the day, no one cares or does anything about it, no sweat off your back.

Oh boy... (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38243710)

Walk away. You notified the appropriate people. After that, it no longer has anything to do with you, and can only go pear-shaped from here.

Re:Oh boy... (0)

Anonymous Coward | more than 2 years ago | (#38243854)

Seconded. No matter what your motives are, there is nothing but trouble for you here. In fact, you may have already done too much.

Re:Oh boy... (4, Informative)

TheSpoom (715771) | more than 2 years ago | (#38244086)

This, times a million. Source: Many previous stories of people who notified organizations about security issues and were rewarded with a lawsuit.

Re:Oh boy... (1)

Anonymous Coward | more than 2 years ago | (#38244180)

This, times a million. Source: Many previous stories of people who notified organizations about security issues and were rewarded with a lawsuit.

And in those cases once those people discovered a hole they continued to exploit it. He's already violated the law, but might claim he didn't expect it to work or some other lame excuse. If he does it again, it's clear he has no respect for that law and will be taught some. This is somebody else's problem, [wikipedia.org] don't make it your own!

Re:Oh boy... (1)

denis-The-menace (471988) | more than 2 years ago | (#38244152)

Whistleblowers are not kindly regarded in these times.
Otherwise you'd have real news "a-la-deep-throat"

Keep your head down and don't deal with the company.

Re:Oh boy... (1)

lorenlal (164133) | more than 2 years ago | (#38244158)

Unfortunately, since the poster did try to do the right thing, this person could now be accused if there is a compromise at the target. By making themselves known, they may have to go even farther.

Seriously, I'd take the advice of other posters and bring it up with the credit card vendors. They will certainly be interested parties since they'd be directly affected by a breach. If the card companies aren't interested, maybe the Better Business Bureau would be?

You haven't hacked shit (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38243716)

You just have some inside info, or know your cousin's password, or whatever.

Who have you emailed and from what email address? (1)

Anonymous Coward | more than 2 years ago | (#38243724)

Have you emailed the IT manager, the CTO, the CEO, some random guy? And what are your credentials? Are you emailing from superhacker123@hotmail.com?

notify visa (5, Informative)

banbeans (122547) | more than 2 years ago | (#38243738)

U.S. – (650) 432-2978 or usfraudcontrol@visa.com

Re:notify visa (5, Informative)

James Renken (610) | more than 2 years ago | (#38243954)

This! If you're able to see credit card information, then they are not storing it in a PCI DSS compliant manner, and Visa/MasterCard should be extremely interested.

Report Them (1)

AdamJS (2466928) | more than 2 years ago | (#38243742)

Report them to a newspaper and tech sites or something. Business papers, even.

write 2600 (0)

Anonymous Coward | more than 2 years ago | (#38243750)

Write 2600 mag; they'll post it.

More important (2)

tqft (619476) | more than 2 years ago | (#38243776)

How do I make my amazon wishlist available to you?

Drop everything, wipe the files you have, reformat and reinstall your computer, create a plausible deniability claim to any account you used of this that can be tied to you.

Then go to an internet cafe and post somewhere.

Re:More important (1)

networkzombie (921324) | more than 2 years ago | (#38243972)

When at the cafe, have on a disguise, wear gloves, and pay in cash.

Retain a lawyer. (5, Insightful)

chemicaldave (1776600) | more than 2 years ago | (#38243798)

You should probably hire a lawyer. It doesn't matter how good you're trying to be. Anything you did to come to your conclusions that was illegal is going to be frowned upon... severely. And if you do go public, you'll likely be hit with a C&D letter.

You already made the wrong first step (3, Insightful)

nedlohs (1335013) | more than 2 years ago | (#38243804)

Now just forget about it and hope no one hacks them before they forget about you.

Step 1 (-1)

Anonymous Coward | more than 2 years ago | (#38243806)

I discovered how to hack into and secure user accounts of a rising mobile payment start-up

The first thing you should do is hack into the accounts and secure them! If the company's not willing to do it, it would be nice of you to do it for them.

Depends on if you want fast or right... (0)

trunicated (1272370) | more than 2 years ago | (#38243816)

What's the right thing to do? Keep email bombing them until someone takes you seriously.

What's the fastest thing to do? Leak info and POC to various news sites that cover start-ups - like TechCrunch

Full disclosure is the most ethical path. (3, Interesting)

pngwen (72492) | more than 2 years ago | (#38243820)

The most ethical thing you can do is fully disclose the hack to the media, and to as many websites as possible. This will force the developers to either fix the problem or let the company go down in flames. If you keep it secret, innocent people will be harmed when their information is leaked by the faulty code. If you could hack it, others can too. They may be less altruistic about what they find.

Write to 2600, call your local media, write to your newspaper, post the info here, go to the forums, and take the word to the street!

Send them here (2, Funny)

Anonymous Coward | more than 2 years ago | (#38243822)

Send them a link to this website: http://ask.slashdot.org/story/11/12/02/2124215/ask-slashdot-to-hack-or-not-to-hack

NONONO RED FLAGS!!! (5, Insightful)

Zaphod The 42nd (1205578) | more than 2 years ago | (#38243832)

This is the DUMBEST THING EVER. I cannot believe people actually think this way. Are you familiar with the LAW SYSTEM? People can't just go around doing things without permission like that. If your internet connection crosses a state line (and due to packet routing it probably does and you might not even know), then you are committing a FEDERAL CRIME. That means that not just the police, but the FBI will come knock on your door. History is just FULL of people who thought, hey, I'm pretty clever, I'll hack these people and get a job. NOBODY WILL HIRE A CRIMINAL I PROMISE YOU.

Cannot stress this enough. Jeeze.

Here are your options: Call them, email them. That's it. Move on with your life if they ignore you. There's nothing that says they can't be incompetent if they want to, but there is something that says you can't break into their systems. (yes, even if they're not secured).

Re:NONONO RED FLAGS!!! (1)

Zaphod The 42nd (1205578) | more than 2 years ago | (#38243844)

Seriously, how did this get on the front page?!?

Re:NONONO RED FLAGS!!! (0)

Anonymous Coward | more than 2 years ago | (#38244022)

Really - listen to this guy. What you have done violates several US laws and you are now subject to being visited by the FBI and the US Secret Service. Regardless of your motives, what you have done is illegal and you should not be broadcasting it in public. I would not even call or email them.

Re:NONONO RED FLAGS!!! (1)

syousef (465911) | more than 2 years ago | (#38244116)

This is the DUMBEST THING EVER. I cannot believe people actually think this way. Are you familiar with the LAW SYSTEM?

No, but I'm familiar with the concept of a LEGAL system. ;-)

Escalate in another direction? (0)

Anonymous Coward | more than 2 years ago | (#38243836)

How about notifying the local police department, better business bureau, or city council member? How about the newspaper? That's likely to get a lot more attention from the powers-that-be at the company.

CEO (0)

Anonymous Coward | more than 2 years ago | (#38243848)

Contact CEO or their board of directors.

For the love of Christ... (1, Insightful)

trims (10010) | more than 2 years ago | (#38243850)

First off, QUIT FUCKING TRESPASSING.

I don't care if you're not doing it for money (though, you sound like you might do it for fame). It's wrong.

The company didn't ask you to do a security audit. It's not a public organization where you can claim some sort of "ownership" or such. It's a Private Place. They're responsible for their own security, not some random passerby. You have no business doing what you did, and that's it. If they blow security, they're on the hook for the consequences. We have very well established methods for doing that kind of reinforcement.

Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general. Grow the Fuck Up.

Just drop it, period, and go find something else to spend your energies on. And, find another crowd of people to hang out with - those ones you're in with now aren't a good influence (obviously).

-Erik

Re:For the love of Christ... (0)

Anonymous Coward | more than 2 years ago | (#38243990)

nail on the head

no you grow the fuck up (4, Interesting)

unity100 (970058) | more than 2 years ago | (#38243998)

Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general.

It's maybe none of his business, but it's MY business AS A USER that some company that I give my credit card to is this irresponsible. Those who would hack it, would hack it, and just use the cards and deduct hard-to-notice amounts every month and fuck me over.

If it wasn't for people like the article submitter, THOSE COMPANIES WOULDN'T LIFT THEIR ASSES for security. So YOU shut the fuck up. It's MY wallet.

Re:no you grow the fuck up (0)

Anonymous Coward | more than 2 years ago | (#38244096)

Really? I think you should go to the White House and try breaking in. And the Capitol. Shoot, how about every public building you can locate. After all, you have an interest in them. Surely it's the right thing to do. Bust a window and see if you can climb in. I mean, after all, if you can so could someone else and that someone else might not be as noble and well intentioned as you are. It's for your own good, and the good of all of your fellow taxpayers.

Re:For the love of Christ... (2)

iceaxe (18903) | more than 2 years ago | (#38244032)

IF the poster actually used the discovered methods of intrusion (which is likely) then you are absolutely right.

If on the other hand the poster simply noticed a problem but did not test it actively, then notifying the company is the decent thing to do.

In either case, it's now time to walk away.

Re:For the love of Christ... (0)

Anonymous Coward | more than 2 years ago | (#38244146)

If he didn't "use the methods" how does he know it exposes CC information?

Re:For the love of Christ... (5, Insightful)

dave562 (969951) | more than 2 years ago | (#38244040)

You're being a bit harsh on the guy. A lot of people started their IT careers in the computer underground, myself included. If it were not for LA 2600 meetings and the first few Defcons, I would not have developed the skills and background that landed me my first job as a sysadmin fifteen years ago. More recently (within the last year), the head auditor for my company told me that my background reassured him because he knew that I had a better perspective on computer security and the threat landscape than most "professionals" who picked up all of their knowledge in a classroom.

WRT the OP, it was dumb for him to go to the company. As everyone else stated, he exposed himself to some liability. Any information that he provides to the company could be used to build a case against him for computer trespass, unauthorized access, etc.

To call the OP morally and ethically criminal is overboard. He did not do any damage to them and did not profit from his activities. It was a real world learning exercise. It was not the brightest move in the world, but doing a security audit on a random computer system does not make someone morally bankrupt. If he had taken the data and sold it for profit, or even just posted it for fame and notoriety, that would be a different story. Instead he naively did "the right thing" without fully understanding the liability it exposed him to.

Re:For the love of Christ... (0)

Anonymous Coward | more than 2 years ago | (#38244054)

First off, QUIT FUCKING TRESPASSING.

I don't care if you're not doing it for money (though, you sound like you might do it for fame). It's wrong.

The company didn't ask you to do a security audit. It's not a public organization where you can claim some sort of "ownership" or such. It's a Private Place. They're responsible for their own security, not some random passerby. You have no business doing what you did, and that's it. If they blow security, they're on the hook for the consequences. We have very well established methods for doing that kind of reinforcement.

Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general. Grow the Fuck Up.

Just drop it, period, and go find something else to spend your energies on. And, find another crowd of people to hang out with - those ones you're in with now aren't a good influence (obviously).

-Erik

Wow, too many people see something and ignore it. Maybe you should pull your head out of your ass.

Re:For the love of Christ... (4, Interesting)

jgrahn (181062) | more than 2 years ago | (#38244078)

First off, QUIT FUCKING TRESPASSING.

I don't care if you're not doing it for money (though, you sound like you might do it for fame). It's wrong.

As he explained it, it sounds as if he's concerned about the outfit's customers. It's not unheard of -- that people care about the wellbeing of other people. (That Christ guy you mention in the subject line did, for example)

Journalism works (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38243852)

If you want to get the word out anonymously, approach a journalist. Journalists have a vested interest in breaking the next scandalous new story, especially those who are new and making a name for themselves. They also have a vested interest in protecting their sources, though you might still want to report it through an anonymous email account.

Soo... (0)

Anonymous Coward | more than 2 years ago | (#38243856)

To prevent someone from stealing a bunch of people's personal information, you plan on stealing a bunch of people's information. Unless you are Batman, you are not legally allowed "to blow them out of the water" and your initial entry into their system is also illegal.

Don't ask Slashdot, Ask Ed Felten (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38243868)

Ed Felten himself may not be the best person to contact, actually, since he's currently working for the FTC, but then again he may be worth sending an email to.

My point is this: ask someone who is respected in the security field and has years of experience. If not Felten, try and contact Moxie Marlinspike, perhaps.

It sounds like you are young and have very little experience with this kind of stuff. Do not make the mistake of thinking that anyone is going to thank you for your efforts. The company with the bad security may be run by a bunch of technological idiots who will see you as the threat. When the FBI comes calling, they will be more interested in seeing what criminal charges they can bring against you.

But don't be scared into inaction. Instead seek advice from experts who have been in the same position as you. They may have contacts and could help you present the exploit information in a way that is

1) legal
2) professionally done
3) likely to get taken seriously by the developers at the affected company.

Good luck! As long as you keep certain cautions in mind, you may have just stumbled onto a career in security!

this is not news (0, Troll)

Zaphod The 42nd (1205578) | more than 2 years ago | (#38243886)

This is not news. This is not a story. There isn't even a fucking article to tell someone to go RTFA. This is some idiot asking for advice on an absolutely terrible scheme which has been explained before (with actual news mind you, of people getting locked up or tried for crimes instead of just theorizing).
This is not something for /. This is something that should go on a programming forum, or a law forum. (Or better yet, kept to oneself as a harebrained scheme that would fail).

Usually when somebody goes "THIS, on /. ?" I go "hey, news for nerds means a lot of topics."
But this is just ridiculous.

Haven't played nethack in years... (1)

ackthpt (218170) | more than 2 years ago | (#38243898)

Probably good time for another session...

Give them one more notice with full details.... (1)

bpeikes (596073) | more than 2 years ago | (#38243902)

I would send them one more email explaining how to crack a user account. If they still don't believe you, then I would send a complaint to the FTC with all of the relevant information on how it is insecure. The investors in this company don't want to hear about it. If the name of the company gets out, they'll have issues. If you really believe that their systems are insecure, post the name of the company here. People post security flaws all of the time: http://mashable.com/2011/10/03/htc-security-flaw/ [mashable.com] I think you actually have a responsibility to tell people about the issue after you have done what you can to help the company.

Well... (3, Interesting)

MikeRT (947531) | more than 2 years ago | (#38243906)

You could consider contacting one of the major credit card companies like Visa. That's assuming you haven't done anything which could be construed as actually testing or exploiting the hole. If you have, it's a pretty sure bet the FBI will be on you like white on rice. They might anyway, but that would be a one way ticket to Club Fed.

Bugtraq (0)

Anonymous Coward | more than 2 years ago | (#38243910)

Been years since I cared about security, since I just firewall, VPN, and use virtual account numbers where I can.

Why don't you screw them indirectly, by posting the information on bugtraq or whatever the equivalent was/is these days. Let them get hosed by some other dumb fool willing to take the risk and publicly shamed. Not that it matters, public shame, people go to the supermarket in pajamas and blow out in tuners at major intersections for all to see, but what the hell, try it, maybe then you'll get the point.

Wash your hands of the matter afterwards. Not worth your time, effort, legal fees, and potential jail time cleaning up someone else's ass. History has shown that the bearer of bad news, even if they do nothing wrong, gets axed and is deemed complicit by knowledge. A company that incompetent already doesn't deserve to grow, and investors that don't do their due diligence deserve to get hosed for investing in a company with such purported bad security.

i like hacking too! (0)

Anonymous Coward | more than 2 years ago | (#38243920)

That's really cool! I like hacking too and do a lot of it but nothing that complex. I just recently hacked my computer apart with a bigger hard drive but when I turned it back on nothing happened. When I put the old hard drive back in it worked again so I was confused. Doesn't the hard drive just have my files and music on it? So yeah I tried hacking my hard drive and that didn't work well, I guess I'm wondering how you hacked someone else's hard drive? Do you just go to their house and plug it out and hope they don't notice their data is changed or missing?!?

Black market! (0)

Anonymous Coward | more than 2 years ago | (#38243922)

Sell it to the second-highest bidder. The highest-bidder is always a trap.

Let them rot (0)

Anonymous Coward | more than 2 years ago | (#38243938)

Fuck em, you can't help people who can't help themselves. Let them suffer due to their negligence and inability to do risk analysis and management. I've been in a similar position so many times and tried various things, the best one is to just ignore it and advise your friends and family to avoid them like the plague. If you're still not convinced take the game theory normal form approach and gain an insight into how hopeless the situation is.

Watch out for your self. (1)

crakbone (860662) | more than 2 years ago | (#38243946)

Most people don't like when people tell them they made a mistake. They will try to find a scapegoat and it will be you. But if you wanted to push it. I have had the most success when pressed with problems similar to this to go to a high up person. If the normal channels just don't work find the email of the highest person there and send it to them. A vice president, ceo, cio, who ever you can find and send it. They will take notice. Just make sure you protect yourself first.

Morons will sue you. (1)

unity100 (970058) | more than 2 years ago | (#38243958)

As can be concluded from earlier cases like this. Don't tell them anything, don't do anything, but let them have what's coming to them. However, you contacted them. When hacked, they may attempt to sue you. So, you may need to go to a notary or something to have it written that you warned these people, but they didn't take heed or something. You need to have solid documents to show blame may not be laid on you, in courts.

Mistakes (1)

whereissue (2522564) | more than 2 years ago | (#38243968)

1) emailing the vendor... if something goes wrong before this problem is corrected, you are the first suspect, and they already know how to contact you. 2) asking, publicly, if you should "hack" something. 3) asking slashdot instead of 4chan.* my advice would be to contact the EFF and install a keylogger on your computer. *humor!

Screw Them (0)

Anonymous Coward | more than 2 years ago | (#38243984)

Sell the exploit to the Russians. Corps don't give a shit about humans.

Walk Away and Forget About It (4, Insightful)

StormReaver (59959) | more than 2 years ago | (#38244006)

Slashdot has had many stories of well-meaning hackers trying to save companies from themselves, only to wind up being the target of federal and/or state prosecutors rather than being considered a good Samaritan.

Here's my advice:

1) Stop violating federal and state laws. You've just confessed to the world that you are committing federal and state felonies. Stop being a criminal.

2) Walk away while you still can, and maybe you'll still have a life to live free of federal and/or state prosecution.

Dumbass (1)

Anonymous Coward | more than 2 years ago | (#38244020)

You should never have notified them and used your own moral judgement to answer your "ask slashdot" question. What a dumbass... No one should have ever known regardless of what you planned to do.

We all know that pointing out a security vulnerability will get you in big trouble. Hell, back in high school, we had Win 98 machines running Novell. I found a way to launch solitaire, minesweeper, etc. by creating a macro in Word and editing the VB code to call an executable. Very simple to figure out, but I was the only one in my hick ass school (Home of the Mustangs in the southwest corner of MO) that would know such a thing. I lost my computer privileges for the rest of the year when I immediately brought it to the IT guy's attention. I did it after class with no one else present. Thought I was doing the right thing.

Fuck you, Mr. Jay. And fuck the idiots at that school. Enough info in this post for the pertinent parties to know who they are.

Testing 1 2 3 (0)

Anonymous Coward | more than 2 years ago | (#38244036)

Soulshill

Consider doing nothing. (1)

Anonymous Coward | more than 2 years ago | (#38244060)

Consider not doing anything. You've probably already accessed the system in ways you are not authorized to, and publicizing that in ways that causes "harm" to their reputation ("blowing them up"), even if it's based in truth, is possibly going to draw the kind of attention to you that you don't want. If it was me and I had "stumbled upon" something and _already_ informed them, then I would keep a record of that fact, as they already have a record on their side, and then stop getting yourself deeper into a hole, e.g. by providing further evidence that you're intentionally violating their TOS or actual laws. This problem is not your responsibility to force them to fix and you only take further risk upon yourself by pursuing it. Once they're suitably notified I'd guess they have higher liability by failing to address it.

If you are actually their customer and you feel that there has been a threat to your own information, then you probably have recourse that could cause them to fix this, e.g. by disclosing findings to them as their affected customer, and perhaps to payment processors like Visa and Mastercard, who in turn will have rules around investigations, findings, risks and assessed disclosures to other customers. Again, depending on what's happened so far, you potentially dig yourself into a hole.

Vigilantism is dangerous. How much is protecting everyone else worth vs. protecting yourself?

IANAL, and none of this is advice of any kind, legal or otherwise.

You've sent the email (2)

camperdave (969942) | more than 2 years ago | (#38244098)

You've sent the email, now send your concerns in writing - hard copy. Set up a meeting with those in charge and explain it in person, nicely. If they do not respond, then let them know that you have no choice but to report the lapse to the appropriate authorities. Under no circumstances, crack your employers service unless they ask for a demonstration.

Two Faced (1)

jimmerz28 (1928616) | more than 2 years ago | (#38244126)

You know "good samaritan" was an oxymoron in its original use.

I think you should keep its original context alive.

Go Up the Ladder (2)

pebbles061679 (2506386) | more than 2 years ago | (#38244128)

I'd say there has to be a proper chain of command which you can go through. I'd start with the IT department. A random email from an unknown address may be filtered or just ignored so if you don't hear back in a day or two, make a phone call. Tell whomever answers the phone you are calling regarding a potential online security breach and you need to speak with the head of the IT Dept. Heck, even speaking with regular security may get you started. In your email, and potential phone call, you need to sound professional, non-threatening, but insistent. As previously stated, credentials and jargon matter. Hacking has a malicious connotation. Also, "I'm sorry, but I need to speak with your supervisor" can do wonders. As each person answers the phone or email take down their name.

If you've gotten to the head of the IT Dept or the head of the company and the issue still hasn't been resolved then you definitely need to go to the investors and shareholders. They are definitely going to listen because this impacts their bottom line. If for some reason they don't, then contact local media.

As with anything it's not necessarily what you are saying but how you are saying it and to whom. I can't help but think you just haven't gotten through to the right person yet.

Ask yourself a question (1)

phorm (591458) | more than 2 years ago | (#38244134)

If a company you were using for services had crap security, and some cracker abused it to plaster *YOUR* CC number all over the internet, how would you feel?
Add to that, how would law-enforcement feel.
Add to that, how do you like prison, because the above two are not likely to have *ANY* sympathy towards you when your trial-date comes.

Seriously, "this hack is too easy to be respectable" makes you sound like the candidate for a news article, but it won't be about some great hacker who revealed a terrible breach, it will be about some jerk who caused a breach which caused a lot of people grief.

CERT (4, Interesting)

Z00L00K (682162) | more than 2 years ago | (#38244148)

Report it to CERT [us-cert.gov]. (Or other corresponding security organization if you are outside the US.)

It's Been Done (0)

Anonymous Coward | more than 2 years ago | (#38244150)

Dude, pretty much everything thing is crackable. Pretty much every program ever has been cracked. Everything is defeated at some point. Let me say that again, EVERYTHING is defeated at some point.

Don't act so surprised. Really, it's not surprising, at all.

Anyway, here we all are, looking at you.

Mission Accomplished.

Now go away.

Should I do a proof of concept? (1)

nurb432 (527695) | more than 2 years ago | (#38244182)

No, unless you want to go to jail.

You reported your findings. If they don't fix the problem, discontinue your business with them and move on.

Spill the beans... (1)

Readycharged (2023636) | more than 2 years ago | (#38244188)

...can we see some excerpts of these "confused, aloof and unconvinced" responses? Censored enough to protect your identity of course....

let the card companies know (5, Insightful)

camusflage (65105) | more than 2 years ago | (#38244200)

"If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at cisp@visa.com."

Step 1: You have a right to remain silent (2)

jduhls (1666325) | more than 2 years ago | (#38244202)

Don't publicly admit in a large forum like slashdot to committing a crime unless you're ready to be jailbait. Oops, looks like you failed the first step.