
Australian Teen Reports SQL Injection Vulnerability, Company Calls Police

timothy posted about 3 months ago | from the charged-with-public-embarrassment dept.

Australia 287

FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police."


287 comments

yesaaah (-1)

Anonymous Coward | about 3 months ago | (#45924647)

well la dee da

The correct way to "inform the authority" (4, Interesting)

Taco Cowboy (5327) | about 3 months ago | (#45924787)

I've been in this field for decades, and there have been far too many similar cases, like the one that TFA is reporting, happening to too many innocent people.

All of them committed one very sinful mistake - they report the flaws to the authority, the WRONG way.

If you ever discover any vulnerability of any official website / db / whatever, don't tell them, and don't tell the media either.

Most of the reporters are spineless creeps who suck up to the power-that-be.

Instead, you have two options -

1. Keep quiet.

2. "leak" the info to some hacking circle and let others do the job for you.

If you ever take the 2nd option, you do need to know how to wipe off all your online traces (MAC address, IP address, and so on) so nobody, not even the hackers, can trace you.

Re:The correct way to "inform the authority" (-1)

Anonymous Coward | about 3 months ago | (#45924797)

1. Keep quiet.

You've already broken rule one, idiot. Stop telling people things! You're going to regret it!

Re:The correct way to "inform the authority" (4, Insightful)

MrNaz (730548) | about 3 months ago | (#45924871)

So this is the way that Snowden should have done it? I guess now we know that those who say "well, some good came from what he did, but he should have gone about it the right way".

We now know that there is no "right way" to deal with government, other than kick them in the ass.

Re:The correct way to "inform the authority" (0)

Anonymous Coward | about 3 months ago | (#45925049)

So this is the way that Snowden should have done it? I guess now we know that those who say "well, some good came from what he did, but he should have gone about it the right way".

We now know that there is no "right way" to deal with government, other than kick them in the ass.

So, you're saying he should have moved to Russia and then leaked it to the press?

Re:The correct way to "inform the authority" (0)

Anonymous Coward | about 3 months ago | (#45925165)

Actually things would have been a lot more pleasant for him had he moved to his place of choice first before doing the leaking.

The long arm of the US does mean there are very few suitable places so maybe Russia really is the best spot (but there was a fair bit of fuss getting there). Maybe he might have preferred Ecuador? Climate seems better there.

Brilliant, make them coconspirators (5, Insightful)

Anonymous Coward | about 3 months ago | (#45924855)

2. "leak" the info to some hacking circle and let others do the job for you.

Brilliant, help the kids remove any hope they had for a slap on the wrist by making them coconspirators in a criminal enterprise.

If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.

Re:The correct way to "inform the authority" (4, Informative)

VortexCortex (1117377) | about 3 months ago | (#45924865)

If you leak the info, then when they go looking into the later breach and find your name linked to the IP address of a prior breach you'll be every bit as much a suspect as the crackers doing harm.

The problem is that the computer fraud and abuse act is too harsh -- It needs an exemption / amnesty for folks who use responsible disclosure after stumbling on a flaw. The real problem is that folks in charge, like the NSA, FBI, etc. would rather you just didn't do any hacking at all. They'd like to have a monopoly on that, so the laws won't change.

If you're not browsing by proxy in this day and age, you're screwed.

Re:The correct way to "inform the authority" (0)

Anonymous Coward | about 3 months ago | (#45924899)

The real problem is that folks in charge, like the NSA, FBI, etc.

JFC, can we stop shitting all over the US for one fucking day? This happened in fucking Australia.

Re:The correct way to "inform the authority" (0)

Anonymous Coward | about 3 months ago | (#45925215)

Did you miss the memo ?
Australia is state 51 these days.

52 state (1)

Anonymous Coward | about 3 months ago | (#45925345)

There are already 51 real states, the three most recently added being Hawaii, the UK, and Alaska.

Re:The correct way to "inform the authority" (5, Funny)

Anonymous Coward | about 3 months ago | (#45924903)

If you're not browsing by proxy in this day and age, you're screwed.

But baby, proxies don't feel natural! I'll pull out before I post my comment, I promise.

Re:The correct way to "inform the authority" (1)

jcr (53032) | about 3 months ago | (#45925037)

>2. "leak" the info to some hacking circle and let others do the job for you.

Meh... Just post it on 4chan.

-jcr

Re:The correct way to "inform the authority" (2)

SuricouRaven (1897204) | about 3 months ago | (#45925179)

What about sending the information anonymously?

Though this will likely result in a low-level communications clerk dismissing your message as some paranoid crank before it even gets to the technical staff.

Re:The correct way to "inform the authority" (0)

Anonymous Coward | about 3 months ago | (#45925313)

3. Wipe out their entire database, via proxies of course.

These bowels... (-1)

Anonymous Coward | about 3 months ago | (#45924651)

These precious, precious bowels! Quite the gifted bowels you have there!

Was not arrested (5, Insightful)

F'Nok (226987) | about 3 months ago | (#45924663)

The article says he was reported to police, but not arrested or even contacted by the police.

He only even knows he was reported to the police because the journalist told him.

Seriously, can we at least read the article before making up wrong headlines?

Re:Was not arrested (0, Troll)

Z00L00K (682162) | about 3 months ago | (#45924695)

And it really doesn't matter in the overall theme.

What's really messed up is to arrest someone pointing out a problem. The next time a problem is discovered it's then a lot better to just mess up the whole thing instead and let the flawed organization take the full power of the force of a failure.

Re:Was not arrested (5, Insightful)

F'Nok (226987) | about 3 months ago | (#45924707)

Perhaps you missed the point, so I'll make it more clear.
While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.

See how that kinda changes the overall theme?

Sure, direct some anger at the idiot company that reported him for this, they are morons and the police should tell them to stop being morons.
But it sounds like they actually might have done just that, because the police did not arrest him.

They did not arrest. The overall theme should be about the idiot company, not the police.

Re:Was not arrested (5, Funny)

Anonymous Coward | about 3 months ago | (#45924723)

Yeah, but regardless, this kid went out of his way to help out this company, and they repay him by having the cops toss him in the clink. The overall theme SHOULD be the idiot company, but in the meantime let's not forget about the cops who arrested him.

Re:Was not arrested (5, Insightful)

Anonymous Coward | about 3 months ago | (#45924745)

And when the kid grows up, he'll know not to help people, because in the real world, people do not deserve it.

Re: Was not arrested (2)

dwarfsoft (461760) | about 3 months ago | (#45924765)

What clink? He wasn't arrested. He hasn't even been approached by the police.

Re: Was not arrested (5, Funny)

Anonymous Coward | about 3 months ago | (#45924791)

Then how did he wind up in prison? He certainly didn't place himself under arrest. I guess we'll just have to hear the rest of the story once he's out on parole, the cops certainly aren't talking.

Re: Was not arrested (4, Informative)

Darinbob (1142669) | about 3 months ago | (#45924877)

He's not in prison...

Although the article does make a mention about someone else who was arrested in the past, an old story that was already here in slashdot. Maybe readers of the article aren't reading for comprehension?

Re: Was not arrested (5, Funny)

Anonymous Coward | about 3 months ago | (#45924929)

Hopefully he'll be available to clear all of this up once the police release him from custody.

Re: Was not arrested (0)

Anonymous Coward | about 3 months ago | (#45924993)

Oh, how I wish I had some mod points. +1 Funny

Re: Was not arrested (5, Funny)

Anonymous Coward | about 3 months ago | (#45925183)

I don't see what's so funny about a kid getting arrested.

Re: Was not arrested (2, Funny)

Anonymous Coward | about 3 months ago | (#45925073)

You know, I really admire your patience with the GP. I can't believe how stupid the GP is, misreading the article like that. If I were you, I'd have thrown the GP in the same jail the hacker kid is.

Re:Was not arrested (4, Funny)

H0p313ss (811249) | about 3 months ago | (#45924771)

in the meantime let's not forget about the cops who arrested him.

The non-existent ones? This is getting very meta-physical, I may have to make some coffee.

Re:Was not arrested (1)

Anonymous Coward | about 3 months ago | (#45924803)

I may have to make some coffee.

Probably a good idea, it should help clear up some of that wooshing noise you've likely been hearing.

Re:Was not arrested (0)

Anonymous Coward | about 3 months ago | (#45925063)

Yea, good troll there you got me.
Unless you're so retarded to not read the article or the post you're replying to or any of the parent posts....

Re:Was not arrested (0)

Anonymous Coward | about 3 months ago | (#45924925)

Perhaps you missed the point, so I'll make it more clear.
While it would be really messed up to arrest someone for pointing out a problem, the key factor here is that HE WAS NOT ARRESTED.

See how that kinda changes the overall theme?

No, I don't see how that changes the overall theme.

Being reported to the police for illegally accessing a government database, even if you don't take any of the data, is typically jail time. The fact that they DIDN'T arrest him as of this report simply speaks of how quickly this is being reported rather than of how slowly the police are moving.

Re: Was not arrested (2)

Rational (1990) | about 3 months ago | (#45925251)

You know what's even more messed up? To throw someone in a vat of acid for reporting a problem. Like the arrest, that did not happen either, but since facts don't matter it would have made a better headline, right?

Re:Was not arrested (1, Informative)

Anonymous Coward | about 3 months ago | (#45924711)

This. Fucking scummy submitters. Go write your reports to some fantasy news website. I'm not even going to mention the /. "editors"...

Re:Was not arrested (-1, Flamebait)

jones_supa (887896) | about 3 months ago | (#45924715)

There's also the following internal discrepancy in the article that should be noted.

When The Age called the Transportation Department for comment, it reported Rogers to the police.

That line makes it look like the Transportation Department did the police report. The Slashdot article summary reinforces this impression. However, there is an update in the article:

Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age.

So apparently it was actually the stupid reporter for New Age which reported the kid to police.

Re:Was not arrested (4, Informative)

jones_supa (887896) | about 3 months ago | (#45924725)

I cancel that comment. If you read the line "He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age." carefully, you can see that he only heard from the reporter that the kid had been reported to the police (by TD). D'oh!

Re:Was not arrested (1)

Anonymous Coward | about 3 months ago | (#45924763)

The article says he was reported to police, but not arrested or even contacted by the police. / He only even knows he was reported to the police because the journalist told him. / Seriously, can we at least read the article before making up wrong headlines?

This is Slashdot; so what do you expect? In the end though, the article is a good lesson. Never use your own name to report a bug. Never report a bug directly yourself. Always use an anonymous mail account. When doing the actual security testing go through Tor (and for the love of god, use an isolated machine created only for that and which you later destroy when connecting to the site). Always go through a local CERT or similar after getting a guarantee of anonymity.

Simply make sure there is no way to trace yourself to the bug report and, unless the company already has a bug bounty program, if you want to get paid for a vulnerability then sell it to someone other than the original company.

The responsible disclosure movement, which basically worked so that companies were allowed to blame security researchers, has very much to answer for. They have made us all much more insecure.

Re:Was not arrested (2, Insightful)

bloodhawk (813939) | about 3 months ago | (#45925305)

Actually the lesson should be never run a pen test against a web site you don't have permission to do against, it really is that simple, especially a government body.

that's when you play stupid (0)

Anonymous Coward | about 3 months ago | (#45924827)

that's when you play stupid and say the reporter showed you some hack....
just be dumb after that....

give right back at the jerk off...
take yer pc to a trusted friend and claim you don't even have one.

The law does not care ... (4, Interesting)

perpenso (1613749) | about 3 months ago | (#45924665)

The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

If it's not your computer and if you don't have the owner's permission you can't do penetration testing without putting yourself at risk.

Re:The law does not care ... (-1)

Anonymous Coward | about 3 months ago | (#45924713)

its australia, the only good aussie is a dead one

Re:The law does not care ... (0)

Anonymous Coward | about 3 months ago | (#45924825)

So would you like to see all aussies dead? Why?

Re:The law does not care ... (0)

Anonymous Coward | about 3 months ago | (#45924835)

Not all aussies. Just the humans.

Re:The law does not care ... (0)

Anonymous Coward | about 3 months ago | (#45924959)

So the Aussies will be fine?

Re:The law does not care ... (1)

deviated_prevert (1146403) | about 3 months ago | (#45925193)

So the Aussies will be fine?

So the conclusion we must draw here is that Aussies are not hooman beins'? Or just maybe all their mothers was a dingo? I have met a few and called their mothers one, but that led to one hell of a bar fight. They tell me that the Cannabis in the outback is worth a walkabout, just maybe that's what you guys are smokin'. By and large they seem all too hooman to me. Though I tend to think the reporter was a certified son of a dingo and 'rooshit latecomer coward to boot one huge disgrace to the good people of Botany Bay!

Re:The law does not care ... (1)

sabri (584428) | about 3 months ago | (#45924863)

The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

Actually, it does. Your intentions can make an important difference. One example of this is the good Samaritan who breaks into a car to rescue a baby locked inside on a hot day. He would be guilty of vandalism according to your logic. Same applies here, if the kid notices a vulnerability and reports it without unnecessarily retrieving data, he is obviously a good Samaritan.

Re:The law does not care ... (1)

perpenso (1613749) | about 3 months ago | (#45924937)

The law does not care if you are white hat or black hat. Well at least with respect to guilt, it can be considered at sentencing.

Actually, it does. Your intentions can make an important difference. One example of this is the good Samaritan who breaks into a car to rescue a baby locked inside on a hot day. He would be guilty of vandalism according to your logic. Same applies here, if the kid notices a vulnerability and reports it without unnecessarily retrieving data, he is obviously a good Samaritan.

Your analogy is flawed. The vulnerable data is not in plain sight to an innocent bystander as the baby in the car is. A better analogy would be someone sees a panel van and wonders if they can break into it. They do and once they have opened the door they find a baby in distress. They were not aware of the baby until after the break in.

Re:The law does not care ... (0)

Anonymous Coward | about 3 months ago | (#45924997)

Your analogy is flawed. The vulnerable data is not in plain sight to an innocent bystander as the baby in the car is. A better analogy would be someone sees a panel van and wonders if they can break into it. They do and once they have opened the door they find a baby in distress. They were not aware of the baby until after the break in.

Your analogy is flawed too... physically breaking into things usually damages it, and makes it easier for someone else to get in. This is more like finding out that the door is unlocked.

Re:The law does not care ... (4, Insightful)

SuricouRaven (1897204) | about 3 months ago | (#45925201)

That the good Samaritan gets away with it has little to do with the law as written - according to the law, it's still vandalism. What actually happens is the prosecution service decides that, in this instance, the law is best left unenforced. This discretion is important, as it's the only way to manage the very complicated system of laws - everyone commits crimes, every day. If every crime was prosecuted, most countries would need to imprison their entire population.

It goes out the window if you manage to upset someone in a position of wealth or power though. Do that, and they will easily find something to prosecute you for.

Incorrect. (5, Informative)

jamesn (112393) | about 3 months ago | (#45924669)

From the article:
"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

He hasn't been arrested.

USA (-1)

Anonymous Coward | about 3 months ago | (#45924679)

Welcome to America!

Re:USA (-1)

Anonymous Coward | about 3 months ago | (#45924703)

Victoria is not an American state, retard.

Re:USA (0)

Anonymous Coward | about 3 months ago | (#45924785)

But for how long?

Re:USA (0)

Anonymous Coward | about 3 months ago | (#45924807)

The World belongs to America.

Idiots (4, Funny)

Mistakill (965922) | about 3 months ago | (#45924683)

If you smiled at a safe, and it burst open... it's not your fault the safe was faulty...

Re:Idiots (0)

Anonymous Coward | about 3 months ago | (#45924793)

But if you check the safe for faults then open it through one of them it is.

looking at a website is NOT opening it (0)

Anonymous Coward | about 3 months ago | (#45924839)

and if you are just visiting and by accident do something local that causes the hack, it would be like looking at the safe on 45 degree angle and it opened
or opening your window which shines light on it and it opens...

all not under your control most people would say HEY your safe is light sensitive....

YOU DON'T call the cops

Re:looking at a website is NOT opening it (0)

Anonymous Coward | about 3 months ago | (#45924881)

Smart folk belong in jail because they make the stupid folk feel uncomfortable.

Re:Idiots (1)

im_thatoneguy (819432) | about 3 months ago | (#45924917)

If you put a high powered microphone to a safe, pick the lock and then rifle through the contents to see if they're valuable... it's not your fault it was possible for you to break in.

Read your article, submitter... (0)

Anonymous Coward | about 3 months ago | (#45924691)

from the article: "Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

Hardly arrested then...

did he learn his lesson? (3, Insightful)

Anonymous Coward | about 3 months ago | (#45924699)

Do not give what is holy to the dogs; nor cast your pearls before swine, lest they trample them under their feet, and turn and tear you in pieces.

Never put your name to it (-1)

Anonymous Coward | about 3 months ago | (#45924749)

Never. Ever.
Initials in the code? No.
Cleverly named file that points to obscure parts of your family history? No.
Sent at a time of day for which very few people and specifically you can be fingered? No.

People. Go watch all of CSI, NCIS, House, Castle, Bones and read the backlog of crime and mystery books BEFORE you submit evidence to any authority that can result in egg on their face. They WILL look for someone to blame. Do not allow it to be you.

Re:Never put your name to it (0)

Anonymous Coward | about 3 months ago | (#45924777)

Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.

Re:Never put your name to it (5, Interesting)

YttriumOxide (837412) | about 3 months ago | (#45925157)

Wow, I hope you never have a complaint to report to the Complaint Department! Word to the wise: the Complaint Department doesn't exist. You will be arrested.

I'm pretty sure most western countries have a complaints department for law enforcement.

Many years ago in my teenage years in New Zealand, I was chatting to random people on IRC (a pretty new protocol at the time) and there was a guy bragging about bombing a plane - specifically, putting explosives on the landing gear of the plane.

Being young and paranoid, but not yet particularly clever in the ways of the computer security world, I 'anonymously' emailed the police with information about it. My attempts at anonymity were however not good enough and a few days later the police came and took all my computer equipment. The search warrant read "Attempted murder and breach of the telecommunications act" (I still have it, along with the write up I got in the newspaper as a reminder of absurdity). Of course, I was never arrested as I had done nothing illegal.

While that all annoyed me greatly, it didn't annoy me nearly as much as them keeping my stuff for over 3 months before I got it back. When I did finally get it back, the power switch on my main system was physically broken and the HDD was formatted.

I made a complaint to the Police Complaints Authority (a government body) and they ended up writing a letter of apology. So, while complaining certainly didn't do anything useful for me, the point is that there WAS a body for me to complain to.

I'm sure it's a little more complex in countries like the US and Australia since there may be differences by state as well as the federal level to think about, but a quick Google search seems to confirm that complaints departments and/or processes do exist there also.

Re:Never put your name to it (0)

Anonymous Coward | about 3 months ago | (#45925221)

In America they arrest you and take all your stuff without a warrant. Then they put you on trial where the prosecutor declares that an example must be made of you because bad things are happening in this day and age. If they break your stuff and you make a complaint to the complaints department they tell you to shut up and stop complaining or they will blow your head off. So yes the complaints department does exist.

Re:Never put your name to it (0)

Anonymous Coward | about 3 months ago | (#45925075)

Go watch all of CSI, et cetera

Well I'd learn that evidence collectors who play detective always go with the first idea that pops into their head and ignore all other possibilities, plus are full of wisdom like "a man will always cut himself whenever he stabs his victim".

This is BS (5, Insightful)

Anonymous Coward | about 3 months ago | (#45924751)

Whoever posted this should be deleted from /. Nowhere does it say dude was arrested. Learn to read or go back to reddit.

Re:This is BS (2)

Darinbob (1142669) | about 3 months ago | (#45924893)

We've known for many years now that Timothy can't actually read.

Re:This is BS (2)

crossmr (957846) | about 3 months ago | (#45925339)

I'm not shocked at all that this came from Timothy, I can only guess he must have been on the phone with kdawson at the time he posted it.

in software (0)

Anonymous Coward | about 3 months ago | (#45924753)

you hold data or communicate it, write your code accordingly

From TFA (3, Informative)

AlanS2002 (580378) | about 3 months ago | (#45924757)

"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."

HE DID NOT GET ARRESTED. Clearly whoever posted this story can't read.

Re:From TFA (1)

Brett Buck (811747) | about 3 months ago | (#45924889)

More likely, he figured it wouldn't get accepted if it was utterly uninteresting. Faux outrage is far more compelling.

Re:From TFA (1)

AlanS2002 (580378) | about 3 months ago | (#45924901)

You would have thought that whoever accepted it to be posted would have read TFA article and realised it was a crock.

Re: From TFA (0)

Anonymous Coward | about 3 months ago | (#45925023)

Is that the TFA article that's written by the Department for Redundancy Department?

We need a Kickstarter campaign for Timothy (4, Funny)

JohnA (131062) | about 3 months ago | (#45924837)

We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.

Anyone with me?

Re:We need a Kickstarter campaign for Timothy (5, Funny)

Anonymous Coward | about 3 months ago | (#45924851)

No. Education is too expensive. Just replace him with a monkey.

Re:We need a Kickstarter campaign for Timothy (3, Insightful)

Anonymous Coward | about 3 months ago | (#45924873)

We could raise money to teach him how to read. And then, maybe, we could send him to a school that will teach him how to read a full article, and apply basic cognitive skills before spewing all over slashdot.

Anyone with me?

Nope... 't's a lost cause, timothy's cognitive skills are in the atto- range

Re:We need a Kickstarter campaign for Timothy (1)

thegarbz (1787294) | about 3 months ago | (#45925213)

You assume Timothy is a person rather than an automated computer program that generates summaries.

Slashdot reader points out error in headline ... (5, Funny)

Grismar (840501) | about 3 months ago | (#45924853)

... and gets arrested.

Re:Slashdot reader points out error in headline .. (0)

Anonymous Coward | about 3 months ago | (#45924971)

.. modded -1 Offtopic

Re:Slashdot reader points out error in headline .. (0)

Anonymous Coward | about 3 months ago | (#45925189)

if that were true, there wouldn't be that many users or readers left here, certainly not enough to amass 83 comments to a story in under two hours.

Misinformation net overload (0)

Anonymous Coward | about 3 months ago | (#45924909)

I expect sensational, laziness and haha u didn't RTFA gotchas... yet ... even in the WWF you don't see wrestlers running over each other with monster trucks, wielding ninja swords or shooting their opponent with machine guns... there are LIMITS...

Now if you'll excuse me I have some endangered turtles to cook.

Metlink IRP (1)

SJ2000 (1128057) | about 3 months ago | (#45924919)

He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.

Re:Metlink IRP (0)

Anonymous Coward | about 3 months ago | (#45924939)

Yet another injustice in the holy name of Compliance.

Re:Metlink IRP (0)

Anonymous Coward | about 3 months ago | (#45925051)

What injustice? No one was arrested. Metlink followed good procedures by reporting the incident. We report a dozen attempted SQL injection attacks a week at the government department I work at, I am sure most are simply script kiddies looking to big note themselves but given the data we house we have a responsibility to report it regardless of what we think the intent of the person was. I imagine a few of them get a nasty message from the police, don't know any that have been arrested, foreign users get reported to their ISP and if their ISP does nothing then we blacklist the ISP's address range. The primary concern when dealing with people's data has to be the protection of the data, it is illegal to do a pen test against a site without the site owner's permission.

Re:Metlink IRP (5, Insightful)

waynemcdougall (631415) | about 3 months ago | (#45925055)

He has not yet been arrested and Metlink were simply following their IRP for a security breach which doesn't discriminate based on intent.

No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported.

Instead they did nothing until exposure of their incompetence was threatened by mainstream media.

Re:Metlink IRP (1)

SJ2000 (1128057) | about 3 months ago | (#45925093)

No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported. Instead they did nothing until exposure of their incompetence was threatened by mainstream media.

It all depends on the IRP, most Australian transport organisations do not have an incident response plan for this report from a member of the public (I.T. or otherwise), but they do have them for various PR issues such as public disclosure of security issue (I.T. or otherwise). I'm not saying it's right I'm just explaining how it occurs, and given the public profile of the incident, I'm not sure I'd want to be the one deviating from the established IRP even if it wasn't written with this in mind.

Another Possibility (1)

iamnotasmurf (3464141) | about 3 months ago | (#45925079)

Find a person who practices law or even better an organisation that specialises in law relating to computers and the internet and get their opinion on what to do. If you're going to be doing something with legitimate intentions that could be considered as illegal in the eyes of some people, then you better play the game and get legal advice before doing so. Just like when the guitarist of The Who Pete Townshend decided to investigate child pornography, he got legal advice before doing so (He was still arrested for accessing a child pornography site, but in the end he was only given a caution). Just my 2 cents...

Re:Another Possibility (0)

Anonymous Coward | about 3 months ago | (#45925153)

"Do whatever the prosecutor says. No one cares and your case doesn't matter. You have plenty of time to do community service and nothing better to do. Now pay me $1000 because I just gave you expert legal advice."
