Victorian Transport Department calls cops on 16 year old for reporting bug that exposed customers' personal data


#1

[Permalink]


#2

It's better to stay anonymous when dealing with thugs.


#3

I'm boycotting the Australian metro.


#4

If I find a security vulnerability that doesn't affect me: I tell no one. I advise others to do the same absent laws or a direct interest protecting you.


#5

Meanwhile, actual syndicates of criminals are looking for and obtaining this very sort of information daily. Of course, they keep the knowledge to themselves and use it to ruin people's lives, instead of contacting the authorities and trying to get the vulnerabilities fixed.

But since tracking down the actual criminals is hard, why not arrest some innocent kid and try to pass them off as yet another youth "hacker" corrupted by modern influences?


#6

Note the correction posted in the article; he hasn't been arrested, merely reported.

Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age.


#7

Pointing out the emperor has no clothes. And then being thrown in the dungeon (or just threatened or whistle-shamed* publicly.)

Typical of those with authority beyond their ability. frowning

. * Whistle-Shamed: I just made this up. To publicly be outed as a whistle-blower as to harm future employment prospects. Remember, No one likes a tattle.

** edited for formatting


#8

Victorian here. Its worth noting that while tickets are sold in shops for cash, the transport department does everything they can to encourage travellers to top their tickets up on line. I am 99% sure that a prime driver in this is a police requirement to collect meta data on the movement of public transport users.

And like pretty much everything these days, the shopping cart for tickets is a business as usual webapp, and full of bugs. What else is new?


#9

It's like the McCarthy era all over again.


#10

The word "Victorian" in the headline made me think of steam-punk London Underground cops...


#11

Okay, no arrest. That's still bad though that this company reported the guy that potentially saved them millions. The little petty turds from this company are setting a bad example. Other less scrupulous people would have sold this info to criminal organizations for a large sum of money. Then the company would have to deal with a backlash from customers and the government. I'm surprised Australia has short-sighted corporate assholes. I expected better from the country that brought the U.S. all sorts of rough and crazy crocodile hunters. Then again, they sound like exports from our shores, so good luck with that!


#12

The concept of a mouthy steam punk insect intrigued me as well.


#13

SQL injection? Is the kid's real name Bobby Tables? Seriously? Building a system susceptible to SQL injection like having a military issue new uniforms with a blinking bulls eye on them.


#14

This cannot be posted enough. The Hacker Crackdown by Bruce Sterling is still relevant and still free on the net Hacker Crackdown or as an ebook ebook While the book is 20 years old, it is still awesome because authorities are still doing the same fucked up things.


#15

I vote 'Whistle-Shamed' as my new word and/or concept of the year!!


#16

It really IS deja vu all over again.


#17

Sorry I don't see your logic. I would like to see better from my country too, but our corporate assholes are the same as your corporate assholes.


#18

We have real bluestone prisons with genuine dank.

(apologies to Damien Broderick...)


#19

In advance: I don't think the kid should be charged (and there is no evidence the kid is being charged).
That said: I vote that people learn what responsible disclosure is.

Timeline:
26/12/2013: Kid e-mails PTV (which e-mail address? who knows) to report vulnerability. This is a public holiday in the middle of a peak holiday period.
08/01/2014: The Age newspaper reports on the story, saying that it contacted PTV after the kid contacted them, waited for PTV to fix the issue, and then published.

That's 2 weeks total in the middle of peak holiday period before reporting the vulnerability and publishing, and between the kid notifying The Age, there was time for The Age to contact PTV and PTV to fix the issue. The Age article said that the kid contacted them after not hearing back from PTV for 'over a week'.

Here's the issue: It is unclear whether the e-mail was ever received. Was the e-mail address being checked during the holiday period? Who knows. Did someone receive the e-mail and not know how to deal with it, or think that it was a scam e-mail? Who knows. I believe responsible disclosure should include reasonable efforts to ensure that the notification was received. A follow-up e-mail would have been a good step towards that.

Maybe the kid went to reasonable lengths to ensure that the notification had been received, but none of the articles make it sound that way - and these articles seem to favour his position, so you'd expect that to be clear if it did happen.

In summary: If PTV did actually receive the e-mail (i.e. it actually entered one of their mailboxes, which it very likely did) then the recipient should have passed it onto an appropriate person. PTV should then have responded to the kid acknowledging the problem and providing a (reasonable) estimate of time-to-fix. Assuming the estimate was indeed reasonable, then the kid should have waited for that time prior to contacting The Age. The kid shouldn't be charged, but we should stop pretending that what he did was reasonable or sensible for someone who refers to himself as a 'white hat'.

Edit: I managed to type my dates incorrectly. Thanks for pointing that out @euansmith


#20

Cory did a full reading of it on his podcast too.