I once pointed out to a chap entering his PIN in front of me at the supermarket that he really ought to be more careful typing it in lest someone malicious gets his PIN.
His response was “Well you shouldn’t be looking should you?”. I just sighed and left.
Well, I think if you become aware of a security vulnerability that exposes the data of large numbers of people then you should be fairly hasty in taking steps to make the relevant people aware. Criminals are not fazed by an Xmas holiday, generally.
The kid (and he is a kid, here) didn’t sell the data, didn’t publish it broadly or otherwise do nefarious things with it. He tried to bring it to their attention, then tried another tack after a few days of non-response. I might do the same (though I wouldn’t know an SQL injection from a flu shot in all honesty).
I wonder how many executives still maintain that much sense of objective reality. One day there were no security issues on their desk, and then suddenly thanks to Joshua there were. How could that not mean he created a problem?
Haven’t we learned this lesson well enough yet? In the 21C, if you learn about a potential security flaw, under no circumstances should you report it to corporate security people. Remember, their job is not to safeguard data - their job is to keep their job.
Therefore, the only sensible thing to do is to contact the Russian Mafia, whose motives are crystal clear and who can be trusted to reward you appropriately.
I don’t think I made myself clear.
I agree with you: you should be taking fairly hasty steps to make sure the relevant people are aware. What I’m saying is that the kid (and I acknowledge he is a kid) didn’t make half-way reasonable steps to do exactly that. One e-mail on a public holiday during a holiday period is not a reasonable effort to notify, because there are many plausible reasons for how the e-mail could have been breezed over or simply not seen at all.
I’m not saying the PTV isn’t entirely responsible for the problem, and assuming that the e-mail was reasonably clear in its meaning then PTV should have responded to it and acted on it. Indeed, they should review what happened and how they should respond in future. However, the correct next step for the kid isn’t to go to a newspaper; it is to try to contact them again, and again, and again if necessary until there can be no reasonable doubt that they are ignoring communications (phone is excellent for this, because you can know for sure whether there is someone on the other end of the line).
So basically, what I’m saying is that when he ‘tried another tack’ he tried the wrong one. The right one would have been to e-mail PTV again, or better yet to call customer service and see who he could talk to.
I’d hazard the vast majority of corporate bastardry going on in this country has indeed been imported by US think tanks and the like; your scumbags frequently visit our shores to educate our scumbags in the latest state-of-the-art advances in scumbaggery.
But on the other hand, our potential paradise has been spoiled from the get-go by clueless conservatives.
We’re talking about the kind of fuckwits who scare people off bikes by maintaining despite all the evidence that cycling is so dangerous everyone must wear a helmet while doing it… meanwhile, for every year of life being saved by helmets, we’re losing twenty years of life to obesity-related disorders as a direct result of scaring people off bikes.
Good going, know-nothing authoritarians. What’s next? Ah, shooting security messengers, I see. Maintaining the form. [mod edit: removed ableist slur]
I suppose you could have continued with something along the lines of “and maybe you shouldn’t live in a world with criminals in it” but what’s the bleedin’ point? You’re not the chap’s mother. A resigned sigh seems just about appropriate here.
Yeah, with logic and reasoning skills like they possess, it gives me hope that I might one day turn to hard liquor and drugs, only to wake up as a CEO of some huge enterprise.
It’s a compliment. Our image of Australia (thanks to Crocodile Dundee, Crocodile Hunter, Mad Max and those Foster’s beer commercials) is of rough cowboy types. I know there are corporate types with their heads up their butts all over the world, I just figured all of yours get eaten early in life.
And yet the Transport Dept (VTD) took the time to report him to the authorities. Reasonable threshold of communication or not, they still screwed the kid after he attempted to help as a private citizen. It’s the VTD’s responsibility to screen their own communications–the kid has no compunction to help them otherwise (he’s not an employee or contractor for them–he notified them out of altruism or whatever you’d like to call it).
I had no idea, what about your schools? In the U.S. there was an incident in some elementary school where a bully walked up to a kid during class and punched him in the face. He continued to beat on him so the teacher ran out to get a cop. The teacher could have restrained the bully, but the school would have suspended him at the very least. The reason: The bully’s parents could have chosen to pursue assault charges against the teacher and sue the school board for stopping their “innocent angel” from beating the life out of his victim. I would say we are being turned into pussies, but pussies are far tougher than what we will soon be.
That’s unlikely here. You can use appropriate force in the defence of yourself or another person. It’s fine for a teacher to do that. Our legal system doesn’t hand out ridiculous settlements.
They took the time to do that after they had been contacted by the newspaper, and presumably after the problem had been fixed (since the paper allowed them time to fix the problem before publishing and the first published report didn’t say that PTV had contacted the police).
I am not sure how that goes against what I was saying at all. I wasn’t arguing that they should have had more time to sort out the problem, but that the kid should have made real efforts (i.e. more than a single e-mail on a public holiday) to contact them to disclose the problem, rather than sending a single e-mail, waiting just over a week, then contacting a newspaper.
Instead, he should have e-mailed them and then when he didn’t receive a response he should have considered the possibility that it wasn’t received (flagged as spam or scam), was dismissed by a customer service person as a scam/phishing e-mail, etc. and instead written another e-mail specifically requesting a response when the e-mail was received - perhaps a couple of days after the initial e-mail - and then if he didn’t receive a response to that then he should have made a phone call. You can never be sure asynchronous communication has been received, but with synchronous communication you don’t have that problem.
PTV may have bad policies which meant that the original e-mail was seen but ignored, or not appropriately responded to, and that should be investigated by PTV. However, that doesn’t change my opinion that the kid didn’t make reasonable efforts at ‘responsible disclosure’.
So they put the cops on him after seeing the potential issues he’d so nicely informed them about, instead of sending him a nice fruitcake and thank you card.
Yeah, I got that, and as I mentioned before, the young man is not affiliated with that company in any way and therefore he owes them nothing in terms of how much he had to try to communicate said bug to them–that’s their issue entirely and he was essentially performing work they should have done in the first place. If anything, they should have sent him a check for his time invested in finding the bug and notifying them. So the threshold of communication is a nonstarter in my opinion–it’s their shit and their shit to fix. He gets the nice kid award for the day.
Hell, for that matter, the VTD’s lack of responsible software engineering (or responsible testing) moots any responsible disclosure needs of the young man in question.
Shooting the messenger is a typical reaction both internal and external to government. This young guy should have been praised for doing the right thing and reporting it. I bet he was only reported to the police because the Minister responsible or some senior public servant was either made to look bad or would have looked bad had this information got out, that and the fact that they originally had done nothing about it after the guy’s first report. Government really has no idea what to do with vulnerability identification, nor does government ITS really seem to care. What will happen now is that people won’t report the vulnerabilities to their governments through fear of retribution. This is a shameful state of affairs !!! However if you knew the state of cybersecurity in Australian State government you would be truly ashamed! - Everyone should ask their state and local governments what they are doing about Information Security… we need the real answers, because, after all, it’s your data !!!