

First State set police on man who showed them how accounts could be ripped off - mopoke
http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html

======
zemaj
Unfortunately this happens more than you might think and other Australian
companies seem to have a similar approach to dealing with security findings.
Many years ago I found a huge hole in a large company's Australian website
that allowed me to download their entire database of customer records
including addresses and plain text passwords, by a similar method of just
changing url parameters. This was millions of consumer records from a -big-
international brand.

Instead of warning the public, that their records may have been compromised,
they focused on me. I was immediately slapped with legal threats via phone,
email and mail. They took my original email apart, saying that by modifying
the url and downloading the database I had illegally obtained this data, I
could be prosecuted under xyz law etc... They ended it by saying that if I
ever spoke about it publicly I would be taken to court.

Needless to say I attempted to take my issue directly to several Australian
newspapers. I talked to a couple, but none wrote a story. I don't understand
why - this was 7 years ago, perhaps they didn't understand the issue. I spoke
to a lawyer who told me that there was nothing I could do. They'd given me a
way out so I should just take it and try to forget what happened. In the end I
convinced myself that perhaps I was in the wrong. No one would listen to me.
At the time I was a lot younger and had fewer resources. I would of course not
deal with it the same way now. However, I'm not interested in digging up the
past - the proof is long gone, but the lesson stays the same.

There should be a government body to whom security breaches like these can be
reported. Companies can not be trusted to police themselves when it comes to
private data.

~~~
ra
At least this time around SMH have apparently understood the situation and
called out First State Super.

Also: _NSW Police said it was not taking any further action on this matter.
"There was no criminal offence committed and the company in question has been
informed of the outcome. It was more a case of a civic-minded person reporting
a potential security breach."_

I 100% agree that the government should handle these situations, unfortunately
the closest thing we have is The Privacy Commission - which is completely
toothless.

~~~
pavel_lishin
> I 100% agree that the government should handle these situations

Isn't that like asking the government to intervene when I notice that my next-
door neighbor leaves his car unlocked with the keys in the ignition when he
comes home from work?

~~~
mikeash
Security of one's own property is a completely different matter than a bank's
security of its holdings of other people's property.

~~~
pavel_lishin
What if the car belongs to the local bank manager who left his work laptop on
the passenger seat?

~~~
mikeash
If his work laptop contains customer-related information which endangers their
accounts, that would definitely be a matter for the police.

------
blahedo
A reasonably happy note of sanity is sounded at the end of the article:

'NSW Police said it was not taking any further action on this matter. "There
was no criminal offence committed and the company in question has been
informed of the outcome. It was more a case of a civic-minded person reporting
a potential security breach."'

~~~
jobu
The comments from the First State officials seem fairly sane as well, but this
is completely over the top:

 _"The next day Webster received a letter from First State's law firm, Minter
Ellison, telling him his actions constituted a breach of the Crimes Act and
Criminal Code Act...

...The firm said they may go after him for costs related to the matter."_

Hopefully someone reins in these vicious lawyers before they screw over one
of the good guys.

~~~
p858snake
As to my very basic understanding of Aus law they can't; they would need to
take him to court and prove he broke the law before they can pursue costs,
which is very hard since the police have decided not to investigate the matter
because they believe he didn't break the law.

------
NinetyNine
This is why I stand by anonymous public disclosure. Companies will not budget
for security unless you make them.

~~~
blahedo
It's true. About five years ago my bank upgraded their systems and, no
kidding, set everyone's password to their login name as part of the
transition. When I called them on it, they stonewalled me and repeatedly
claimed that I was being unreasonable, and as far as I know never fixed it,
and fearing something like the OP I never pushed it. (I closed my account and
switched banks.)

Edit: My summary of that saga, posted at the time:
<http://www.blahedo.org/blog/archives/000836.html>

~~~
nodata
"So, I sent a detailed email to the bank's address"

I've found that a one-line response (i.e. no explaining why, no technical
details, no explanations of explanations) generally works a lot better:

"Wouldn't this mean that everybody now has easy to guess passwords?"

------
steve8918
I learned early on in my career not to mess around with account information,
especially at a bank.

My first job out of university was in corporate IT for a big bank around the
time that l0phtcrack came out. I used it to crack hundreds of user passwords,
and then showed my boss the vulnerability.

He promptly told the director, the director sent out an email saying that
people's NT passwords had been breached, and I got in a little bit of trouble
for cracking people's passwords without authorization, even though people were
using passwords like "password", "apple", etc.

I realize it's dumb to blame me (or the guy in the original story), but
I've come to learn that when you're dealing with big corporations like banks,
they are eager to cover their own asses and to throw the blame wherever they
can. So it's best to never mess with them.

The fact that the guy actually downloaded customer information is what opened
him up to potential problems; that's the one step I probably would have
avoided.

Of course, this ridiculous behavior by the banks will only make it more likely
that any security breaches won't be reported, which means if you're a
customer, you should change banks immediately to a bank that actually cares
about the security of your information.

~~~
shabble
You're lucky you're not Randal Schwartz[1], who performed an unauthorised
security audit on some Intel boxes, and ended up being convicted and spent
something like 10 years (and a hell of a lot of money) getting the ruling
overturned.[2]

[1] <https://secure.wikimedia.org/wikipedia/en/wiki/Randal_L._Schwartz>

[2] <http://www.lightlink.com/spacenka/fors/>

------
sneak
The exact same thing (except in the USA) is happening to my friend:
<https://freeweev.info>

He's looking at ten years in federal prison for what basically amounts to
whistleblowing. They've charged him with identity theft and conspiracy to
commit unauthorized access for scraping email addresses (and nothing else)
that AT&T had published unauthenticated on the web.

The world is a crazy place, these days.

~~~
redthrowaway
I'll preface this by saying that I like weev, and get a kick out of some of
his antics, but...

He's a _really_ unsympathetic defendant. Put him in front of a jury and they'd
likely convict him regardless of the evidence. If you're going to be engaging
in activities of questionable legality, even if you think you're doing the
right thing, it pays to at least put up a respectable front. Just about
everything he engages in is something his attorney will have to account for in
trial.

"Yes, he founded a grey-hat security firm named after an infamous image of a
man exposing his digestive tract, but..."

"Yes, he claimed responsibility for illegally taking Amazon offline, but..."

"Yes, he exploited a vulnerability in AT&T's site to collect 100k+ user
emails, but..."

"Yes, he is a member of the Gay Nigger Association of America, but..."

He's a defender's nightmare. If you're going to put yourself at odds with the
law, at least give your attorney a fighting chance.

~~~
sneak
He says the whole thing will be worth it even if he just gets to play
Gayniggers From Outer Space in federal court (to illustrate that he is not the
leader of a hate group).

The man epitomizes "doin' it for the lulz". I agree 100% with all your points,
but I personally feel that it's the unpopular or misunderstood speech that
needs the most defending. What he does is not criminal, and should not land
men in prison for a decade, trolling or no.

<http://en.wikipedia.org/wiki/First_they_came..>.

------
josephg
From the article:

 _He said Webster's actions were more serious because he did not just access
his own or a mate's account, but hundreds of other customer accounts, to prove
the security flaw was real. "While we were appreciative of him showing us a
weakness in our security systems the size of the downloads concerned us
greatly and the fact that it was a major breach of the privacy provisions of
our members," Dwyer said in a phone interview._

The guy didn't just find and report on a vulnerability. He also scraped a
whole heap of private customer details ('to prove the problem was real'). If
his intentions were pure, he shouldn't have downloaded & saved the private
information of hundreds of customers. First State Super overreacted, but I can
understand why they're nervous that he might keep the data.

~~~
wpietri
Seriously? I'd say checking that the vulnerability works on "hundreds of
customers" out of 770,000 is a reasonable thing to do to see if it's really
there and to get a bit of proof. I could easily imagine quickly banging out
some shell one-liner with seq+wget to see if it wasn't a fluke.

First State Super shouldn't have worried about this guy. If he were evil, he
_wouldn't have told them_. If some problem later developed with those few
hundred people, they'd know who to nab. This is just scapegoating, presumably
driven by IT people trying to distract execs from their total incompetence.

------
SoftwareMaven
A good deed never goes unpunished. I don't know if I would ever report a
security problem like this for fear of needing to deal with this kind of head
ache (at least with a non-Google-type company).

Anybody have any idea whether my feelings are being unduly influenced by
familiarity with these kinds of stories? I doubt there is any real data to
make a decision with, but I like to try to stay at least a little rational.

~~~
wladimir
Not really strange. I generally don't report security vulnerabilities either
when I find them. Sure, if it's a simple process to file an issue, or I know a
knowledgeable person in charge of the system, I'll do it.

But otherwise I simply don't feel like explaining it. I don't feel I have the
moral obligation to jump through hoops to get through all the customer bla-bla
to someone who understands, and face legal issues, just because I bump on some
'bug'. Someone else will find it eventually. Choose your battles carefully and
such...

------
jcromartie
> he may be liable for any costs in fixing the breach.

How is this even remotely logical? If someone walks by my house and yells
"hey, your window is broken!" can I force them to pay to repair it?

------
buff-a
"I'm confident that when we meet and discuss the matter we can resolve it to
our satisfaction that he is actually not holding those files any longer."

How the fuck are you going to do that, Mr CEO?

------
Joakal
Looks related to this:

<http://risky.biz/fss_idiots>

<http://risky.biz/minter>

There's also a case where Police can arrest you and unarrest you at will (in
Queensland at least). In the process, taking all your equipment (his iPad):
<http://www.news.com.au/technology/facebook-story-arrest-disputed-on-twitter/story-e6frfro0-1226057758607>

The young journalist decided to go quiet so as to not upset police(?):
<http://www.reddit.com/r/australia/comments/hn74v/what_happened_with_userbengrubbs_interaction_with/>

Even [NSW] politicians think accessing a private URL can be 'hacking':
<http://www.smh.com.au/nsw/minister-a--monkey-could-have-hacked--secret-transport-site-20100223-p085.html>

Quite frankly, I'm disappointed that companies in Australia can wave the
police wand whenever there's an IT security issue. I want Aussie police to
step up their game and charge the companies with making false police reports.
Especially with demands to seize equipment of individuals as a form of
extortion with malicious intent to silence them.

------
jasonwatkinspdx
I found this fascinating:

 _"But then three and a half weeks later the police just knocked on the door
and said we're here to speak to you about downloading files about First State
Super," said Webster, adding police discussed the matter with him and told him
to stay away from First State's website."_

The implication there is that a website is property so strongly as to use the
police to compel whether someone might choose to point their web browser at
it.

~~~
rmc
That could be advice from the police. As in "We're looking into it, you say
you are innocent, but if we find out you are hacking around that website
again, then we might not be so sure"

------
nodata
So First State try and get revenge on and blame the poor guy who reports the
problem. I can't understand how this is a cheaper or a better solution for
them than fixing the hole. It would be interesting to know if there was a
thought process behind this, because it reads like there wasn't.

~~~
Volpe
There is still the very real chance this guy has all their member information.

In this situation, how can a company ensure he has deleted all of the data,
without legal action?

~~~
burgerbrain
How can a company ensure he has deleted all of the data _with_ legal action?

------
Volpe
"To demonstrate the flaw to First State's IT staff, he wrote a script that
cycled through each ID number and pulled down the relevant report to his
computer. He confirmed that the vulnerability affected the firm's full
customer database."

Seriously? That sounds like a little more than just "checking the vulnerability
exists"; that sounds like exploiting it. Tweaking the URL is all he needed to
do to work out that there was a problem... then he writes a script and
downloads all the data?

I'm actually not that shocked by the reaction. Equivalent:

"I noticed your door was unlocked, so I stole all your stuff, and put it in
that truck parked just there. Just thought you might like to know". <---
Would you take legal action in that case?
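The article passage quoted above describes a script cycling through every ID number, and a commenter earlier in the thread imagines the same thing as a seq+wget one-liner. From the operator's side, that activity is visible in ordinary web server logs. The following is an added detection example, not code from the article, from First State Super or from anyone in the thread; the `/reports?id=` endpoint, the client addresses, the log lines and the alert threshold are all constructed for illustration.

```python
"""Added detection example (not from the article or the thread): spot one
client walking through account IDs in a combined-format access log.
Endpoint path, IPs, users, timestamps and the threshold are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format; only the request path and the client identity matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Hypothetical endpoint: the account ID is the `id` query parameter.
ID_RE = re.compile(r'^/reports\?id=(\d+)$')


def parse_line(line):
    """Return (client, timestamp, account_id) for a report download, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.match(m.group("path"))
    if not idm:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    client = f'{m.group("ip")}|{m.group("user")}'
    return client, ts, int(idm.group(1))


def find_enumeration(lines, window=timedelta(minutes=5), min_distinct=20):
    """Flag clients that fetched at least `min_distinct` different account IDs
    within any `window`-long span. Returns {client: (max_distinct, sequential_ratio)},
    where sequential_ratio is the share of consecutive IDs among the IDs seen:
    a member opening their own statement twice never trips this, a walk through
    1000, 1001, 1002, ... does."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            client, ts, acct = parsed
            events[client].append((ts, acct))

    alerts = {}
    for client, evs in events.items():
        evs.sort()
        seen = Counter()      # account IDs currently inside the sliding window
        left = 0
        best = 0
        for ts, acct in evs:
            seen[acct] += 1
            # Drop events that fell out of the window.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            best = max(best, len(seen))
        if best >= min_distinct:
            ids = sorted({a for _, a in evs})
            steps = [b - a for a, b in zip(ids, ids[1:])]
            seq_ratio = (sum(1 for s in steps if s == 1) / len(steps)) if steps else 0.0
            alerts[client] = (best, round(seq_ratio, 2))
    return alerts


# --- constructed sample log -------------------------------------------------
def _line(ip, user, ts, acct, status=200):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +1000")
    return f'{ip} - {user} [{stamp}] "GET /reports?id={acct} HTTP/1.1" {status} 5120'

_BASE = datetime(2011, 10, 18, 9, 15, 0)
SAMPLE_LOG = (
    # Two ordinary members reading their own statements.
    [_line("10.0.0.5", "alice", _BASE + timedelta(minutes=1), 1001),
     _line("10.0.0.5", "alice", _BASE + timedelta(minutes=7), 1001),
     _line("10.0.0.9", "bob", _BASE + timedelta(minutes=3), 1002)]
    # One session pulling 31 consecutive IDs, one every three seconds.
    + [_line("10.0.0.7", "member_x", _BASE + timedelta(seconds=3 * i), 1000 + i)
       for i in range(31)]
)

if __name__ == "__main__":
    for client, (distinct, ratio) in find_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {distinct} distinct IDs in window, sequential ratio {ratio}")
```

Keying on IP plus authenticated user matters: the thread's scenario is a logged-in member, so the useful signal is "how many other members' records did this one session read", not raw request volume. The same counter, fed with 404/403 responses from the fixed endpoint, also shows who is probing after the hole is closed.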

~~~
leot
Or: "it seemed like you left your private diary out, so I photocopied every
page to make sure before telling you."

That said, I can see the temptation to want an answer to the question "did they
_really_ leave every account open?"

~~~
cubicle67
more like

"I found your private diary in the hedge near your house, so I had a bit of a
rummage around and also found your cheque book, credit card and driver's
license. There's probably more stuff as well. Just thought I'd let you know
before anyone else finds them"

~~~
bionicbrian
Or, "I found that you, the bank, left all of your customers' money and social
security cards and personal records (including mine) in an unlocked windowed
room facing the street where anyone might walk by and steal all of it. You
might want to lock it up." "Prove it." "Ok, I'll just show you how
ridiculously easy it is to open this door . . ." "Thief!!"

------
bionicbrian
Oh my gosh man. That's so bad. You simply replace the account ID parameter in
the request URL? That's so bad. So so stupid on the bank's part. They should
be showering this guy with gifts for pointing out such a stupid mistake to
them and they should be going after whoever set up their system like that.
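The mistake the comment above describes, a record fetched by whatever ID arrives in the URL with no check that it belongs to the caller, is usually called an insecure direct object reference. The following is an added example, not code from the article, from First State Super or from the thread: a statement lookup written the broken way beside the same lookup with object-level authorization. The `Statement` type, the member names, the IDs and the `NotFound` error are constructed for illustration.

```python
"""Added example, not code from the article or from First State Super: a
'statement by account ID' lookup as the insecure direct object reference the
thread describes, beside the same lookup with object-level authorization.
Names, IDs and data are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Statement:
    account_id: int
    owner: str      # login name of the member the account belongs to
    body: str


# Constructed stand-in for the member database.
STATEMENTS = {
    1001: Statement(1001, "alice", "alice's statement"),
    1002: Statement(1002, "bob", "bob's statement"),
    1003: Statement(1003, "carol", "carol's statement"),
}


class NotFound(Exception):
    """Plays the role of a 404: a foreign ID and a missing ID look the same."""


def get_statement_vulnerable(session_user: str, account_id: int) -> Statement:
    """The flaw from the thread: the session says who is logged in, but the
    ID taken from the URL is trusted as-is, so the caller's identity never
    enters the lookup at all."""
    stmt = STATEMENTS.get(account_id)
    if stmt is None:
        raise NotFound(account_id)
    return stmt


def get_statement_fixed(session_user: str, account_id: int) -> Statement:
    """Object-level authorization: the record must exist *and* belong to the
    session user. Failing with the same error as a missing record keeps the
    endpoint from confirming which IDs exist."""
    stmt = STATEMENTS.get(account_id)
    if stmt is None or stmt.owner != session_user:
        raise NotFound(account_id)
    return stmt


def readable_ids(handler: Callable[[str, int], Statement],
                 session_user: str, ids: Iterable[int]) -> List[int]:
    """Which of `ids` can one logged-in session read through `handler`?
    Used to show the exposure of each version against the toy data."""
    out = []
    for account_id in ids:
        try:
            handler(session_user, account_id)
        except NotFound:
            continue
        out.append(account_id)
    return out


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("vulnerable:", readable_ids(get_statement_vulnerable, "alice", probe))  # [1001, 1002, 1003]
    print("fixed:     ", readable_ids(get_statement_fixed, "alice", probe))       # [1001]
```

In a real application the ownership condition belongs in the query itself (select by ID *and* owner) rather than as an afterthought around the result, so every path to the record goes through it. Swapping sequential IDs for random ones makes the walk impractical but does not replace the check; and logging the rejected foreign-ID requests is what makes the probing visible.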

------
ArchD
Notwithstanding the right and wrong of this case, if Patrick Webster had done
all his investigation anonymously, e.g. through Tor, and expressed his
findings to First State Super in a way that does not imply that he actually
downloaded anything, I wonder whether it would have put him in a better
position.

Even without investigating anonymously, if he had just described the security
vulnerability without saying what he actually did, would he be legally
vulnerable?

I find it ironic that in helping this company with their IT vulnerability, he
possibly took on himself a legal vulnerability.

------
trebor
That was nice of him to do. And I doubt, after the reaction he got, that he'd
do it again any time soon.

------
jodrellblank
After reporting how easily the Manhattan Project military safes could be
opened, the higher ups sent round an urgent memo addressing the issue. It said
"Don't leave Feynman alone in your offices".

:-/

------
kaze
Unbelievable. Am not aware of US law, but I hope he can sue First State back
for the mental harassment they caused him. This isn't plain ungratefulness -
it is dangerous. It can dissuade well-meaning, civic-minded members of the
public from helping a company, which by the way is great for the bad guys.

~~~
blahedo
> _Am not aware of US law_

This is in New South Wales (Australia).

~~~
ansgri
Interestingly, these horror stories are assumed to be from US by default.

------
wyclif
Whenever I see the phrase "First State", I think of Delaware, not Australia.

------
seven_stones
The other lesson is that incompetence of this magnitude on one issue is always
a symptom of incompetence generally.

I have seen this over and over again with multiple companies. It's not like
everything else is first-rate and somehow just _one_ glaring thing slipped by
them. That's what we'd like to believe.

Instead, there is a systemic problem with horrible decision-making that will
infect every level of operations, until the organization finally collapses
into a black hole of infinite stupidity.

Well, that may be a little extreme. Some of them putter along as White Dwarfs.

