
Man arrested in VTech hack that exposed data for millions of kids - shawndumas
http://arstechnica.com/security/2015/12/man-arrested-in-toymaker-hack-says-he-wanted-to-expose-inadequate-security/
======
tptacek
Whether you have bounty-style permission to test someone's site or not, a red
line you never cross: post-exploit privilege exploitation and pivoting.

If you find a SQLI vulnerability, you assume you own not just the site but the
whole deployment environment. You won. _Don't go trying to prove you won._
Very few companies, even the ones that post bug bounties, will put up with
random people on the Internet owning up their backend servers.

Even on professional pentests, you ask permission to pivot. If it wasn't in
the rules of engagement when the test began, chances are the answer is "no".
(That's no surprise: there isn't much to be learned by the target from it. A
gameover is a gameover.)

~~~
ashurov
How would you inform the general public of the severity of the problem?! "Hey
they have an SQLI vulnerability! I own them!" or "Hey I just downloaded
millions of records including the photos you took". See the difference? I
agree with your point, but that approach doesn't translate the severity of the
problem to the public. I don't have the solution to this problem, except
perhaps educating the general public?!

~~~
tptacek
People ask that all the time. The answer is simple. No matter what you say and
do, some people are going to rationalize and minimize impact. You don't get to
solve that. You make the best argument you can with the facts that are
available to you without pivoting.

------
_Codemonkeyism
I always wonder why the guy is prosecuted and not VTech for failing to protect
the images of children in any way - and worse obviously not making any serious
effort for data protection.

~~~
tptacek
One reason for that is that to be prosecuted, you have to commit a crime that
was on the books when you did it.

As a software developer, how comfortable are you with _criminal liability_ for
security vulnerabilities?

~~~
_Codemonkeyism
Not very comfortable, but I wonder what effects this would have on our
industry.

------
thesehands
Exposing exploits prior to letting the vulnerable party know is a pretty poor
way to go about things, but at what point should legal action be taken against
VTech for not properly securing this info?

------
jacquesm
Choice quote from a thread the other day on HN:

"Us enthusiasts don't mean any harm and almost never perform tests that break
the software (or network). There's a reason why bounty programs exist."

[https://news.ycombinator.com/item?id=10730400](https://news.ycombinator.com/item?id=10730400)

------
therein
VTech made me think it was Virginia Tech.

~~~
geoffpado
I have thought that for the entire time this story has been in the news and
only today realized it wasn't.

