
Teen Reported to Police After Finding Security Hole in Website - Libertatea
http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/
======
catenate
In high school I was blacklisted from an admin position for demonstrating that
you could write in Digital Command Language a program that simulated the login
environment, stored login attempts, and then after three tries exited to the
real login environment to let the user in. In college I was nearly expelled
for just mentioning to the IT guys that they didn't have a password on some
database, and I could get in with just telnet. These attitudes haven't changed
much since 1990 at least.

~~~
edvinbesic
Funny enough, I did the exact same thing when I was in high school, only we
were running Novell on NT4 and I did it in BASIC and started it from
autorun.bat which loaded before the network login screen.

It would let you try one time, tell you you entered the wrong password (saving
it to file) and exit, at which point Windows would load the Novell login
screen that looked exactly the same.

Good times.

~~~
GrinningFool
Hah! Exact same thing, I used... Borland Basic, IIRC, to build the executable
that I called from autorun.

I collected many passwords - I never used them or intended to, I just wanted
to see if I could do it.

I made the classic mistake though - I told someone about it. A few days later
word got around. I was suspended for a week and was banned from computers for
the rest of my time there.

Edit: Now that I think about it (I haven't in years): What kind of response is
that? Someone shows some creative thinking and does so in a way that is
obviously[1] quite naive/without ill intent. While I understand that you want
to discourage the specific behavior, perhaps steering the culprit to use
talents with more foresight would have been a better answer.

[1] Looking back, I was something of an asshat in the personal skills
department so it's entirely possible that they simply didn't believe my lack
of nefarious intent.

~~~
javajosh
Actually, I doubt it had anything to do with your personality (and if it did,
shame on the authority figures - and the same is true if they were reacting to
being made look foolish). No, instead I imagine this was a pure security play:
you had a bunch of passwords, and you hadn't done anything with them _yet_.
But they would have had to believe that (and chances are they had no way to
independently verify this) and in addition that you would _never do anything
with them in the future_. The second claim is rather tougher to believe than
the first.

So in the simplest possible manner you became a "known threat", and they dealt
with you in the simplest possible manner, digital ostracism.

Now we can all tell the alternative story, about the wise teacher who sees
something special about us in the misdeed, and who takes the time and the risk
to cultivate that positive seed rather than throw the baby out with the
bathwater, so to speak. Our very own Mr. Miyagi to save us from a misspent
youth, and who understands our behavior as an expression of exploration
ignoring limits, outsmarting the system, rather than your basic mean-spirited
destruction for no reason. (Although tagging and hacking do share many
qualities, and both are driven, I think, by a young man's desire to prove
himself, and yes, even aggrandize himself as someone special - bold, clever,
crafty, and someone who can't be "kept down by the man". Rebellious, but also
desperately needing to prove himself.)

(Of course in this story the Mr. Miyagi would have hacked onto your personal
systems, encrypted the passwords you'd stored, and then left a personal
message notifying you that if you wish to understand what he did and how he
did it, he'll meet you after school in room 10 for a primer on _real_
hacking.)

------
jbrooksuk
I was put into isolation for three weeks during high school when I was found
to be hacking my way through the network. In reality I had found access to the
remote server through the winword.exe open dialog that didn't require
passwords and was displaying in the list of network drives, but didn't in
explorer.

Because I found this, I was able to find the RM _(Research Machines)_
Management Console and use a teacher's (actually the deputy head's) password
"teacher" (no word of a lie) to create a hidden admin user in the list of
student accounts. Through this I could get to RM Tutor 3 which allowed me to
control every PC in the school.

I was gathering information to give to the IT staff, but I was grassed on
instead, so I was in the wrong. I spent 3 weeks explaining everything and how
to fix it, then I was allowed to continue my quest so long as I asked
permission and gave info straight away rather than hoarding it.

Apparently if I had denied it they would've got the police involved, but I was
honest and upfront when they asked me.

My brother started the same school three years ago (I've been gone for 8
years) and I was still able to access a few things with the remote panel —
after which I alerted the school to it. _I don't think they were best pleased
to hear from me..._

~~~
chimeracoder
> Apparently if I had denied it they would've got the police involved, but I
> was honest and upfront when they asked me.

The problem is that this is usually a terrible gamble to make. I'm glad it
worked out for you, but my general advice for anybody else would be _not_ to
talk to the administrators, the same way you should never talk to the police.

You never know if they're going to involve the police anyway after you spill
the beans, and if they do, you'd rather they do it _without_ already having a
confession from you.

~~~
jbrooksuk
> You never know if they're going to involve the police anyway after you spill
> the beans, and if they do, you'd rather they do it without already having a
> confession from you.

I was definitely worried about this, but I figured that if anything, I've not
lied to anybody, so I'd be happy with myself.

~~~
chimeracoder
> if anything, I've not lied to anybody, so I'd be happy with myself.

Unfortunately, that's not the way police encounters work in practice. Even if
you've done nothing wrong, talking to the police can really only hurt you. For
example, this re-enactment is based on a true story in which an old lady in
Baltimore was convicted of drug possession because some neighborhood children
had left a dime bag under her sofa (which she didn't even know about)
https://www.youtube.com/watch?v=s7RYH8Py6lY [0]

Just because you think you've done nothing wrong doesn't mean others will
agree, especially when it's their _job_ to think you're guilty.

[0] This is part of an hour-long video which shows several more cases like
this, but for some reason I can't find the full version anymore.

------
jhgg
It's definitely more harmful long term to arrest rather than reward. Arresting
people for reporting security vulnerabilities only makes the people who
would do so reluctant or even afraid of the repercussions. Meanwhile those who
exploit maliciously will continue to not report their findings. If I were to
find a security vulnerability in a site I frequent, I'd most likely stay quiet
about it out of fear of legal ramifications.

~~~
nobodyshere
After such a motivating action from the govt., they'll simply sell the
vulnerabilities for some BTC to someone else.

------
blueskin_
...and now, all future holes in that site will be sold instead of reported to
the owners.

I'm fine with that.

~~~
falcolas
The problem is that this property transfers to other websites. I'd much rather
a 16 year old report problems with my website to me, but if she doesn't
because of fears that I will call the police as other webmasters have, I'm
worse off as a result.

This is bad news for everyone who runs a website.

~~~
ZoFreX
This is why you should have a page describing your security reporting process.

> (1) Have a security contact, (2) publish a GPG key and accept GPG mail, (3)
> respond promptly with a "security flaw ID".

[https://news.ycombinator.com/item?id=640367](https://news.ycombinator.com/item?id=640367)

------
PythonicAlpha
This seems to be the state of society we are in: If somebody uncovers a
problem that exists, he is reported to the police. But if one organization
spies on everybody and uses the data in irresponsible ways, they are promoted.

I have no doubt, that the coming generations will have big difficulties to
distinguish between right and wrong.

We don't have the problem now with single fallen states, but with a fallen
human kind.

------
ihsw
And thus, once again, it's proven that full _and anonymous_ public disclosure
is the only way to notify website owners of their vulnerabilities.

~~~
sharpneli
And every time that happens a bunch of apologists appear shouting "Why didn't
they inform the site operators first? That is really irresponsible"

And then some poor teen believes it and thinks "maybe it's wise to inform the
site first" and subsequently goes to jail for doing the 'responsible' thing.
And so the cycle continues.

~~~
pavel_lishin
Wouldn't combining the two tactics be the actually responsible thing to do?
Inform the operators anonymously, and tell them that in four weeks a copy of
this e-mail will be publicized.

~~~
dkuntz2
Because that might seem like blackmail to some people...

~~~
mandelbulb
You definitely have to phrase it kindly and explicit and be open for other
options of how to proceed. Otherwise, the point of staying anonymous is to
protect oneself from unnecessarily enraged admins or other responsible people.

------
wglb
When I first read _The Cuckoo's Egg_ by Cliff Stoll, I was wondering if
anyone would think to criminalize connecting something to the network that had
no protection. So instead of throwing teenagers in jail, they would make an
example of systems administrators. Perhaps that would have quickened the
advance of internet security awareness.

At one time, there was a law in Minnesota that it was a misdemeanor to leave
your car unlocked in a public place, so the idea is not totally without
precedent.

~~~
stcredzero
There are similar laws in many other jurisdictions.

I think there should be a digital whistleblower law to protect people who
report such things in good faith. It should include a clause to make it
negligence to ignore such a valid report.

------
xux
In December I found a glitch in my university's directory that let me have
access to personal info of over 60,000 professors, students, and staff.

I was thinking of writing an email to the IT, but fuck that. I'm not paying
for someone else's mistake.

~~~
brianbarker
Send an anonymous email or other notification to them? I agree it's scary to
be penalized for "hacking" the system (in their eyes), but I also think these
things can't be left alone. It'd be cool if you found a way to let them know.

~~~
r00fus
What's an anonymous email? Even Tor is subject to tracking if the endpoint IPs
are monitored [1].

The issue of anonymous disclosure is a real issue if you don't

Why do you think Wikileaks was such a big/new deal?

[1] http://www.forbes.com/sites/runasandvik/2013/12/18/harvard-student-receives-f-for-tor-failure-while-sending-anonymous-bomb-threat/

~~~
brianbarker
Lol, you've never opened a gmail account using fake data and sent from there?
Yahoo? Hotmail?

The FBI will help your sys admin investigate a bomb threat, obviously.
Reporting a security hole is unlikely to draw their interest. Yes, just using a
fake gmail account is traceable without more protections (like correctly
accessing Tor). Again, I doubt the FBI is going to investigate.

But hey, I'm all for paranoia and extra caution.

Plus, rtfa you linked. It says clearly in the first few paragraphs that Tor
did NOT fail this guy, but that he's an idiot in how he accessed it.

Lastly, as mentioned, send an anonymous letter. It's not hard, kids!

~~~
r00fus
If what you're reporting is significant enough to threaten the livelihood or
reputation of people important enough, they can and will find a way to trace
you via your fingerprints/IPs … or do you think Google won't simply roll over
on you when they get a subpoena/warrant?

~~~
brianbarker
I already gave you the answer. Send an anonymous letter. Done.

------
stcredzero
_In the U.S., hacker Andrew Auernheimer, aka “weev”, is serving a three-and-a-
half-year sentence for identity theft and hacking after he and a friend
discovered a hole in AT&T's website that allowed anyone to obtain the email
addresses and ICC-IDs of iPad users._

I don't understand why weev is mentioned in the same article as this teen.
Weev was allegedly discussing the practicalities of making money through fraud
using the information he obtained. It's almost certain he wasn't wearing a
completely white hat. This teen sounds like he was doing the proper white hat
thing, but then got reported to the police anyhow, at least according to the
information provided in the article.

~~~
mullingitover
You beat me to it. The weev paragraph was a total non sequitur; he wasn't
arrested for pointing out their lax security, he went down for attempting to
profit from it.

------
sobkas
Disclosure DOs, Disclosure DON'Ts

A 30c3(30th Chaos Communication Congress) talk by Nate Cardozo(a lawyer) of
EFF.

[https://www.youtube.com/watch?v=oSi6PxVBOx4](https://www.youtube.com/watch?v=oSi6PxVBOx4)

My take on it? Don't do it. You will gain nothing and can lose everything.

------
watty
(DEVIL'S ADVOCATE)

Am I allowed to go to businesses and try to pick the locks, look inside, and
then report to the business owner that their lock was pickable? Well... yes,
but I'd probably be reported to police.

Websites, like locks, aren't bullet proof. How many web applications out there
don't have a security flaw somewhere? Doing penetration tests on unwilling
victims is risky. Trying to break wifi, company intranets, people's computers,
etc. It's best to pentest as a professional, with willing victims or wait for
a "pentest" contest.

~~~
seabee
> Am I allowed to go to businesses and try to pick the locks, look inside, and
> then report to the business owner that their lock was pickable? Well... yes,
> but I'd probably be reported to police.

Sometimes these discoveries aren't intentional. Let's say I lean against a
door and it's not locked. Well, I never meant to open it up, but since I can't
prove I didn't intend to, and since the business can't distinguish people with
honorable intentions vs. those without, why risk telling them?

If you tar the helpful with the same brush as the crooks then you shall always
learn the hard way from your mistakes.

~~~
nhangen
The article states that the kid used SQL injection techniques to access the
site and gauge the vulnerability.

~~~
scarmig
It's perfectly possible to accidentally stumble across SQL injection.

E.g. my street address growing up was 1901 Mayor's Road.

~~~
politician
Yeah, I had a hard time with my street address: 5987 O'Drop Table users; Go

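The two comments above joke about an apostrophe in an ordinary street address breaking a query, which is exactly how a SQL injection flaw gets tripped over by accident. The following is an added example (not code from the article or from anyone in this thread) that shows, on a constructed in-memory SQLite table, why a string-concatenated query fails on "1901 Mayor's Road" while a parameterized query handles the same input correctly. The table name, column names and sample rows are all assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not records from any real site.
ADDRESSES = [
    ("alice", "1901 Mayor's Road"),
    ("bob", "5987 O'Drop Table users; Go"),
]


def build_db():
    """Create an in-memory directory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, street TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ADDRESSES)
    conn.commit()
    return conn


def lookup_concatenated(conn, street):
    """The fragile pattern: the caller's value is pasted into the SQL text.

    A lone apostrophe in legitimate data closes the string literal early, the
    statement no longer parses, and the database raises an error. That error
    surfacing to an ordinary user is the accidental discovery the thread
    describes; the fix is never to build SQL text from user input at all.
    """
    sql = "SELECT name FROM users WHERE street = '" + street + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, street):
    """The robust pattern: the value is bound as a parameter, so the driver
    never interprets it as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE street = ?", (street,))
    return [row[0] for row in rows]


def concatenated_fails(conn, street):
    """Return True if the concatenated query errors out for this input."""
    try:
        lookup_concatenated(conn, street)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = build_db()
    for _, street in ADDRESSES:
        print(repr(street),
              "concatenated query errors:", concatenated_fails(db, street),
              "parameterized result:", lookup_parameterized(db, street))
```

Both constructed addresses make the concatenated query fail at parse time, while the parameterized lookup returns the matching row for each; an address without an apostrophe simply returns no match in both versions. Bound parameters are the control that removes this whole class of bug, and a database error reaching the browser on such input is a cheap signal for defenders to watch for in their own logs.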
------
unethical_ban
I'm most shocked by the fact that the news agency reported the white-hat. I
thought revealing a source was looked down on in journalism.

~~~
forgottenpass
Where do you see that the paper gave them the kid's info? All I see is he
contacted them directly, and no indication that the followup from the paper is
where they got his info.

~~~
ASpring
> When The Age called the Transportation Department for comment, it reported
> Rogers to the police.

Last sentence in the third paragraph.

~~~
pavel_lishin
I assumed that "it" refers to the Transportation Department.

~~~
skeletonjelly
It went like this. Kid didn't get a response from PTV, so he contacted The Age.
The Age went and called PTV to call them out. PTV responded to The Age and
then stupidly went "whelp we have no choice but to notify the Police".

------
jayhuang
Back in high school I found a vulnerability in the website of a major online
DVD retailer.

I notified them about it, and included information on what specifically was
wrong, the impact it had (over 6 million credit cards, social insurance
numbers, addresses, full names, and telephone numbers), and they hired me to
help them fix it.

I often look back on that event and am quite thankful for how it turned out.
I've read about plenty of stories where the person who found the vulnerability
was not as fortunate.

------
aaron695
The article isn't too specific but they imply he used SQL injection.

It's pretty simple people this is against the law in most countries. SQL
injection, default passwords, remote injection are illegal.

The big thing for me is not what happened to him but young people thinking
this is legal. Why didn't he try and be anonymous?

Don't care whether it should or should not be legal to hack sites but how
could he not know it was illegal? (I guess that's slightly rhetorical, he was
16)

------
tn13
A lot of these kinds of things we see in the news these days are a result of a
highly networked society colliding with a hierarchical
administration/governance system.

A typical college management or government is designed to take orders from the
top. A person's ability to make decisions and process information is not often
correlated with their position. But in the real world a 16 year old can beat a
50 year old on the basis of pure merit. As a society we have adapted to it but
governments and management practices haven't. So when a teen calls up to
report a security hole the lower level of administration panics.

------
onion2k
Clearly, the government department is wholly responsible for putting up a
rubbish website, but from another article on the story, _"He first contacted
PTV by email on Boxing Day..."_. I wonder if the "white-hat hacker" didn't time
his notification quite intentionally knowing there was a much lower
probability of action being taken promptly. If they'd just patched the
security hole he wouldn't get any exposure. It makes me wonder if there's more
to this story than we're hearing - that he actually found the security flaw
much earlier and sat on it for a while for example. Or that he downloaded all
the available information first.

As ever, a couple of short articles may not be giving us the big picture.

~~~
Fuxy
By that logic why would he even bother reporting it and have security experts
poking around the logs and potentially find traces of his download.

Personally I would have sold it to the highest bidder. Being "white hat" gets
you in trouble more often than not.

I'll stick to "gray hat" thank you very much. If I ever choose to disclose any
vulnerability to the owners I will not reveal my identity and after an arbitrary
amount of time, say... (1 month), if it's still present sell it to the highest
bidder and let them deal with the consequences.

You have to be strict when teaching people and this is no different. If you
let them set the rules they could choose an unreasonable length of time like
1 year before they allow you to disclose anything.

You are the one in the position of power; never let them take that away from
you. By revealing your identity you give away all your power.

If you're not a threat people don't take you seriously.

~~~
mike-cardwell
Your statement:

> Being "white hat" gets you in trouble more often than not.

Is beyond absurd.

~~~
andyhmltn
I would argue that your reply is the one that's absurd. Why is the quote you
mentioned unreasonable?

~~~
mike-cardwell
Because "Being white hat gets you in trouble more often than not." is so
obviously untrue to anybody with even the vaguest relation to the industry. It
implies that more than 50% of the time, when you disclose a vulnerability
responsibly you get in trouble. When it's more likely much much less than 0.1%
of the time.

People getting in trouble for reporting vulnerabilities is highly rare. Show
me 100 cases of it, and I'll still tell you it's rare.

~~~
Fuxy
Most of the industry wouldn't characterize themselves as "white hat"; just ask
them and they will say they're more "gray hat" than white hat.

At least in private anyway; if you ask them in public they're forced to keep up
appearances.

Now we can argue about the percentages all day but you have to agree being
"gray hat" and keeping the power on your side by not exposing your identity is
the safer way to go about it unless you want bragging rights, which is a whole
other level of psychology.

I'm not after the attention I'd rather be the guy who nobody notices.

------
Eye_of_Mordor
It's about time for legislation making it a crime to report whistleblowers to
the police and a criminal offense to search or seize their equipment. Perhaps
an independent review body could be set up to arbitrate these situations?

~~~
rlpb
It should never be a crime to report something to the police.

It should be the police's responsibility to make a decision about whether
reports should be followed up or not. We should hold the police, prosecutors
and the courts culpable for making reasonable judgements here, not random
uninformed members of the public.

~~~
betterunix
"It should never be a crime to report something to the police."

I am not sure about that:

[http://www.wired.com/politics/law/news/2008/02/blind_hacker?...](http://www.wired.com/politics/law/news/2008/02/blind_hacker?currentPage=all)

~~~
aaronem
False reporting is already a crime, and I think it's fair to assume that by
'something' (parent (parent)) meant 'a crime', rather than assuming that he
meant false reporting should be made lawful.

~~~
betterunix
Finding and reporting a security problem should not be a crime; neither should
whistleblowing. Sending the police after someone who demonstrates your
incompetence or corruption should be a crime.

------
amckenna
While I agree that the website's response and the response of many
organizations is overly harsh and draconian in situations like these, if the
teen in the story did use SQLi to exfiltrate 500 records then he crossed the
line. He should have just shown that the vuln existed without pulling customer
data. If the organization pushed back and said it didn't see a problem, then
he could offer to write a proof of concept to pull that data, but to just go
from discovery to pulling credit card data is a bad move on his part.

------
bertil
A lot of comments here:

- complain how white-hat practice is not well understood;

- advise to report, but anonymously.

It sounds like a simple enough website to set up. It would encourage script-
kiddies to report anonymously, send a warning to the right person, and include
explanations — maybe free best practice tips and references to known security
professionals if necessary. Now that Scheider is in the news, his name could
help reassure uninformed admins that this is not a racket.

I'm not a coder, and the furthest thing from a security professional, though.

------
vividmind
To me this is really weird. If a neighbor knocks on your door to tell you that
you forgot the keys in the keyhole outside you thank him, you don't call the
police...

~~~
nhangen
This is a bit different and would be like the neighbor opening the door and
walking into your bedroom to tell you.

~~~
ihsw
No, the kid didn't log into the website and make some postings to their
internal communication systems (forums, email listings, etc). He attempted to
contact them through official channels but was ignored.

After that, he went to the local news agency. This is totally different.

~~~
nhangen
OK, so he went into your room, you weren't there, and he came back to knock on
the door to let you know he went to your room to find you. It's close enough.

Edit: I just want to clarify that I don't think the kid should be prosecuted,
but I also don't like the fact that he went as far as to check for sensitive
information inside of their system.

~~~
genwin
It would be like a passerby finding your door continuously wide open, stepping
into your foyer and shouting to let you know, you weren't there or didn't
respond, so he told your neighbor to tell you. Then you call the police
because of trespassing.

------
eyeareque
It's sad but most people would rather you didn't tell them about a security
issue, until they get hacked and then they wish someone had warned them prior.

------
axilmar
I think the difference lies in finding the security hole and testing the
security hole. In most of the cases that the hacker is persecuted, the hacker
has tested the hole, i.e. downloaded data illegally.

If the hacker simply notified the people responsible before retrieving any
data, I don't think that the hacker would be persecuted.

------
suprjami
I wonder how it would go if you went to the police, showing them a website
which displays tens of thousands of customers' personal data, and tried to get
the website owner busted for violating privacy legislation?

------
thirdsight
And the Streisand effect occurs again...

------
qwerta
Perhaps he will get a medal from security officers, that is why he was
reported... Oh wait...

------
ams6110
Suppose while you were away from your house someone came to your front door
and found it unlocked. Assume he entered your house and had a look around, but
didn't take anything. He then later notified you that you had left your house
unlocked. Did he do anything wrong?

~~~
jerf
Physical metaphors DO NOT WORK in this scenario. This is not a house or a car
or commercial warehouse or anything else... it's a website. There are far too
many _relevant_ differences between physical locations and web sites for
metaphorical reasoning to work.

~~~
stcredzero
_Physical metaphors DO NOT WORK in this scenario._

Well, we need to know more about the particulars. It says it was SQL
injection. It's entirely possible, given the limited information, that he just
sent a correctly crafted GET request. In that case, a more apt analogy would
be a warehouse where stepping on a particular part of the sidewalk unlocks the
door.

------
guard-of-terra
Always pastebin it on reddit anonymously.

And if you care about users' private data being leaked, said users can always
use the assassination market to dispose of said sites' admin staff.

I'm dead serious on both points. I would love to see somebody die a violent
death over such shit as exposing user data and then reporting a white hat to the
police without even securing the system in the first place.

