
Hacker dumps thousands of sensitive Mexican embassy documents online - oropolo
https://techcrunch.com/2019/04/19/mexican-embassy-hack/
======
moftz
Any cables from the German Empire in there?

~~~
teddyh
Context:
[https://en.wikipedia.org/wiki/Zimmermann_Telegram](https://en.wikipedia.org/wiki/Zimmermann_Telegram)

~~~
adolph
My child and I recently read “Treaties, Trenches, Mud, and Blood” and found it
a very accessible telling of WWI.

[https://www.goodreads.com/book/show/18405492-treaties-trench...](https://www.goodreads.com/book/show/18405492-treaties-trenches-mud-and-blood)

------
daRealDodo
So normally he's a white hat that gets paid for bounties, but once he misses a
single reply he dumps everything to the public? This barely earns him anything
and puts government workers in unnecessary risk.

~~~
ggggtez
"Normally" is a strong word, when it seems pretty clear his "bounties" are
more like blackmail payments.

White hat hackers release bugs to get them fixed. This is clearly just a case
of extortion. You release a bug, you don't steal documents yourself.

~~~
Waterluvian
Done properly you'd discover that you could copy sensitive files. You don't
actually copy them.

~~~
burtonator2011
I kind of got in a shit storm with Sun Microsystems back in the day about
this...

One of their servlets had a query parameter like

/servlet/com.sun.projectname.SuperCrazyServlet?url=some_url_encoded_param

and I found out that it accepted file:// URLs.

They had the daemon running as root and I could read everything on the box.

Anyway. I sent them an email to webmaster and to a few PMs I knew but heard
nothing back.

About a week later I got a REALLY nasty legal as apparently they thought my
email was an attempt to extort them and not just a nice guy trying to point
out the problem.

I think they thought I downloaded source code ...

The PMs I emailed had to step in and vouch for me but I think that without
their help I would have ended up with a really shitty lawsuit.
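
The check that would have closed the hole described above, as an added example (Python rather than the servlet's Java, and not Sun's code or the commenter's): an allowlist on the scheme and host of a user-supplied `url=` parameter before anything fetches it. Function names and inputs are constructed.

```python
from urllib.parse import urlsplit

# Only fetch over the web; file://, ftp://, jar:, etc. are never acceptable
# for a parameter that a server-side component will open on the user's behalf.
ALLOWED_SCHEMES = {"http", "https"}


def is_fetchable_url(raw, allowed_hosts=None):
    """Return True only if `raw` is an absolute http(s) URL the server may fetch.

    `allowed_hosts` (optional, constructed for this example) restricts the
    target further to a set of lower-case hostnames.
    """
    try:
        parts = urlsplit(raw.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    # urlsplit lower-cases the scheme, so "FILE:///etc/passwd" is seen as "file".
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # "http:///etc/passwd" parses with an empty netloc: reject it too.
    if not parts.netloc or parts.hostname is None:
        return False
    # Credentials in the authority ("http://user:pw@host") are a classic way to
    # confuse naive host checks; refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False
    if allowed_hosts is not None and parts.hostname.lower() not in allowed_hosts:
        return False
    return True


# Even a correct URL check is no substitute for least privilege: had the
# daemon not run as root, a file:// read would have exposed far less.
if __name__ == "__main__":
    for candidate in ("http://example.com/page", "file:///etc/passwd",
                      "FILE:///etc/passwd", "http:///etc/passwd"):
        print(candidate, "->", is_fetchable_url(candidate))
```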

~~~
wolco
Never disclose things like that. It does nothing positive for you. You could
end up in legal hell.

If you really want it fixed post to pastebin and the traffic will bring
attention to it. But it's better to just ignore and move on.

~~~
lobotryas
Agreed. CFAA makes these kinds of disclosures stupid-risky in the USA. If the
company has a bug bounty program then MAYBE disclose. You only stand to lose
by trying to be a good samaritan otherwise.

------
tomatotomato37
To clarify, this is the Mexican embassy in Guatemala. I doubt there's anything
interesting in there beyond the usual political maneuvering of border
countries.

------
Simulacra
Did anyone else read the headline and think we were about to see a WikiLeaks
style dump?

~~~
techntoke
The hacker apparently had never heard of sharing the documents via torrent or
posting a link to them on the dark web.

------
downrightmike
I wonder what is going on between Mexico and Guatemala, given the large amount
of Guatemalans going through Mexico to reach the US.

~~~
nyolfen
You are in a marvelous position to find out.

------
sgt
But will this wake up the Mexican ambassador?

------
DyslexicAtheist
fair game:

[...] In previous correspondence with the hacker, he said he tries to report
problems and has received bounty payouts for his discoveries. “But when I
don’t get a reply, then it’s going public,” he said. [...]

Before we speak about responsible disclosure and call people _"hackers"_ in a
negative context, we have to talk about irresponsible QA processes. This is
true for both tech companies and anyone utilizing technology for whatever
means.

It's similar to saying: "yes I left a loaded gun there, but let's blame the
evil criminal who picked it up and did a bad thing", ...

... I'm not defending him. My point is responsibility has to be on both sides.
Today companies would rather participate in PR circle jerks (and mistake bug
bounties for real audits) instead of cleaning up their own actual security
problems.

Edit: in a similar thread this week we had WIPRO breached which then claimed
that they did everything

> “Wipro has a multilayer security system,” the company wrote. “The company
> has robust internal processes and a system of advanced security technology
> in place to detect phishing attempts and protect itself from such attacks.
> We constantly monitor our entire infrastructure at heightened level of
> alertness to deal with any potential cyber threat.”

If they were really using industry best practices against phishing they'd have
used U2F. Nobody is using it at Wipro though. CISOs today would rather point
to how well they've outsourced the problem (at least the damage control part)
by pointing at their insurance policies (which often won't even cover a
breach, and which do nothing to protect the user/data and only protect the
company bottom line). Talk is cheap, fuck them all.

~~~
ggggtez
I mean, it's not fair game though.

You can release a bug, tell other people how it works, publicly shame the
government into having better security. But stealing the documents and holding
the stolen documents for ransom?

Why _should_ they pay him? He's clearly acting like a criminal, not someone
trying to just make a living by making society safer. He's making it worse on
purpose because he didn't get his way.

~~~
DyslexicAtheist
I wasn't saying they should pay him. I don't think they should. But having
been on the receiving end of this behavior for far too long, my point is that
he should be listened to and not ignored like this. It would be OK if it were
just ignoring; I've seen companies very eager to use legal threats too,
especially if the researcher is an isolated individual and not a company.

It's not too much to ask to have a security@ mailbox and actually pay
attention to it. If you don't have a disclosure process in 2019 then there is
no reason you should have your systems exposed (whether that's a gov site or a
company doesn't make a difference) IMHO.

The moment you answered I was still editing my post trying to point out that
I'm not defending him. Sorry if there was an overlap here.

