Hacker News new | comments | ask | show | jobs | submit login
18yo arrested for reporting a bug in the new Budapest e-Ticket system (marai.me)
874 points by atleta on July 24, 2017 | hide | past | web | favorite | 309 comments

I remember coming across a serious bug in a site that belonged to a top multi-billion company. My brother also found what essentially an unrestricted privacy leak (and possibly editing access) in a top university (leaked data is sensitive personal information, not academic). Neither of us reported (or exploited) what we found.

Protection from this kind of blame-shifting and misdirected retaliation should be guaranteed by law. Until it is, bugs in critical and important infrastructure will go on unreported, and remain available for malicious actors to exploit.

I'm having trouble understanding what exactly an org's thought process is when they elect to prosecute someone for reporting a security issue.

Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

EDIT: Is it suspicion? "Hmm...this person found an unlocked door, which means they were clearly trying all the doors. Don't like that. Who knows what else they found but didn't report." Which is understandable, but clearly counter-productive. If the person was a malicious actor, they obviously wouldn't go to the trouble of reporting in the first place.

My guess would be:

- BKK is the client of T-Systems. They have a contract for the development and maintenance of this system which might contain clauses about liability or indemnification in cases of hacking, security bugs, negligency, etc.

- This guy reported it to BKK who obviously don't have any technical knowledge

- BKK (the client) forwards the email to T-Systems (the contractor): "What's this about? Looks like hacking or something."

- Now T-Systems has two options: 1. Blame it on the guy, or 2. Take the blame for overpromising and screwing it up, possibly taking a financial loss of an unkown amount (depending on the contract and how widespread exploitation was)

That's unlikely. Every if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and do then do acceptance testing. So the "BKK obviously don't have any technical knowledge" claim is bogus.

It's possible the particular BKK person dealing with the report does not have technical knowledge, but that's more a fail on BKK side as they let incompetent people to deal with reports of security incidents.

But I'd bet it's merely a matter of covering broken shit and shifting blame. BKK is (probably?) a public company, managing transport in the capital city. They manage a lot of money, and it's not uncommon to funnel lucrative contracts to friendly companies, even if it increases price and the quality is dubious. Whoever came up with this project / awarded the contract / accepted the solution is probably scared people might start digging into the details. Better blame the problems on a hacker!

> Every if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and do then do acceptance testing.

I don't think this is true. When you buy a house, do you have to be able to do the specification and evaluate? This is a good analogy, because T-Systems have delivered similar solutions to other clients, what they needed here is a little bit of tailoring and integration (which is not the part that failed).

It is common for a typical western government to have domain specialists, working directly for them, to help write the contracts and requirements for their external contractors and vendors.

In my experience, clients rarely have any technical expertise at all.

Definitely not the case. Huge numbers of SME clients evaluate tendered work on visual inspection alone. I've only had one or two clients ever (having worked in-house, contract, and for an agency) have had any knowledge of cyber security.

I think the hypothetical above is very reasonable. Lots of technical vendors will elect to shift blame. They should take responsibility for their issues, but they often don't.

Except that BKK is not a SME, but a company managing transportation in a city with nearly 2 million people. I've done work for similar organizations founded by municipalities (although smaller and not in Hungary), and pretty much all of them involved technically-skipped people in the process.

Perhaps BKK operates in a different way, but well - incompetence is not an excuse. It's a management failure.


Two wears ago it was Chinese hackers. And ten years ago it was American ones. So extrapolating, I declare the next year The Year of Indian hackers!

I think there is a disconnect in how techies and non-techies think about web security in general.

To push your analogy further, the non-tech person thinks of this type of exploit discovery as if someone has trespassed onto their private yard in the cover of darkness, trying every door and window.

A tech savvy person might instead think of it as a row of doors lined up next to a busy street, in broad daylight.

Knocking, and telling someone that they have "forgot their keys in the door" seems a bit creepy in the first scenario, but completely legitimate in the second.

I think that the second scenario in your analogy is somewhat creepy too. Why are they trying all of the doors? A person should have a reasonable expectation of privacy in their house, to be able to walk around in their underwear or whatever without someone just opening the door on them.

Edit: Note that in this analogy the keys aren't fully visible from outside and it requires opening the door to be sure that the keys were accidentally left out

If your security is "http://example.com/1234/secret_data/", but 1234 is your customer number, and changing the customer number gives you someone else's data, then the analogy is more like:

"the sheriff has told everyone that there's a bad dude wandering round town trying doors, and [responsible citizen] noticed that everyone had identical door-keys which would open every lock".

Is that still creepy?

I would find it creepy that someone was testing their key on other people's doors.

If I caught someone trying their key on my door I would call the cops, even if they said they were just testing it to see if it would work.

who is the sheriff in this case?

I'm the sheriff!

But all kidding aside, It sounds like the sheriff is the hacker. Who has discovered every lock is the exact same through investigation.

That said, a hacker isn't elected to protect people, they are doing it out of the "kindness" of their heart. What a lot of people get in trouble for is hacking first and asking for permission after.

If you go up to a company with a statement like: "I think you may have a vulnerability in your software. I haven't tested this hypothesis (you can verify in your logs), but with your permission, I could check it, and report back to you." Most companies would probably be thankful, others might instead get mad and handle it internally. But if you DON'T hack first, you have nothing to really worry about.

That seems unreasonable.

If I logged in to a service and saw an URL like http://example.com/1234/secret_data, calling them with a report of potential vulnerability would be a waste of their and my time 98% of the time. And there's infinite number of such "potential vulnerabilities" to report, too. Like on HN, I see I can edit my profile description over at https://news.ycombinator.com/user?id=TeMPOraL. I wonder what happens when I change the 'id' param? Better not try out, but call 'dang immediately!

Discovering an actual vulnerability in the first place requires doing something that could be considered hacking.

You consider it "hacking" to change a url from example.com/1234 to example.com/1235?

Ask Weev, while being a troll... Apparently he gets to go to jail for using numbers at the end of a url... ICC ID... So you try one number than another, then disclose it, and yeah... Go to prison. Welcome to America.

Sorry, I didn't word that correctly. I was referring to actually leaving the keys on the outside. What I was trying to get at is the mental image of a shady person skulking around in a backyard. I think many people have that sort of "what were you even doing there" perception of so-called hackers regardless of their flavour. If they instead realized that a public facing interface is something that will inevitably be explored over and over again, they would have a different opinion.

Never underestimate the diversity of the concept of Justice in those who are uneducated, unwise, and dishonest to what is real. If you try to trace this behavior you'll find truly random causes. There are an infinite number of ideas one can substitute for something they don't know or willfully ignore in their own perceived interests. The real problem is when those substitutions are guiding determinations for someone with authority over others.

I'll also add: when I was a teenager I've been in this position countless times, reporting security issues at school, etc. The reactions I received from fully grown adults was nothing short of stochastic. This fascinated me enough to minor in political science and philosophy/ethics. I draw on that for insight, but it doesn't really provide a final answer.

This. Executives who usually have no trouble treating engineers as replaceable parts, suddenly fail to believe someone else can and possibly has found the same vulnerability. They think getting rid of the one person capable of finding it is all it takes to be safe.

Because if they acknowledge it, it shows their own incompetence. It is much better to blame the issue on some "hacker" than to acknowledge that you failed. The latter might mean that you get kicked out by investors.

And multi-billion companies or governments are in the business of bending over customers and effing them. So another guy getting fked is business as usual.

> "Would they also prosecute a person who told them one of their doors was left unlocked after-hours?"

Perhaps not, but they probably would be tempted to prosecute someone who opened the door with a toothbrush and told them about it...

The temptation is to squash anything that comes along and potentially makes you look like you weren't doing your job properly (installing a better lock in the first place) rather than thank the person and then install a better lock, or fix the design of the lock.

maybe you're projecting your own ability to them, have you considered that maybe they are highly incompetent and do sincerely believe this was a cracking attempt on their system.

Then again there is this culture of making an example to discourage others to even try, similar to prison, which we know is not that effective if at all.

Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

Well, those aren't quite the same thing.

If someone told me I'd left my key in the lock, I'd say thanks and remove the key.

If someone told me I'd left my door unlocked after-hours, I might wonder what they were doing trying my door after-hours in the first place.

They paid a lot of money for a system they were told was totally secure, so damnit they're going to believe that despite any evidence to the contrary. Thus any bugs reported to them are not bugs but malicious attacks on their innocent system.

You fear what you don't understand

I don't know of it happening in hacking lore, but certainly it might be a strategy for a malicious actor to report a flaw so as to gain trust in order to exploit another flaw.

I was more naive, but it worked out. Reported a vulnerability and how to fix it to a regional bank when applying for a student loan. They asked me to come in person to explain it and dropped a point off my interest rate.

In hindsight it was a huge risk and I was dangerously trusting.

If you are nice and don't threaten to publish, at least without giving them any time to fix it - which for a large back is a couple of months - then I don't think it's a risk at all.

What they don't like is the publicity.

Edit: but maybe not in Hungary. It's the bad child in EU.

In Poland there was a case few years back of a company (I have no idea if that means a one person company or a bigger one) owner finding out by putting a name of his client into google that it indexed documents containing private information of over a 1000 of companies that are clients of PKO BP and reported it to the bank.

At first the bank security department said no one will find it so it's safe and later when he pressed the issue as a dangerous leak they reported him to the police for "hacking and extortion". All the computers from his company got confiscated for investigation so he had to buy new computers and software to continue running his company. In the end he was found not guilty by the police investigation of his computers so the prosecution dropped the case (it didn't even go to court) and all his stuff returned after 6 months.

Source in Polish (sorry, there is no English source): https://niebezpiecznik.pl/post/glebokie-ukrycie-danych-w-pko... http://www.tvn24.pl/wiadomosci-z-kraju,3/haker-mimo-woli,132...

Bank spokesperson later explained that the files were "deeply hidden" ("głębokie ukrycie", he said it's an IT term, it's not) and only one person found them in 4 years of their existence there so it's not a big deal.

And in general misusing, testing, etc. a website is illegal without owners permission, there is now a small exception for acting in good faith but it's narrow, a bit strangely worded and it doesn't prevent stuff like above.

Ah, yes. Actually Poland is the other bad child in EU...

The European commission is currently threatening to remove Poland's voting rights due to the changes to the juridical system, but it will not happen as Hungary will veto.

I think they are on their own cultural axis somehow.


> Poland is very much its own cultural axis since last election

Election results are largely a reaction to existing "cultural" state. I don't think it's accurate to consider them to be changing it (think "effect does not imply cause").


> The thing is that PiS, Kukiz and TVP have normalized and brought into daily life in Poland extremely aggressive language and rhetoric.

Same thing as with Trump. It's because literally nothing else works today against self-righteous leftists.

You said in another comment that majority of Poles would rather leave EU than deal with the Islamic mess. AFAIK the most credible opposition to the current government is still PO, who were the ruling party before and literally in the last days of their term they signed an extremely unpopular obligation to accept forced resettlement of German Muslims, which the current government had to backpedal from, damaging the country's international credibility.

The Polish government doesn't really have to do anything to stay in power indefinitely now. Until something changes on the political scene and a credible opposition arrives which isn't a puppet of Brussels, it's enough that they shake their fist at Merkel's social policies every now and then and they are literally guaranteed to win every election forever.

Poland is drifting towards Russia.

To clarify: they're drifting towards a political system reminiscent of Russia today, but they would never ally with Russia. The Soviet regime is still fresh in the zeitgeist's memory.

Unfortunately they just need a "bigger evil" to forget it and move into their arms.

> What they don't like is the publicity.

> Edit: but maybe not in Hungary. It's the bad child in EU.

The article suggests that they reported this guy to the police only after the info leaked out (or possibly was independently discovered by others) and made it to the press.

Scapegoating of non-malicious hackers isn't really anything new or unique to Hungary. It's a common reaction of IT-illiterates to people "cheating" on their systems everywhere.

I've reported two vulnerabilities. One to a fairly large web hosting provider that allowed me to access the databases of anyone else on the shared server my website was on. Another to a major credit card company -- Given a person's first and last name I was able to see what kind of credit cards they had.

In both cases, they fixed it, thanked me, no arrests or threats were made. I think your experience is only outside the norm in the sense that you got monetary compensation out of it! Nice!

Had a similar issue with Wolfram Alpha some years ago. I reported a dozen different XSS vulnerabilities to them and their answer was: "We forwarded this email to our legal department.".

So even technical companies can react in really silly ways.

I think legal's involvement is perfectly normal. Part of damage control consists of figuring out the legal ramifications of the product/service having technical vulnerabilities. Especially if those vulnerabilities leak customer data.

What isn't cool is legal deciding to go after the party disclosing the vulnerability.

Not having much experience on this subject, I have to ask: would you not get your developers to verify that the vulnerability is there and fix it while the legal department is doing its thing? The vulnerability is already out there, and the sooner it's fixed the better. While would they forward everything to their lawyers first thing?

If the email contains code or something that looks like code, or otherwise looks like it is discussing technical things it is not unusual to run it through legal before letting any engineers see it.

That's because companies routine receive unsolicited product proposals, ideas for new features or enhancements, and the like. Often these overlap with things they have been working on internally but that are not known to the public.

If they let engineers see these unsolicited mails and then later come out with an even vaguely similar feature they may find themselves in an intellectual property dispute with the emailer.

Aw gee, that makes sense, yes. Never worked for a company big enough to need this. Also, I'm in Italy, so some things might work differently here.

I get where you coming from but I would still encourage people to report. Most companies will want to fix and hush it up.

I have previously found a way to access very personal information in a large corporate billing system. When I contacted them I specifically used careful language that what I'd done was unintentional, and easy mistake that could lead others to this, that I kept zero data and exited the system as soon as I realised 'my mistake' and was very surprised. Basically enough that 1) If it should go to court the situation would be in my favour as much as it can be and 2) Given they were a well know public retailer I figured this would hit social media and make an uproar about the company should they act badly.

Initially I contact several people in IT and heard nothing. Six months later when I noticed this was still open. I then contacted the CEO. Expecting nothing or canned 'thanks', we was thankful had some followup contact about the issue.

I wont say there is no risk, but I think its the right thing to do and risk seems minimal. And you can always do it anonymously.

Doing the right thing is admirable. Doing something that helps a little bit, when the group that you are trying to help may or may not try to destroy you, seems like its not such a great idea. If a company doesn't have a set of published procedures for reporting a bug its not worth helping them

It depends. Sometimes the organization may be handling your personal data, other times a bug in some Ukrainian tax software may be exploited and cause downtime in a global shipping company.

I realize that big incidents are probably the only way to get laypeople to care about IT security in the long run, but still it may be preferable to help averting them when possible for various quite practical reasons.

> And you can always do it anonymously.

Assuming you have done the hacking anonymously in the first place.

Yeah, you have to consider if there might be logs likely showing you to be the only person to have used the system in the manner you described.

That's yet another reason to run something like Qubes OS, split up your online presence into distinct "domains" and heavily firewall each domain, only connecting it through VPNs and/or Tor in most cases.

Because TOR is safe...

What I would suggest is report the bug in an anonymous manner if possible. They're not going to be able to do much if you report a bug anonymously I would think? I mean in the case of people who find bugs by "accident" I mean I'm guilty of messing with a URL here or there to get the true HQ picture of a website.

Maybe they could use some threatening instead of a proper report. Go to a public spot, open up a Tor browser, then report the vulnerability. Something like this:

"I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention."

Maybe they will panic strongly enough to actually do something about the issue.

That is quite straightforward and makes it clear from all perspectives.

From the hacker "hat classification" perspective, that's obviously black hat, nothing gray about it.

From the legal perspective it's not a debate anymore (like in the original article) if you do this, it's clearly a crime, if you get caught in whatever way (e.g. by bragging about it someplace later that leads to your person, or by testing a "discounted" pass in some place that has cameras), it's a straightforward conviction for extortion.

From the ethical perspective, that is an unethical action, doing that shows that the person is immoral.

But you are right, yes, it can be quite effective, and definitely makes it more likely that they will panic strongly enough to actually do something about the issue. It's just that if this happens, then it's not sufficient to just fix the hole, identifying and catching the perpetrator becomes a big part of what they should be doing.

My understand was that you just threaten to do those things but don't actually follow through on those threats. Then it's grey hat and ethical but still not legal. If they actually pay the bitcoins and don't fix the issue then you despair and go on with your life. It's hard to spend the bitcoins without deanonymising yourself, but you can try to give them to charity or something.

No, simply making that threat ("send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database") is very definitely a crime (and black hat, and unethical) even without any followup.

That's as classic as it can be, there's nothing new or technology related about this - for example, sending an anonymous message "Send cash or I'll burn your house" is a crime (and unethical) even if you don't burn anything. It is a crime (and unethical) even if you're just making an empty threat and never intend to burn anything, it still is extortion.

Arson is one crime, and extortion is a separate crime punishable by itself. If you don't attempt to delete their data then you (obviously) don't get charged with deleting their data, but making threats like that is not acceptable in any way (legal or ethical) whatsoever. Once you press "send" on a message like that, you've crossed a very serious line.

Like I said above, it is a crime. But it's ethical because it's intended to force them to fix their system before someone does something much worse.

Do you believe that you have a moral right to force them to do anything?

Is there a moral imperative that they are morally required to secure their systems and that others should/could demand that they must do so? It definitely could be in certain cases (for example, a hospital storing confidential data of their customers), but in the usual situation where it's just their data and their money, isn't that their moral right to decide how high a fence (if any!) they want to build around their property?

Telling someone "hey, you forgot to lock your door" is a good thing, but ultimately IMHO it's their decision if they want to lock the door or accept those risks.

Yeah, I agree 100%. But in a lot of the cases mentioned in this thread the private data of the company's customers was at risk. For example system in the original article allowed you to access other people's name, address and national ID number. I was thinking only of situations like these, there's no reason to threaten a company if they're the only ones at risk.

Okay, if private data of the company's customers is at risk, then it is a reason to push for some action, but it matters how you do it. In this case I don't see a big need for reinventing the wheel - this is a common issue for which all the options, pros, cons and risks have already been discussed and there is a somewhat clear consensus (with some debate about nuances) on the expected ethical action, and that is https://en.wikipedia.org/wiki/Responsible_disclosure or http://www.cert.org/vulnerability-analysis/vul-disclosure.cf...? . Many nations have some more specific guidelines issued by e.g. their local CERT that are adapted to their local legal situation.

The process works reasonably well even if the vendor is not cooperative. In that case it is somewhat similar to the message proposed above, but substantially different - first, the threat is not that you'll destroy or publish their data (which is extortion) but that you'll publish your description of the vulnerability (which generally is not); second, the threat is not that you might consider damaging the data (i.e. stating that you'd be willing to do an immoral thing) instead that some other immoral people might damage the data; and third, the disclosure is not conditional on receiving money from them.

I can see that the proposed threat was meant in the same direction, and is somewhat similar to the "threat" implied in general responsible disclosure, i.e., if you don't fix it in 45 days then we'll publish info that most likely will mean that you'll get hacked. But it's substantially different, the details are quite important, and you'd need a good reason to deviate from the standard responsible disclosure guidelines.

I mean, what do you do when after sending a message "I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention." you see that they have not fixed the issue but have transferred the requested Bitcoins? It'd be a possible direct result of your actions. Is that a desirable outcome? Is that an ethical outcome?

I really can't see how this is unethical or immoral in any way.

You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"? It's obviously a crime.

> You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"?

I do, however loup-vaillant's post also contained the following, which makes it not immoral nor unethical:

> accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time>

Also, you need to panic them, you do not necessarily need to delete or copy their data (but even if you did, I see nothing evil in it. They are the ones that refused to fix it within the time given after all).

> It's obviously a crime.

Doesn't mean that it's immoral or unethical.

If you point out that my front door is unlocked, and I decide to keep it unlocked forever (i.e. refuse to fix it), then it doesn't mean that it somehow becomes ethical to enter my house and take my stuff. It might be stupid on my part to keep it unlocked, but a thief is still ethically a thief even if I carelessly kept it unlocked forever. My "door" might as well be a line in sand or a sign "don't enter" on a pathway - not a security measure at all, just an indication where the boundary is, but still unethical to cross it. Much more so would be sending a note "lock your door, send me money or I'll take or damage your stuff", as in the original example.

Threatening to harm someone unless they do what you say is immoral even if you don't harm them; it's not ethically acceptable to threaten others.

If you had classified information behind your open door, you could be sued if anyone stole it (or worse, depending on the level of classification). Sometimes, one is legally required to take appropriate steps not to unwillingly disclose information. I believe users' personal information should fall under this category. (I believe it does in some cases.)

If your leaving the door open leaves not only you, but others, vulnerable, the discoverer of the broken lock may very well have a moral obligation to protect those innocent people, by whatever means appropriate.

What is appropriate depends on the situation. I expect in most cases, just telling you the door is open may be enough. But if you are being particularly obnoxious, threats may be the only way. In some extreme cases, burning the house down to avoid the disclosure of the sensitive information that would harm countless innocents may be the best course of action.

The legal system even have analogous situations, where a judge can order the orderly destruction of some unsafe building. The only (yet crucial) difference is, judges aren't vigilantes. But this is fixable: one could have the law allow the vigilante to send a cease & desist letter saying "fix your door or I'll have a judge burn your house down".

It's obviously a crime.

Perhaps. But being a crime does not automatically mean something is immoral or unethical.

So you should just become a malicious actor and actually break the law? Good plan.

Becoming a malicious actor, no. Looking like one, definitely. Break the law, most probably. Also, I would rather threaten to publish if I did this for real.

It's risky and scary, but also the right thing to do in some cases.

You could also fail to report at all, and let their ship sink. Maybe they deserved it.

What difference does it make if the outcome is the same?

Not the outcome for the informer in case one gets caught and accused of threatening for ransom.

Better hope you've not left any evidence on their systems then, you know, like a discounted transport pass.

Wrong. The latter half should read:

You have <this time> to fix the issue, or I <copy or trash> your database.

Asking for extortion does not push them to fix their systems, only to pay you and/or find you.

I have read some advice in the past that one should report vulnerabilties via officially known independent security related group (white hat) or via a journalist. The point is to get some legal backing just in case. Does anybody have an experience with such way?

In France, you can report vulnerabilities to the ANSSI (National Cybersecurity Agency of France). The agency stays somewhat neutral between justice and the company with vulnerabilities since ANSSI must protect confidentiality of their informer. Informations can be sent by email or postal service.


I report all the vulnerabilities I find to the NSA. Very nice people.

I understand that it's good to have cover for this sort of thing.

I think the line is pretty grey though.

One analogy is telling a company that their front door is unlocked.

Another analogy is going into an unlocked front door, and going deeper into the building, and then reporting to the company that you could, in fact, get to classified information from this door.

IRL Pentesters get permission before trying to sneak into buildings, so there's some argument for it being the same for these sorts of things.

EDIT: I 100% think that users that are acting in good faith shouldn't be thrown in prison. This case is a pretty good example of this

Note: the nature of the reported vulnerability was such that the teenager didn't even have to access the servers to do it —only change a value that was sent by his own browser.

If that was tantamount to not-breaking & entering, it means the it is okay to legally forbid step by step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides (here, the price of the ticket), must be observed by the rest of the system (here, the price sent in the HTTP request wasn't the price decided by the web page).

The consequences of such thinking are chilling. If this is the kind of cyberpunk we're heading to, I'll seriously consider becoming a Runner.

On the Internet there is also the problem of remote attackers. Even if you preemptively jail all people in your jurisdiction, your system still isn't safe. It doesn't make any sense at all to call sending some malicious data to your server "breaking in" when anybody and his dog can do it from the comfort of their chair on the other side of the planet.

it means that it is okay to legally forbid step by step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides, must be observed by the rest of the system

I don't know about Hungary, but in the US the DMCA has exactly these provisions.

When you test for a vulnerability, many times you don't know whether it actually works unless you go "deep into the building".

In this situation, it would have been difficult to report the parameter tampering without verifying that it actually worked (there're systems that pass params back and forth without apparent use, but they throw an error when client and server states don't match) - and, most probably, the report would have been ignored without the verification.

Exactly. Often to validate the door is unlocked one needs to use the knob and open it a little - shall one get a permission for that just for a sake of a check. Is this already a breach to open the door without crossing the threshold?

Friends of mine have a small company (and a nice Ultimaker 2) and left their front door wide open, lights on and went home one evening. However one manages to do that. I called them, stayed a bit to secure it and since then it's free print and free beers for me :)

I disagree. It's more akin to trying the handle on the door, and noticing it's unlocked, and then telling them, and being arrested for touching the door handle.

report anonymously!?

Why didn't you report it?

Seems somewhat negligent - at the very least from a Good Samaritan™ point of view

You're replying to a comment about news of someone being arrested for a similar thing.

There's such a thing as anonymous reporting

What if you don't do it anonymously enough? And they trace it back to you? Not that this has ever happened (I have no idea. I'm assuming not). But being paranoid isn't unwarranted either.

If he reported it, he runs the risk of the company turning on him (as was the case in the article above). If he doesn't report it, nothing happens.

It's a choice between the certainty of no loss vs the possibility of great loss.

If he does not report it, and somebody else does, then he runs the risk of being rightfully accused of hacking, as the motivation can be understood as financially motivated.

Budapest != United States

You're often opening up yourself to a LOT of bad exposure, where you'll be accused of hacking the software (along with the 20+ jail term this might eventually entail) and just generally putting the spotlight on yourself as a potentially dangerous person.

Better to report anonymously, or report directly to someone who might appreciate or is responsible (and hope they appreciate responsible disclosure).

Did you not see the top post?

Reporting these things can get you in trouble. Once burnt twice shy.

That's how the DMCA works. Remember the guy who gave a talk about Adobe's PDF creator which purported to produce "secure" documents (required a password) but the feature was easily bypassed.

Adobe had him arrested the day after he gave his talk.

Link to a Wired article here: https://www.google.com/amp/s/www.wired.com/2001/07/russian-a...

EDIT: I have a terrible memory-- thanks to the folks who replied to my comment with corrections.

> Adobe had him arrested on the stage as he gave his talk.

I was there!

The FBI arrested him in a hallway, 1 day after his talk. Dmitry at first thought it was a joke put on by a Defcon prankster.

During his talk, the panel moderator asked Dmitry to pause for a minute... and said "Would you mind saying 'Can you tell me where are the nuclear vessels in Alameda'?" Dmitry was confused by this request and said, in his Russian accent, "I do not know where the nuclear wessels are in Alameda?" The mostly American Trek-familiar audience had a good laugh, and Dmitry continued with his talk.

Sounds kinda mean spirited to mock of the accent of someone who is presenting in their second language.

A lot of the amateur security scene is pretty mean-spirited, unfortunately for anyone trying to get into it.

I believe it isn't about mocking but making the point about US / Russia and nuclear weapons

I'm confused by his request as well, I can't understand why he asked it. Any context?

I think it is a Star Trek reference.

Yep, Hungarian story. And indeed the law in this case is not that bad at all. It doesn't penalize what the guy did. The sad part is of course the corporate & governmental reaction, the frightening part is that the police was so eager to jump in and overreact.

This story takes place in Hungary.

But inspired by the DMCA, the EU has also adopted anti-circumvention legislation. Though I'm dubious either would apply here, as this would be very difficult to spin as a copyright issue.

Has it? Can you link to it?

General info: https://en.wikipedia.org/wiki/Anti-circumvention#European_Un...

More about the directive: https://en.wikipedia.org/wiki/Copyright_Directive

Actual text of the directive: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:320... (see Chapter III, containing things like "Member States shall provide adequate legal protection against the circumvention of any effective technological measures" and then going on to define "effective" to mean "not necessarily effective")

Some parts have been amended (for example, copyright duration has been expanded from 50 to 70 years after death), but I believe the anti-circumvention parts to be unchanged. I'm not sure how to find up-to-date codified versions of EU laws, though.


A few years ago I also found a serious bug in a debt collection agencies web software. I ordered a phone and neglected to pay import tax and was chased by the agency. I found their website and saw that they developed their management software in-house and made it available for purchase for other agencies.

They offered a demo which I used to navigate around, in the demo was a reporting tool which essentially allowed you to send raw SQL queries to an AJAX endpoint. Something along the lines of:

http://demosoftware.com/reports/ajax.php?sql=SELECT * FROM debts

I switched out the demo software domain name for the live version and it worked, not only could I query the database there was no authentication preventing me hitting this end point.

At this point I was left with a dilemma, do I "erase" my debt, do I disclose the bug and pay the debt, or simply pay the debt and move on. I chose to pay the debt and move on due to fear of any recriminations. However it has left me uneasy ever since knowing that this company have such bad security and any debtors they are chasing for payments potentially will have all of their personal data leaked.

You don't erase just your debt, you open up Tor browser and drop the entire database. That'll teach them for next time.

> you open up Tor browser and drop the entire database

Apart from being a federal crime (CFAA), it would be rather obvious by the logs that a user was testing SQL injection on the demo system minutes before the production system was vandalised.

A better option would be to pay the debt, and then let them know you found a potential issue on their demo system. Let them connect the dots between demo system and production system. If they can't make the logical leap, then they deserve whatever someone else does.

Well obviously if you do that you wouldn't be testing the SQL injection for your main connection to begin with.

I'm not arguing against paying the debt - I would pay it in either case. However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

> However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

I understand the feeling here, but no, they don't deserve to get their assets destroyed because of a lack of care.`

Why not? Destroying the company means they won't be there anymore to put everyone's PII at risk.

Because private property is a cornerstone of a free society?

You can't just destroy someone else's property because you have some personal anarchist notion of justice.

If they are really being negligent then they should face the proper penalties.

Well the issue is that there are no penalties. Only free money for lawyers and nothing for the people who got their PII stolen.

Dropping the DB means there's no more PII to leak, makes a pretty good financial penalty for the company and doesn't make millions for useless lawyers. That sounds like an acceptable solution by my standards.

Better to pay your debt, wait till your PII has been removed, then issue a public disclosure of the bug.

Public disclosure because everybody should know about something like this that may impact them. Not because some random vigilante will see it and drop their DB for which they probably have no backups.

Make a backup for them first too, just in case they don't have one..

This is very evil...

In most of my D&D games it might be considered chaotic good depending on the debt collector.

Such companies are usually extremely shady and unethical, I would not consider it evil at all to delete all of their recorded debts via tor or something.

Would you gladly go to prison for it?

An interesting moral query: how much debt erased is worth a prison sentence of X years?

No, which is why I mentioned tor.

In case anyone feels like doing something like that, this talk is worth a listen:


A talk on how Tor users got caught. In a nutshell: it wasn't Tor's fault, but bad OPSEC on the part of the users.

Also, it is worth considering that debt collection agencies are very good at finding people, and very bad at upholding ethical standards. Going to prison is not the worst case scenario.

Is it actually profitable to do that sort of unethical activity though? These aren't exactly loan sharks right?

If you think you can't get caught because you use Tor, I know of a few people who can testify otherwise. See, e.g., Ross Ulbricht and Christopher Grief, to name a few.

Go to the public library and use a pc there? Or a free wifi in a mall?

See the previous point about Ross Ulbricht (arrested in a public library)

This is where anonymous notification / bug reports are useful, and then follow ups in public if no action after a period of time.

I personally would have said to them "Would you like a fair trade? I've discovered a huge problem in your software that could allow anyone to remotely wipe their debt without you really knowing about it. I'll give that information in exchange for elimination of my debt. The money you'd lose from me is utterly dwarfed by the money you'd save by locking down this security issue, an issue which many bad actors would pay millions for. It makes financial sense and you'd be covering yourself security-wise. Win-win for all involved!"

Sounds like you are threatening them. The idea is OK but the language should be much more subtle to be effective.

In my country, the laws are draconian and totally against this kind of responsible disclosure. But being a good guy, whenever I find something I write a strongly worded email explaining why the company's IT department messed up, how to test said mess-up, and how they can hire my company to ensure these kinds of stupid things don't happen again.

I've reported several of these issues, sometimes all I get is single reply months later saying: "fixed".. mostly, nothing.

Once I found a SQL injection in a courier service's (very broken) web portal. This was very serious because any idiot could drop all the tables, so I sent an email to the most important worded member of their tiny, yet already bureaucratically structured team. I followed up several times because I knew someone saw my email (I embed beacons in my emails) but gave up after the sixth time. Three months later someone else replied saying "thanks Amin, we've fixed it"

On a separate occasion, a large government agency's emails routinely ended up in my spam folder. It was a huge problem, and they acknowledged it and said they couldn't figure out what was wrong. I took five minutes and found the problem to be a misconfigured server on the domain. The server sending the email thought it was `server-a.governmentdomain.com` but there were no DNS entries pointing the subdomain to the server. I reported this problem with clear instructions to test and fix the issue, but I was called despite the instructions, multiple times, to explain the issue with my words over the phone. This was 2 years ago, last I checked, the issue was still present.

Offering your company's services could be risky. Whatever your good intentions, it could be portrayed as extortion.

That's why you speak to a lawyer first, the law is an ass, and they're the right tool for telling you how to avoid these nasty little traps.

...provided the law in your country really works.

If they use Google's GSuite for their emails, I think that prefetches all content and makes beacons pretty useless (by design).

They don't, usually companies in my country opt for a home rolled solution, or Microsoft Outlook.

That aside, Streak.com's beacons work even in Gsuite readers! They're awesome. It's essentially just a unique image included in the email body.

How do you embed beacons into your emails?

<img src="https://my.server.net/beacon-uuid.png" height=1 width=1 />

Streak.com does it for you, it's awesome

Two takeaways, one from this and one from my other past experience.

First, when testing whether you can change a price and have a transaction go through successfully, RAISE THE PRICE. If you lower the price the affected entity may come back and say "See??? He's STEALING from us! Lock him up!" If you've overpaid for something through their web interface that complaint and issue goes completely away.

Second, if you're going to suggest that they contact you for assistance in fixing it also suggest other options. My typical handling for this is with hacked websites, so I'll basically say "Your website has problems X, Y and Z. You should work with whoever you have working on your site to resolve these. If you don't have anyone I may be able to assist you, or I recommend talking with a firm like Sucuri.net which has dealing with and preventing issues like this as their primary business. (My only link with Sucuri is having seen some of their folks do presentations at trade shows.)"

3rd takeaway - don't do this in turkey unless you want to end up in a literal Turkish prison.

4th takeaway - the Budapest metro system doesn't quite go that far...

> If you've overpaid for something through their web interface that complaint and issue goes completely away.

Or it doesn't, because you have still "hacked them". Doing it in a seemingly bizarre way may only raise more suspicions; obviously you must have maliciously cheated them, since who would give them money?

Please don't put people at risk by giving such "advice".

What I was talking about was the question of being accused of theft (by having completed an order/purchase after lowering the price). This was also in the context of someone already intending to push a transaction with an attempted price change. At that point nothing you do with the price is going to prevent a "hacking" charge if there's going to be one, but you may be able to prevent a corresponding "stole from us" charge.

Side note: this page gives me the weirdest Firefox behaviour I've ever seen: https://gfycat.com/HandyRapidJabiru

That is weird! Would you mind providing your system configuration and Firefox version info so I can file a bug? (Or you could file one here yourself if you're so inclined: https://bugzilla.mozilla.org/enter_bug.cgi?format=guided#h=b...)

Do not file a bug, you might get arrested.

Using firefox too, I cannot replicate the behaviour. Could it be something from your side of things causing this ? Have you tried turning it off and on again ?

I am having this exact issue.

- Firefox 54.0.1 (64-bit)

- Arch Linux 4.11.5-1-ARCH

I'm on the 4.11.9-1-ARCH kernel, but same Firefox version. I'm only able to reproduce with the Zotero addon enabled, are you using it too?

I also have this issue, interestingly also on Arch. I also seen other site with that issue before but I can't find it now.

I want to emulate that behavior somehow.

So I tried but the results were... um, unexpected: https://gfycat.com/negligiblesnivelingastarte


    var db = document.body;document.onscroll = function(){db.style.transform = 'scaleY(1)'; db.style.transform = 'scaleY('+db.scrollHeight / (db.scrollHeight - db.scrollTop)+')'}

That looks like it would be a good April Fool's Day prank.

It seems from the code you first stretch it out to Infinity and then when scrollTop is bigger than scrollHeight, you go from negative Infinity back to 1. Negative values of scale() 'mirrors' the element. Maybe make sure scrollTop is never equal to or bigger than scrollHeight.

This result is by itself amazing, but if you want to make it behave a bit more like the bug you can set the transform-origin to "center bottom".

That's probably the weirdest browser behaviour I've seen on any browser! I don't even know how I would describe that to someone :/

Like it's printed on some form of mathematical hyper-rubber sheet, and scrolling pulls it down until it stretches into invisibility, rendering the next rubber page visible.


It looks like the scrolling in Firefox is implemented in screen-height tiles, and when he's scrolling it's picking a smaller and smaller portion of the top tile (as the top portion of the tile is scrolling out of the window) but not updating the bottom coordinate of the rectangle it's supposed to render to (so instead of moving up, instead the smaller and smaller portion gets stretched out to fill the window). Then when the top tile is supposed to be completely off-screen, it jumps to the second tile in one go.

We've seen two[1] cases[2] of this in Denmark in the last couple of years surrounding systems that kindergartens are using. The second one is currently (still) being investigated, but the first one was rightfully concluded earlier this year with the "hacker" being acquitted.

In both cases, it was dads of children in the institution that noticed the bugs when they were rightfully using the system and were ignored when notifying the responsible party about it until they "shouted it so loudly" that they couldn't be ignored anymore, in which case they were reported to the police for hacking.

Links below are in danish, but they can probably be translated if needed.

1: https://www.version2.dk/artikel/boernehavehackeren-frifundet...

2: https://www.version2.dk/artikel/interview-hacker-tiltalt-jeg...

"this outrageous move from the police brought about fierce reaction resulting in tens of thousands of 1-star reviews on the facebook pages of the companies involved"

In the old days, protesters used to physically go and picket in front of company offices. These days, protesters leave one-star reviews. I wonder which is more effective.

Yep, a few people were frowning, especially since the democracy is in pretty bad shape in Hungary right know. However, in this case it works: it will be seen and remembered longer this way. Also, there were quite heated discussions on facebook, the case received a lot of attention even from non-tech people, the guy will be represented by the lawyers of a human rights association, etc.

And actually there will be a protest in front of the office of the Public Transport Authority tomorrow. But I think in this case, the online petitioning worked pretty well.

As every other country on earth right now, Hungary is not a democracy at all. So there's that.

At some point we need to understand the novlang used here, by squatting the word democracy to label the political system based on elections, people in power manage to prevent to emergence of an actual democracy.

Please stop misusing this word so we have a better chance of actually having a democracy somwhere at some point in the future.

Please stop misusing this word so we have a better chance of actually having a democracy somwhere at some point in the future.

Please stop promoting democracy as the be-all end-all of systems for organizing human society. As the old saw goes "Democracy is two wolves and a lamb voting on what to have for dinner. Liberty is a well armed sheep contesting the outcome".

A practical democracy must be an abstraction of a pure, idealistic democracy. You cannot have millions of people deciding on every issue. Democratically elected representatives are one way we can do this.

There may be better ways of doing things but it doesn't make democracies not democracies.

> You cannot have millions of people deciding on every issue.

From a technical perspective, this is clearly untrue.

> From a technical perspective, this is clearly untrue.

It's impossible if you take “every issue” literally, as you are multiplying the number of pdecisions that must be made by each participant per unit of time so much that the time to consider them is non-existent.

It's less impossible if you reduce it to the kind of decisions typically made by a legislature, which mainly just sets rules for executive and judicial officials to apply in deciding more specific issues.

But even then it's of dubious practicality; obviously not every citizen can have a full-time legislative staff, and most of other things besides legislation to devote their time to.

"democracy is in pretty bad shape in Hungary right know"

I thought that Hungary has a democratically elected government. Did I miss something?

There's a saying that democracy is not when a government gets installed by fair elections, democracy is when a government gets removed by fair elections.

Hitler was democratically elected as well, that is not sufficient to label his regime as democracy.

> Hitler was democratically elected as well

No he wasn't, it is not that simple. His party at that time had no majority despite being the largest one. He got appointed chancellor not by democratic vote but by backroom negotiations - mostly because he was expected to be easy to control.

From this state he went for the dictatorship but again not by democratic election but rather by scaring the other parties into voting him the Enabling Act in 1933 after the supposedly communist-inspired Reichstag Fire.

"Democratically elected government" does not imply "democracy is not in bad shape".

We have several examples of such situations right now.

"Democratically elected government" implies that it is not a democracy but anything from aristocraty to plutocracy with q few things inbetween such as kleptocracy, oligarchy, etc.

The very definition of election means aristocracy. To have a democracy it requires sortition instead.

Yes, you probably missed a few lessons in high school. When I went there, I was taught that separation of powers is an important element, amongst others. This clearly does not apply to Hungary anymore, as the highest juridical power is an inner circle person (Tunde Hando), other important positions have also been filled with Fidesz's (the ruling party) people without any consensus with the opposition. This includes the constitutional court, the president of the republic (wait, what? Hungary is not even a republic anymore :) ). The police got and executed on direct commands from the PM.

But if you don't like that, here's a short excerpt from Wikipedia: "No consensus exists on how to define democracy, but legal equality, political freedom and rule of law have been identified as important characteristics."[1]

We don't have any of these. Or, to put it in an easier to digest way: all of these have been regularly (and increasingly) violated by the govt.

As probably a fellow Hungarian who likes (is emotionally attached to) this government, I understand you are OK with it, but it doesn't make the current system any more democratic. Fun fact: the Kadar system called itself democratic too. But it's judged from the outside, for obvious reasons.

[1]: https://en.wikipedia.org/wiki/Democracy#Characteristics

Here's Human Rights Watch on Hungary: https://www.hrw.org/europe/central-asia/hungary

Much of it focuses on the treatment of refugees, but you'll also find information about the suppression of free speech and the like. A "democratically elected government" in a country where the opposition is suppressed is not that democratically elected after all.

Only the sentence about refugees is true, but that has nothing to do with democracy.

<tinfoil>Financier and philanthropist George Soros of the Open Society Foundation announced in 2010 his intention to grant US $100 million to HRW over a period of ten years to help it expand its efforts internationally.</tinfoil>

So does Russia. And many African countries.

I'm as much of a curmudgeon when it comes to slacktivism as you can get. But damaging a companies online presence with negative reviews, ratings, posts on social media, blogs, and more, will live on. It will hurt the company quite a bit. In this case I think the online element is quite effective.

Also there seems to be some irl protesting going on as well, at least in this case.

Honestly, I wouldn't be surprised if the reviews are effective—I bet reviews are a metric that's tied a lot more directly to executive compensation/promotions than "number of people protesting outside HQ"! Both attack the company's reputation, and, unless a protest gets on a major news network, I suspect acting out on Facebook has greater reach.

Furthermore the 4500 1* review is there to stay and a single protest fades away :)

Having 1.1 avg review on the T-Systems International's official FB and Google page can affect the sentiment of their investors.


When the story made it to Slashdot's front page, it had ~46k 1-start reviews and a few hundred ratings in the 2-5 stars range.

Methinks whoever is in charge of company reviews at BKK is despairing right now. Unless they somehow convince FB to drop the recent cohort of 1-star ratings (which will almost certainly yield a Streisand effect) and keep a low profile for a very long time before allowing star ratings again, there's simply no way the BKK will rescue the rating.

It's unfortunate for the BKK and its staff. The quality of their service and vehicles is good overall and the staff is friendly. It's admittedly not 5-star grade, but it's certainly not 1-star material either. Yet this sequence of event might haunt them for years.

People can, and do, do both things.

There are still protests at their offices as well. Source: I went to one a little while ago.

Although deeply unfair, this is not unusual, there have been many reported cases of companies shooting the messenger.

Unless the company concerned has a well documented and trusted bug bounty procedure, it can be very risky to report a bug in a system, if it involves any kind of hacking.

What happens is once the "bug" is reported, someone inside the company asks "How did this happen?". Now the person responsible has 2 options, admit it was their fault and the vulnerability exists and risk being accused of incompetence, or say that the system was hacked.

Human nature being what it is, one tends to complain of being hacked, thus snow-balling effects, which lead to the arrest of an 18 year old just trying to help.

My advice: Don't report these types of bugs at all, or if you really feel you must, report anonymously.

One thing that solves this is stating the obvious, something getting hacked means someone was incompetent.

Indeed, I fail to see the distinction. Perhaps "hackers" have some kind of mythical superpowers in the eyes of the common folk.

"There was nothing I could do boss! He's a hacker!"

> the poor 18 year old 'hacker' who was stupid enough to email them

s/stupid/trusting/. There's no reason to think this guy isn't bright, and he's faced enough trouble without piling on.

I believe the author meant it to sound sarcastic

It's definitely a jab at the company, but seems to cast a little shade too on the bug-finder. Cf the lede "The amount of stupidity in this story warrants that this is going to be somewhat long". That might not be the author's intent! I hope they'll see this as helpful.

Sounds a lot like what happens here in India [1].

Also, if such behaviour is systemic, how should we bring about the paradigm shift in handling such events? Such incidents will happen more often across the world as e-governance becomes more predominant.

1 - https://thewire.in/119578/aadhaar-sting-uidai-files-fir-jour...

> We knew that they have been working on an NFC/smart card based system for around 4 years, without any visible result despite having spent over 4 million EURs.

The public procurement process for the current system called RIGO was indeed 2013 but the whole process is much, much older than that. A more than 300 page feasibility study was published in 2011 https://www.bkk.hu/apps/docs/megvalosithatosagi_vizsgalat.pd... And a completely different system, called Elektra was announced in 2004 with a 2006 deadline.

This whole clusterfuck with RIGO starting in less than a year was absolutely unnecessary since the 2011 study already suggested supporting contactless credit cards so once RIGO starts the only ones using this online ticket purchasing system will be those who have a credit card but not a contactless one. This is a (very) rapidly shrinking audience.

The list of bullet points of the egregious flaws in the software just get worse and worse. It's crazy how I thought the first one or two would be the worst since, but it just got worse.

It's 20 freaking 17. How can people release software with these totally elementary mistakes? Just one is bad enough, but... admin/admin?? This is easily worthy of a Daily WTF article to itself.

And this software was written by a professional contractor - pretty sure you'd get better quality from a kid fresh out of university, because on my course, it was drilled into me - NEVER TRUST THE CLIENT BROWSER!

Companies need to understand, if they want an internet presence, no matter how strong the laws are in their own country, laws don't stop a crime in progress, especially when all they need to do is send a fairly simple message to the website. Computers are dumb, they do what they're told. Giving anyone the loophole to tell them to do something you didn't intend is asking to have it exploited.

Going after the messenger will solve nothing. The guy who discovered the payment flaw could easily have kept quiet, letting others discover it, or quietly told his friends, who tell their friends, ad infinitum, and suddenly the whole country is buying valid passes for a penny, costing the company a hideous amount of money. Prosecuting the whistleblower will actually hurt their bottom line.

I find one of the worst arguments I come across is "it is <year>" because it doesn't actually mean anything.

Correct, but in exasperation it's often the only thing to reach for, because programming is not a new thing, even web programming, and these are such elemental flaws that should have long been eliminated. It's just cringe-worthy they are still causing problems.


Isn't it mostly in multiplayer game programming where this gets said over and over "Never trust the game client" even though it should be said in all aspects of programming really

I would have ended at 'client' but figured it could extend to the human (although that's true too). But yes, there is still so much naivety in implementing distributed or client-server systems that they should trust input from remote sources.

The software industry better start investing more in educating the general public/government officials about how web applications work, or this is only going to get worse with technologies like WebAssembly in the hands of similar companies. If anything, people need to understand that these endpoints can be accessed without a browser, and we can't be arresting people/hauling them in for questioning for sending bad data to such an endpoint. After all, what does "bad data" even mean in such a context ?

Also, a question: does the EU have the legal concept of "fair use" ? I would have thought that messing around with a web application would fall under fair use, given that the web application can, and probably will, be stored on a person's computer. A computer that they (also probably) personally own, I might add...

This sort of thing teaches people to exploit or ignore rather than report. Anyone who reports should be commended, even if they did real hacking (which using dev tools on a web browser is not.)

Someone's going to probe your system; you should be glad to hear about it in email rather than in the news or your accountants or from angry customers.

Someone pointed out to me the other day that just connecting to a poorly configured system is illegal in some places (Finland in his case). A form of trespass he said. This was a ship in international waters registered in Russia Federation so not sure whose law applies lol. Perhaps if there were more cases where full advantage was taken of such incompetence with spectacular newsworthy results then people would be more appreciative of the work we do and the laws changed to protect whistle-blowers and activists generally.

> someone found out that the admin password was adminadmin and managed to log in using that.

Wtf ,I thought I was bad at my job.

Conversely, the person who set it to adminadmin probably thought they were doing a great job.

"if you just typed in the url (shop.bkk.hu), the site just wouldn't appear. At first I thought they've taken it offline, but it turns out that they just didn't set up the http -> https redirection. And it was left like that for days. If you just heard about it, you couldn't use it. You had to click a link (normal users won't figure out to put an https in front of the host name, even I didn't think of it)."

I'd really like to know which of these is the better solution.

It seems to me that if people go to the http address, they could be redirected to an attacker's address with a simple MITM attack. So there's an argument to be made for not using http at all, even for a legitimate redirect, because it can be so easily MITM'ed.

On the other hand, if the http address is left unused, then people who try it anyway and it fails will be confused. For this solution to work, it seems the users have to be educated to always and only use the https address.

For these reasons, the whole separate http/https scheme seems broken by design.

What's the consensus from the security community as to the right setup here? Am I missing something, or is there a better way?

Not having an http site doesn't help in a MITM scenario as the attacker will happily serve up an http site even if you don't.

The only solution is to always go for the HTTPS resource disregarding any suggestion. On browsers a strict configuration of Smart HTTPS [0] covers that, for everything else I think the best solution would be to intercept all HTTP traffic, request the HTTPS counterpart (and decide if falling back on failure is acceptable instead of just dropping the connection), then serving locally the decrypted response. Worse than properly requesting the right one from the start but harder enough to exploit.

[0] https://mybrowseraddon.com/smart-https.html

HSTS helps for this.

It's true that it doesn't help once the user has been MITM'ed.

But before that happens, if the user always goes to the http address and it works for them (whether by legitimate redirect or by the legitimate site simply supporting http) it lulls them in to a false sense of security, and a belief that going to the http address is ok.

So the idea behind having the http address be broken from the start is to make the users see that the address they're trying is broken, and therefore the wrong one for them to use. Hopefully at that point they'll investigate why (perhaps complaining or talking to their sysadmin, if they have one), and be straightened out by someone providing the https link to them (or the more tech-savvy users like the OP figuring it out for themselves).

Ok, so that works for Chrome, but every other application is still going to be subject to an MITM attack if their users try to connect via http?

As long as the other application is Firefox, Safari, IE11/Edge, or Opera, then it probably has a HSTS preload list that is at least in part generated from the Chrome one.

Firefox have some scripts which go through and check to make sure everything still on the Chrome list is still announcing the preload headers, and will autoremove if that isn't that case, IIRC. I wouldn't be too shocked if Apple/Microsoft were doing something similar.

"As long as the other application is Firefox, Safari, IE11/Edge, or Opera, then it probably has a HSTS preload list that is at least in part generated from the Chrome one."

Is there any documentation for these browsers that officially say exactly what they're doing and how their preload lists are generated?

When I was in Budapest a few weeks ago, I heard from multiple locals that the metro system was owned by some sort of mafia. I wonder if that explains the subpar security and overreaction to the bug report.

edit: a few weeks ago, not this past summer that is still occurring

I'm not aware of any actual mafia. They were almost certainly metaphorical and they must have been just bashing the local government. Because what they do is really a shame. One of the lines is de facto in a life threatening condition. Trains caught fire multiple times. Instead of being replaced, the 40 year old cars are being refurbished/modernized. This has something to do with the EU (they gave money for this, but not that). There was a tender, but miraculously it was the Russians who won it, despite their offer was quite a lot more expensive than that of the Estonians. And of course, as it happens with corruption, they failed to deliver a properly working version, so after a few weeks of testing, the first few trains were sent back.

About the security (or rather the extremely low quality) of the eTicket system: that was developed by a 3rd party that belongs to the Deutsche Telekom group, and that company is indeed quite a high profile system integrator working with a lot of large companies, banks, etc. So it's a bit of surprising (even if corruption is involved) that they released it in this form. Actually I'm surprised by these bugs even for a prototype that was forcefully pushed out of the door, because you just never do these things in the first place.

> Instead of being replaced, the 40 year old cars are being refurbished/modernized.

Age seems like a bit of a red herring to me. Here in San Francisco BART cars are about that old, Muni runs 90 year old Italian trams and American ones that are close to 70 years old. And, of course, the cable cars. BART bears about the worst of it because many parts are no longer available.

Interesting point. Don't forget that this is 40-50 year old Soviet technology :). And cars are actually in pretty bad shape, well over their planned lifetime of 30 years (AFAIK). Full of rust, sometimes catch fire. The drive system is also problematic, because it doesn't have regenerative breaking so the cars heat the tunnels quite a lot which is pretty bad during the summer.

They are in such a bad shape and/or hard to rebuild that not much remains of the original during the refurbishment.

Actually the Russian company and the tender has received attacks that the cars are actually new, only some identifiers have been transferred from the old cars, as Metrowagonmash had a dozen or so surplus cars of the type the used cars were supposed to be upgraded to.

Actually yes, the EU some money for refurb, not new trains.

The Russians didn't magically win the tender, i think it was realpolitik. They manufactured them originally in the first place, they have the means to do the work, and without knowing if the proposals were technically equivalent, Hungary needs to maintain a good relation not only to its neighbors, and fellow EU members, but to Moscow.

Also the trains are not in a worse working condition than the Siemens Combino trams or the Siemens and Alstom technology at Metro 4 line, which also had integration problems during the first months of operation. The problems will be addressed by the russian firm as well as as the western firms addressed those problems.

Well, only if you want to explain away the fact that the Estonians should have won the tender based on the official scoring and criteria. In other words, you are rationalizing. There's a reason why tenders always have a fixed scoring system. And this is it.

Maintaining good relationships with the Russians wasn't part of it, of course. We'll pay them enough for Pask2 (awarded without tendering). But even if not, because enough does not exist, more is always better, if this is the price of a 'good relationship' then we already have a bad relationship with them. I.e. they are blackmailing us. (Of course, it's not the case, but they are probably more willing to pay back than the Estonians...)

No, these problems are not like other problems, though Siemens and Alstrom were also both involved in corruption cases (I mean outside of Hungary), these are more serious and didn't happen with the others. It's not simply only integration problems.

Nothing like the cars build for berlin that were slightly too big for the narrowest part of the tunnels.

Please don't spread fake news!

The metro system is owned by the city, and ultimately the government. With all its problems, it is still not a mafia.

Although you are in a different part of the world, but when visiting the poor and backwards Eastern Europe, please use your common sense, or at least do some fact check.

TBH in Eastern Europe something being owned by government usually means that it's being ran (basically owned) by mafia.

It's just the old commie era thinking. Some people think of the government as a hostile entity. Strangely the same people believe in a strong state acting as a nanny, so they don't have to solve their problems themselves. Hopefully this will heal with time and people start to take responsibility in both their private life and politically.

Wow, there is some really funny shit going on in your head behind that pink goggles of yours? We are trying to deal with that for several years now, still a lot of work to be done. And no - that's not just thinking. Some of those government guys became so insolent that their shady schemes are basically open to public.

No, it isn't. Sorry but this is exactly the kind of "there must be a hidden agenda to this" thinking which skews your reality. Our governments are simply highly incompetent and terribly mismanaged, but not in the hands of organised crime. You can still draw parallels between ANY government and mafia.

Depends on the country, I guess. Come visit Ukraine - there is almost nothing hidden regarding those agendas here. One question, tho - if they are so incompetent and mismanaged, how come they're your government?

Ah, you are from Ukraine. This explains your bitterness. There are differences between Eastern-Europe and Eastern-Europe. Ukraine is in a whole different dimension regarding corruption, than Hungary.

Yeah, you're right, as the guy from Ukraine I'm probably preconceived quite a bit. But as an IT guy, I still do not believe that everything is clear with those 4 years and 9 million euro.

> if they are so incompetent and mismanaged, how come they're your government?

Because we elected them based on their skills in lying rather than governance. And also because government jobs naturally attract and promote incompetence.

Hanlon's Razor - Don't attribute malice to what could just as easily be explained by incompetence.

Turns out there are just a lot of incompetent people.

What do you mean eastern Europe ? This could be said for governments all over the world.

Why does a group of criminals need a subway? As a local guy using the public transport on a daily basis, I highly doubt this.

That pretty easy. Let's say you're a government official who's in charge of a local subway. One of the stations is in need of renovation. You're opening a tender for that and got 3 participants - 2 of them are some independent companies with bids around market price of the work required. Lets say 105 and 107 thousands euro. And the third company belongs to your brother in law and he wants 500 thousand euros for his services. In perfect world such bid won't stand a chance. But, since you're the one responsible for the tender, you can change requirements for the set of documents required for participation like one day before start, making it impossible for other participants to provide documents in time and thus making them unable to participate. So your brother in law wins the tender, sub-contract work to some third party for the market price and you split the rest of the money. And even if you're will be charged with "improper use of municipal funds" you'll be fined with something around 500 euro and will keep your job.

That is what I've meant by saying "basically own" - you can do whatever you want with company and you can't be held responsible for any of your actions.

And that's not just some imaginary scheme - that shit happens on daily basis in most of Eastern Europe countries. I'm from Ukraine and we're trying to fight that shit for several years now.

Not Just former Warsaw pact countries, This is a common form of low level corruption in many companies I was told that in British Telecom it was the most common form on financial misconduct that people got disciplined for.

I see I admit I was naive when I thought we do not play with services that are used by hundreds of thousands of people in the capital. But yeah the same shit happened here, too. We have to pay back part of the EU money we received for Subway 4 (Négyes metró) due to corruption investigated by EU.

To take EU funding, obviously :)

Why do criminals need to be re-elected at election time ?

Hm.. money laundering?

This is simple demagogue populism. This is not a critique of the problems, and does not start any fruitful discussion, and will not lead eventually to better conditions.

Oh, you seem to be using the code words of state-sponsored media pretty well. Demagogue and populism in the same sentence, nice! : )

Lets not pretend that the tenders made by the BKK is any more lawful or fair than the rest of the tenders that dominate the market around here.

Actually that is a critique of a problem. Because one of the biggest problem of Eastern Europe is corruption which leads to many different problems, that eventually result in such stories.

The biggest problem in Eastern Europe is corruption? Citation needed. In the USA you can influence politicians, even elections and it is called lobbying. The result is that roughly 70% of the legislation passed for companies. In Eastern Europe people keep re-electing politicians who are corrupt than it is on the voters not on the corrupt politicians. I think the real issue is exactly that, people cannot use their power (voting) too well and have limited knowledge about the economy so they are easy to fool.


Yeah, right, because in countries with high corruption level elections are always work as they supposed to.

Someone probably misunderstood something. Our government is usually referred to as a mafia government because of their tactics and modus operandi. The Metro is state owned and with a bit of a stretch I can understand where this is coming from.

You remind me of the Dutch railroad system. It has a monopoly despite having been privatized, and the majority stockholder is.... the Dutch government.

Since I can't edit the post, apologies to any offense I may have caused. Although I did hear this from locals, it was likely a communications breakdown.


Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact