18yo arrested for reporting a bug in the new Budapest e-Ticket system (marai.me)
874 points by atleta on July 24, 2017 | 309 comments

I remember coming across a serious bug in a site that belonged to a top multi-billion company. My brother also found what is essentially an unrestricted privacy leak (and possibly editing access) in a top university (leaked data is sensitive personal information, not academic). Neither of us reported (or exploited) what we found.

Protection from this kind of blame-shifting and misdirected retaliation should be guaranteed by law. Until it is, bugs in critical and important infrastructure will go on unreported, and remain available for malicious actors to exploit.

I'm having trouble understanding what exactly an org's thought process is when they elect to prosecute someone for reporting a security issue.

Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

EDIT: Is it suspicion? "Hmm...this person found an unlocked door, which means they were clearly trying all the doors. Don't like that. Who knows what else they found but didn't report." Which is understandable, but clearly counter-productive. If the person was a malicious actor, they obviously wouldn't go to the trouble of reporting in the first place.

My guess would be:

- BKK is the client of T-Systems. They have a contract for the development and maintenance of this system which might contain clauses about liability or indemnification in cases of hacking, security bugs, negligence, etc.

- This guy reported it to BKK who obviously don't have any technical knowledge

- BKK (the client) forwards the email to T-Systems (the contractor): "What's this about? Looks like hacking or something."

- Now T-Systems has two options: 1. Blame it on the guy, or 2. Take the blame for overpromising and screwing it up, possibly taking a financial loss of an unknown amount (depending on the contract and how widespread exploitation was)

That's unlikely. Even if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and then do acceptance testing. So the "BKK obviously don't have any technical knowledge" claim is bogus.

It's possible the particular BKK person dealing with the report does not have technical knowledge, but that's more a fail on BKK's side as they let incompetent people deal with reports of security incidents.

But I'd bet it's merely a matter of covering broken shit and shifting blame. BKK is (probably?) a public company, managing transport in the capital city. They manage a lot of money, and it's not uncommon to funnel lucrative contracts to friendly companies, even if it increases price and the quality is dubious. Whoever came up with this project / awarded the contract / accepted the solution is probably scared people might start digging into the details. Better blame the problems on a hacker!

> Even if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and then do acceptance testing.

I don't think this is true. When you buy a house, do you have to be able to do the specification and evaluate? This is a good analogy, because T-Systems have delivered similar solutions to other clients, what they needed here is a little bit of tailoring and integration (which is not the part that failed).

It is common for a typical western government to have domain specialists, working directly for them, to help write the contracts and requirements for their external contractors and vendors.

In my experience, clients rarely have any technical expertise at all.

Definitely not the case. Huge numbers of SME clients evaluate tendered work on visual inspection alone. I've only had one or two clients ever (having worked in-house, contract, and for an agency) who have had any knowledge of cyber security.

I think the hypothetical above is very reasonable. Lots of technical vendors will elect to shift blame. They should take responsibility for their issues, but they often don't.

Except that BKK is not an SME, but a company managing transportation in a city with nearly 2 million people. I've done work for similar organizations founded by municipalities (although smaller and not in Hungary), and pretty much all of them involved technically-skilled people in the process.

Perhaps BKK operates in a different way, but well - incompetence is not an excuse. It's a management failure.

I think there is a disconnect in how techies and non-techies think about web security in general.

To push your analogy further, the non-tech person thinks of this type of exploit discovery as if someone has trespassed onto their private yard in the cover of darkness, trying every door and window.

A tech savvy person might instead think of it as a row of doors lined up next to a busy street, in broad daylight.

Knocking, and telling someone that they have "forgot their keys in the door" seems a bit creepy in the first scenario, but completely legitimate in the second.

I think that the second scenario in your analogy is somewhat creepy too. Why are they trying all of the doors? A person should have a reasonable expectation of privacy in their house, to be able to walk around in their underwear or whatever without someone just opening the door on them.

Edit: Note that in this analogy the keys aren't fully visible from outside and it requires opening the door to be sure that the keys were accidentally left out

If your security is "http://example.com/1234/secret_data/", but 1234 is your customer number, and changing the customer number gives you someone else's data, then the analogy is more like:

"the sheriff has told everyone that there's a bad dude wandering round town trying doors, and [responsible citizen] noticed that everyone had identical door-keys which would open every lock".

Is that still creepy?

I would find it creepy that someone was testing their key on other people's doors.

If I caught someone trying their key on my door I would call the cops, even if they said they were just testing it to see if it would work.

who is the sheriff in this case?

I'm the sheriff!

But all kidding aside, it sounds like the sheriff is the hacker, who has discovered through investigation that every lock is the exact same.

That said, a hacker isn't elected to protect people, they are doing it out of the "kindness" of their heart. What a lot of people get in trouble for is hacking first and asking for permission after.

If you go up to a company with a statement like: "I think you may have a vulnerability in your software. I haven't tested this hypothesis (you can verify in your logs), but with your permission, I could check it, and report back to you.", most companies would probably be thankful, others might instead get mad and handle it internally. But if you DON'T hack first, you have nothing to really worry about.

That seems unreasonable.

If I logged in to a service and saw a URL like http://example.com/1234/secret_data, calling them with a report of a potential vulnerability would be a waste of their and my time 98% of the time. And there's an infinite number of such "potential vulnerabilities" to report, too. Like on HN, I see I can edit my profile description over at https://news.ycombinator.com/user?id=TeMPOraL. I wonder what happens when I change the 'id' param? Better not try it out, but call 'dang immediately!

Discovering an actual vulnerability in the first place requires doing something that could be considered hacking.

You consider it "hacking" to change a url from example.com/1234 to example.com/1235?

Ask Weev, while being a troll... Apparently he gets to go to jail for using numbers at the end of a URL... ICC ID... So you try one number, then another, then disclose it, and yeah... Go to prison. Welcome to America.

Sorry, I didn't word that correctly. I was referring to actually leaving the keys on the outside. What I was trying to get at is the mental image of a shady person skulking around in a backyard. I think many people have that sort of "what were you even doing there" perception of so-called hackers regardless of their flavour. If they instead realized that a public facing interface is something that will inevitably be explored over and over again, they would have a different opinion.

Never underestimate the diversity of the concept of Justice in those who are uneducated, unwise, and dishonest to what is real. If you try to trace this behavior you'll find truly random causes. There are an infinite number of ideas one can substitute for something they don't know or willfully ignore in their own perceived interests. The real problem is when those substitutions are guiding determinations for someone with authority over others.

I'll also add: when I was a teenager I've been in this position countless times, reporting security issues at school, etc. The reactions I received from fully grown adults was nothing short of stochastic. This fascinated me enough to minor in political science and philosophy/ethics. I draw on that for insight, but it doesn't really provide a final answer.

This. Executives who usually have no trouble treating engineers as replaceable parts, suddenly fail to believe someone else can and possibly has found the same vulnerability. They think getting rid of the one person capable of finding it is all it takes to be safe.

Because if they acknowledge it, it shows their own incompetence. It is much better to blame the issue on some "hacker" than to acknowledge that you failed. The latter might mean that you get kicked out by investors.

And multi-billion companies or governments are in the business of bending over customers and effing them. So another guy getting fked is business as usual.

> "Would they also prosecute a person who told them one of their doors was left unlocked after-hours?"

Perhaps not, but they probably would be tempted to prosecute someone who opened the door with a toothbrush and told them about it...

The temptation is to squash anything that comes along and potentially makes you look like you weren't doing your job properly (installing a better lock in the first place) rather than thank the person and then install a better lock, or fix the design of the lock.

Maybe you're projecting your own ability onto them; have you considered that maybe they are highly incompetent and do sincerely believe this was a cracking attempt on their system?

Then again there is this culture of making an example to discourage others to even try, similar to prison, which we know is not that effective if at all.

> Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

> A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

Well, those aren't quite the same thing.

If someone told me I'd left my key in the lock, I'd say thanks and remove the key.

If someone told me I'd left my door unlocked after-hours, I might wonder what they were doing trying my door after-hours in the first place.

They paid a lot of money for a system they were told was totally secure, so damnit they're going to believe that despite any evidence to the contrary. Thus any bugs reported to them are not bugs but malicious attacks on their innocent system.

You fear what you don't understand

I don't know of it happening in hacking lore, but certainly it might be a strategy for a malicious actor to report a flaw so as to gain trust in order to exploit another flaw.

I was more naive, but it worked out. Reported a vulnerability and how to fix it to a regional bank when applying for a student loan. They asked me to come in person to explain it and dropped a point off my interest rate.

In hindsight it was a huge risk and I was dangerously trusting.

If you are nice and don't threaten to publish, at least without giving them any time to fix it - which for a large bank is a couple of months - then I don't think it's a risk at all.

What they don't like is the publicity.

Edit: but maybe not in Hungary. It's the bad child in EU.

In Poland there was a case a few years back of a company owner (I have no idea if that means a one-person company or a bigger one) finding out, by putting a name of his client into Google, that it had indexed documents containing private information of over 1000 companies that are clients of PKO BP, and reporting it to the bank.

At first the bank security department said no one will find it so it's safe, and later, when he pressed the issue as a dangerous leak, they reported him to the police for "hacking and extortion". All the computers from his company got confiscated for investigation, so he had to buy new computers and software to continue running his company. In the end he was found not guilty by the police investigation of his computers, so the prosecution dropped the case (it didn't even go to court) and all his stuff was returned after 6 months.

Source in Polish (sorry, there is no English source): https://niebezpiecznik.pl/post/glebokie-ukrycie-danych-w-pko... http://www.tvn24.pl/wiadomosci-z-kraju,3/haker-mimo-woli,132...

The bank spokesperson later explained that the files were "deeply hidden" ("głębokie ukrycie", he said it's an IT term, it's not) and only one person found them in 4 years of their existence there, so it's not a big deal.

And in general misusing, testing, etc. a website is illegal without the owner's permission; there is now a small exception for acting in good faith, but it's narrow, a bit strangely worded and it doesn't prevent stuff like the above.

Ah, yes. Actually Poland is the other bad child in EU...

The European commission is currently threatening to remove Poland's voting rights due to the changes to the juridical system, but it will not happen as Hungary will veto.

I think they are on their own cultural axis somehow.

Poland is drifting towards Russia.

To clarify: they're drifting towards a political system reminiscent of Russia today, but they would never ally with Russia. The Soviet regime is still fresh in the zeitgeist's memory.

Unfortunately they just need a "bigger evil" to forget it and move into their arms.

> What they don't like is the publicity.

> Edit: but maybe not in Hungary. It's the bad child in EU.

The article suggests that they reported this guy to the police only after the info leaked out (or possibly was independently discovered by others) and made it to the press.

Scapegoating of non-malicious hackers isn't really anything new or unique to Hungary. It's a common reaction of IT-illiterates to people "cheating" on their systems everywhere.

I've reported two vulnerabilities. One to a fairly large web hosting provider that allowed me to access the databases of anyone else on the shared server my website was on. Another to a major credit card company -- Given a person's first and last name I was able to see what kind of credit cards they had.

In both cases, they fixed it, thanked me, no arrests or threats were made. I think your experience is only outside the norm in the sense that you got monetary compensation out of it! Nice!

Had a similar issue with Wolfram Alpha some years ago. I reported a dozen different XSS vulnerabilities to them and their answer was: "We forwarded this email to our legal department.".

So even technical companies can react in really silly ways.

I think legal's involvement is perfectly normal. Part of damage control consists of figuring out the legal ramifications of the product/service having technical vulnerabilities. Especially if those vulnerabilities leak customer data.

What isn't cool is legal deciding to go after the party disclosing the vulnerability.

Not having much experience on this subject, I have to ask: would you not get your developers to verify that the vulnerability is there and fix it while the legal department is doing its thing? The vulnerability is already out there, and the sooner it's fixed the better. Why would they forward everything to their lawyers first thing?

If the email contains code or something that looks like code, or otherwise looks like it is discussing technical things, it is not unusual to run it through legal before letting any engineers see it.

That's because companies routinely receive unsolicited product proposals, ideas for new features or enhancements, and the like. Often these overlap with things they have been working on internally but that are not known to the public.

If they let engineers see these unsolicited mails and then later come out with an even vaguely similar feature they may find themselves in an intellectual property dispute with the emailer.

Aw gee, that makes sense, yes. Never worked for a company big enough to need this. Also, I'm in Italy, so some things might work differently here.

I get where you're coming from, but I would still encourage people to report. Most companies will want to fix and hush it up.

I have previously found a way to access very personal information in a large corporate billing system. When I contacted them I specifically used careful language: that what I'd done was unintentional, an easy mistake that could lead others to this, that I kept zero data and exited the system as soon as I realised 'my mistake' and was very surprised. Basically enough that 1) if it should go to court the situation would be in my favour as much as it can be and 2) given they were a well known public retailer, I figured this would hit social media and make an uproar about the company should they act badly.

Initially I contacted several people in IT and heard nothing. Six months later, when I noticed this was still open, I contacted the CEO. Expecting nothing or a canned 'thanks', they were thankful and had some follow-up contact about the issue.

I won't say there is no risk, but I think it's the right thing to do and the risk seems minimal. And you can always do it anonymously.

Doing the right thing is admirable. Doing something that helps a little bit, when the group that you are trying to help may or may not try to destroy you, seems like it's not such a great idea. If a company doesn't have a set of published procedures for reporting a bug, it's not worth helping them.

It depends. Sometimes the organization may be handling your personal data, other times a bug in some Ukrainian tax software may be exploited and cause downtime in a global shipping company.

I realize that big incidents are probably the only way to get laypeople to care about IT security in the long run, but still it may be preferable to help averting them when possible for various quite practical reasons.

> And you can always do it anonymously.

Assuming you have done the hacking anonymously in the first place.

Yeah, you have to consider if there might be logs likely showing you to be the only person to have used the system in the manner you described.

That's yet another reason to run something like Qubes OS, split up your online presence into distinct "domains" and heavily firewall each domain, only connecting it through VPNs and/or Tor in most cases.

Because TOR is safe...

What I would suggest is report the bug in an anonymous manner if possible. They're not going to be able to do much if you report a bug anonymously I would think? I mean in the case of people who find bugs by "accident" I mean I'm guilty of messing with a URL here or there to get the true HQ picture of a website.

Maybe they could use some threatening instead of a proper report. Go to a public spot, open up a Tor browser, then report the vulnerability. Something like this:

"I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention."

Maybe they will panic strongly enough to actually do something about the issue.

That is quite straightforward and makes it clear from all perspectives.

From the hacker "hat classification" perspective, that's obviously black hat, nothing gray about it.

From the legal perspective it's not a debate anymore (like in the original article) if you do this, it's clearly a crime, if you get caught in whatever way (e.g. by bragging about it someplace later that leads to your person, or by testing a "discounted" pass in some place that has cameras), it's a straightforward conviction for extortion.

From the ethical perspective, that is an unethical action, doing that shows that the person is immoral.

But you are right, yes, it can be quite effective, and definitely makes it more likely that they will panic strongly enough to actually do something about the issue. It's just that if this happens, then it's not sufficient to just fix the hole, identifying and catching the perpetrator becomes a big part of what they should be doing.

My understanding was that you just threaten to do those things but don't actually follow through on those threats. Then it's grey hat and ethical but still not legal. If they actually pay the bitcoins and don't fix the issue then you despair and go on with your life. It's hard to spend the bitcoins without deanonymising yourself, but you can try to give them to charity or something.

No, simply making that threat ("send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database") is very definitely a crime (and black hat, and unethical) even without any followup.

That's as classic as it can be, there's nothing new or technology related about this - for example, sending an anonymous message "Send cash or I'll burn your house" is a crime (and unethical) even if you don't burn anything. It is a crime (and unethical) even if you're just making an empty threat and never intend to burn anything, it still is extortion.

Arson is one crime, and extortion is a separate crime punishable by itself. If you don't attempt to delete their data then you (obviously) don't get charged with deleting their data, but making threats like that is not acceptable in any way (legal or ethical) whatsoever. Once you press "send" on a message like that, you've crossed a very serious line.

Like I said above, it is a crime. But it's ethical because it's intended to force them to fix their system before someone does something much worse.

Do you believe that you have a moral right to force them to do anything?

Is there a moral imperative that they are morally required to secure their systems and that others should/could demand that they must do so? It definitely could be in certain cases (for example, a hospital storing confidential data of their customers), but in the usual situation where it's just their data and their money, isn't that their moral right to decide how high a fence (if any!) they want to build around their property?

Telling someone "hey, you forgot to lock your door" is a good thing, but ultimately IMHO it's their decision if they want to lock the door or accept those risks.

Yeah, I agree 100%. But in a lot of the cases mentioned in this thread the private data of the company's customers was at risk. For example system in the original article allowed you to access other people's name, address and national ID number. I was thinking only of situations like these, there's no reason to threaten a company if they're the only ones at risk.

Okay, if private data of the company's customers is at risk, then it is a reason to push for some action, but it matters how you do it. In this case I don't see a big need for reinventing the wheel - this is a common issue for which all the options, pros, cons and risks have already been discussed and there is a somewhat clear consensus (with some debate about nuances) on the expected ethical action, and that is https://en.wikipedia.org/wiki/Responsible_disclosure or http://www.cert.org/vulnerability-analysis/vul-disclosure.cf...? . Many nations have some more specific guidelines issued by e.g. their local CERT that are adapted to their local legal situation.

The process works reasonably well even if the vendor is not cooperative. In that case it is somewhat similar to the message proposed above, but substantially different - first, the threat is not that you'll destroy or publish their data (which is extortion) but that you'll publish your description of the vulnerability (which generally is not); second, the threat is not that you might consider damaging the data (i.e. stating that you'd be willing to do an immoral thing) instead that some other immoral people might damage the data; and third, the disclosure is not conditional on receiving money from them.

I can see that the proposed threat was meant in the same direction, and is somewhat similar to the "threat" implied in general responsible disclosure, i.e., if you don't fix it in 45 days then we'll publish info that most likely will mean that you'll get hacked. But it's substantially different, the details are quite important, and you'd need a good reason to deviate from the standard responsible disclosure guidelines.

I mean, what do you do when after sending a message "I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention." you see that they have not fixed the issue but have transferred the requested Bitcoins? It'd be a possible direct result of your actions. Is that a desirable outcome? Is that an ethical outcome?

I really can't see how this is unethical or immoral in any way.

You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"? It's obviously a crime.

> You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"?

I do, however loup-vaillant's post also contained the following, which makes it not immoral nor unethical:

> accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time>

Also, you need to panic them, you do not necessarily need to delete or copy their data (but even if you did, I see nothing evil in it. They are the ones that refused to fix it within the time given after all).

> It's obviously a crime.

Doesn't mean that it's immoral or unethical.

If you point out that my front door is unlocked, and I decide to keep it unlocked forever (i.e. refuse to fix it), then it doesn't mean that it somehow becomes ethical to enter my house and take my stuff. It might be stupid on my part to keep it unlocked, but a thief is still ethically a thief even if I carelessly kept it unlocked forever. My "door" might as well be a line in sand or a sign "don't enter" on a pathway - not a security measure at all, just an indication where the boundary is, but still unethical to cross it. Much more so would be sending a note "lock your door, send me money or I'll take or damage your stuff", as in the original example.

Threatening to harm someone unless they do what you say is immoral even if you don't harm them; it's not ethically acceptable to threaten others.

If you had classified information behind your open door, you could be sued if anyone stole it (or worse, depending on the level of classification). Sometimes, one is legally required to take appropriate steps not to unwillingly disclose information. I believe users' personal information should fall under this category. (I believe it does in some cases.)

If your leaving the door open leaves not only you, but others, vulnerable, the discoverer of the broken lock may very well have a moral obligation to protect those innocent people, by whatever means appropriate.

What is appropriate depends on the situation. I expect in most cases, just telling you the door is open may be enough. But if you are being particularly obnoxious, threats may be the only way. In some extreme cases, burning the house down to avoid the disclosure of the sensitive information that would harm countless innocents may be the best course of action.

The legal system even has analogous situations, where a judge can order the orderly destruction of some unsafe building. The only (yet crucial) difference is, judges aren't vigilantes. But this is fixable: one could have the law allow the vigilante to send a cease & desist letter saying "fix your door or I'll have a judge burn your house down".

It's obviously a crime.

Perhaps. But being a crime does not automatically mean something is immoral or unethical.

So you should just become a malicious actor and actually break the law? Good plan.

Becoming a malicious actor, no. Looking like one, definitely. Break the law, most probably. Also, I would rather threaten to publish if I did this for real.

It's risky and scary, but also the right thing to do in some cases.

You could also fail to report at all, and let their ship sink. Maybe they deserved it.

What difference does it make if the outcome is the same?

Not the outcome for the informer in case one gets caught and accused of threatening for ransom.

Better hope you've not left any evidence on their systems then, you know, like a discounted transport pass.

Wrong. The latter half should read:

You have <this time> to fix the issue, or I <copy or trash> your database.

Asking for extortion does not push them to fix their systems, only to pay you and/or find you.

I have read some advice in the past that one should report vulnerabilities via an officially known independent security-related group (white hat) or via a journalist. The point is to get some legal backing just in case. Does anybody have experience with such a way?

In France, you can report vulnerabilities to the ANSSI (National Cybersecurity Agency of France). The agency stays somewhat neutral between justice and the company with vulnerabilities, since ANSSI must protect the confidentiality of their informer. Information can be sent by email or postal service.


I report all the vulnerabilities I find to the NSA. Very nice people.

I understand that it's good to have cover for this sort of thing.

I think the line is pretty grey though.

One analogy is telling a company that their front door is unlocked.

Another analogy is going into an unlocked front door, and going deeper into the building, and then reporting to the company that you could, in fact, get to classified information from this door.

IRL pentesters get permission before trying to sneak into buildings, so there's some argument for it being the same for these sorts of things.

EDIT: I 100% think that users that are acting in good faith shouldn't be thrown in prison. This case is a pretty good example of this

Note: the nature of the reported vulnerability was such that the teenager didn't even have to access the servers to do it —only change a value that was sent by his own browser.

If that was tantamount to not-breaking & entering, it means that it is okay to legally forbid step-by-step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides (here, the price of the ticket) must be observed by the rest of the system (here, the price sent in the HTTP request wasn't the price decided by the web page).

The consequences of such thinking are chilling. If this is the kind of cyberpunk we're heading to, I'll seriously consider becoming a Runner.

On the Internet there is also the problem of remote attackers. Even if you preemptively jail all people in your jurisdiction, your system still isn't safe. It doesn't make any sense at all to call sending some malicious data to your server "breaking in" when anybody and his dog can do it from the comfort of their chair on the other side of the planet.

> it means that it is okay to legally forbid step-by-step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides must be observed by the rest of the system

I don't know about Hungary, but in the US the DMCA has exactly these provisions.

When you test for a vulnerability, many times you don't know whether it actually works unless you go "deep into the building".

In this situation, it would have been difficult to report the parameter tampering without verifying that it actually worked (there are systems that pass params back and forth without apparent use, but they throw an error when client and server states don't match), and, most probably, the report would have been ignored without the verification.

Exactly. Often, to validate that the door is unlocked, one needs to turn the knob and open it a little. Shall one get permission for that just for the sake of a check? Is it already a breach to open the door without crossing the threshold?

Friends of mine have a small company (and a nice Ultimaker 2) and left their front door wide open, lights on and went home one evening. However one manages to do that. I called them, stayed a bit to secure it and since then it's free print and free beers for me :)

I disagree. It's more akin to trying the handle on the door, and noticing it's unlocked, and then telling them, and being arrested for touching the door handle.

report anonymously!?

Why didn't you report it?

Seems somewhat negligent - at the very least from a Good Samaritan™ point of view

You're replying to a comment about news of someone being arrested for a similar thing.

There's such a thing as anonymous reporting

What if you don't do it anonymously enough? And they trace it back to you? Not that this has ever happened (I have no idea. I'm assuming not). But being paranoid isn't unwarranted either.

If he reported it, he runs the risk of the company turning on him (as was the case in the article above). If he doesn't report it, nothing happens.

It's a choice between the certainty of no loss vs the possibility of great loss.

If he does not report it, and somebody else does, then he runs the risk of being rightfully accused of hacking, as his motivation can be read as financial.

Budapest != United States

You're often opening yourself up to a LOT of bad exposure, where you'll be accused of hacking the software (along with the 20+ year jail term this might eventually entail) and just generally putting the spotlight on yourself as a potentially dangerous person.

Better to report anonymously, or report directly to someone who might appreciate or is responsible (and hope they appreciate responsible disclosure).

Did you not see the top post?

Reporting these things can get you in trouble. Once burnt twice shy.

That's how the DMCA works. Remember the guy who gave a talk about Adobe's PDF creator, which purported to produce "secure" documents (required a password) but whose feature was easily bypassed?

Adobe had him arrested the day after he gave his talk.

Link to a Wired article here: https://www.google.com/amp/s/www.wired.com/2001/07/russian-a...

EDIT: I have a terrible memory; thanks to the folks who replied to my comment with corrections.

> Adobe had him arrested on the stage as he gave his talk.

I was there!

The FBI arrested him in a hallway, one day after his talk. Dmitry at first thought it was a joke put on by a Defcon prankster.

During his talk, the panel moderator asked Dmitry to pause for a minute... and said "Would you mind saying 'Can you tell me where are the nuclear vessels in Alameda'?" Dmitry was confused by this request and said, in his Russian accent, "I do not know where the nuclear wessels are in Alameda?" The mostly American Trek-familiar audience had a good laugh, and Dmitry continued with his talk.

Sounds kinda mean-spirited to mock the accent of someone who is presenting in their second language.

A lot of the amateur security scene is pretty mean-spirited, unfortunately for anyone trying to get into it.

I believe it isn't about mocking but making the point about US / Russia and nuclear weapons

I'm confused by his request as well; I can't understand why he asked it. Any context?

I think it is a Star Trek reference.

Yep, Hungarian story. And indeed the law in this case is not that bad at all. It doesn't penalize what the guy did. The sad part is of course the corporate and governmental reaction; the frightening part is that the police were so eager to jump in and overreact.

This story takes place in Hungary.

But inspired by the DMCA, the EU has also adopted anti-circumvention legislation. Though I'm dubious either would apply here, as this would be very difficult to spin as a copyright issue.

Has it? Can you link to it?

General info: https://en.wikipedia.org/wiki/Anti-circumvention#European_Un...

More about the directive: https://en.wikipedia.org/wiki/Copyright_Directive

Actual text of the directive: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:320... (see Chapter III, containing things like "Member States shall provide adequate legal protection against the circumvention of any effective technological measures" and then going on to define "effective" to mean "not necessarily effective")

Some parts have been amended (for example, copyright duration has been expanded from 50 to 70 years after death), but I believe the anti-circumvention parts to be unchanged. I'm not sure how to find up-to-date codified versions of EU laws, though.


A few years ago I also found a serious bug in a debt collection agency's web software. I ordered a phone and neglected to pay import tax and was chased by the agency. I found their website and saw that they had developed their management software in-house and made it available for purchase by other agencies.

They offered a demo which I used to navigate around. In the demo was a reporting tool which essentially allowed you to send raw SQL queries to an AJAX endpoint. Something along the lines of:

http://demosoftware.com/reports/ajax.php?sql=SELECT * FROM debts

I switched out the demo software domain name for the live version and it worked: not only could I query the database, there was no authentication preventing me from hitting this endpoint.

At this point I was left with a dilemma: do I "erase" my debt, do I disclose the bug and pay the debt, or do I simply pay the debt and move on? I chose to pay the debt and move on due to fear of any recriminations. However, it has left me uneasy ever since, knowing that this company has such bad security and that any debtors they are chasing for payments could potentially have all of their personal data leaked.
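What the fix for an endpoint like this looks like, as an added example (not code from the thread or from the agency's software): the client names an allowlisted report, each filter value is type-checked and bound as a query parameter, and the endpoint requires an authenticated session. The raw `?sql=` handler is kept beside it for contrast. Table, column and report names, and the sample rows, are constructed.

```python
import sqlite3
from typing import Any, Callable, Dict, List, Tuple

# Allowlisted reports: the client chooses a *name*; the SQL text is fixed here
# and every filter value is bound as a parameter, never spliced into the query.
REPORTS: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "debts_by_status": (
        "SELECT id, amount FROM debts WHERE status = ? ORDER BY id",
        ("status",),
    ),
    "debts_over_amount": (
        "SELECT id, amount FROM debts WHERE amount > ? ORDER BY id",
        ("min_amount",),
    ),
}


def _status(value: str) -> str:
    # Enumerated column: only the two known states are accepted.
    if value not in ("open", "paid"):
        raise ValueError("status must be 'open' or 'paid'")
    return value


def _min_amount(value: str) -> int:
    return int(value)  # raises ValueError for anything that is not an integer


# Every filter has a strict type/allowlist check before it reaches the database.
FILTER_TYPES: Dict[str, Callable[[str], Any]] = {
    "status": _status,
    "min_amount": _min_amount,
}


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the agency's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE debts (id INTEGER PRIMARY KEY, debtor TEXT, "
        "amount INTEGER, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO debts VALUES (?, ?, ?, ?)",
        [
            (1, "Debtor A (constructed)", 120, "open"),
            (2, "Debtor B (constructed)", 45, "paid"),
            (3, "Debtor C (constructed)", 300, "open"),
        ],
    )
    conn.commit()
    return conn


def legacy_report(conn: sqlite3.Connection, params: Dict[str, str]) -> List[Tuple]:
    """The pattern the comment describes: whatever arrives in ?sql= is run
    as-is, and nothing checks who is asking."""
    return conn.execute(params["sql"]).fetchall()


def handle_report(
    conn: sqlite3.Connection, session: Dict[str, Any], params: Dict[str, str]
) -> Tuple[int, Any]:
    """Hardened replacement; returns (http_status, body)."""
    if not session.get("authenticated"):
        return 401, "login required"
    report = REPORTS.get(params.get("report", ""))
    if report is None:
        return 400, "unknown report"
    sql, filter_names = report
    args: List[Any] = []
    for name in filter_names:
        if name not in params:
            return 400, f"missing filter: {name}"
        try:
            args.append(FILTER_TYPES[name](params[name]))
        except ValueError as exc:
            return 400, f"bad filter {name}: {exc}"
    return 200, conn.execute(sql, args).fetchall()
```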

You don't erase just your debt, you open up Tor browser and drop the entire database. That'll teach them for next time.

> you open up Tor browser and drop the entire database

Apart from being a federal crime (CFAA), it would be rather obvious by the logs that a user was testing SQL injection on the demo system minutes before the production system was vandalised.

A better option would be to pay the debt, and then let them know you found a potential issue on their demo system. Let them connect the dots between demo system and production system. If they can't make the logical leap, then they deserve whatever someone else does.

Well obviously if you do that you wouldn't be testing the SQL injection for your main connection to begin with.

I'm not arguing against paying the debt - I would pay it in either case. However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

> However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

I understand the feeling here, but no, they don't deserve to get their assets destroyed because of a lack of care.

Why not? Destroying the company means they won't be there anymore to put everyone's PII at risk.

Because private property is a cornerstone of a free society?

You can't just destroy someone else's property because you have some personal anarchist notion of justice.

If they are really being negligent then they should face the proper penalties.

Well the issue is that there are no penalties. Only free money for lawyers and nothing for the people who got their PII stolen.

Dropping the DB means there's no more PII to leak, makes a pretty good financial penalty for the company and doesn't make millions for useless lawyers. That sounds like an acceptable solution by my standards.

Better to pay your debt, wait till your PII has been removed, then issue a public disclosure of the bug.

Public disclosure because everybody should know about something like this that may impact them. Not because some random vigilante will see it and drop their DB for which they probably have no backups.

Make a backup for them first too, just in case they don't have one.

This is very evil...

In most of my D&D games it might be considered chaotic good depending on the debt collector.

Such companies are usually extremely shady and unethical, I would not consider it evil at all to delete all of their recorded debts via tor or something.

Would you gladly go to prison for it?

An interesting moral query: how much debt erased is worth a prison sentence of X years?

No, which is why I mentioned tor.

In case anyone feels like doing something like that, this talk is worth a listen:


A talk on how Tor users got caught. In a nutshell: it wasn't Tor's fault, but bad OPSEC on the part of the users.

Also, it is worth considering that debt collection agencies are very good at finding people, and very bad at upholding ethical standards. Going to prison is not the worst case scenario.

Is it actually profitable to do that sort of unethical activity though? These aren't exactly loan sharks right?

If you think you can't get caught because you use Tor, I know of a few people who can testify otherwise. See, e.g., Ross Ulbricht and Christopher Grief, to name a few.

Go to the public library and use a pc there? Or a free wifi in a mall?

See the previous point about Ross Ulbricht (arrested in a public library)

This is where anonymous notification / bug reports are useful, followed by public follow-ups if there is no action after a period of time.

I personally would have said to them "Would you like a fair trade? I've discovered a huge problem in your software that could allow anyone to remotely wipe their debt without you really knowing about it. I'll give that information in exchange for elimination of my debt. The money you'd lose from me is utterly dwarfed by the money you'd save by locking down this security issue, an issue which many bad actors would pay millions for. It makes financial sense and you'd be covering yourself security-wise. Win-win for all involved!"

Sounds like you are threatening them. The idea is OK but the language should be much more subtle to be effective.

In my country, the laws are draconian and totally against this kind of responsible disclosure. But being a good guy, whenever I find something I write a strongly worded email explaining why the company's IT department messed up, how to test said mess-up, and how they can hire my company to ensure these kinds of stupid things don't happen again.

I've reported several of these issues; sometimes all I get is a single reply months later saying "fixed". Mostly, nothing.

Once I found a SQL injection in a courier service's (very broken) web portal. This was very serious because any idiot could drop all the tables, so I sent an email to the most important-sounding member of their tiny, yet already bureaucratically structured team. I followed up several times because I knew someone saw my email (I embed beacons in my emails) but gave up after the sixth time. Three months later someone else replied saying "thanks Amin, we've fixed it".

On a separate occasion, a large government agency's emails routinely ended up in my spam folder. It was a huge problem, and they acknowledged it and said they couldn't figure out what was wrong. I took five minutes and found the problem to be a misconfigured server on the domain. The server sending the email thought it was `server-a.governmentdomain.com`, but there were no DNS entries pointing the subdomain to the server. I reported this problem with clear instructions to test and fix the issue, but despite the instructions I was called, multiple times, to explain the issue in my own words over the phone. This was two years ago; last I checked, the issue was still present.

Offering your company's services could be risky. Whatever your good intentions, it could be portrayed as extortion.

That's why you speak to a lawyer first, the law is an ass, and they're the right tool for telling you how to avoid these nasty little traps.

...provided the law in your country really works.

If they use Google's GSuite for their emails, I think that prefetches all content and makes beacons pretty useless (by design).

They don't; usually companies in my country opt for a home-rolled solution, or Microsoft Outlook.

That aside, Streak.com's beacons work even in GSuite readers! They're awesome. It's essentially just a unique image included in the email body.

How do you embed beacons into your emails?

    <img src="https://my.server.net/beacon-uuid.png" height="1" width="1" />

Streak.com does it for you, it's awesome

Two takeaways, one from this and one from my other past experience.

First, when testing whether you can change a price and have a transaction go through successfully, RAISE THE PRICE. If you lower the price the affected entity may come back and say "See??? He's STEALING from us! Lock him up!" If you've overpaid for something through their web interface that complaint and issue goes completely away.

Second, if you're going to suggest that they contact you for assistance in fixing it also suggest other options. My typical handling for this is with hacked websites, so I'll basically say "Your website has problems X, Y and Z. You should work with whoever you have working on your site to resolve these. If you don't have anyone I may be able to assist you, or I recommend talking with a firm like Sucuri.net which has dealing with and preventing issues like this as their primary business. (My only link with Sucuri is having seen some of their folks do presentations at trade shows.)"

3rd takeaway - don't do this in Turkey unless you want to end up in a literal Turkish prison.

4th takeaway - the Budapest metro system doesn't quite go that far...

> If you've overpaid for something through their web interface that complaint and issue goes completely away.

Or it doesn't, because you have still "hacked them". Doing it in a seemingly bizarre way may only raise more suspicions; obviously you must have maliciously cheated them, since who would give them money?

Please don't put people at risk by giving such "advice".

What I was talking about was the question of being accused of theft (by having completed an order/purchase after lowering the price). This was also in the context of someone already intending to push a transaction with an attempted price change. At that point nothing you do with the price is going to prevent a "hacking" charge if there's going to be one, but you may be able to prevent a corresponding "stole from us" charge.

Side note: this page gives me the weirdest Firefox behaviour I've ever seen: https://gfycat.com/HandyRapidJabiru

That is weird! Would you mind providing your system configuration and Firefox version info so I can file a bug? (Or you could file one here yourself if you're so inclined: https://bugzilla.mozilla.org/enter_bug.cgi?format=guided#h=b...)

Do not file a bug, you might get arrested.

Using Firefox too, I cannot replicate the behaviour. Could it be something on your side of things causing this? Have you tried turning it off and on again?

I am having this exact issue.

- Firefox 54.0.1 (64-bit)

- Arch Linux 4.11.5-1-ARCH

I'm on the 4.11.9-1-ARCH kernel, but same Firefox version. I'm only able to reproduce with the Zotero addon enabled, are you using it too?

I also have this issue, interestingly also on Arch. I've also seen another site with that issue before, but I can't find it now.

I want to emulate that behavior somehow.

So I tried but the results were... um, unexpected: https://gfycat.com/negligiblesnivelingastarte


    var db = document.body;
    document.onscroll = function () {
      // Reset, then stretch the body vertically by scrollHeight / (scrollHeight - scrollTop).
      // The factor grows without bound as scrollTop approaches scrollHeight.
      db.style.transform = 'scaleY(1)';
      db.style.transform = 'scaleY(' + db.scrollHeight / (db.scrollHeight - db.scrollTop) + ')';
    };

That looks like it would be a good April Fool's Day prank.

It seems from the code that you first stretch it out to Infinity, and then when scrollTop is bigger than scrollHeight, you go from negative Infinity back to 1. Negative values of scale() 'mirror' the element. Maybe make sure scrollTop is never equal to or bigger than scrollHeight.

This result is by itself amazing, but if you want to make it behave a bit more like the bug you can set the transform-origin to "center bottom".

That's probably the weirdest browser behaviour I've seen on any browser! I don't even know how I would describe that to someone :/

Like it's printed on some form of mathematical hyper-rubber sheet, and scrolling pulls it down until it stretches into invisibility, rendering the next rubber page visible.


It looks like the scrolling in Firefox is implemented in screen-height tiles, and when he's scrolling it's picking a smaller and smaller portion of the top tile (as the top portion of the tile is scrolling out of the window) but not updating the bottom coordinate of the rectangle it's supposed to render to (so instead of moving up, instead the smaller and smaller portion gets stretched out to fill the window). Then when the top tile is supposed to be completely off-screen, it jumps to the second tile in one go.

We've seen two[1] cases[2] of this in Denmark in the last couple of years surrounding systems that kindergartens are using. The second one is currently (still) being investigated, but the first one was rightfully concluded earlier this year with the "hacker" being acquitted.

In both cases, it was dads of children in the institution that noticed the bugs when they were rightfully using the system and were ignored when notifying the responsible party about it until they "shouted it so loudly" that they couldn't be ignored anymore, in which case they were reported to the police for hacking.

Links below are in Danish, but they can probably be translated if needed.

1: https://www.version2.dk/artikel/boernehavehackeren-frifundet...

2: https://www.version2.dk/artikel/interview-hacker-tiltalt-jeg...

> "this outrageous move from the police brought about fierce reaction resulting in tens of thousands of 1-star reviews on the facebook pages of the companies involved"

In the old days, protesters used to physically go and picket in front of company offices. These days, protesters leave one-star reviews. I wonder which is more effective.

Yep, a few people were frowning, especially since democracy is in pretty bad shape in Hungary right now. However, in this case it works: it will be seen and remembered longer this way. Also, there were quite heated discussions on Facebook, the case received a lot of attention even from non-tech people, the guy will be represented by the lawyers of a human rights association, etc.

And actually there will be a protest in front of the office of the Public Transport Authority tomorrow. But I think in this case, the online petitioning worked pretty well.

As every other country on earth right now, Hungary is not a democracy at all. So there's that.

At some point we need to understand the newspeak used here: by squatting the word democracy to label the political system based on elections, people in power manage to prevent the emergence of an actual democracy.

Please stop misusing this word so we have a better chance of actually having a democracy somewhere at some point in the future.

> Please stop misusing this word so we have a better chance of actually having a democracy somewhere at some point in the future.

Please stop promoting democracy as the be-all end-all of systems for organizing human society. As the old saw goes "Democracy is two wolves and a lamb voting on what to have for dinner. Liberty is a well armed sheep contesting the outcome".

A practical democracy must be an abstraction of a pure, idealistic democracy. You cannot have millions of people deciding on every issue. Democratically elected representatives are one way we can do this.

There may be better ways of doing things but it doesn't make democracies not democracies.

> You cannot have millions of people deciding on every issue.

From a technical perspective, this is clearly untrue.

> From a technical perspective, this is clearly untrue.

It's impossible if you take “every issue” literally, as you are multiplying the number of decisions that must be made by each participant per unit of time so much that the time to consider them is non-existent.

It's less impossible if you reduce it to the kind of decisions typically made by a legislature, which mainly just sets rules for executive and judicial officials to apply in deciding more specific issues.

But even then it's of dubious practicality; obviously not every citizen can have a full-time legislative staff, and most have other things besides legislation to devote their time to.

> "democracy is in pretty bad shape in Hungary right now"

I thought that Hungary has a democratically elected government. Did I miss something?

There's a saying that democracy is not when a government gets installed by fair elections, democracy is when a government gets removed by fair elections.

Hitler was democratically elected as well, that is not sufficient to label his regime as democracy.

> Hitler was democratically elected as well

No, he wasn't; it is not that simple. His party at that time had no majority despite being the largest one. He got appointed chancellor not by democratic vote but by backroom negotiations, mostly because he was expected to be easy to control.

From this state he went for the dictatorship but again not by democratic election but rather by scaring the other parties into voting him the Enabling Act in 1933 after the supposedly communist-inspired Reichstag Fire.

"Democratically elected government" does not imply "democracy is not in bad shape".

We have several examples of such situations right now.

"Democratically elected government" implies that it is not a democracy but anything from aristocracy to plutocracy, with a few things in between such as kleptocracy, oligarchy, etc.

The very definition of election means aristocracy. To have a democracy it requires sortition instead.

Yes, you probably missed a few lessons in high school. When I went there, I was taught that separation of powers is an important element, amongst others. This clearly does not apply to Hungary anymore, as the highest juridical power is an inner circle person (Tunde Hando), other important positions have also been filled with Fidesz's (the ruling party) people without any consensus with the opposition. This includes the constitutional court, the president of the republic (wait, what? Hungary is not even a republic anymore :) ). The police got and executed on direct commands from the PM.

But if you don't like that, here's a short excerpt from Wikipedia: "No consensus exists on how to define democracy, but legal equality, political freedom and rule of law have been identified as important characteristics."[1]

We don't have any of these. Or, to put it in an easier to digest way: all of these have been regularly (and increasingly) violated by the govt.

As probably a fellow Hungarian who likes (is emotionally attached to) this government, I understand you are OK with it, but it doesn't make the current system any more democratic. Fun fact: the Kadar system called itself democratic too. But it's judged from the outside, for obvious reasons.

[1]: https://en.wikipedia.org/wiki/Democracy#Characteristics

Here's Human Rights Watch on Hungary: https://www.hrw.org/europe/central-asia/hungary

Much of it focuses on the treatment of refugees, but you'll also find information about the suppression of free speech and the like. A "democratically elected government" in a country where the opposition is suppressed is not that democratically elected after all.

Only the sentence about refugees is true, but that has nothing to do with democracy.

<tinfoil>Financier and philanthropist George Soros of the Open Society Foundation announced in 2010 his intention to grant US $100 million to HRW over a period of ten years to help it expand its efforts internationally.</tinfoil>

So does Russia. And many African countries.

I'm as much of a curmudgeon when it comes to slacktivism as you can get. But damaging a company's online presence with negative reviews, ratings, posts on social media, blogs, and more, will live on. It will hurt the company quite a bit. In this case I think the online element is quite effective.

Also there seems to be some irl protesting going on as well, at least in this case.

Honestly, I wouldn't be surprised if the reviews are effective—I bet reviews are a metric that's tied a lot more directly to executive compensation/promotions than "number of people protesting outside HQ"! Both attack the company's reputation, and, unless a protest gets on a major news network, I suspect acting out on Facebook has greater reach.

Furthermore, the 4,500 one-star reviews are there to stay, while a single protest fades away :)

Having 1.1 avg review on the T-Systems International's official FB and Google page can affect the sentiment of their investors.


When the story made it to Slashdot's front page, it had ~46k 1-star reviews and a few hundred ratings in the 2-5 star range.

Methinks whoever is in charge of company reviews at BKK is despairing right now. Unless they somehow convince FB to drop the recent cohort of 1-star ratings (which will almost certainly yield a Streisand effect) and keep a low profile for a very long time before allowing star ratings again, there's simply no way the BKK will rescue the rating.

It's unfortunate for the BKK and its staff. The quality of their service and vehicles is good overall and the staff is friendly. It's admittedly not 5-star grade, but it's certainly not 1-star material either. Yet this sequence of events might haunt them for years.

People can, and do, do both things.

There are still protests at their offices as well. Source: I went to one a little while ago.

Although deeply unfair, this is not unusual, there have been many reported cases of companies shooting the messenger.

Unless the company concerned has a well documented and trusted bug bounty procedure, it can be very risky to report a bug in a system, if it involves any kind of hacking.

What happens is once the "bug" is reported, someone inside the company asks "How did this happen?". Now the person responsible has 2 options, admit it was their fault and the vulnerability exists and risk being accused of incompetence, or say that the system was hacked.

Human nature being what it is, one tends to complain of being hacked, thus snow-balling effects, which lead to the arrest of an 18 year old just trying to help.

My advice: Don't report these types of bugs at all, or if you really feel you must, report anonymously.

One thing that solves this is stating the obvious, something getting hacked means someone was incompetent.

Indeed, I fail to see the distinction. Perhaps "hackers" have some kind of mythical superpowers in the eyes of the common folk.

"There was nothing I could do boss! He's a hacker!"

> the poor 18 year old 'hacker' who was stupid enough to email them

s/stupid/trusting/. There's no reason to think this guy isn't bright, and he's faced enough trouble without piling on.

I believe the author meant it to sound sarcastic

It's definitely a jab at the company, but seems to cast a little shade too on the bug-finder. Cf the lede "The amount of stupidity in this story warrants that this is going to be somewhat long". That might not be the author's intent! I hope they'll see this as helpful.

Sounds a lot like what happens here in India [1].

Also, if such behaviour is systemic, how should we bring about the paradigm shift in handling such events? Such incidents will happen more often across the world as e-governance becomes more predominant.

1 - https://thewire.in/119578/aadhaar-sting-uidai-files-fir-jour...

> We knew that they have been working on an NFC/smart card based system for around 4 years, without any visible result despite having spent over 4 million EURs.

The public procurement process for the current system, called RIGO, was indeed in 2013, but the whole process is much, much older than that. A more than 300-page feasibility study was published in 2011: https://www.bkk.hu/apps/docs/megvalosithatosagi_vizsgalat.pd... And a completely different system, called Elektra, was announced in 2004 with a 2006 deadline.

This whole clusterfuck with RIGO starting in less than a year was absolutely unnecessary since the 2011 study already suggested supporting contactless credit cards so once RIGO starts the only ones using this online ticket purchasing system will be those who have a credit card but not a contactless one. This is a (very) rapidly shrinking audience.
