Hacker dumps thousands of sensitive Mexican embassy documents online (techcrunch.com)
113 points by oropolo 31 days ago | 27 comments

Any cables from the German Empire in there?

My child and I recently read “Treaties, Trenches, Mud, and Blood” and found it a very accessible telling of WWI.


The reading of German communications by the US is more direct these days. https://www.google.co.nz/amp/s/amp.theguardian.com/us-news/2...

So normally he's a white hat that gets paid for bounties, but once he misses a single reply he dumps everything to the public? This barely earns him anything and puts government workers in unnecessary risk.

> once he misses a single reply he dumps everything to the public

Also known as "black hat", aka criminal.

Seems this is just all mundane info about ordinary people, no scandals, no war crimes, no improprieties. He's massively violated their privacy and subjected them to identity theft. Hope justice finds this bad dude.

"Normally" is a strong word, when it seems pretty clear his "bounties" are more like blackmail payments.

White hat hackers release bugs to get them fixed. This is clearly just a case of extortion. You release a bug, you don't steal documents yourself.

> ... are more like blackmail payments.

Nothing in this article concludes that he asked for payment.

Done properly you'd discover that you could copy sensitive files. You don't actually copy them.

I kind of got in a shit storm with Sun Microsystems back in the day about this...

One of their servlets had a query parameter like


and I found out that it accepted file:// URLs.

They had the daemon running as root and I could read everything on the box.

Anyway. I sent them an email to webmaster and to a few PMs I knew but heard nothing back.

About a week later I got a REALLY nasty legal as apparently they thought my email was an attempt to extort them and not just a nice guy trying to point out the problem.

I think they thought I downloaded source code ...

The PMs I emailed had to step in and vouch for me but I think that without their help I would have ended up with a really shitty lawsuit.

Never disclose things like that. It does nothing positive for you. You could end up in legal hell.

If you really want it fixed post to pastebin and the traffic will bring attention to it. But it's better to just ignore and move on.
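The bug in the story above, as an added example that is not from the thread or from Sun's code: a handler that fetches whatever URL the client passes in a query parameter, next to a hardened version that only allows http/https to an allowlisted host. The parameter name, the allowlist and the sample "secret" file are assumptions made for the example; the leak is shown with a temp file instead of a real file on the box.

```python
"""Added example (not the commenter's or Sun's code): a URL fetcher that
trusts a client-supplied ``url`` parameter, and a hardened replacement.
The allowlist and the sample file below are assumptions for illustration."""
import os
import tempfile
from urllib.parse import urlsplit
from urllib.request import urlopen

# Hosts the service is supposed to talk to (assumed for the example).
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
MAX_BYTES = 1 << 20


def fetch_unsafe(url: str) -> bytes:
    """The pattern from the story: the parameter is handed to the URL
    library as-is. urlopen() understands file://, so ?url=file:///etc/passwd
    returns local files with the privileges of the server process
    (root, in the story above)."""
    with urlopen(url) as resp:
        return resp.read(MAX_BYTES)


class RejectedURL(ValueError):
    """Raised when a client URL fails validation."""


def check_url(url: str):
    """Return None if the URL may be fetched, otherwise the rejection reason.
    Validates scheme and host before any I/O happens."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "scheme not allowed: " + (scheme or "(none)")
    if parts.username or parts.password:
        # Blocks http://www.example.com@evil.test/ style confusion as well.
        return "credentials in URL not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return "host not allowed: " + (host or "(none)")
    return None


def fetch_safe(url: str) -> bytes:
    """Hardened fetcher: reject anything that is not http(s) to an
    allowlisted host, then fetch with the same size cap."""
    reason = check_url(url)
    if reason is not None:
        raise RejectedURL(reason)
    with urlopen(url) as resp:
        return resp.read(MAX_BYTES)


def leak_demo() -> dict:
    """Constructed sample: a temp file stands in for a secret on the box.
    Shows that the unsafe fetcher reads it and the safe one refuses."""
    fd, path = tempfile.mkstemp(prefix="servlet-demo-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"secret-config-value\n")
        file_url = "file://" + path          # e.g. file:///tmp/servlet-demo-abc
        leaked = fetch_unsafe(file_url)
        try:
            fetch_safe(file_url)
            blocked = False
        except RejectedURL:
            blocked = True
        return {"leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(leak_demo())
    for u in ("file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/",
              "http://www.example.com@evil.test/",
              "https://www.example.com/report"):
        print(u, "->", check_url(u) or "allowed")
```

The allowlist is checked before any network or file access, which is what makes the scheme check effective; a deny-list of "file" alone would miss other handlers the library supports. Two caveats a reviewer would add: urlopen() follows HTTP redirects, so the redirect target also needs validating (or redirects disabled) before this is safe against a hostile allowlisted server, and a host allowlist does nothing about DNS rebinding unless the resolved address is checked as well.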

Agreed. CFAA makes these kinds of disclosures stupid-risky in the USA. If the company has a bug bounty program then MAYBE disclose. You only stand to lose by trying to be a good samaritan otherwise.

Sounds like blackmail “Pay me or else.”

To clarify, this is the Mexican embassy in Guatemala. I doubt there's anything interesting in there beyond the usual political maneuvering of border countries

Did anyone else read the headline and think we were about to see a WikiLeaks style dump?

The hacker apparently had never heard of sharing the documents via torrent or posting a link to them on the dark web.

I wonder what is going on between Mexico and Guatemala, given the large amount of Guatemalans going through Mexico to reach the US.

You are in a marvelous position to find out.

But will this wake up the Mexican ambassador?


The article says the hacker tried to disclose the vuln before going public but was ignored. You can put your internet pitchfork down.

Yes, they tried disclosing to officials. Not the ambassador. You're inserting your own interpretation, while I am curious about the intentions of the parent comment. I was assuming no ill-will, by the way.

I think they're saying the Mexican ambassador hasn't been "paying attention", probably meaning they've been ignoring important issues. More like "wake up sheeple".

You're overreacting.

I said that I hoped I was reading this wrong, so I'd posit that I was simply asking a question.

Fair game:

[...] In previous correspondence with the hacker, he said he tries to report problems and has received bounty payouts for his discoveries. “But when I don’t get a reply, then it’s going public,” he said. [...]

Before we speak about responsible disclosure and call people "hackers" in a negative context, we have to talk about irresponsible QA processes. This is true for both tech companies and anyone utilizing technology for whatever means.

it's similar to saying: "yes I left a loaded gun there, but let's blame the evil criminal who picked it up and did a bad thing", ...

... I'm not defending him. My point is responsibility has to be on both sides. Today companies rather participate in PR circle jerks (and mistake bug bounties for real audits) instead of cleaning up their own actual security problems.

Edit: in a similar thread this week we had Wipro breached, which then claimed that they did everything:

> “Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

If they were really using industry best practices against phishing they'd have used U2F. Nobody is using it at Wipro though. CISOs today rather point to how well they've outsourced the problem (at least the damage control part) by pointing at their insurance policies (which often won't even cover a breach, and which do nothing to protect the user/data and only protect the company bottom line). Talk is cheap, fuck them all.

I mean, it's not fair game though.

You can release a bug, tell other people how it works, publicly shame the government into having better security. But stealing the documents and holding the stolen documents for ransom?

Why should they pay him? He's clearly acting like a criminal, not someone trying to just make a living by making society safer. He's making it worse on purpose because he didn't get his way.

I wasn't saying they should pay him. I don't think they should. But having been on the receiving end of this behavior for far too long, my point is that he should be listened to and not ignored like this. It would be OK if it were just ignoring; I've seen companies very eager to use legal threats too, especially if the researcher is an isolated individual and not a company.

It's not too much to ask to have a security@ mailbox and actually pay attention to it. If you don't have a disclosure process in 2019 then there is no reason you should have your systems exposed (whether that's a gov site or a company doesn't make a difference) IMHO.

The moment you answered I was still editing my post trying to point out that I'm not defending him. Sorry if there was an overlap here.
