Also known as "black hat", aka criminal.
Seems this is just all mundane info about ordinary people, no scandals, no war crimes, no improprieties. He's massively violated their privacy and subjected them to identity theft. Hope justice finds this bad dude.
White hat hackers release bugs to get them fixed. This is clearly just a case of extortion. You release a bug, you don't steal documents yourself.
nothing in this article concludes that he asked for payment.
One of their servlets had a query parameter like
and I found out that it accepted file:// URLs.
They had the daemon running as root and I could read everything on the box.
Anyway. I sent them an email to webmaster and to a few PMs I new but heard nothing back.
About a week later I got a REALLY nasty legal as apparently they thought my email was an attempt to extort them and not just a nice guy trying to point out the problem.
I think they thought I downloaded source code ...
The PMs I emailed had to step in and vouch for me but I think that without their help I would have ended up with a really shitty lawsuit.
If you really want it fixed post to pastebin and the traffic will bring attention to it. But it's better to just ignore and move on.
[...] In previous correspondence with the hacker, he said he tries to report problems and has received bounty payouts for his discoveries. “But when I don’t get a reply, then it’s going public,” he said. [...]
Before we speak about responsible disclosure and call people "hackers" in a negative context, we have to talk about irresponsible QA processes. this is true for both tech companies or anyone utilizing technology for whatever means.
it's similar to saying: "yes I left a loaded gun there, but let's blame the evil criminal who picked it up and did a bad thing", ...
... I'm not defending him. My point is responsibility has to be on both sides. Today companies rather participate in PR circle jerks (and mistake bug bounties for real audits) instead of cleaning up their own actual security problems.
Edit: in a similar thread this week we had WIPRO breached which then claimed that they did everything
> “Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”
if they'd really be using industry best practices against phishing they'd have used U2F. Nobody is using it at Wipro though. CISO's today rather point to how well they've outsourced the problem (at least the damage control part) by pointing at their insurance policies (which often won't even cover a breach, and which does nothing to protect the user/data and only protects the company bottom line). Talk is cheap, fuck them all.
You can release a bug, tell other people how it works, publicly shame the government into having better security. But stealing the documents and holding the stolen documents for ransom?
Why should they pay him? He's clearly acting like a criminal, not someone trying to just make a living by making society safer. He's making it worse on purpose because he didn't get his way.
It's not too much to ask to have a security@ mailbox and actually pay attention to it. If you don't have a disclosure process in 2019 then there is no reason you should have your systems exposed (whether that's a gov site or company doesn't make a difference) IMHO
The moment you answered I was still editing my post trying to point out that I'm not defending him. Sorry if there was an overlap here.