by goodplay 3245 days ago
I remember coming across a serious bug in a site that belonged to a top multi-billion company. My brother also found what was essentially an unrestricted privacy leak (and possibly editing access) in a top university (the leaked data is sensitive personal information, not academic). Neither of us reported (or exploited) what we found.

Protection from this kind of blame-shifting and misdirected retaliation should be guaranteed by law. Until it is, bugs in critical and important infrastructure will go on unreported, and remain available for malicious actors to exploit.

9 comments

I'm having trouble understanding what exactly an org's thought process is when they elect to prosecute someone for reporting a security issue.

Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

EDIT: Is it suspicion? "Hmm...this person found an unlocked door, which means they were clearly trying all the doors. Don't like that. Who knows what else they found but didn't report." Which is understandable, but clearly counter-productive. If the person was a malicious actor, they obviously wouldn't go to the trouble of reporting in the first place.

My guess would be:

- BKK is the client of T-Systems. They have a contract for the development and maintenance of this system which might contain clauses about liability or indemnification in cases of hacking, security bugs, negligence, etc.

- This guy reported it to BKK who obviously don't have any technical knowledge

- BKK (the client) forwards the email to T-Systems (the contractor): "What's this about? Looks like hacking or something."

- Now T-Systems has two options: 1. Blame it on the guy, or 2. Take the blame for overpromising and screwing it up, possibly taking a financial loss of an unknown amount (depending on the contract and how widespread exploitation was)

That's unlikely. Even if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and then do acceptance testing. So the "BKK obviously don't have any technical knowledge" claim is bogus.

It's possible the particular BKK person dealing with the report does not have technical knowledge, but that's more a fail on BKK's side, as they let incompetent people deal with reports of security incidents.

But I'd bet it's merely a matter of covering broken shit and shifting blame. BKK is (probably?) a public company, managing transport in the capital city. They manage a lot of money, and it's not uncommon to funnel lucrative contracts to friendly companies, even if it increases price and the quality is dubious. Whoever came up with this project / awarded the contract / accepted the solution is probably scared people might start digging into the details. Better blame the problems on a hacker!

> Even if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and then do acceptance testing.

I don't think this is true. When you buy a house, do you have to be able to do the specification and evaluate? This is a good analogy, because T-Systems have delivered similar solutions to other clients, what they needed here is a little bit of tailoring and integration (which is not the part that failed).

It is common for a typical western government to have domain specialists, working directly for them, to help write the contracts and requirements for their external contractors and vendors.

In my experience, clients rarely have any technical expertise at all.

Definitely not the case. Huge numbers of SME clients evaluate tendered work on visual inspection alone. I've only ever had one or two clients (having worked in-house, contract, and for an agency) who had any knowledge of cyber security.

I think the hypothetical above is very reasonable. Lots of technical vendors will elect to shift blame. They should take responsibility for their issues, but they often don't.

Except that BKK is not an SME, but a company managing transportation in a city with nearly 2 million people. I've done work for similar organizations founded by municipalities (although smaller and not in Hungary), and pretty much all of them involved technically-skilled people in the process.

Perhaps BKK operates in a different way, but well - incompetence is not an excuse. It's a management failure.

I think there is a disconnect in how techies and non-techies think about web security in general.

To push your analogy further, the non-tech person thinks of this type of exploit discovery as if someone has trespassed onto their private yard in the cover of darkness, trying every door and window.

A tech savvy person might instead think of it as a row of doors lined up next to a busy street, in broad daylight.

Knocking, and telling someone that they have "forgot their keys in the door" seems a bit creepy in the first scenario, but completely legitimate in the second.

I think that the second scenario in your analogy is somewhat creepy too. Why are they trying all of the doors? A person should have a reasonable expectation of privacy in their house, to be able to walk around in their underwear or whatever without someone just opening the door on them.

Edit: Note that in this analogy the keys aren't fully visible from outside and it requires opening the door to be sure that the keys were accidentally left out

If your security is "http://example.com/1234/secret_data/", but 1234 is your customer number, and changing the customer number gives you someone else's data, then the analogy is more like:

"the sheriff has told everyone that there's a bad dude wandering round town trying doors, and [responsible citizen] noticed that everyone had identical door-keys which would open every lock".

Is that still creepy?
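
The URL pattern described above (`http://example.com/1234/secret_data/`, where 1234 is your own customer number and changing it returns someone else's record) is an insecure direct object reference. The following is an added example, not code from the thread or from the system being discussed: a request handler that does exactly what the comment describes, beside one that binds the lookup to the authenticated session, plus the kind of probe an authorised tester would run to show the difference. The customer records, session tokens and path layout are all constructed for this illustration.

```python
"""Added example: IDOR on /<customer>/secret_data/ and its hardened form.

All data below is constructed for the illustration; nothing here is the
real site's code or data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: customer number -> that customer's private record.
CUSTOMERS: Dict[int, dict] = {
    1234: {"name": "Alice", "iban": "HU42 ..."},
    1235: {"name": "Bob", "iban": "HU17 ..."},
}

# Constructed sample sessions: session token -> authenticated customer number.
SESSIONS: Dict[str, int] = {
    "tok-alice": 1234,
    "tok-bob": 1235,
}

Response = Tuple[int, Optional[dict]]
Handler = Callable[[str, str], Response]


def parse_path(path: str) -> Optional[int]:
    """Extract the customer number from '/<customer>/secret_data/'."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[1] == "secret_data" and parts[0].isdigit():
        return int(parts[0])
    return None


def vulnerable_handler(path: str, session_token: str) -> Response:
    """The broken pattern from the comment: the request is authenticated,
    but the record returned is chosen purely by the number in the URL.
    Any logged-in user can read any customer by editing that number."""
    if session_token not in SESSIONS:
        return 401, None
    customer = parse_path(path)
    if customer is None or customer not in CUSTOMERS:
        return 404, None
    return 200, CUSTOMERS[customer]


def hardened_handler(path: str, session_token: str) -> Response:
    """Derive the record from the session, not from the client-chosen id.
    If the URL still carries an id, it must match the session's owner."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    requested = parse_path(path)
    if requested is None:
        return 404, None
    if requested != owner:
        # 404 rather than 403, so the response does not confirm that the
        # other customer number exists.
        return 404, None
    return 200, CUSTOMERS[owner]


def idor_probe(handler: Handler, session_token: str, candidates: range) -> List[int]:
    """Authorised-test helper: which customer numbers does the handler hand
    back to one session?  Any id other than the session's own is a leak."""
    own = SESSIONS.get(session_token)
    return [
        cid
        for cid in candidates
        if cid != own and handler(f"/{cid}/secret_data/", session_token)[0] == 200
    ]


if __name__ == "__main__":
    # Alice's session, walking the neighbouring ids the way the comment describes.
    print("vulnerable leaks:", idor_probe(vulnerable_handler, "tok-alice", range(1230, 1240)))
    print("hardened leaks:  ", idor_probe(hardened_handler, "tok-alice", range(1230, 1240)))
```

The probe is the check worth keeping: run it with one low-privilege session over a small id range and any non-empty result is an authorization bug, regardless of how the ids are generated. Unguessable ids only make the probe slower; the hardened handler's session-to-owner check is what actually closes the hole.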

I would find it creepy that someone was testing their key on other people's doors.

If I caught someone trying their key on my door I would call the cops, even if they said they were just testing it to see if it would work.

who is the sheriff in this case?

I'm the sheriff!

But all kidding aside, it sounds like the sheriff is the hacker, who has discovered through investigation that every lock is the exact same.

That said, a hacker isn't elected to protect people, they are doing it out of the "kindness" of their heart. What a lot of people get in trouble for is hacking first and asking for permission after.

If you go up to a company with a statement like: "I think you may have a vulnerability in your software. I haven't tested this hypothesis (you can verify in your logs), but with your permission, I could check it, and report back to you." Most companies would probably be thankful, others might instead get mad and handle it internally. But if you DON'T hack first, you have nothing to really worry about.

Sorry, I didn't word that correctly. I was referring to actually leaving the keys on the outside. What I was trying to get at is the mental image of a shady person skulking around in a backyard. I think many people have that sort of "what were you even doing there" perception of so-called hackers regardless of their flavour. If they instead realized that a public facing interface is something that will inevitably be explored over and over again, they would have a different opinion.

Never underestimate the diversity of the concept of Justice in those who are uneducated, unwise, and dishonest to what is real. If you try to trace this behavior you'll find truly random causes. There are an infinite number of ideas one can substitute for something they don't know or willfully ignore in their own perceived interests. The real problem is when those substitutions are guiding determinations for someone with authority over others.

I'll also add: when I was a teenager I was in this position countless times, reporting security issues at school, etc. The reactions I received from fully grown adults were nothing short of stochastic. This fascinated me enough to minor in political science and philosophy/ethics. I draw on that for insight, but it doesn't really provide a final answer.

This. Executives who usually have no trouble treating engineers as replaceable parts, suddenly fail to believe someone else can and possibly has found the same vulnerability. They think getting rid of the one person capable of finding it is all it takes to be safe.

Because if they acknowledge it, it shows their own incompetence. It is much better to blame the issue on some "hacker" than to acknowledge that you failed. The latter might mean that you get kicked out by investors.

And multi-billion companies or governments are in the business of bending over customers and effing them. So another guy getting fked is business as usual.

> "Would they also prosecute a person who told them one of their doors was left unlocked after-hours?"

Perhaps not, but they probably would be tempted to prosecute someone who opened the door with a toothbrush and told them about it...

The temptation is to squash anything that comes along and potentially makes you look like you weren't doing your job properly (installing a better lock in the first place) rather than thank the person and then install a better lock, or fix the design of the lock.

Maybe you're projecting your own ability onto them. Have you considered that maybe they are highly incompetent and do sincerely believe this was a cracking attempt on their system?

Then again there is this culture of making an example to discourage others to even try, similar to prison, which we know is not that effective if at all.

> Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

> A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

Well, those aren't quite the same thing.

If someone told me I'd left my key in the lock, I'd say thanks and remove the key.

If someone told me I'd left my door unlocked after-hours, I might wonder what they were doing trying my door after-hours in the first place.

They paid a lot of money for a system they were told was totally secure, so damnit they're going to believe that despite any evidence to the contrary. Thus any bugs reported to them are not bugs but malicious attacks on their innocent system.

You fear what you don't understand

I don't know of it happening in hacking lore, but certainly it might be a strategy for a malicious actor to report a flaw so as to gain trust in order to exploit another flaw.

I was more naive, but it worked out. Reported a vulnerability and how to fix it to a regional bank when applying for a student loan. They asked me to come in person to explain it and dropped a point off my interest rate.

In hindsight it was a huge risk and I was dangerously trusting.

If you are nice and don't threaten to publish, at least without giving them any time to fix it - which for a large bank is a couple of months - then I don't think it's a risk at all.

What they don't like is the publicity.

Edit: but maybe not in Hungary. It's the bad child in EU.

In Poland there was a case a few years back of a company owner (I have no idea if that means a one-person company or a bigger one) finding out, by putting the name of his client into Google, that it had indexed documents containing private information of over 1000 companies that are clients of PKO BP, and reporting it to the bank.

At first the bank security department said no one will find it so it's safe, and later, when he pressed the issue as a dangerous leak, they reported him to the police for "hacking and extortion". All the computers from his company got confiscated for the investigation, so he had to buy new computers and software to continue running his company. In the end he was found not guilty by the police investigation of his computers, so the prosecution dropped the case (it didn't even go to court) and all his stuff was returned after 6 months.

Source in Polish (sorry, there is no English source): https://niebezpiecznik.pl/post/glebokie-ukrycie-danych-w-pko... http://www.tvn24.pl/wiadomosci-z-kraju,3/haker-mimo-woli,132...

Bank spokesperson later explained that the files were "deeply hidden" ("głębokie ukrycie", he said it's an IT term, it's not) and only one person found them in 4 years of their existence there so it's not a big deal.

And in general misusing, testing, etc. a website is illegal without owners permission, there is now a small exception for acting in good faith but it's narrow, a bit strangely worded and it doesn't prevent stuff like above.

Ah, yes. Actually Poland is the other bad child in EU...

The European commission is currently threatening to remove Poland's voting rights due to the changes to the juridical system, but it will not happen as Hungary will veto.

I think they are on their own cultural axis somehow.

Poland is drifting towards Russia.

To clarify: they're drifting towards a political system reminiscent of Russia today, but they would never ally with Russia. The Soviet regime is still fresh in the zeitgeist's memory.

> What they don't like is the publicity.

> Edit: but maybe not in Hungary. It's the bad child in EU.

The article suggests that they reported this guy to the police only after the info leaked out (or possibly was independently discovered by others) and made it to the press.

Scapegoating of non-malicious hackers isn't really anything new or unique to Hungary. It's a common reaction of IT-illiterates to people "cheating" on their systems everywhere.

I've reported two vulnerabilities. One to a fairly large web hosting provider that allowed me to access the databases of anyone else on the shared server my website was on. Another to a major credit card company -- Given a person's first and last name I was able to see what kind of credit cards they had.

In both cases, they fixed it, thanked me, no arrests or threats were made. I think your experience is only outside the norm in the sense that you got monetary compensation out of it! Nice!

Had a similar issue with Wolfram Alpha some years ago. I reported a dozen different XSS vulnerabilities to them and their answer was: "We forwarded this email to our legal department.".

So even technical companies can react in really silly ways.

I think legal's involvement is perfectly normal. Part of damage control consists of figuring out the legal ramifications of the product/service having technical vulnerabilities. Especially if those vulnerabilities leak customer data.

What isn't cool is legal deciding to go after the party disclosing the vulnerability.

Not having much experience on this subject, I have to ask: would you not get your developers to verify that the vulnerability is there and fix it while the legal department is doing its thing? The vulnerability is already out there, and the sooner it's fixed the better. Why would they forward everything to their lawyers first thing?

If the email contains code or something that looks like code, or otherwise looks like it is discussing technical things, it is not unusual to run it through legal before letting any engineers see it.

That's because companies routinely receive unsolicited product proposals, ideas for new features or enhancements, and the like. Often these overlap with things they have been working on internally but that are not known to the public.

If they let engineers see these unsolicited mails and then later come out with an even vaguely similar feature they may find themselves in an intellectual property dispute with the emailer.

Aw gee, that makes sense, yes. Never worked for a company big enough to need this. Also, I'm in Italy, so some things might work differently here.

I get where you're coming from but I would still encourage people to report. Most companies will want to fix and hush it up.

I have previously found a way to access very personal information in a large corporate billing system. When I contacted them I specifically used careful language that what I'd done was unintentional, an easy mistake that could lead others to this, that I kept zero data and exited the system as soon as I realised 'my mistake' and was very surprised. Basically enough that 1) if it should go to court the situation would be in my favour as much as it can be and 2) given they were a well-known public retailer I figured this would hit social media and make an uproar about the company should they act badly.

Initially I contacted several people in IT and heard nothing. Six months later, when I noticed this was still open, I contacted the CEO. Expecting nothing or a canned 'thanks', they were thankful and there was some follow-up contact about the issue.

I won't say there is no risk, but I think it's the right thing to do and the risk seems minimal. And you can always do it anonymously.

Doing the right thing is admirable. Doing something that helps a little bit, when the group that you are trying to help may or may not try to destroy you, seems like it's not such a great idea. If a company doesn't have a set of published procedures for reporting a bug, it's not worth helping them.

It depends. Sometimes the organization may be handling your personal data, other times a bug in some Ukrainian tax software may be exploited and cause downtime in a global shipping company.

I realize that big incidents are probably the only way to get laypeople to care about IT security in the long run, but still it may be preferable to help averting them when possible for various quite practical reasons.

> And you can always do it anonymously.

Assuming you have done the hacking anonymously in the first place.

Yeah, you have to consider if there might be logs likely showing you to be the only person to have used the system in the manner you described.

That's yet another reason to run something like Qubes OS, split up your online presence into distinct "domains" and heavily firewall each domain, only connecting it through VPNs and/or Tor in most cases.

Because TOR is safe...

What I would suggest is report the bug in an anonymous manner if possible. They're not going to be able to do much if you report a bug anonymously, I would think? I mean in the case of people who find bugs by "accident"; I mean I'm guilty of messing with a URL here or there to get the true HQ picture of a website.

Maybe they could use some threatening instead of a proper report. Go to a public spot, open up a Tor browser, then report the vulnerability. Something like this:

"I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention."

Maybe they will panic strongly enough to actually do something about the issue.

That is quite straightforward and makes it clear from all perspectives.

From the hacker "hat classification" perspective, that's obviously black hat, nothing gray about it.

From the legal perspective it's not a debate anymore (like in the original article) if you do this, it's clearly a crime, if you get caught in whatever way (e.g. by bragging about it someplace later that leads to your person, or by testing a "discounted" pass in some place that has cameras), it's a straightforward conviction for extortion.

From the ethical perspective, that is an unethical action, doing that shows that the person is immoral.

But you are right, yes, it can be quite effective, and definitely makes it more likely that they will panic strongly enough to actually do something about the issue. It's just that if this happens, then it's not sufficient to just fix the hole, identifying and catching the perpetrator becomes a big part of what they should be doing.

My understanding was that you just threaten to do those things but don't actually follow through on those threats. Then it's grey hat and ethical but still not legal. If they actually pay the bitcoins and don't fix the issue then you despair and go on with your life. It's hard to spend the bitcoins without deanonymising yourself, but you can try to give them to charity or something.

No, simply making that threat ("send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database") is very definitely a crime (and black hat, and unethical) even without any followup.

That's as classic as it can be, there's nothing new or technology related about this - for example, sending an anonymous message "Send cash or I'll burn your house" is a crime (and unethical) even if you don't burn anything. It is a crime (and unethical) even if you're just making an empty threat and never intend to burn anything, it still is extortion.

Arson is one crime, and extortion is a separate crime punishable by itself. If you don't attempt to delete their data then you (obviously) don't get charged with deleting their data, but making threats like that is not acceptable in any way (legal or ethical) whatsoever. Once you press "send" on a message like that, you've crossed a very serious line.

Like I said above, it is a crime. But it's ethical because it's intended to force them to fix their system before someone does something much worse.

Do you believe that you have a moral right to force them to do anything?

Is there a moral imperative that they are morally required to secure their systems and that others should/could demand that they must do so? It definitely could be in certain cases (for example, a hospital storing confidential data of their customers), but in the usual situation where it's just their data and their money, isn't that their moral right to decide how high a fence (if any!) they want to build around their property?

Telling someone "hey, you forgot to lock your door" is a good thing, but ultimately IMHO it's their decision if they want to lock the door or accept those risks.

I really can't see how this is unethical or immoral in any way.

You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"? It's obviously a crime.

> You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"?

I do, however loup-vaillant's post also contained the following, which makes it not immoral nor unethical:

> accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time>

Also, you need to panic them, you do not necessarily need to delete or copy their data (but even if you did, I see nothing evil in it. They are the ones that refused to fix it within the time given after all).

> It's obviously a crime.

Doesn't mean that it's immoral or unethical.

If you point out that my front door is unlocked, and I decide to keep it unlocked forever (i.e. refuse to fix it), then it doesn't mean that it somehow becomes ethical to enter my house and take my stuff. It might be stupid on my part to keep it unlocked, but a thief is still ethically a thief even if I carelessly kept it unlocked forever. My "door" might as well be a line in sand or a sign "don't enter" on a pathway - not a security measure at all, just an indication where the boundary is, but still unethical to cross it. Much more so would be sending a note "lock your door, send me money or I'll take or damage your stuff", as in the original example.

Threatening to harm someone unless they do what you say is immoral even if you don't harm them; it's not ethically acceptable to threaten others.

It's obviously a crime.

Perhaps. But being a crime does not automatically mean something is immoral or unethical.

So you should just become a malicious actor and actually break the law? Good plan.

Becoming a malicious actor, no. Looking like one, definitely. Break the law, most probably. Also, I would rather threaten to publish if I did this for real.

It's risky and scary, but also the right thing to do in some cases.

You could also fail to report at all, and let their ship sink. Maybe they deserved it.

What difference does it make if the outcome is the same?

Not the outcome for the informer in case one gets caught and accused of threatening for ransom.

Better hope you've not left any evidence on their systems then, you know, like a discounted transport pass.

Wrong. The latter half should read:

You have <this time> to fix the issue, or I <copy or trash> your database.

Asking for extortion does not push them to fix their systems, only to pay you and/or find you.

I have read some advice in the past that one should report vulnerabilities via an officially known independent security related group (white hat) or via a journalist. The point is to get some legal backing just in case. Does anybody have any experience with such a way?

In France, you can report vulnerabilities to the ANSSI (National Cybersecurity Agency of France). The agency stays somewhat neutral between justice and the company with vulnerabilities since ANSSI must protect the confidentiality of their informer. Information can be sent by email or postal service.

http://www.ssi.gouv.fr/en-cas-dincident/vous-souhaitez-decla...

I report all the vulnerabilities I find to the NSA. Very nice people.

I understand that it's good to have cover for this sort of thing.

I think the line is pretty grey though.

One analogy is telling a company that their front door is unlocked.

Another analogy is going into an unlocked front door, and going deeper into the building, and then reporting to the company that you could, in fact, get to classified information from this door.

IRL Pentesters get permission before trying to sneak into buildings, so there's some argument for it being the same for these sorts of things.

EDIT: I 100% think that users that are acting in good faith shouldn't be thrown in prison. This case is a pretty good example of this

Note: the nature of the reported vulnerability was such that the teenager didn't even have to access the servers to do it —only change a value that was sent by his own browser.

If that was tantamount to not-breaking & entering, it means it is okay to legally forbid step by step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides (here, the price of the ticket), must be observed by the rest of the system (here, the price sent in the HTTP request wasn't the price decided by the web page).

The consequences of such thinking are chilling. If this is the kind of cyberpunk we're heading to, I'll seriously consider becoming a Runner.

On the Internet there is also the problem of remote attackers. Even if you preemptively jail all people in your jurisdiction, your system still isn't safe. It doesn't make any sense at all to call sending some malicious data to your server "breaking in" when anybody and his dog can do it from the comfort of their chair on the other side of the planet.

> it means that it is okay to legally forbid step by step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides, must be observed by the rest of the system
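
The vulnerability described in the comment above (the web page decides a price, puts it in the request the browser sends, and the server charges whatever arrives) is plain client-side parameter tampering. The following is an added example, not the transport system's code or anything posted in this thread: a checkout that trusts the posted price, beside one that recomputes the price on the server and treats a client-echoed price that disagrees as tampering, plus an HMAC-signed token for the case where a value genuinely has to round-trip through the client. The catalogue, the form bodies and the signing key are constructed for this illustration.

```python
"""Added example: price tampering in a posted form and two server-side fixes.

Everything here (catalogue, form bodies, key) is constructed for the
illustration; it is not the code of any real ticketing system.
"""
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed catalogue: product id -> price in HUF.  This is the server-side truth.
CATALOGUE = {"monthly_pass": 9500, "single_ticket": 350}

# Constructed signing key; a real deployment would load it from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def vulnerable_checkout(form_body: str) -> int:
    """Charges whatever 'price' the browser posted.

    The page computed the price in JavaScript and copied it into a form
    field, so editing the request body (or the field in the browser's
    debugger) changes the amount charged.
    """
    form = parse_qs(form_body)
    return int(form["price"][0])


def hardened_checkout(form_body: str) -> Tuple[str, Optional[int]]:
    """Derives the price from the product id on the server.

    A client-supplied 'price' is only compared, never used.  A mismatch is
    reported as 'tampered' so it can be logged and alerted on, instead of
    being silently corrected and hiding the attempt.
    """
    form = parse_qs(form_body)
    product = form.get("product", [""])[0]
    if product not in CATALOGUE:
        return "unknown_product", None
    expected = CATALOGUE[product]
    sent = form.get("price")
    if sent is not None and sent[0] != str(expected):
        return "tampered", None
    return "ok", expected


def issue_quote(product: str, price: int) -> str:
    """For values that really must round-trip through the client (a quoted
    discount, a cart total), bind them to the server with an HMAC.  The
    client can carry the token but cannot alter the price inside it."""
    payload = f"{product}:{price}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def redeem_quote(quote: str) -> Optional[int]:
    """Returns the quoted price only if the tag verifies; None otherwise."""
    try:
        product, price, tag = quote.rsplit(":", 2)
    except ValueError:
        return None
    expected_tag = hmac.new(
        SERVER_KEY, f"{product}:{price}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(tag, expected_tag):
        return None
    return int(price)


if __name__ == "__main__":
    # Constructed request body after the user edits price=9500 to price=50.
    tampered = "product=monthly_pass&price=50"
    print("vulnerable charges:", vulnerable_checkout(tampered))
    print("hardened result:   ", hardened_checkout(tampered))
    quote = issue_quote("monthly_pass", 7600)
    print("quote redeems to:  ", redeem_quote(quote))
    print("edited quote:      ", redeem_quote(quote.replace("7600", "50", 1)))
```

The check in `hardened_checkout` is also what produces the "client and server states don't match" error a tester sees on systems that echo a field back and forth without using it: the value is still compared, so a tampered copy is detected even though it would not have changed the charge. Signing a round-tripped value, as in `issue_quote`, gives the same protection for values the server cannot simply recompute.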

I don't know about Hungary, but in the US the DMCA has exactly these provisions.

When you test for a vulnerability, many times you don't know whether it actually works unless you go "deep into the building".

In this situation, it would have been difficult to report the parameter tampering without verifying that it actually worked (there're systems that pass params back and forth without apparent use, but they throw an error when client and server states don't match) - and, most probably, the report would have been ignored without the verification.

Exactly. Often to validate the door is unlocked one needs to use the knob and open it a little - shall one get a permission for that just for the sake of a check? Is this already a breach to open the door without crossing the threshold?

Friends of mine have a small company (and a nice Ultimaker 2) and left their front door wide open, lights on and went home one evening. However one manages to do that. I called them, stayed a bit to secure it and since then it's free print and free beers for me :)

I disagree. It's more akin to trying the handle on the door, and noticing it's unlocked, and then telling them, and being arrested for touching the door handle.

report anonymously!?

Why didn't you report it?

Seems somewhat negligent - at the very least from a Good Samaritan™ point of view

You're replying to a comment about news of someone being arrested for a similar thing.

There's such a thing as anonymous reporting

What if you don't do it anonymously enough? And they trace it back to you? Not that this has ever happened (I have no idea. I'm assuming not). But being paranoid isn't unwarranted either.

If he reported it, he runs the risk of the company turning on him (as was the case in the article above). If he doesn't report it, nothing happens.

It's a choice between the certainty of no loss vs the possibility of great loss.

If he does not report it, and somebody else does, then he runs the risk of being rightfully accused of hacking, as the motivation can be understood as financially motivated.

Budapest != United States

You're often opening up yourself to a LOT of bad exposure, where you'll be accused of hacking the software (along with the 20+ year jail term this might eventually entail) and just generally putting the spotlight on yourself as a potentially dangerous person.

Better to report anonymously, or report directly to someone who might appreciate or is responsible (and hope they appreciate responsible disclosure).

Did you not see the top post?

Reporting these things can get you in trouble. Once burnt, twice shy.