by jogjayr 3245 days ago
I'm having trouble understanding what exactly an org's thought process is when they elect to prosecute someone for reporting a security issue.

Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

EDIT: Is it suspicion? "Hmm...this person found an unlocked door, which means they were clearly trying all the doors. Don't like that. Who knows what else they found but didn't report." Which is understandable, but clearly counter-productive. If the person was a malicious actor, they obviously wouldn't go to the trouble of reporting in the first place.

11 comments

My guess would be:

- BKK is the client of T-Systems. They have a contract for the development and maintenance of this system which might contain clauses about liability or indemnification in cases of hacking, security bugs, negligence, etc.

- This guy reported it to BKK who obviously don't have any technical knowledge

- BKK (the client) forwards the email to T-Systems (the contractor): "What's this about? Looks like hacking or something."

- Now T-Systems has two options: 1. Blame it on the guy, or 2. Take the blame for overpromising and screwing it up, possibly taking a financial loss of an unknown amount (depending on the contract and how widespread exploitation was)

That's unlikely. Even if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and then do acceptance testing. So the "BKK obviously don't have any technical knowledge" claim is bogus.

It's possible the particular BKK person dealing with the report does not have technical knowledge, but that's more a fail on BKK's side as they let incompetent people deal with reports of security incidents.

But I'd bet it's merely a matter of covering broken shit and shifting blame. BKK is (probably?) a public company, managing transport in the capital city. They manage a lot of money, and it's not uncommon to funnel lucrative contracts to friendly companies, even if it increases price and the quality is dubious. Whoever came up with this project / awarded the contract / accepted the solution is probably scared people might start digging into the details. Better blame the problems on a hacker!

> Even if you don't develop the system on your own and buy it from a third party (be it T-Systems or someone else), you still need technical expertise to prepare the requirements, evaluate the proposed solution (possibly proposals from multiple vendors) and then do acceptance testing.

I don't think this is true. When you buy a house, do you have to be able to do the specification and evaluate? This is a good analogy, because T-Systems have delivered similar solutions to other clients, what they needed here is a little bit of tailoring and integration (which is not the part that failed).

It is common for a typical western government to have domain specialists, working directly for them, to help write the contracts and requirements for their external contractors and vendors.

In my experience, clients rarely have any technical expertise at all.

Definitely not the case. Huge numbers of SME clients evaluate tendered work on visual inspection alone. I've only had one or two clients ever (having worked in-house, contract, and for an agency) have had any knowledge of cyber security.

I think the hypothetical above is very reasonable. Lots of technical vendors will elect to shift blame. They should take responsibility for their issues, but they often don't.

Except that BKK is not an SME, but a company managing transportation in a city with nearly 2 million people. I've done work for similar organizations founded by municipalities (although smaller and not in Hungary), and pretty much all of them involved technically-skilled people in the process.

Perhaps BKK operates in a different way, but well - incompetence is not an excuse. It's a management failure.

I think there is a disconnect in how techies and non-techies think about web security in general.

To push your analogy further, the non-tech person thinks of this type of exploit discovery as if someone has trespassed onto their private yard under the cover of darkness, trying every door and window.

A tech savvy person might instead think of it as a row of doors lined up next to a busy street, in broad daylight.

Knocking, and telling someone that they have "forgotten their keys in the door" seems a bit creepy in the first scenario, but completely legitimate in the second.

I think that the second scenario in your analogy is somewhat creepy too. Why are they trying all of the doors? A person should have a reasonable expectation of privacy in their house, to be able to walk around in their underwear or whatever without someone just opening the door on them.

Edit: Note that in this analogy the keys aren't fully visible from outside and it requires opening the door to be sure that the keys were accidentally left out

If your security is "http://example.com/1234/secret_data/", but 1234 is your customer number, and changing the customer number gives you someone else's data, then the analogy is more like:

"the sheriff has told everyone that there's a bad dude wandering round town trying doors, and [responsible citizen] noticed that everyone had identical door-keys which would open every lock".

Is that still creepy?
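The pattern the comment describes (the customer number in the URL is the only thing standing between you and someone else's data) is an insecure direct object reference. The following is an added example, not code from the thread, from BKK or from T-Systems: a deliberately vulnerable handler beside a hardened one, plus a helper that does what the curious user in the comment does, walking neighbouring customer numbers. The customer records, the `Session` object and the function names are all constructed for illustration.

```python
"""Added example (not from the original thread): an insecure direct
object reference (IDOR) handler beside a hardened one.  All data,
names and the Session shape are assumptions made for illustration."""
from dataclasses import dataclass

# Constructed sample data: customer number -> the "secret_data" behind
# http://example.com/<customer_number>/secret_data/
CUSTOMERS = {
    1234: {"name": "Alice", "card": "PAN ending 4242"},
    1235: {"name": "Bob", "card": "PAN ending 0001"},
    1236: {"name": "Carol", "card": "PAN ending 7777"},
}


@dataclass
class Session:
    """Who the server has actually authenticated (assumed shape)."""
    customer_id: int
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the session does not own the requested object."""


def vulnerable_secret_data(session, path_customer_id):
    """The bug in the comment: the id from the URL is trusted as-is.
    The session is accepted but never compared against the path."""
    return CUSTOMERS.get(path_customer_id)


def hardened_secret_data(session, path_customer_id):
    """Same route with an object-level authorization check: the caller
    must own the requested customer record or hold an admin role."""
    if not session.is_admin and session.customer_id != path_customer_id:
        raise Forbidden("session %d does not own customer %d"
                        % (session.customer_id, path_customer_id))
    return CUSTOMERS.get(path_customer_id)


def enumerate_neighbors(handler, session, start, count):
    """Walk `count` customer numbers from `start` the way a curious
    (or malicious) user would and return the foreign ids that leaked."""
    leaked = []
    for cid in range(start, start + count):
        if cid == session.customer_id:
            continue  # your own record is not a leak
        try:
            record = handler(session, cid)
        except Forbidden:
            continue
        if record is not None:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    alice = Session(customer_id=1234)
    print("vulnerable handler leaks:",
          enumerate_neighbors(vulnerable_secret_data, alice, 1230, 10))
    print("hardened handler leaks:  ",
          enumerate_neighbors(hardened_secret_data, alice, 1230, 10))
```

Two practical caveats: a real endpoint should answer "not yours" and "does not exist" with the same status, otherwise the `Forbidden` path still lets a caller enumerate which customer numbers are valid; and the cleaner fix is usually to drop the id from the URL entirely (`/me/secret_data`) and resolve it from the session, so there is nothing to tamper with in the first place.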

I would find it creepy that someone was testing their key on other people's doors.

If I caught someone trying their key on my door I would call the cops, even if they said they were just testing it to see if it would work.

Who is the sheriff in this case?

I'm the sheriff!

But all kidding aside, it sounds like the sheriff is the hacker, who has discovered through investigation that every lock is the exact same.

That said, a hacker isn't elected to protect people, they are doing it out of the "kindness" of their heart. What a lot of people get in trouble for is hacking first and asking for permission after.

If you go up to a company with a statement like: "I think you may have a vulnerability in your software. I haven't tested this hypothesis (you can verify in your logs), but with your permission, I could check it, and report back to you." Most companies would probably be thankful, others might instead get mad and handle it internally. But if you DON'T hack first, you have nothing to really worry about.

That seems unreasonable.

If I logged in to a service and saw a URL like http://example.com/1234/secret_data, calling them with a report of a potential vulnerability would be a waste of their and my time 98% of the time. And there's an infinite number of such "potential vulnerabilities" to report, too. Like on HN, I see I can edit my profile description over at https://news.ycombinator.com/user?id=TeMPOraL. I wonder what happens when I change the 'id' param? Better not try it out, but call 'dang immediately!

Discovering an actual vulnerability in the first place requires doing something that could be considered hacking.

Sorry, I didn't word that correctly. I was referring to actually leaving the keys on the outside. What I was trying to get at is the mental image of a shady person skulking around in a backyard. I think many people have that sort of "what were you even doing there" perception of so-called hackers regardless of their flavour. If they instead realized that a public-facing interface is something that will inevitably be explored over and over again, they would have a different opinion.

Never underestimate the diversity of the concept of Justice in those who are uneducated, unwise, and dishonest about what is real. If you try to trace this behavior you'll find truly random causes. There are an infinite number of ideas one can substitute for something they don't know or willfully ignore in their own perceived interests. The real problem is when those substitutions are guiding determinations for someone with authority over others.

I'll also add: when I was a teenager I was in this position countless times, reporting security issues at school, etc. The reactions I received from fully grown adults were nothing short of stochastic. This fascinated me enough to minor in political science and philosophy/ethics. I draw on that for insight, but it doesn't really provide a final answer.

This. Executives who usually have no trouble treating engineers as replaceable parts suddenly fail to believe someone else can and possibly has found the same vulnerability. They think getting rid of the one person capable of finding it is all it takes to be safe.

Because if they acknowledge it, it shows their own incompetence. It is much better to blame the issue on some "hacker" than to acknowledge that you failed. The latter might mean that you get kicked out by investors.

And multi-billion companies or governments are in the business of bending over customers and effing them. So another guy getting fked is business as usual.

> "Would they also prosecute a person who told them one of their doors was left unlocked after-hours?"

Perhaps not, but they probably would be tempted to prosecute someone who opened the door with a toothbrush and told them about it...

The temptation is to squash anything that comes along and potentially makes you look like you weren't doing your job properly (installing a better lock in the first place) rather than thank the person and then install a better lock, or fix the design of the lock.

Maybe you're projecting your own ability onto them. Have you considered that maybe they are highly incompetent and do sincerely believe this was a cracking attempt on their system?

Then again, there is this culture of making an example to discourage others from even trying, similar to prison, which we know is not that effective, if at all.

> Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

> A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

Well, those aren't quite the same thing.

If someone told me I'd left my key in the lock, I'd say thanks and remove the key.

If someone told me I'd left my door unlocked after-hours, I might wonder what they were doing trying my door after-hours in the first place.

They paid a lot of money for a system they were told was totally secure, so damnit they're going to believe that despite any evidence to the contrary. Thus any bugs reported to them are not bugs but malicious attacks on their innocent system.

You fear what you don't understand.

I don't know of it happening in hacking lore, but certainly it might be a strategy for a malicious actor to report a flaw so as to gain trust in order to exploit another flaw.