top | item 14835649


goodplay | 8 years ago

I remember coming across a serious bug in a site that belonged to a top multi-billion company. My brother also found what was essentially an unrestricted privacy leak (and possibly editing access) in a top university (the leaked data is sensitive personal information, not academic). Neither of us reported (or exploited) what we found.

Protection from this kind of blame-shifting and misdirected retaliation should be guaranteed by law. Until it is, bugs in critical and important infrastructure will go on unreported, and remain available for malicious actors to exploit.


jogjayr|8 years ago

I'm having trouble understanding what exactly an org's thought process is when they elect to prosecute someone for reporting a security issue.

Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

EDIT: Is it suspicion? "Hmm...this person found an unlocked door, which means they were clearly trying all the doors. Don't like that. Who knows what else they found but didn't report." Which is understandable, but clearly counter-productive. If the person was a malicious actor, they obviously wouldn't go to the trouble of reporting in the first place.

jannes|8 years ago

My guess would be:

- BKK is the client of T-Systems. They have a contract for the development and maintenance of this system which might contain clauses about liability or indemnification in cases of hacking, security bugs, negligence, etc.

- This guy reported it to BKK who obviously don't have any technical knowledge

- BKK (the client) forwards the email to T-Systems (the contractor): "What's this about? Looks like hacking or something."

- Now T-Systems has two options: 1. Blame it on the guy, or 2. Take the blame for overpromising and screwing it up, possibly taking a financial loss of an unknown amount (depending on the contract and how widespread exploitation was)

mekkkkkk|8 years ago

I think there is a disconnect in how techies and non-techies think about web security in general.

To push your analogy further, the non-tech person thinks of this type of exploit discovery as if someone has trespassed onto their private yard under the cover of darkness, trying every door and window.

A tech savvy person might instead think of it as a row of doors lined up next to a busy street, in broad daylight.

Knocking, and telling someone that they have "forgotten their keys in the door" seems a bit creepy in the first scenario, but completely legitimate in the second.

jasonzemos|8 years ago

Never underestimate the diversity of the concept of Justice in those who are uneducated, unwise, and dishonest to what is real. If you try to trace this behavior you'll find truly random causes. There are an infinite number of ideas one can substitute for something they don't know or willfully ignore in their own perceived interests. The real problem is when those substitutions are guiding determinations for someone with authority over others.

I'll also add: when I was a teenager I was in this position countless times, reporting security issues at school, etc. The reactions I received from fully grown adults were nothing short of stochastic. This fascinated me enough to minor in political science and philosophy/ethics. I draw on that for insight, but it doesn't really provide a final answer.

emiliobumachar|8 years ago

This. Executives who usually have no trouble treating engineers as replaceable parts, suddenly fail to believe someone else can and possibly has found the same vulnerability. They think getting rid of the one person capable of finding it is all it takes to be safe.

csomar|8 years ago

Because if they acknowledge it, it shows their own incompetence. It is much better to blame the issue on some "hacker" than to acknowledge that you failed. The latter might mean that you get kicked out by investors.

And multi-billion companies or governments are in the business of bending over customers and effing them. So another guy getting fked is business as usual.

SeanDav|8 years ago

> "Would they also prosecute a person who told them one of their doors was left unlocked after-hours?"

Perhaps not, but they probably would be tempted to prosecute someone who opened the door with a toothbrush and told them about it...

The temptation is to squash anything that comes along and potentially makes you look like you weren't doing your job properly (installing a better lock in the first place) rather than thank the person and then install a better lock, or fix the design of the lock.

bigbugbag|8 years ago

Maybe you're projecting your own ability onto them; have you considered that maybe they are highly incompetent and do sincerely believe this was a cracking attempt on their system?

Then again there is this culture of making an example to discourage others to even try, similar to prison, which we know is not that effective if at all.

Silhouette|8 years ago

> Would they also prosecute a person who told them one of their doors was left unlocked after-hours?

> A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.

Well, those aren't quite the same thing.

If someone told me I'd left my key in the lock, I'd say thanks and remove the key.

If someone told me I'd left my door unlocked after-hours, I might wonder what they were doing trying my door after-hours in the first place.

nkrisc|8 years ago

They paid a lot of money for a system they were told was totally secure, so damnit they're going to believe that despite any evidence to the contrary. Thus any bugs reported to them are not bugs but malicious attacks on their innocent system.

pavanred|8 years ago

You fear what you don't understand

askvictor|8 years ago

I don't know of it happening in hacking lore, but certainly it might be a strategy for a malicious actor to report a flaw so as to gain trust in order to exploit another flaw.

patryn20|8 years ago

I was more naive, but it worked out. Reported a vulnerability and how to fix it to a regional bank when applying for a student loan. They asked me to come in person to explain it and dropped a point off my interest rate.

In hindsight it was a huge risk and I was dangerously trusting.

kpil|8 years ago

If you are nice and don't threaten to publish, at least without giving them any time to fix it - which for a large bank is a couple of months - then I don't think it's a risk at all.

What they don't like is the publicity.

Edit: but maybe not in Hungary. It's the bad child in the EU.

erroneousfunk|8 years ago

I've reported two vulnerabilities. One to a fairly large web hosting provider that allowed me to access the databases of anyone else on the shared server my website was on. Another to a major credit card company -- Given a person's first and last name I was able to see what kind of credit cards they had.

In both cases, they fixed it, thanked me, no arrests or threats were made. I think your experience is only outside the norm in the sense that you got monetary compensation out of it! Nice!

LunaSea|8 years ago

Had a similar issue with Wolfram Alpha some years ago. I reported a dozen different XSS vulnerabilities to them and their answer was: "We forwarded this email to our legal department.".

So even technical companies can react in really silly ways.

enraged_camel|8 years ago

I think legal's involvement is perfectly normal. Part of damage control consists of figuring out the legal ramifications of the product/service having technical vulnerabilities. Especially if those vulnerabilities leak customer data.

What isn't cool is legal deciding to go after the party disclosing the vulnerability.

Gustomaximus|8 years ago

I get where you're coming from but I would still encourage people to report. Most companies will want to fix and hush it up.

I have previously found a way to access very personal information in a large corporate billing system. When I contacted them I specifically used careful language that what I'd done was unintentional, an easy mistake that could lead others to this, that I kept zero data and exited the system as soon as I realised 'my mistake' and was very surprised. Basically enough that 1) If it should go to court the situation would be in my favour as much as it can be and 2) Given they were a well known public retailer I figured this would hit social media and make an uproar about the company should they act badly.

Initially I contacted several people in IT and heard nothing. Six months later, when I noticed this was still open, I contacted the CEO. Expecting nothing or a canned 'thanks', he was thankful and I had some follow-up contact about the issue.

I won't say there is no risk, but I think it's the right thing to do and the risk seems minimal. And you can always do it anonymously.

lovich|8 years ago

Doing the right thing is admirable. Doing something that helps a little bit, when the group that you are trying to help may or may not try to destroy you, seems like it's not such a great idea. If a company doesn't have a set of published procedures for reporting a bug it's not worth helping them.

qb45|8 years ago

> And you can always do it anonymously.

Assuming you have done the hacking anonymously in the first place.

giancarlostoro|8 years ago

What I would suggest is report the bug in an anonymous manner if possible. They're not going to be able to do much if you report a bug anonymously I would think? I mean in the case of people who find bugs by "accident" I mean I'm guilty of messing with a URL here or there to get the true HQ picture of a website.

loup-vaillant|8 years ago

Maybe they could use some threatening instead of a proper report. Go to a public spot, open up a Tor browser, then report the vulnerability. Something like this:

"I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention."

Maybe they will panic strongly enough to actually do something about the issue.

PeterisP|8 years ago

That is quite straightforward and makes it clear from all perspectives.

From the hacker "hat classification" perspective, that's obviously black hat, nothing gray about it.

From the legal perspective it's not a debate anymore (like in the original article) if you do this, it's clearly a crime, if you get caught in whatever way (e.g. by bragging about it someplace later that leads to your person, or by testing a "discounted" pass in some place that has cameras), it's a straightforward conviction for extortion.

From the ethical perspective, that is an unethical action, doing that shows that the person is immoral.

But you are right, yes, it can be quite effective, and definitely makes it more likely that they will panic strongly enough to actually do something about the issue. It's just that if this happens, then it's not sufficient to just fix the hole, identifying and catching the perpetrator becomes a big part of what they should be doing.

pfisch|8 years ago

So you should just become a malicious actor and actually break the law? Good plan.

wlll|8 years ago

Better hope you've not left any evidence on their systems then, you know, like a discounted transport pass.

etatoby|8 years ago

Wrong. The latter half should read:

You have <this time> to fix the issue, or I <copy or trash> your database.

Asking for extortion does not push them to fix their systems, only to pay you and/or find you.

imhoguy|8 years ago

I have read some advice in the past that one should report vulnerabilities via an officially known independent security related group (white hat) or via a journalist. The point is to get some legal backing just in case. Does anybody have experience with such a way?

bondant|8 years ago

In France, you can report vulnerabilities to the ANSSI (National Cybersecurity Agency of France). The agency stays somewhat neutral between justice and the company with vulnerabilities since ANSSI must protect the confidentiality of their informer. Information can be sent by email or postal service.

http://www.ssi.gouv.fr/en-cas-dincident/vous-souhaitez-decla...

pyroinferno|8 years ago

I report all the vulnerabilities I find to the NSA. Very nice people.

rtpg|8 years ago

I understand that it's good to have cover for this sort of thing.

I think the line is pretty grey though.

One analogy is telling a company that their front door is unlocked.

Another analogy is going into an unlocked front door, and going deeper into the building, and then reporting to the company that you could, in fact, get to classified information from this door.

IRL Pentesters get permission before trying to sneak into buildings, so there's some argument for it being the same for these sorts of things.

EDIT: I 100% think that users that are acting in good faith shouldn't be thrown in prison. This case is a pretty good example of this

loup-vaillant|8 years ago

Note: the nature of the reported vulnerability was such that the teenager didn't even have to access the servers to do it —only change a value that was sent by his own browser.

If that was tantamount to not-breaking & entering, it means it is okay to legally forbid step by step debugging on your own computer. That it may not be legal to inspect code from another company, even if it runs on your computer. That whatever the code decides (here, the price of the ticket), must be observed by the rest of the system (here, the price sent in the HTTP request wasn't the price decided by the web page).

The consequences of such thinking are chilling. If this is the kind of cyberpunk we're heading to, I'll seriously consider becoming a Runner.

alanfranzoni|8 years ago

When you test for a vulnerability, many times you don't know whether it actually works unless you go "deep into the building".

In this situation, it would have been difficult to report the parameter tampering without verifying that it actually worked (there are systems that pass params back and forth without apparent use, but they throw an error when client and server states don't match) - and, most probably, the report would have been ignored without the verification.
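
The parameter-tampering case that the two comments above describe (loup-vaillant's point that the price sent in the HTTP request was not the price the web page decided, and alanfranzoni's point that some systems round-trip fields and reject a request when client and server state disagree), shown as an added example that is not part of this thread and not code from any system the article discusses. The ticket catalogue, prices, server secret and function names are constructed for illustration; the three handlers show the server trusting the client price, the server recomputing the price itself, and the server signing round-tripped fields so a modified field is detected.

```python
import hmac
import hashlib

# Constructed catalogue and secret for the example (not real prices or keys).
TICKET_PRICES = {"single": 350, "monthly": 9500}
SERVER_SECRET = b"constructed-server-only-secret"


class TamperingDetected(ValueError):
    """Client-supplied data disagrees with what the server knows."""


def vulnerable_checkout(form):
    """Before: charges whatever 'price' the browser posted.

    Because the price originates in the client, editing the request body
    (the kind of change the thread discusses) changes what is charged.
    """
    return int(form["price"])


def hardened_checkout(form):
    """After: the server derives the price from the ticket id it controls.

    A client-sent 'price' is accepted only as a consistency check; any
    disagreement is treated as tampering, not silently overwritten, so it
    can be logged and investigated.
    """
    ticket = form.get("ticket")
    if ticket not in TICKET_PRICES:
        raise ValueError(f"unknown ticket type {ticket!r}")
    expected = TICKET_PRICES[ticket]
    if "price" in form and int(form["price"]) != expected:
        raise TamperingDetected(
            f"client sent price {form['price']}, server price is {expected}"
        )
    return expected


def _sign(fields):
    """HMAC over the fields a server round-trips through the browser."""
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def issue_offer(ticket):
    """Server builds the form the browser will post back, with a MAC attached."""
    fields = {"ticket": ticket, "price": TICKET_PRICES[ticket]}
    fields["sig"] = _sign(fields)
    return fields


def redeem_offer(form):
    """Server verifies the MAC before using any round-tripped field.

    This is the 'client and server state must match' pattern from the
    comment above: fields may travel through the client, but a modified
    field no longer matches the signature and the request is rejected.
    """
    fields = {k: v for k, v in form.items() if k != "sig"}
    if not hmac.compare_digest(form.get("sig", ""), _sign(fields)):
        raise TamperingDetected("round-tripped fields do not match their signature")
    return int(fields["price"])


def outcome(handler, form):
    """Run one handler and report what a request log would record."""
    try:
        return ("charged", handler(form))
    except TamperingDetected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    honest = issue_offer("single")
    tampered = dict(honest, price=1)  # constructed: a browser-side edit of the price
    for name, handler in [("vulnerable", vulnerable_checkout),
                          ("hardened", hardened_checkout),
                          ("signed", redeem_offer)]:
        print(name, outcome(handler, honest), outcome(handler, tampered))
```

The hardened handler is the one a practitioner wants in a purchase flow: the client never decides the price, and a mismatch is surfaced as a rejection rather than quietly corrected, which is what makes the tampering visible in logs. The signed variant is the general form of what the comment describes, and applies to any field the server chooses to round-trip through the browser.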

TomK32|8 years ago

Friends of mine have a small company (and a nice Ultimaker 2) and left their front door wide open, lights on and went home one evening. However one manages to do that. I called them, stayed a bit to secure it and since then it's free print and free beers for me :)

madaxe_again|8 years ago

I disagree. It's more akin to trying the handle on the door, and noticing it's unlocked, and then telling them, and being arrested for touching the door handle.

warrenm|8 years ago

Why didn't you report it?

Seems somewhat negligent - at the very least from a Good Samaritan™ point of view

skinnymuch|8 years ago

You're replying to a comment about news of someone being arrested for a similar thing.

JohnGB|8 years ago

If he reported it, he runs the risk of the company turning on him (as was the case in the article above). If he doesn't report it, nothing happens.

It's a choice between the certainty of no loss vs the possibility of great loss.

grrowl|8 years ago

You're often opening yourself up to a LOT of bad exposure, where you'll be accused of hacking the software (along with the 20+ year jail term this might eventually entail) and just generally putting the spotlight on yourself as a potentially dangerous person.

Better to report anonymously, or report directly to someone who might appreciate or is responsible (and hope they appreciate responsible disclosure).

Antrikshy|8 years ago

Did you not see the top post?

Cerium|8 years ago

Reporting these things can get you in trouble. Once burnt twice shy.