
(Some Guy) Fail: Dear Customer, Thank you for quietly notifying us of a glaring security flaw in our website. Please accept this complimentary gift basket containing a police visit, blame for the issue, a bill for fixing it and termination of your account   (techdirt.com)

16710 clicks; posted to Geek » on 19 Oct 2011 at 4:58 PM



86 Comments
   

 
2011-10-19 01:45:09 PM
This is what happens when executives deal with a problem that should have been handled by their IT staff.

Hope they don't manage to screw this guy's life up too much.
 
2011-10-19 01:55:34 PM
And then people wonder why sysadmins turn black hat....
 
2011-10-19 02:22:47 PM
SphericalTime:

This is what happens when executives lawyers deal with a problem that should have been handled by their IT staff.

/ FTFY
// [killallthelawyers.jpg]
 
2011-10-19 03:21:38 PM
Wow.
 
2011-10-19 04:25:09 PM
veedeevadeevoodee: SphericalTime:

This is what happens when executives lawyers deal with a problem that should have been handled by their IT staff.

/ FTFY
// [killallthelawyers.jpg]


I don't know, executives often hire the lawyers. I'd still blame it on them.
 
2011-10-19 05:03:59 PM
Technically, he broke the law.

It's a sad reflection of the times we live in.
 
2011-10-19 05:05:42 PM
Fark_Guy_Rob: Technically, he broke the law.

Since he was already breaking the law, he might as well have transferred a bunch of money into his account, right?
 
2011-10-19 05:06:50 PM
[image: verydemotivational.files.wordpress.com]
 
2011-10-19 05:08:14 PM
Fark_Guy_Rob: Technically, he broke the law.

It's a sad reflection of the times we live in.


How so? Typing in a URL is how you access a webpage.

/he should counter sue for libel
 
2011-10-19 05:11:19 PM
also this is the same problem Citigroup had a few months ago iirc
 
2011-10-19 05:14:52 PM
MrEricSir: Fark_Guy_Rob: Technically, he broke the law.

Since he was already breaking the law, he might as well have transferred a bunch of money into his account, right?


Depends on the Aussie law's wording. If he had stuck with just changing the numbers in the URL manually, I think he'd have been safe.

But he wrote a script and I don't know if Aussie law has a requirement for malicious intention; if not, then the sheer act is illegal.

Maybe it's time for a good samaritan type shield for techie types who report such vulnerabilities.

Pillar (the security company) definitely comes off as douchenozzles of the highest caliber though ...
 
2011-10-19 05:22:38 PM
If he had simply published the information, the company would have said, "why didn't you tell us secretly so we could fix it!"

As for his techniques. Do you walk your neighborhood checking everyone's doors and windows without asking permission? No. You can get shot for doing that kind of shiat. So don't use brute-force security checks on servers you don't personally manage.
 
2011-10-19 05:25:21 PM
Idiot. If you're good at something, never do it for free.

March your ass into a techno-stupid executive's office, show him how you "hack their website", and then tell them for $100,000 you can fix it and add .... "because obviously your IT staff isn't up to date on current security protocols."
 
2011-10-19 05:30:04 PM
Pancoaifo: Depends on the Aussie law's wording. If he had stuck with just changing the numbers in the URL manually, I think he'd have been safe.

But he wrote a script and I don't know if Aussie law has a requirement for malicious intention; if not, then the sheer act is illegal.

Maybe it's time for a good samaritan type shield for techie types who report such vulnerabilities.

Pillar (the security company) definitely comes off as douchenozzles of the highest caliber though ...


Where does it say he wrote a script? I RTFA and one of the linked articles and they both mentioned only changing the URL.
 
2011-10-19 05:33:15 PM
HellRaisingHoosier: Idiot. If you're good at something, never do it for free.

March your ass into a techno-stupid executive's office, show him how you "hack their website", and then tell them for $100,000 you can fix it and add .... "because obviously your IT staff isn't up to date on current security protocols."


Ask Wevley how that went with AT&T

Oh wait he's in federal jail for doing that since it's considered a FEDERAL CRIME.

But nice going, really.
 
2011-10-19 05:33:45 PM
OgreMagi: If he had simply published the information, the company would have said, "why didn't you tell us secretly so we could fix it!"

As for his techniques. Do you walk your neighborhood checking everyone's doors and windows without asking permission? No. You can get shot for doing that kind of shiat. So don't use brute-force security checks on servers you don't personally manage.


Changing numbers in a URL is brute force?
 
2011-10-19 05:34:26 PM
According to the letter, he apparently viewed the account details of 568 other bank members. I'm sure he just wanted to be 100% sure the security flaw was real.
 
2011-10-19 05:36:29 PM
Vaguely Racist Lawn Ornament: Changing numbers in a URL is brute force?

By definition, yes

But this is more akin to dialing random numbers on a phone and seeing who picks up
 
2011-10-19 05:38:04 PM
OgreMagi: As for his techniques. Do you walk your neighborhood checking everyone's doors and windows without asking permission? No. You can get shot for doing that kind of shiat. So don't use brute-force security checks on servers you don't personally manage.

This is more like noticing that your neighbor left his door open before he went on vacation, and calling the neighbor to let him know.

URLs are public, and designed to be modified by the end user. The URL bar on your browser is editable for a reason.
 
2011-10-19 05:38:34 PM
whither_apophis: Fark_Guy_Rob: Technically, he broke the law.

It's a sad reflection of the times we live in.

How so? Typing in a URL is how you access a webpage.

/he should counter sue for libel


At least in the US, anyone who "intentionally accesses a computer without authorization or exceeds authorized access" commits a crime. Since (in all likelihood) the "customer number" is tacked on to the URL after logging in (ie., you can't just go directly to a "customer number" page without having first provided credentials) then altering the customer number in the URL is "exceeding authorized access". In the US (again) that would be illegal.

Stupid, I know. But technically all those sites that ask for your age before you can log in, when you (and everyone else) enters January 1, 1969, a crime is being committed.
 
2011-10-19 05:39:05 PM
Vaguely Racist Lawn Ornament: OgreMagi: If he had simply published the information, the company would have said, "why didn't you tell us secretly so we could fix it!"

As for his techniques. Do you walk your neighborhood checking everyone's doors and windows without asking permission? No. You can get shot for doing that kind of shiat. So don't use brute-force security checks on servers you don't personally manage.

Changing numbers in a URL is brute force?


It is if you're obsessive/compulsive.
 
2011-10-19 05:39:31 PM
OgreMagi: As for his techniques. Do you walk your neighborhood checking everyone's doors and windows without asking permission? No. You can get shot for doing that kind of shiat. So don't use brute-force security checks on servers you don't personally manage.

This case is more like picking up your mail at the post office, noticing that the door on the mailbox next to yours looks loose, and nudging it with your finger to see if it opens.
 
2011-10-19 05:42:10 PM
Jobbers: According to the letter, he apparently viewed the account details of 568 other bank members. I'm sure he just wanted to be 100% sure the security flaw was real.

I wonder if it was view or just to see if it hit. Either could generate a log entry and would likely look the same.

/Have similar problems when some yahoo exec wants to know if someone 'read' the message they sent by mistake. When they have the preview pane open, it sets the read flag, but who the fark knows if they really read it. Pick up the damn phone and ask. Or fire him. I don't farking care.
 
2011-10-19 05:46:52 PM
ArcadianRefugee: whither_apophis: Fark_Guy_Rob: Technically, he broke the law.

It's a sad reflection of the times we live in.

How so? Typing in a URL is how you access a webpage.

/he should counter sue for libel

At least in the US, anyone who "intentionally accesses a computer without authorization or exceeds authorized access" commits a crime. Since (in all likelihood) the "customer number" is tacked on to the URL after logging in (ie., you can't just go directly to a "customer number" page without having first provided credentials) then altering the customer number in the URL is "exceeding authorized access". In the US (again) that would be illegal.

Stupid, I know. But technically all those sites that ask for your age before you can log in, when you (and everyone else) enters January 1, 1969, a crime is being committed.


If their security is so bad that changing the URL works, then maybe you can direct access...?

/"That's my story and I'm sticking to it. That original email I sent you was all bunk"
 
2011-10-19 05:48:04 PM
Bleyo: Pancoaifo: Depends on the Aussie law's wording. If he had stuck with just changing the numbers in the URL manually, I think he'd have been safe.

But he wrote a script and I don't know if Aussie law has a requirement for malicious intention; if not, then the sheer act is illegal.

Maybe it's time for a good samaritan type shield for techie types who report such vulnerabilities.

Pillar (the security company) definitely comes off as douchenozzles of the highest caliber though ...

Where does it say he wrote a script? I RTFA and one of the linked articles and they both mentioned only changing the URL.


Crap, I read the linked comments and somehow combined it in my head with TFA. Check for "freak" in the comments for the script stuff.

But still, suppose the law defines hacking as "any attempt to circumvent computer or digital security measures". Sounds like something an ignorant politician might write. And would make jailbreaking your phone or changing the URL just as illegal as hacking NORAD to get nuclear codes.
 
2011-10-19 05:50:38 PM
I use the ol' "change the URL slightly" trick to gain access to all sorts of things online. Hidden pictures in photo galleries, pages that have broken or missing links, and so on. That's not hacking, it's goddamn common sense.

If you have something online you don't want others to access, make sure it actually requires a f*cking password. If not, it's fair game.
 
2011-10-19 05:57:32 PM
electronicmaji: HellRaisingHoosier: Idiot. If you're good at something, never do it for free.

March your ass into a techno-stupid executive's office, show him how you "hack their website", and then tell them for $100,000 you can fix it and add .... "because obviously your IT staff isn't up to date on current security protocols."

Ask Wevley how that went with AT&T

Oh wait he's in federal jail for doing that since it's considered a FEDERAL CRIME.

But nice going, really.


Always look out for # 1, the moment he discovered the flaw he should've sued the bank for allowing ...no conspiring! to allow his account to be illegally accessed.
 
2011-10-19 05:58:27 PM
FuturePastNow: I use the ol' "change the URL slightly" trick to gain access to all sorts of things online. Hidden pictures in photo galleries, pages that have broken or missing links, and so on. That's not hacking, it's goddamn common sense.

If you have something online you don't want others to access, make sure it actually requires a f*cking password. If not, it's fair game.


Fair game is a bit much (politically speaking), but in the old days when geocities was the standard place to drop images in, to prevent some from messing around (and to have it handy) I had a few html scripts that would do bad things (repeated opens of browsers until the computer crashed, or looping pop-ups, bouncing redirects)... mild but effective as in those days, computers wouldn't be responsive enough to be able to open the task manager fast enough to close the process.

It was funny to cause some people in the chat rooms to disappear due to a private message sending them to these scripts. People, even the jackasses would laugh it off.

Today, I'd expect a hissy fit and lawyers.
 
2011-10-19 06:01:32 PM
FuturePastNow: If you have something online you don't want others to access, make sure it actually requires a f*cking password. If not, it's fair game.

I think (again, assuming a lot) that the case here is kind of like "you have a swipe card to access the gym, that doesn't mean you can grab someone else's stuff and walk out with it". Ie., it may be that their security was so bad you only needed to log in to gain access to the site, but once in (apparently) you had no restrictions.

Which, I admit, is farking ridiculous.
 
2011-10-19 06:12:18 PM
the_sidewinder: Vaguely Racist Lawn Ornament: Changing numbers in a URL is brute force?

By definition, yes

But this is more akin to dialing random numbers on a phone and seeing who picks up


No, not by definition. Brute force requires repetitive checking against a comparatively large data domain to determine valid range elements. Repetitive checking and domain element classification are necessary characteristics. This was simple incrementing, next-step pattern verification. It's not even brute force where the number of repetitions is 0. It's simply the realization that account numbers are often serial and thinking, "Hey, what if I just try the next one up from mine?". If he'd started feeding in large numbers of possible account numbers in an effort to find which ones are valid (which would require being aware of the flaw in the first case to have a valid test), that would be brute force. For any given domain value, a brute force attack will result in a positive or negative classification. In this case, had his attempt failed, it would have been either negative or indeterminate, since he wouldn't yet have had the valid test a brute force attack relies on.
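Two points in this thread are testable from the server side: a log entry looks the same whether a record was "viewed" or merely "hit" (the 05:42 PM post), and "try the next one up from mine" leaves a different footprint than random probing (the post above). The following is an added example, not code from the thread or from the institution involved; the log format, field names and thresholds are constructed for the demo.

```python
"""Added detection example over constructed web-server log lines: flag any
logged-in session that reads several different customer numbers within a
short window, then report whether the numbers form a consecutive run."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
# "<iso time> session=<id> GET /account?customer=<n> <status>"
SAMPLE_LOG = """\
2011-10-19T17:00:01 session=s1 GET /account?customer=1000 200
2011-10-19T17:00:02 session=s1 GET /account?customer=1001 200
2011-10-19T17:00:03 session=s1 GET /account?customer=1002 200
2011-10-19T17:00:04 session=s1 GET /account?customer=1003 404
2011-10-19T17:00:05 session=s1 GET /account?customer=1004 200
2011-10-19T17:00:06 session=s2 GET /account?customer=2000 200
2011-10-19T17:05:00 session=s2 GET /account?customer=2000 200
2011-10-19T17:09:00 session=s3 GET /account?customer=3000 200
2011-10-19T17:09:30 session=s3 GET /account?customer=3001 200
"""

LINE_RE = re.compile(r"^(\S+) session=(\S+) GET /account\?customer=(\d+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, session, customer_id, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)), m.group(2),
                   int(m.group(3)), int(m.group(4)))


def find_enumerating_sessions(text, min_distinct=3, window=timedelta(minutes=5)):
    """Return {session: sorted customer ids touched} for every session that
    requested at least `min_distinct` different customer numbers inside any
    `window`-long span. The status code is deliberately ignored: a 200 that
    was never looked at and one that was read carefully log identically, and
    a 404 still records that a number was tried."""
    by_session = defaultdict(list)
    for ts, sess, cid, _status in parse_log(text):
        by_session[sess].append((ts, cid))
    flagged = {}
    for sess, events in by_session.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({cid for _, cid in events[start:end + 1]}) >= min_distinct:
                flagged[sess] = sorted({cid for _, cid in events})
                break
    return flagged


def is_sequential(ids):
    """True when the ids are a run of consecutive numbers, i.e. the
    'next one up from mine' pattern rather than scattered guesses."""
    return len(ids) > 1 and ids == list(range(ids[0], ids[0] + len(ids)))
```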
 
2011-10-19 06:13:42 PM
Maybe he got in on a whim to see if he could, looked at things, checked out accounts and then had the revelation: Holy shiat, I could get in trouble for this! He then crafted up a way to present it to the company as if he was being some kind of samaritan and not a jagoff.

It's hard to tell really. On the internet there are as many nice, altruistic types who put their (limited) skills to work doing good for mankind as there are asshats trying to be malicious and snoop. Right? Right??
 
2011-10-19 06:15:38 PM
Vaguely Racist Lawn Ornament: OgreMagi: If he had simply published the information, the company would have said, "why didn't you tell us secretly so we could fix it!"

As for his techniques. Do you walk your neighborhood checking everyone's doors and windows without asking permission? No. You can get shot for doing that kind of shiat. So don't use brute-force security checks on servers you don't personally manage.

Changing numbers in a URL is brute force?


When using a script to do it, yes. Do that kind of shiat on my servers, I will wield the ban hammer on you.
 
2011-10-19 06:16:00 PM
Fark_Guy_Rob: Technically, he broke the law.

It's a sad reflection of the times we live in.


How so?

could have been a simple keystroke error based on the article.

That'd be my defense. Happened to hit the wrong key and noticed that it gave me someone else's account info. Contacted bank. WTH are you suing me?

Play great in the news.

Good luck getting the $ from him. You can't blame someone for a vulnerability that already existed in your systems (every case I'm familiar with in the US where this happened was either lost by the defendant, dropped, or lost on appeal; NJ seems to be particularly stupid with them).

Thankfully this is in AU, which seems to take the concept of "spirit vs. letter of the law" more seriously than in other places.

/scary flaw, but more common than you think
//easily fixed more often than not, but it's the sign of lazy IT and developers
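The flaw the thread is arguing about, and the fix the post above calls easy, in miniature: an authenticated account page that picks the record by the customer number in the URL instead of by the identity bound to the login session. This is an added example, not code from the thread, techdirt or the institution involved; ACCOUNTS, Session and the handler names are constructed for the demo.

```python
"""Added example: insecure direct object reference on a URL parameter,
with the vulnerable handler beside the corrected one."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: customer number -> account details.
ACCOUNTS = {
    1000: {"name": "A. Member", "balance": 5200.00},
    1001: {"name": "B. Member", "balance": 17.50},
    1002: {"name": "C. Member", "balance": 99000.00},
}


@dataclass
class Session:
    """What the server actually knows after login: which customer authenticated."""
    customer_id: int


def view_account_vulnerable(session: Optional[Session], url_customer: int):
    """The 'before': login proves the caller is *a* customer, but the record
    returned is chosen purely by the number in the URL, so editing it reads
    someone else's account."""
    if session is None:
        return 401, None
    record = ACCOUNTS.get(url_customer)
    return (200, record) if record else (404, None)


def view_account_fixed(session: Optional[Session], url_customer: Optional[int]):
    """The 'after': the record is selected by the identity bound to the
    session. A URL parameter naming a different customer is refused and
    audited instead of honoured, so the URL can no longer choose the victim."""
    if session is None:
        return 401, None
    if url_customer is not None and url_customer != session.customer_id:
        # Authorization failure: record it, since repeats of this are the
        # signal that someone is walking through customer numbers.
        print(f"AUDIT denied session_customer={session.customer_id} "
              f"requested={url_customer}")
        return 403, None
    record = ACCOUNTS.get(session.customer_id)
    return (200, record) if record else (404, None)


def count_cross_account_reads(handler, session: Session, start: int, count: int) -> int:
    """Test harness: ask `handler` for `count` consecutive customer numbers
    from one session and return how many *other* customers' records came
    back. The vulnerable handler leaks every neighbouring record; the fixed
    one leaks none."""
    leaked = 0
    for cid in range(start, start + count):
        status, _record = handler(session, cid)
        if status == 200 and cid != session.customer_id:
            leaked += 1
    return leaked
```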
 
2011-10-19 06:16:52 PM
MrEricSir: OgreMagi: As for his techniques. Do you walk your neighborhood checking everyone's doors and windows without asking permission? No. You can get shot for doing that kind of shiat. So don't use brute-force security checks on servers you don't personally manage.

This is more like noticing that your neighbor left his door open before he went on vacation, and calling the neighbor to let him know.

URLs are public, and designed to be modified by the end user. The URL bar on your browser is editable for a reason.


No, what he did was jiggle the doorknob at a few thousand houses.
 
2011-10-19 06:19:00 PM
So if I have my wireless router set to hidden with no password and someone accesses it, are they committing a federal crime?

Honest curiosity
 
2011-10-19 06:19:25 PM
meathome: That'd be my defense. Happened to hit the wrong key and noticed that it gave me someone else's account info. Contacted bank. WTH are you suing me?

Clearly the browser developers are to blame, then! Why would anyone ever need to manually alter an address when there are perfectly good links available, unless it's for nefarious purposes? No, I think it's high time we get rid of that URL bar. That will stop hackers, since they'll then have no way to automate their attacks-- "mechanize" them, if you will.
 
2011-10-19 06:21:34 PM
OgreMagi: No, what he did was jiggle the doorknob at a few thousand houses.

Nope -- the door was wide open. It's not an analogy so much as security-IT speak.

Coming back from analogy land completely, changing the URL in your browser is completely, unquestionably legal and ethical.
 
2011-10-19 06:24:34 PM
justtray: So if I have my wireless router set to hidden with no password and someone accesses it, are they committing a federal crime?

Honest curiosity


I do believe so
 
2011-10-19 06:25:54 PM
MrEricSir: OgreMagi: No, what he did was jiggle the doorknob at a few thousand houses.

Nope -- the door was wide open. It's not an analogy so much as security-IT speak.

Coming back from analogy land completely, changing the URL in your browser is completely, unquestionably legal and ethical.


If the security flaw is noticeable from the default website, then the door is wide open. It was not noticeable. You had to poke around and get lucky with a guessed user id to gain access.

Changing your browser URL is perfectly legal. Running a script that tries thousands of variations is entirely different. He ran a script. This is the very definition of cracking (aka hacking).
 
2011-10-19 06:28:10 PM
This story brought to you by,,,

www.techdirt.com
That Anonymous Coward
I do a lot of business online. I would personally apologize on my knees to a customer rather than face the possibility of eJustice. These companies really don't get it. The internet can turn very, very nasty, very very quickly. We may be hearing a follow-up to this story. Something about "First State Superannuation" going off-line. Permanently
 
2011-10-19 06:39:54 PM
OgreMagi: Running a script that tries thousands of variations is entirely different.

Different in what way? He could have done it by hand, but he decided to automate the process.

Also, I'd like to point out that this guy probably wasn't the first to discover this issue. He was just the first to not exploit it for personal gain. Companies with security this lax NEVER notice when they've been hacked into.
 
2011-10-19 06:42:10 PM
OgreMagi: MrEricSir: OgreMagi: No, what he did was jiggle the doorknob at a few thousand houses.

Nope -- the door was wide open. It's not an analogy so much as security-IT speak.

Coming back from analogy land completely, changing the URL in your browser is completely, unquestionably legal and ethical.

If the security flaw is noticeable from the default website, then the door is wide open. It was not noticeable. You had to poke around and get lucky with a guessed user id to gain access.

Changing your browser URL is perfectly legal. Running a script that tries thousands of variations is entirely different. He ran a script. This is the very definition of cracking (aka hacking).


From the comments the police wisely decided not to charge him as "he was being civic minded."

/Surprised that the financial institute and security company wanted this to go so public.
 
2011-10-19 06:45:29 PM
justtray: So if I have my wireless router set to hidden with no password and someone accesses it, are they committing a federal crime?

Honest curiosity


If your router is not encrypted and is visible and someone logs onto it without your permission, they are currently breaking US law. I recall reading an article about just that in the last couple of months. You break federal law by sitting in McDonalds and signing onto the Starbucks wifi the next building over.
 
2011-10-19 07:17:46 PM
tinyarena: This story brought to you by,,,


That Anonymous Coward
I do a lot of business online. I would personally apologize on my knees to a customer rather than face the possibility of eJustice. These companies really don't get it. The internet can turn very, very nasty, very very quickly. We may be hearing a follow-up to this story. Something about "First State Superannuation" going off-line. Permanently


Since when has anonymous done anything worse than the cyber-equivalent of egging someone's house?

I keep hearing this "ooh, those guys must now face the wrath of the internet, the poor bastards" and then I never hear anything again. Beyond some minor screwing around with somebody's webpage ...
 
2011-10-19 07:21:27 PM
tinyarena: This story brought to you by,,,

[www.techdirt.com image 100x118]
That Anonymous Coward
I do a lot of business online. I would personally apologize on my knees to a customer rather than face the possibility of eJustice. These companies really don't get it. The internet can turn very, very nasty, very very quickly. We may be hearing a follow-up to this story. Something about "First State Superannuation" going off-line. Permanently


This is the outcome I would prefer.
 
2011-10-19 07:24:09 PM
Pancoaifo: tinyarena: This story brought to you by,,,


That Anonymous Coward
I do a lot of business online. I would personally apologize on my knees to a customer rather than face the possibility of eJustice. These companies really don't get it. The internet can turn very, very nasty, very very quickly. We may be hearing a follow-up to this story. Something about "First State Superannuation" going off-line. Permanently

Since when has anonymous done anything worse than the cyber-equivalent of egging someone's house?

I keep hearing this "ooh, those guys must now face the wrath of the internet, the poor bastards" and then I never hear anything again. Beyond some minor screwing around with somebody's webpage ...


Ask HBGary
 
2011-10-19 07:33:30 PM
Fark_Guy_Rob: Technically, he broke the law.

It's a sad reflection of the times we live in.


So, dialing a random phone number is wiretapping?
 
2011-10-19 07:34:13 PM
Exploit early and exploit often.
 
2011-10-19 07:36:15 PM
Gobsmacked. Just gobsmacked.
 
2011-10-19 07:40:44 PM
 
Displayed 50 of 86 comments
