
(Wired)   Little Bobby Tables under threat by Australian police   (wired.com)
    More: Sad, Little Bobby Tables, Australian police, Australians, SIM card, security vulnerability, SQL, threats, Andrew Auernheimer  

8241 clicks; posted to Main » on 11 Jan 2014 at 12:03 PM (13 weeks ago)



42 Comments   (+0 »)
 
2014-01-11 12:06:41 PM
Or....the police have not even contacted him.
 
2014-01-11 12:09:00 PM
The good news thus far being that they haven't taken any action against him. Let's hope for the moment that the Auzzie cops have better sense than their US counterparts on this matter.

/pipe dream, I know
//or is it tubes...
 
2014-01-11 12:09:22 PM
Hang on, someone's at the back door.
 
2014-01-11 12:13:32 PM
This is why I don't try to make money on the security side. Too much risk of idiot 'clients' and not enough payoff at the end of the day.
 
2014-01-11 12:15:08 PM
imgs.xkcd.com
 
2014-01-11 12:16:03 PM
No good deed goes unpunished and all that....
 
2014-01-11 12:22:16 PM
Unless you have the explicit consent of the one whose security you are testing, you can't really expect the law to be on your side if they decide to prosecute. If he intends to be a security researcher, he should be aware of his legal position.
 
2014-01-11 12:23:28 PM

vudukungfu: Hang on, someone's at the back door.


Isn't that usually what happens?
 
2014-01-11 12:24:27 PM

Mein Fuhrer I Can Walk: The good news thus far being that they haven't taken any action against him. Let's hope for the moment that the Auzzie cops have better sense than their US counterparts on this matter.

/pipe dream, I know
//or is it tubes...


Actually the Company is, more than probably, just covering its ass from a (perceived) legal perspective. If the question is raised down the line, they can honestly answer "yes, we did call the police immediately after we were informed that sensitive data may have been stolen, and yes we followed protocol to the letter, as mandated in our official company policy, and insurance requirements."

I'm almost 100% positive that this is the case.
 
2014-01-11 12:24:56 PM

Fluid: Unless you have the explicit consent of the one whose security you are testing, you can't really expect the law to be on your side if they decide to prosecute. If he intends to be a security researcher, he should be aware of his legal position.


Right.  I only test systems when I am paid to do so.  I hate working off the clock.
/QA
 
2014-01-11 12:27:47 PM
So committing a cyber crime by illegally accessing a database that didn't belong to him got him in trouble with the police? huh...weird
 
2014-01-11 12:30:51 PM
The sane thing to do is not contact such potential bullies directly, but to contact a reputable organization involved in such things to do it for you, like EFF in the US.

The most important thing is that, when they ask for your identity, respond with the statement that "I wish to remain anonymous, so could you please provide me with a randomized 7-digit contact password, so that if we speak in the future, I can use it to identify myself."  This is a handle for them to grasp, so they will be far more comfortable.

This is a real handy trick and you should remember it, in case you need it.
 
2014-01-11 12:31:07 PM

uttertosh: Actually the Company is, more than probably, just covering its ass from a (perceived) legal perspective.


The "company" is the state gov't.
 
2014-01-11 12:32:21 PM
I actually just sent that comic to a software developer. He is trying to assemble a team to sell his product and thinks he's got the perfect thing. He's absolutely resistant to any creation of a product development plan, or even creating an issue tracker. Worse, he wants to sell the product at a consumer level and thinks tech support won't be an issue.

The very first time I entered something in a search field the apostrophe I included threw a hard SQL error with no error handling so I sent him the Johnny Droptables cartoon. Last night he sent me a Dear John letter thanking me for my input but my emphasis on planning is clearly indicative that I'm not a good fit.

Some people you can't help.
 
2014-01-11 12:33:05 PM
oi43.tinypic.com

Courtroom sketch
 
2014-01-11 12:36:58 PM

ginkor: The sane thing to do is not contact such potential bullies directly, but to contact a reputable organization involved in such things to do it for you, like EFF in the US.

The most important thing is that, when they ask for your identity, respond with the statement that "I wish to remain anonymous, so could you please provide me with a randomized 7-digit contact password, so that if we speak in the future, I can use it to identify myself."  This is a handle for them to grasp, so they will be far more comfortable.

This is a real handy trick and you should remember it, in case you need it.


There is a local branch of the Aussie EFF and the people there would be glad to help.  The Aussie Federal Police are also very willing to help and they can be contacted and told about issues and they are happy to visit state agencies and say "you have a security problem."  It works much better for them since they don't get the run around from junior staff.

There were better ways to deal with this.  I expect that things have gone too far, there will be an investigation of the hacker but if he is willing to talk (to the right people) early, it could go away quickly.  Meanwhile we have a department that doesn't have a great reputation for being sane and its minister has the second to worst job in the cabinet and he is going to have to make statements.
 
2014-01-11 12:39:01 PM

DON.MAC: uttertosh: Actually the Company is, more than probably, just covering its ass from a (perceived) legal perspective.

The "company" is the state gov't.


Yes, it's a company owned by the state government. Try not to get too excited, I see the foam starting to collect at the corners of your mouth.
 
2014-01-11 12:41:14 PM

AverageAmericanGuy: This is why I don't try to make money on the security side. Too much risk of idiot 'clients' and not enough payoff at the end of the day.


The payoff for "cybersecurity consultants" is handsome around here.  Easily a 6-figure job if you have a degree, a couple certs, and a few years experience.  Even if you're on the sales side and are good at spreading FUD, you'll be paid well.
 
2014-01-11 12:42:45 PM
Way to protect your sources local newspaper.
 
2014-01-11 12:43:29 PM
I'm just an A/V guy but I notice a trend in IT, in general, for sidelining the smartest people and placing borderline incompetent / unethical folks at the helm. This seems true whether it be the NSA or good sized corporations.

wtf?
 
2014-01-11 12:46:12 PM
The first rule of white hat hacking is that you get the permission of the owner of the system. If you don't you're already in the gray hat realm, which might as well be black hat from the perspective of your target. The most you should do is point out the existence of the security hole. Don't provide proof that you got in (or even get proof). It's kind of like telling a business owner there's a literal unlocked back door to his office. You can tell him you were walking around the building and noticed it, but don't go inside and take pictures of his office plant to prove it to him. If he decides to ignore you, it's his fault.
 
2014-01-11 12:49:39 PM
Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he'd been reported to the police from the journalist who wrote the story for The Age.

"Reported" may just mean the POS 'journalist' asked police if they were pressing any charges. If you walked up to someone's door and showed them how easy it was to pick their lock, and pointed out that nice 52" plasma TV, is it a crime that the DA should pursue, I don't know? I am pro hacker, but not pro cracker. I cannot ignore this is not 1986 and the virtual world is just as real as the physical world.

Bottom line, if you don't have a get out of jail free card and someone feels like they lost face, you could be labeled a 'hacker' in the law and lose access to that future line of employment.

I suppose you could send an email behind seven proxies to the admin, and likely have it ignored. Maybe the email from behind seven proxies to a journalist.
 
2014-01-11 12:52:06 PM
Has anyone stopped to wonder why he was looking for SQL injection vulnerabilities in the first place?  Perhaps, just maybe, he found out about the vulnerability online and thought he'd have a go, then realized how big of a farking deal it was - backtracked, and notified the company?

If this had been some small mom-and-pop organization, who can say what the kid might have done instead of reporting it?

"Lulz u pwnt!!!!"
 
2014-01-11 12:59:10 PM
EdNortonsTwin
I'm just an A/V guy but I notice a trend in IT, in general, for sidelining the smartest people and placing borderline incompetent / unethical folks at the helm. This seems true whether it be the NSA or good sized corporations.
wtf?


There was a great article from one of those normally pointless corporate IT magazines that get sent to corporations for free. The quick and dirty version is that if you are at the helm of an IT division of a random corporation it is not good. If you fully use the budget, manage to stay ahead of the curve and have no fires pop up recently, you will be seen as expendable and outsourced to a company that does not do the job as well.

Gotta keep trimming those expenses for the next financial quarter.
 
2014-01-11 01:00:13 PM

gaslight: I actually just sent that comic to a software developer. He is trying to assemble a team to sell his product and thinks he's got the perfect thing. He's absolutely resistant to any creation of a product development plan, or even creating an issue tracker. Worse, he wants to sell the product at a consumer level and thinks tech support won't be an issue.

The very first time I entered something in a search field the apostrophe I included threw a hard SQL error with no error handling so I sent him the Johnny Droptables cartoon. Last night he sent me a Dear John letter thanking me for my input but my emphasis on planning is clearly indicative that I'm not a good fit.

Some people you can't help.


Pffft, no user is going to use an apostrophe in a normal operation. You just don't appreciate his genius.
/ know the kind
// know it very well
 
2014-01-11 01:08:09 PM

gaslight: I actually just sent that comic to a software developer. He is trying to assemble a team to sell his product and thinks he's got the perfect thing. He's absolutely resistant to any creation of a product development plan, or even creating an issue tracker. Worse, he wants to sell the product at a consumer level and thinks tech support won't be an issue.

The very first time I entered something in a search field the apostrophe I included threw a hard SQL error with no error handling so I sent him the Johnny Droptables cartoon. Last night he sent me a Dear John letter thanking me for my input but my emphasis on planning is clearly indicative that I'm not a good fit.

Some people you can't help.


Any "software developer" that doesn't believe in planning and project management isn't going to be a software developer for long.
 
2014-01-11 01:17:48 PM
He absolutely resisted the idea of creating a wireframe of what it might look like in the future after more VC money was spent on engineering. It seems obvious that building a discussion document before coding is cheaper than adding layers of functionality ad hoc so when I asked 'In ten words or fewer, what do you want me to do but give you suggestions on how to improve the product' there was a long pause and he said 'work on sections of a business plan.'

Great, work on portions of a business plan for a buggy product that won't be improved and has an unknown development future, no categorizable risks, competitors, or customers.

Staffing: between one and infinite.
Competition: Google, Apple, IBM and potentially everyone else.
Risks: None. It's perfect.
Investment return: Ummm.....
Marketing: We post stuff to social media. Might as well mark it done now.

I'm willing to bet he's never worked on discrete products before and his coding experience has been back end stuff for large systems.
 
2014-01-11 01:23:39 PM
Learned a little something about the police, didn't we?
 
2014-01-11 01:36:21 PM
fast-images.picyou.com
 
2014-01-11 01:39:39 PM

EdNortonsTwin: I'm just an A/V guy but I notice a trend in IT, in general, for sidelining the smartest people and placing borderline incompetent / unethical folks at the helm. This seems true whether it be the NSA or good sized corporations.

wtf?


When you get promoted into management you end up having to do things which are unpleasant, like firing the most qualified person on your staff for someone who asks for less salary.  "Shareholder Value" dogma has destroyed a lot of good teams.
 
2014-01-11 01:40:43 PM
Could be worse. At least he didn't have a congressman openly calling for his arrest, as Edward Markey (D) did of Christopher Soghoian.

Congressman Ed Markey Wants Security Researcher Arrested

Old story, but one of the worst.
 
2014-01-11 02:00:49 PM

DON.MAC: uttertosh: Actually the Company is, more than probably, just covering its ass from a (perceived) legal perspective.

The "company" is the state gov't.


No. The company is a subcontractor, and thus not the government.

Even if it were, the government is still obliged by law, and probably by their insurers, to report to police any (even potential) theft of sensitive information on their system. It's called damage limitation, and failure to report immediately, as the breach comes to light, could arouse suspicion at best, infer culpability at worst (laws and practices vary from country to country, I know, but it's pretty standard practice in the 1st world).
 
2014-01-11 02:45:18 PM
Duh. Security through obscurity only works if nobody ever looks at your product. And that's what they want.
 
2014-01-11 03:12:09 PM

gaslight: I actually just sent that comic to a software developer. He is trying to assemble a team to sell his product and thinks he's got the perfect thing. He's absolutely resistant to any creation of a product development plan, or even creating an issue tracker. Worse, he wants to sell the product at a consumer level and thinks tech support won't be an issue.

The very first time I entered something in a search field the apostrophe I included threw a hard SQL error with no error handling so I sent him the Johnny Droptables cartoon. Last night he sent me a Dear John letter thanking me for my input but my emphasis on planning is clearly indicative that I'm not a good fit.

Some people you can't help.


I hate working at places like that.  Error checking?  Who needs that.  I had a boss once actually see error checking in my code and he said "I hope that's just in there for testing."  Apparently their strategy was ignore any errors so if there are any the customer won't notice.  The scary part is they manage people's retirement funds.
 
2014-01-11 03:22:36 PM
DeathByGeekSquad
Has anyone stopped to wonder why he was looking for SQL injection vulnerabilities in the first place?


Sometimes you don't have to look because the sites shove them into your face.
Like, when you're old school and have your browser ask you for confirmation before accepting a cookie and then some webshop wants to set a cookie with value "update orders set foo=bar where..".

Or you're interested in how the big guys do some stuff and you take a look at the HTML and scripting of the pros:
img.fark.net
 
2014-01-11 03:58:34 PM
This is the most basic attack, we worried about this back in 1997 when I was developing a web front end to a database of atomic and molecular data.  We took an effort to limit the input even then, and even though the data was not sensitive in any way.  This is just lazy, lazy programming and shows incompetence on the part of the programmers, designers and especially senior management; the fact that any website has this vulnerability in this day and age is inexcusable.
 
2014-01-11 04:19:55 PM
Lesson learned: instead of reporting these issues, steal the credit card numbers and sell them online.
 
2014-01-11 04:46:33 PM

interstellar_tedium: This is the most basic attack, we worried about this back in 1997 when I was developing a web front end to a database of atomic and molecular data.  We took an effort to limit the input even then, and even though the data was not sensitive in any way.  This is just lazy, lazy programming and shows incompetence on the part of the programmers, designers and especially senior management; the fact that any website has this vulnerability in this day and age is inexcusable.


Still, it is one of the most common attack methods around. It seems that a lot of programmers simply do not account for it when designing a website.
 
2014-01-11 07:35:50 PM

BitwiseShift: [fast-images.picyou.com image 850x850]


Thugs get slugs.
 
2014-01-11 08:41:20 PM

The Voice of Doom: DeathByGeekSquad
Has anyone stopped to wonder why he was looking for SQL injection vulnerabilities in the first place?

Sometimes you don't have to look because the sites shove them into your face.
Like, when you're old school and have your browser ask you for confirmation before accepting a cookie and then some webshop wants to set a cookie with value "update orders set foo=bar where..".

Or you're interested in how the big guys do some stuff and you take a look at the HTML and scripting of the pros:
[img.fark.net image 850x354]


Does Yahoo count as 'pro'?

/I keed...
 
2014-01-11 10:59:41 PM
No. You never, ever do that. You want to highlight a problem? Find a computer that can't be traced to you and tell 4chan. They'll soon make merry hell and force whatever dickhead that couldn't sort out little bobby tables to do so.

Because I'm sorry - whoever allowed that code to go live should not be in this industry. Everyone knows the problem, everyone knows it has potentially catastrophic consequences, and everyone knows that if you use stored procedures with parameterised queries or a good ORM for your data access, you pretty much eradicate the problem. That's my simple message to anyone working for me - use the ORM and if necessary stored procs, and if there's something you think needs a strung together query I want to know about it and we will do all sorts of things to protect it.
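An added example, not code from the thread or from the site in the article: the "apostrophe in a search field throws a hard SQL error" situation gaslight describes, beside the parameterised query the comment above recommends. The table and rows are constructed in memory for the demonstration; the function names are mine.

```python
import sqlite3

# Constructed sample rows standing in for the search field's backing table.
ROWS = [("O'Brien", "widget"), ("Rogers", "gadget"), ("Tables", "gizmo")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table from the constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, product TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> list:
    """The pattern the thread complains about: user input spliced into SQL.
    An apostrophe in `term` closes the string literal early, so the query
    becomes a syntax error (the hard SQL error gaslight saw) or, with other
    input, a different statement than the developer wrote."""
    sql = "SELECT name, product FROM customers WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_parameterised(conn: sqlite3.Connection, term: str) -> list:
    """The fix recommended above: a parameterised query. The value travels
    separately from the statement text, so an apostrophe is just data."""
    sql = "SELECT name, product FROM customers WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def search_outcome(term: str) -> dict:
    """Run both forms on the same input and report what each one did."""
    conn = make_db()
    out = {}
    try:
        out["concatenated"] = search_concatenated(conn, term)
    except sqlite3.OperationalError as exc:
        # With no error handling in front of it, this is what the user of
        # the search form would see.
        out["concatenated"] = f"error: {exc}"
    out["parameterised"] = search_parameterised(conn, term)
    return out


if __name__ == "__main__":
    for term in ("Rogers", "O'Brien"):
        print(term, "->", search_outcome(term))
```

For plain input both forms return the same row; for a name containing an apostrophe only the parameterised form returns the matching row, while the concatenated form raises a syntax error.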
 
2014-01-12 03:20:21 AM
WTF? finding a flaw, reporting it, as well you should, and be placed under scrutiny for it? Seems like a rather Edwardian excuse, that their mistakes be treated as unwelcome.. well, if their excuse was that he could have done it, well, that sounds perfectly prosecutable to me.
 
Displayed 42 of 42 comments