(Wired) Little Bobby Tables under threat by Australian police (wired.com)

Posted to Main on 11 Jan 2014 at 12:03 PM

2014-01-11 12:30:51 PM
5 votes:
The sane thing to do is not contact such potential bullies directly, but to contact a reputable organization involved in such things to do it for you, like EFF in the US.

The most important thing is that, when they ask for your identity, respond with the statement that "I wish to remain anonymous, so could you please provide me with a randomized 7-digit contact password, so that if we speak in the future, I can use it to identify myself."  This is a handle for them to grasp, so they will be far more comfortable.

This is a real handy trick and you should remember it, in case you need it.
2014-01-11 12:46:12 PM
4 votes:
The first rule of white hat hacking is that you get the permission of the owner of the system. If you don't you're already in the gray hat realm, which might as well be black hat from the perspective of your target. The most you should do is point out the existence of the security hole. Don't provide proof that you got in (or even get proof). It's kind of like telling a business owner there's a literal unlocked back door to his office. You can tell him you were walking around the building and noticed it, but don't go inside and take pictures of his office plant to prove it to him. If he decides to ignore you, it's his fault.
2014-01-11 12:22:16 PM
4 votes:
Unless you have the explicit consent of the one whose security you are testing, you can't really expect the law to be on your side if they decide to prosecute. If he intends to be a security researcher, he should be aware of his legal position.
2014-01-11 01:08:09 PM
3 votes:

gaslight: I actually just sent that comic to a software developer. He is trying to assemble a team to sell his product and thinks he's got the perfect thing. He's absolutely resistant to any creation of a product development plan, or even creating an issue tracker. Worse, he wants to sell the product at a consumer level and thinks tech support won't be an issue.

The very first time I entered something in a search field the apostrophe I included threw a hard SQL error with no error handling so I sent him the Johnny Droptables cartoon. Last night he sent me a Dear John letter thanking me for my input but my emphasis on planning is clearly indicative that I'm not a good fit.

Some people you can't help.


Any "software developer" that doesn't believe in planning and project management isn't going to be a software developer for long.
2014-01-11 12:43:29 PM
3 votes:
I'm just an A/V guy but I notice a trend in IT, in general, for sidelining the smartest people and placing borderline incompetent / unethical folks at the helm. This seems true whether it be the NSA or good sized corporations.

wtf?
2014-01-11 12:24:27 PM
3 votes:

Mein Fuhrer I Can Walk: The good news thus far being that they haven't taken any action against him. Let's hope for the moment that the Auzzie cops have better sense than their US counterparts on this matter.

/pipe dream, I know
//or is it tubes...


Actually the Company is, more than probably, just covering its ass from a (perceived) legal perspective. If the question is raised down the line, they can honestly answer "yes, we did call the police immediately after we were informed that sensitive data may have been stolen, and yes we followed protocol to the letter, as mandated in our official company policy and insurance requirements."

I'm almost 100% positive that this is the case.
2014-01-11 12:15:08 PM
3 votes:
imgs.xkcd.com
2014-01-11 12:32:21 PM
2 votes:
I actually just sent that comic to a software developer. He is trying to assemble a team to sell his product and thinks he's got the perfect thing. He's absolutely resistant to any creation of a product development plan, or even creating an issue tracker. Worse, he wants to sell the product at a consumer level and thinks tech support won't be an issue.

The very first time I entered something in a search field the apostrophe I included threw a hard SQL error with no error handling so I sent him the Johnny Droptables cartoon. Last night he sent me a Dear John letter thanking me for my input but my emphasis on planning is clearly indicative that I'm not a good fit.

Some people you can't help.
2014-01-11 12:16:03 PM
2 votes:
No good deed goes unpunished and all that....
2014-01-11 10:59:41 PM
1 vote:
No. You never, ever do that. You want to highlight a problem? Find a computer that can't be traced to you and tell 4chan. They'll soon make merry hell and force whatever dickhead that couldn't sort out little bobby tables to do so.

Because I'm sorry - whoever allowed that code to go live should not be in this industry. Everyone knows the problem, everyone knows it has potentially catastrophic consequences, and everyone knows that if you use stored procedures with parameterised queries or a good ORM for your data access, you pretty much eradicate the problem. That's my simple message to anyone working for me - use the ORM and if necessary stored procs, and if there's something you think needs a strung together query I want to know about it and we will do all sorts of things to protect it.
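The search-field apostrophe that threw a hard SQL error a few comments up, and the parameterised query this comment recommends, side by side. This is an added example, not code from the thread; it uses Python's sqlite3 module, and the product table and search inputs are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny in-memory product catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("O'Reilly books",), ("Widget",)])
    return conn

def search_concatenated(conn, term):
    """Unsafe pattern: the user's term is spliced into the SQL text.
    A single apostrophe breaks the string quoting, so the database
    raises a syntax error; crafted input could alter the query instead."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterised(conn, term):
    """Safe pattern: the term is a bound parameter, so the database
    treats it purely as data and an apostrophe is just a character."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def demo():
    """Run both searches on plain input and on input with an apostrophe."""
    conn = make_db()
    results = {}
    results["plain_concat"] = search_concatenated(conn, "Widget")
    results["plain_param"] = search_parameterised(conn, "Widget")
    try:
        results["quote_concat"] = search_concatenated(conn, "O'Reilly")
    except sqlite3.Error as e:
        # The concatenated version fails on the apostrophe, as in the thread.
        results["quote_concat"] = "sqlite3 error: " + str(e)
    results["quote_param"] = search_parameterised(conn, "O'Reilly")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```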
2014-01-11 02:45:18 PM
1 vote:
Duh. Security through obscurity only works if nobody ever looks at your product. And that's what they want.
2014-01-11 01:39:39 PM
1 vote:

EdNortonsTwin: I'm just an A/V guy but I notice a trend in IT, in general, for sidelining the smartest people and placing borderline incompetent / unethical folks at the helm. This seems true whether it be the NSA or good sized corporations.

wtf?


When you get promoted into management you end up having to do things which are unpleasant, like firing the most qualified person on your staff for someone who asks for less salary.  "Shareholder Value" dogma has destroyed a lot of good teams.
2014-01-11 01:36:21 PM
1 vote:
fast-images.picyou.com
2014-01-11 12:52:06 PM
1 vote:
Has anyone stopped to wonder why he was looking for SQL injection vulnerabilities in the first place?  Perhaps, just maybe, he found out about the vulnerability online and thought he'd have a go, then realized how big of a farking deal it was - backtracked, and notified the company?

If this had been some small mom-and-pop organization, who can say what the kid might have done instead of reporting it?

"Lulz u pwnt!!!!"
2014-01-11 12:42:45 PM
1 vote:
Way to protect your sources local newspaper.
2014-01-11 12:39:01 PM
1 vote:

DON.MAC: uttertosh: Actually the Company is, more than probably, just covering its ass from a (perceived) legal perspective.

The "company" is the state gov't.


Yes, it's a company owned by the state government. Try not to get too excited, I see the foam starting to collect at the corners of your mouth.
2014-01-11 12:27:47 PM
1 vote:
So committing a cyber crime by illegally accessing a database that didn't belong to him got him in trouble with the police? huh...weird
2014-01-11 12:13:32 PM
1 vote:
This is why I don't try to make money on the security side. Too much risk of idiot 'clients' and not enough payoff at the end of the day.
2014-01-11 12:09:00 PM
1 vote:
The good news thus far being that they haven't taken any action against him. Let's hope for the moment that the Auzzie cops have better sense than their US counterparts on this matter.

/pipe dream, I know
//or is it tubes...