Privacy Security The Almighty Buck

Ask Slashdot: To Hack Or Not To Hack?

seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good Samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."
  • by pngwen ( 72492 ) on Friday December 02, 2011 @05:43PM (#38243820) Journal

    The most ethical thing you can do is fully disclose the hack to the media, and to as many websites as possible. This will force the developers to either fix the problem or let the company go down in flames. If you keep it secret, innocent people will be harmed when their information is leaked by the faulty code. If you could hack it, others can too. They may be less altruistic about what they find.

    Write to 2600, call your local media, write to your newspaper, post the info here, go to the forums, and take the word to the street!

  • by unity100 ( 970058 ) on Friday December 02, 2011 @05:53PM (#38243998) Homepage Journal

    Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general.

    It's maybe none of his business, but it's MY business AS A USER that some company that I give my credit card to is this irresponsible. Those who would hack it would hack it, and just use the cards and deduct hard-to-notice amounts every month and fuck me over.

    If it wasn't for people like the article submitter, THOSE COMPANIES WOULDN'T LIFT THEIR ASSES for security. So YOU shut the fuck up. It's MY wallet.

  • Re:Language matters (Score:4, Interesting)

    by msauve ( 701917 ) on Friday December 02, 2011 @05:55PM (#38244028)
    "Hacking is hacking into remote targets. Cracking is cracking software on your local computer by reverse engineering and debugging it."

    Absolutely wrong. "Hacker" is defined, and differentiated from "cracker," in RFC 1392 [ietf.org]:

    cracker
    A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system...

    hacker
    A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where "cracker" would be the correct term.

  • by jgrahn ( 181062 ) on Friday December 02, 2011 @05:59PM (#38244078)

    First off, QUIT FUCKING TRESPASSING.

    I don't care if you're not doing it for money (though, you sound like you might do it for fame). It's wrong.

    As he explained it, it sounds as if he's concerned about the outfit's customers. It's not unheard of -- that people care about the wellbeing of other people. (That Christ guy you mention in the subject line did, for example)

  • CERT (Score:5, Interesting)

    by Z00L00K ( 682162 ) on Friday December 02, 2011 @06:02PM (#38244148) Homepage Journal

    Report it to CERT [us-cert.gov]. (Or other corresponding security organization if you are outside the US.)

  • Re:First thing first (Score:4, Interesting)

    by purpledinoz ( 573045 ) on Friday December 02, 2011 @06:11PM (#38244308)
    There's a 3rd option. Give out the info anonymously, and see how quickly it gets resolved.
  • Re:First thing first (Score:4, Interesting)

    by swillden ( 191260 ) <shawn-ds@willden.org> on Friday December 02, 2011 @06:16PM (#38244416) Journal

    He's already violated several conditions of the Computer Fraud and Abuse Act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records

    Maybe. He didn't say he *had* accessed the secure user accounts, just that he had discovered how. Granted that it's usually hard to know if your attack works without testing it, but it is possible to recognize an easily-exploited weakness.

    Building a proof of concept doesn't necessarily require accessing the data, either. He could build the proof of concept, test it against his own system, and then send it to them (or perhaps even publish it) without having broken any laws.

  • Re:First thing first (Score:4, Interesting)

    by Synerg1y ( 2169962 ) on Friday December 02, 2011 @06:58PM (#38245028)

    He never got on the plane; get your facts straight. Sounds like he almost did, though, 'cause German kids are the #1 security threat to this country.

    Source:
    http://www.eurogamer.net/articles/2011-02-21-the-boy-who-stole-half-life-2-article [eurogamer.net]

    It's a pretty good read.

    I can't help thinking how a real criminal would have proxied, and sold the code rather than published it, but to the FBI it's all the same.

  • Re:First thing first (Score:4, Interesting)

    by Nethemas the Great ( 909900 ) on Friday December 02, 2011 @07:03PM (#38245076)

    I know what you meant. Believe me businesses will do anything and everything to protect their image with the shareholders. If someone were to leak this to the media, VISA, etc. and the company found out who it was, they'd have their lawyers, and the FBI pounding down that person's door. Go direct to jail, do not pass "go," do not collect $200.

    The only way you could possibly approach this from a legal "high-ground" would be to have jurisdiction and sue for negligence.

  • Is your name Kevin? (Score:4, Interesting)

    by slapout ( 93640 ) on Friday December 02, 2011 @07:04PM (#38245090)

    Hack their system, go to jail for a few (many?) years. Then become a security consultant and go on a book tour.

  • by Pooua ( 265915 ) on Friday December 02, 2011 @08:32PM (#38246046) Homepage

    I'm inclined to agree with those who state this was a honey pot. Maybe it was and maybe it wasn't, but standard security procedure is to have a honey pot open and available for naive, young hackers to fall into. You probably aren't the first person in it, either, if this is a big name institution. I read that an unsecured computer left open to the Internet will have hundreds of attacks compromise it a day, within seconds of going online. So, I would guess those credit card numbers are also fake.

    Your best bet is to leave it alone. If this isn't a trap, that's for the company and the customers to deal with it, and the repercussions that follow. The fact that you need to ask here what to do about it leads me to suspect that you are in over your head.

  • Re:First thing first (Score:5, Interesting)

    by rtfa-troll ( 1340807 ) on Friday December 02, 2011 @09:37PM (#38246588)

    Not having broken any laws is very unlikely; worse still it may be true locally, but likely he's broken US law and may be extradited or tricked into a situation where they can get him. Later, when he's had a clear statement from the company that he did the right thing, then that's the time to go to the press. Right now, when he's pretty clearly screwed up, he should be in damage limitation mode.

    The fact that the company is giving "confused" and "aloof" answers may be just stupidity, but to paranoid me it suggests a trap. They are trying to get him to do something so that they can accuse him of doing something clearly illegal and have the FBI/CIA get rid of him. The fact he's sent an email suggests he's completely screwed unless he's done that through TOR + an anonymizer service.

    What to do

    • Get lawyered up. Lawyers are expensive; not lawyers are much more expensive. Make sure you have one who has actually succeeded in protecting people in your exact situation.
    • See if the EFF will support you as a security researcher. Freedom of speech issues may help protect you. They may be able to recommend a lawyer. Unless you see martyrdom as your future, be careful not to become a public case until you know that that would be a benefit for you.
    • Try to find out for sure if you have broken any laws and the consequences. When doing this ensure you only talk to a lawyer (no internet searches!!) so that all discussions remain legally privileged and can't be used against you to show you knew what you were doing / had done.
    • Find a CERT that would be interested in this. Do not communicate further with the company directly, only through the CERT. The EFF might do too. Any body which has real experience in doing disclosure and will isolate you from the risk of direct communication.
    • Pretending you don't know about the hole would probably have been best, but assume it's too late for that. You need to now go through the notification; until this is fixed you are at risk of lawsuit or prison.
    • Do not accept any offer of anything; no free travel; no free developer account; no "chance to help us clean up". This is likely an attempt to set you up for an extortion charge.
    • Anything further you do with this case, you do on your own isolated computer.
    • Do not do anything which could be interpreted as destruction of evidence. Your lawyer may be able to help you with advice about any data destruction you could do to minimise risk in a lawsuit.
    • Without legal advice otherwise, do not use any services from the company and don't visit the web site of the company. Beware of anything which might bind you into a contract with the company.
    • Prepare to be raided. All of your computers will be taken from you and any disks you have on site. Your close family and computer friends may also be raided. Make backups of everything and store them in a locked box somewhere which can't be related back to you. E.g. a trusted but distant friend from school times. Alternatively a vault in a private bank (e.g. in Switzerland).
  • Re:First thing first (Score:5, Interesting)

    by pla ( 258480 ) on Friday December 02, 2011 @09:38PM (#38246592) Journal
    Hacking somebody's financial records isn't just a concept

    A few months ago, I, in the course of my job duties, discovered a massive, glaring, easily exploitable security flaw at a financial transaction processing company that a great many people (as in, somewhere around a third of Americans who pay their bills online) likely use without knowing it. And no, you probably haven't heard of them unless you work in the banking industry.

    I didn't write an SQL injection. I didn't guess passwords. I didn't even probe for hidden options in a CGI... I merely mis-typed a path in a web-scraping script intended to retrieve information I legally had the right to get, and ended up with entirely someone else's information. Yes, literally as simple as "tweak the URL", and you could see anyone's info you want.

    I informed them of this flaw, as an official "you have to fix this now or consider yourself in violation of our contract" communication, and they have made it a bit better - In that you would now at least need to intend to attack them, rather than just anyone having the ability to do so accidentally. Good to know that no more pesky whitehats will bother them about their insecurities.

    But put bluntly, companies don't give two shakes of a rat's ass about us. The very fact that such a trivial weakness existed in the first place demonstrates that they don't pay attention to security in the least; and their fix demonstrates that they don't really care even when they have known flaws. They care about how much it will cost them to fix vs the cost and probability of someone malicious discovering the problem, end of story.
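The "tweak the URL" flaw pla describes is an insecure direct object reference: the handler trusts the record ID in the path and never checks that the record belongs to the caller. What follows is an added example, written for this page and not code from the processor pla mentions or from anyone in this thread. It places the vulnerable lookup beside a hardened one and runs the kind of proof of concept swillden describes further up: against a local stand-in with made-up records, so no third party's data is touched. The route shape, the account records, the user names and the `user` field on the request (standing in for whatever the session layer would set) are all constructed for the illustration.

```python
"""
IDOR via a tweaked URL path, reproduced against a local stand-in.

Constructed example: routes, records and users are made up; the request's
`user` field stands in for the principal a real session layer would set.
"""
import re
from dataclasses import dataclass

# Constructed sample data: two customers' records, sequential IDs.
ACCOUNTS = {
    "1001": {"owner": "alice", "card_last4": "4242", "balance": 120.50},
    "1002": {"owner": "bob",   "card_last4": "1881", "balance": 98.00},
}

ROUTE = re.compile(r"^/accounts/(\d+)$")


@dataclass
class Request:
    path: str
    user: str  # authenticated principal (assumed to be set upstream)


def vulnerable_handler(req: Request):
    """Looks up whatever ID is in the URL and never asks who is calling.

    Returns (status, record). This is the 'before' behaviour: any
    authenticated user, or anyone who mistypes a path, can read any record.
    """
    m = ROUTE.match(req.path)
    if not m:
        return 404, None
    rec = ACCOUNTS.get(m.group(1))
    if rec is None:
        return 404, None
    return 200, rec


def hardened_handler(req: Request):
    """Same route, but the record must belong to the authenticated user.

    A missing record and a record owned by someone else get the same status,
    so the response cannot be used as an oracle to enumerate valid IDs.
    """
    m = ROUTE.match(req.path)
    if not m:
        return 404, None
    rec = ACCOUNTS.get(m.group(1))
    if rec is None or rec["owner"] != req.user:
        return 404, None
    return 200, rec


def probe(handler, user, own_id, other_id):
    """Minimal proof of concept: fetch your own record, then change one
    digit in the path and see whether someone else's comes back."""
    own_status, _ = handler(Request(f"/accounts/{own_id}", user))
    other_status, _ = handler(Request(f"/accounts/{other_id}", user))
    return {"own_ok": own_status == 200, "leaks_other": other_status == 200}


def sweep(handler, user, id_range):
    """Walk sequential IDs as one user and list the records that are not
    theirs; on the vulnerable handler this is the whole customer base."""
    leaked = []
    for i in id_range:
        status, rec = handler(Request(f"/accounts/{i}", user))
        if status == 200 and rec["owner"] != user:
            leaked.append(str(i))
    return leaked


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_handler, "alice", "1001", "1002"))
    print("hardened:  ", probe(hardened_handler, "alice", "1001", "1002"))
    print("sweep (vulnerable):", sweep(vulnerable_handler, "alice", range(1000, 1010)))
    print("sweep (hardened):  ", sweep(hardened_handler, "alice", range(1000, 1010)))
```

The ownership check is the whole fix; the choice of 404 rather than 403 for a foreign ID is deliberate, since a distinct "exists but not yours" status is exactly the oracle `sweep` needs. The same check has to sit in every route that takes an identifier, not only this one; a fix that merely hides the obvious path, of the kind pla describes, leaves `sweep` working for anyone who bothers to look.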
