Topics: Privacy, Security, The Almighty Buck

Ask Slashdot: To Hack Or Not To Hack? (517 comments)

Posted by Soulskill
from the ethics-and-responsibilities dept.
seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good Samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."
  • First thing first (Score:5, Informative)

    by CmdrPony (2505686) on Friday December 02, 2011 @04:34PM (#38243638)
    Don't talk about it much publicly. You never know what kind of people there are on the internet and what they could do once they figure out what company you're talking about. Now Slashdot, what are your suggestions to him?
    • Re: (Score:2, Insightful)

      Blow it up. People's privacy is at risk.

      • by Anonymous Coward on Friday December 02, 2011 @04:47PM (#38243880)

Someone left their front door open, let's go torch the house before someone steals something of value.

        • by tripleevenfall (1990004) on Friday December 02, 2011 @05:25PM (#38244532)

          They are being reckless with people's personal information. Painfully reckless it sounds like, since they are ignoring clear warnings that they have vulnerabilities.

          Look at what happened to Sony re: Playstation Network - and they didn't even lose anyone's billing information.

          The negligence is already occurring, the damage is just waiting to happen.

      • by Nethemas the Great (909900) on Friday December 02, 2011 @05:38PM (#38244716)
        If you "blow it up" you WILL risk very SEVERE consequences. There's no room for the good Samaritan outsider esp. where it concerns security. I'm not sure if there's a reasonable answer that will put a stop to their negligence but I would most definitely tread lightly.
      • Re:First thing first (Score:4, Informative)

        by JMJimmy (2036122) on Friday December 02, 2011 @10:35PM (#38247146)

        Blow it up sounds fun but it'll get you sued or worse.

        http://seclists.org/fulldisclosure/ [seclists.org]

        I had to threaten to expose a security flaw which exposed hundreds of thousands of peoples info (luckily no financial info) - within an hour of threatening full disclosure they'd closed my "tech ticket" and an administrator was emailing me for more details and a timeline for a fix.

    • Re:First thing first (Score:5, Informative)

      by Zaphod The 42nd (1205578) on Friday December 02, 2011 @04:59PM (#38244080)
      He is clearly miles and miles in over his head. My advice: STOP. NOW. Don't touch anything and don't say anything. Go read books on ethical hacking and wiretapping / unauthorized access law. He's likely already in violation of several laws, possibly several federal laws. And now he's admitted to them publicly on the internet. -__-

He's already violated several conditions of the Computer Fraud and Abuse Act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records.
      Computer Fraud and Abuse Act [wikipedia.org] State laws on Computer Hacking and Unauthorized Access [ncsl.org]

      I suppose I'm getting ahead of myself by assuming he is in the United States. Regardless though, I ask:
      To go to jail, or not to go to jail?
      • by S73rM4n (2523312) on Friday December 02, 2011 @05:11PM (#38244296)
I would second this opinion (also, as above, assuming USA as OP's location). Though your intentions are noble, it is highly illegal to breach a computer system without permission/ownership, regardless of intent. Similar to other crimes - you would still be arrested for breaking and entering a property even if your intent was to show the owner that their security system was flawed, unless they asked you to test it out for them.

        My advice - do nothing further. You discovered the flaw and told them about it, the onus is on them to make sure that their systems are secure. Just make sure that you don't leave a trail for other, less scrupulous people to follow...you certainly wouldn't want a future breach and malicious use of this flaw to point to you as the one who discovered it!
        • Re:First thing first (Score:5, Informative)

          by chill (34294) on Friday December 02, 2011 @05:15PM (#38244382) Journal

          An anonymous tip to US-CERT might not be a bad idea. But, yes, he is in over his head and opening himself up for nasty reprisals when the company looks for someone to blame.

      • Re:First thing first (Score:4, Interesting)

        by swillden (191260) <shawn-ds@willden.org> on Friday December 02, 2011 @05:16PM (#38244416) Homepage Journal

He's already violated several conditions of the Computer Fraud and Abuse Act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records.

        Maybe. He didn't say he *had* accessed the secure user accounts, just that he had discovered how. Granted that it's usually hard to know if your attack works without testing it, but it is possible to recognize an easily-exploited weakness.

        Building a proof of concept doesn't necessarily require accessing the data, either. He could build the proof of concept, test it against his own system, and then send it to them (or perhaps even publish it) without having broken any laws.

        • by reiisi (1211052) on Friday December 02, 2011 @06:48PM (#38245618) Homepage

          If his own account is secure and he has noticed that he could have accessed it without credentials?

          Actually accessing his own account without credentials could also be breaking himself against the law.

          Building a proof of concept legally is probably not possible, even if he builds it on his own network, on his own machine.

          The laws are screwed until we can figure out how to get people to understand that computer memory is just fancy paper and CPUs are just fancy pens with fancy erasers.

          I need to change my sig. Apple is now only a co-conspirator.

      • EFF (Score:5, Insightful)

        by bmuon (1814306) on Friday December 02, 2011 @05:36PM (#38244684)

Shouldn't he contact the Electronic Frontier Foundation? Isn't its purpose to provide advice in these cases?

  • NSA? (Score:4, Funny)

    by Toe, The (545098) on Friday December 02, 2011 @04:36PM (#38243664)

    Maybe you could get the NSA to hack them?
    Just brainstorming here...

  • PCI (Score:5, Insightful)

    by Anonymous Coward on Friday December 02, 2011 @04:36PM (#38243670)

    If they don't want to listen, go to Visa and MasterCard. They won't sit on their asses about exposed credit card data.

    • Re:PCI (Score:5, Insightful)

      by Dr_Barnowl (709838) on Friday December 02, 2011 @04:44PM (#38243840)

      If you hadn't already exposed yourself to the owner, I'd write a how-to and send it to them anonymously, and later send the credit cards an ANONYMOUS tip.

      Why anonymous? Hacking, even for white-hat reasons, is illegal in most jurisdictions. Even accidental hacking.

Now that you've exposed yourself to them it would be too easy for them to piece together who turned them in for a nice PCI audit. It would be all too easy for them to send your emails to a computer crime division and get you busted, especially if they have any friends with influence there. Just avoid using their product and quietly tell your friends not to do the same.

      The only time I have ever even considered informing a company of a security hole is on an occasion when I'd previously worked for them, personally knew the owner, and knew that the owner respected my ability.

      • Re:PCI (Score:5, Funny)

        by V!NCENT (1105021) on Friday December 02, 2011 @05:19PM (#38244456)

        "How can I help you?"
        -"Well, I noticed that your bank safe is wide open! You might want to cl-"
        "You asshole! I'm calling the FBI!"
        -"But people their money might get sto-"
        "Son, you are under arrest for looking at something and then notifying the owner about it"

        Why is the world ruled by morons?

        • Re: (Score:3, Insightful)

Let's say you have a company. Let's say you have some servers. Let's say the world works the way YOU say it should.

Now, every day, you're going to get every script kiddie on the internet trying to poke holes in your network. In fact, if they get in, that's fine. They're allowed to look at everything you're doing (trade secrets) and they can copy user data, since this is legal. You're going to be in hot water with your customers, fast.

          Also, you're getting DDoS'd now because of all these people hitting your
          • by V!NCENT (1105021)

            If they poke holes in my network all day and report where the holes are then that's fine, because if a malicious hacker gets it first; I'm fscked.

            Is that so hard? I'd rather have friendlies poke my network before unfriendlies poke my network.

            And I shouldn't be doing bad things that I can get charged with in the first place. And when I say bad I do not necessarily mean against the law, because the law isn't always The Right Thing To Do.

For those who are truly interested in testing the boundaries of computer security there are dozens of legitimate companies that do nothing but this type of work. If you know your shit it is also very high paying. If you are truly exceptional any government security or military agency will search out your services under the strategy of "fighting fire with fire". They even accept people who have skirted or flat out broken the boundaries of law in the past. And the best part is that these type of jobs do not f
    • Re:PCI (Score:5, Insightful)

      by hellkyng (1920978) on Friday December 02, 2011 @04:59PM (#38244084)

While you make a good point that Visa and MC won't sit on their asses about data, that is only from a PCI perspective. And realistically it's trivially easy to maintain PCI compliance and have an insecure product.

What I would recommend, however, is to work through a professional service like Secunia: https://secunia.com/company/blog_news/news/271 [secunia.com]. They can lend credibility to your claim and they provide what I personally would describe as an ethical approach to remediation. I would strongly recommend against any further testing on your part unless you are prepared to deal with legal consequences. Not that I agree with companies going after researchers, but it does happen.

      Good luck.

      • by Y.A.A.P. (1252040)

        I wish that it was possible to mod something up further than 5 in special cases, because the post from hellkyng really is giving the best advice for what you want to do, namely making sure that the people whose data is being stored insecurely becomes stored securely. None of the other 5's in the comments are doing that, they're just "Cover your ass" advice.

        Now I'm going to mod up the other post that I've seen which gives advice in line with your goals - contact some famous security professionals and see wh

  • You're just asking (Score:5, Insightful)

    by Vinegar Joe (998110) on Friday December 02, 2011 @04:36PM (#38243678)

    For a 5 year tour of the federal penitentiary system, aren't you?

  • by gTsiros (205624) on Friday December 02, 2011 @04:37PM (#38243698)

    translated:

    do you know how to steal? (implied yes as an answer)

    do you know how to *hide*?

  • by james_van (2241758) on Friday December 02, 2011 @04:37PM (#38243702)
    Maybe the company doesn't care, but the people with money on the line will. And when they start to care, the company will start to care. Don't go hacking to try and prove a point, that's just gonna cause you more trouble than it's worth. And if, at the end of the day, no one cares or does anything about it, no sweat off your back.
    • by Amouth (879122) on Friday December 02, 2011 @05:19PM (#38244448)

If it was me - after the company doesn't bother to recognize it - I'd contact the credit card clearing house (Visa/MC/AmEx) that they use. Anyone who is processing and storing CC info has to comply with PCI DSS. If you can get access to card info then they are out of compliance, and are subject to having their merchant account deactivated, charges seized, and paying fines.

The CC companies don't (normally) play around with it. Contact them and inform them of the situation. IF (AND ONLY IF) they need it, provide them a proof of concept CODE/method only. DO NOT grab card numbers and send them as an example; let the CC company evaluate your proof of concept and see if they can access CC numbers.

      This method seems to work (has in the past) to get people to fix their holes.. As for them actually becoming a more responsible company after this, well hell never has been a cold place..

  • Oh boy... (Score:5, Insightful)

    by Anonymous Coward on Friday December 02, 2011 @04:38PM (#38243710)

    Walk away. You notified the appropriate people. After that, it no longer has anything to do with you, and can only go pear-shaped from here.

  • notify visa (Score:5, Informative)

    by banbeans (122547) on Friday December 02, 2011 @04:39PM (#38243738)

    U.S. – (650) 432-2978 or usfraudcontrol@visa.com

  • Report them to a newspaper and tech sites or something. Business papers, even.

  • How do I make my amazon wishlist available to you?

    Drop everything, wipe the files you have, reformat and reinstall your computer, create a plausible deniability claim to any account you used of this that can be tied to you.

    Then go to an internet cafe and post somewhere.

  • Retain a lawyer. (Score:5, Insightful)

    by chemicaldave (1776600) on Friday December 02, 2011 @04:42PM (#38243798)
    You should probably hire a lawyer. It doesn't matter how good you're trying to be. Anything you did to come to your conclusions that was illegal is going to be frowned upon... severely. And if you do go public, you'll likely be hit with a C&D letter.
  • by nedlohs (1335013) on Friday December 02, 2011 @04:42PM (#38243804)

    Now just forget about it and hope no one hacks them before they forget about you.

    • by Hentes (2461350)

Exactly. By contacting them, presumably through a non-anonymous email account, you already made a wrong decision. Companies will never admit they were wrong, and if anyone hacks them in the future you will be the first one to blame. Even professional security researchers can be silenced by legal threats; you won't be an exception. Just leave it alone, it's far too risky to rely on a company's goodwill.
      And if you ever want to do something similar again, the most important part is to remain anonymous th

  • by pngwen (72492) on Friday December 02, 2011 @04:43PM (#38243820) Journal

The most ethical thing you can do is fully disclose the hack to the media, and to as many websites as possible. This will force the developers to either fix the problem or let the company go down in flames. If you keep it secret, innocent people will be harmed when their information is leaked by the faulty code. If you could hack it, others can too. They may be less altruistic about what they find.

    Write to 2600, call your local media, write to your newspaper, post the info here, go to the forums, and take the word to the street!

    • by Vellmont (569020) on Friday December 02, 2011 @05:08PM (#38244254) Homepage

      It's not only the most ethical, it's the only way this company will actually do anything. I'd also suggest to do this anonymously. Corporations have a habit of striking back blindly in random directions whenever they feel threatened, and this will most certainly threaten them. It wouldn't surprise me in the least if they tried to smack you down with restraining orders, defamation suits, or whatever the lawyers think will hurt you the most. If you release the information anonymously (and be very careful how you go about this), then there's nobody to slap down with restraining orders.

  • by Anonymous Coward

    Send them a link to this website: http://ask.slashdot.org/story/11/12/02/2124215/ask-slashdot-to-hack-or-not-to-hack

  • by Zaphod The 42nd (1205578) on Friday December 02, 2011 @04:43PM (#38243832)
This is the DUMBEST THING EVER. I cannot believe people actually think this way. Are you familiar with the LAW SYSTEM? People can't just go around doing things without permission like that. If your internet connection crosses a state line (and due to packet routing it probably does and you might not even know), then you are committing a FEDERAL CRIME. That means that not just the police, but the FBI will come knock on your door. History is just FULL of people who thought, hey, I'm pretty clever, I'll hack these people and get a job. NOBODY WILL HIRE A CRIMINAL, I PROMISE YOU.

    Cannot stress this enough. Jeeze.

Here are your options: Call them, email them. That's it. Move on with your life if they ignore you. There's nothing that says they can't be incompetent if they want to, but there is something that says you can't break into their systems (yes, even if they're not secured).
    • Seriously, how did this get on the front page?!?
    • by syousef (465911)

      This is the DUMBEST THING EVER. I cannot believe people actually think this way. Are you familiar with the LAW SYSTEM?

      No, but I'm familiar with the concept of a LEGAL system. ;-)

    • by Hatta (162192) on Friday December 02, 2011 @06:32PM (#38245400) Journal

      No, the dumbest thing ever is the legal system which punishes whistleblowers. Wait, no, that's the 2nd dumbest thing ever. The absolute dumbest thing ever are the people who support a legal system that punishes whistleblowers.

  • Journalism works (Score:5, Insightful)

    by Anonymous Coward on Friday December 02, 2011 @04:45PM (#38243852)

    If you want to get the word out anonymously, approach a journalist. Journalists have a vested interest in breaking the next scandalous new story, especially those who are new and making a name for themselves. They also have a vested interest in protecting their sources, though you might still want to report it through an anonymous email account.

  • by Anonymous Coward on Friday December 02, 2011 @04:46PM (#38243868)

    Ed Felten himself may not be the best person to contact, actually, since he's currently working for the FTC, but then again he may be worth sending an email to.

    My point is this: ask someone who is respected in the security field and has years of experience. If not Felten, try and contact Moxie Marlinspike, perhaps.

    It sounds like you are young and have very little experience with this kind of stuff. Do not make the mistake of thinking that anyone is going to thank you for your efforts. The company with the bad security may be run by a bunch of technological idiots who will see you as the threat. When the FBI comes calling, they will be more interested in seeing what criminal charges they can bring against you.

    But don't be scared into inaction. Instead seek advice from experts who have been in the same position as you. They may have contacts and could help you present the exploit information in a way that is

    1) legal
    2) professionally done
    3) likely to get taken seriously by the developers at the affected company.

    Good luck! As long as you keep certain cautions in mind, you may have just stumbled onto a career in security!

  • Probably good time for another session...

  • Well... (Score:4, Interesting)

    by MikeRT (947531) on Friday December 02, 2011 @04:48PM (#38243906) Homepage

    You could consider contacting one of the major credit card companies like Visa. That's assuming you haven't done anything which could be construed as actually testing or exploiting the hole. If you have, it's a pretty sure bet the FBI will be on you like white on rice. They might anyway, but that would be a one way ticket to Club Fed.

As can be concluded from earlier cases like this: don't tell them anything, don't do anything, but let them have what's coming to them. However, you contacted them. When hacked, they may attempt to sue you. So, you may need to go to a notary or something to have it written that you warned these people, but they didn't take heed or something. You need to have solid documents to show that blame may not be laid on you, in court.
  • by StormReaver (59959) on Friday December 02, 2011 @04:54PM (#38244006)

    Slashdot has had many stories of well-meaning hackers trying to save companies from themselves, only to wind up being the target of federal and/or state prosecutors rather than being considered a good Samaritan.

    Here's my advice:

    1) Stop violating federal and state laws. You've just confessed to the world that you are committing federal and state felonies. Stop being a criminal.

    2) Walk away while you still can, and maybe you'll still have a life to live free of federal and/or state prosecution.

    • by purpledinoz (573045) on Friday December 02, 2011 @05:09PM (#38244272)

      Stop violating federal and state laws. You've just confessed to the world that you are committing federal and state felonies. Stop being a criminal.

      At what point do you become a criminal? By looking at the URL bar and seeing an SQL statement, which can be used for SQL injection attacks? For changing a few characters in the URL bar and seeing that they're sending you other people's credit card numbers? I agree that he should just fuck em and ignore it.
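
Editor's note: two comments above describe the pieces of a safe proof of concept without spelling it out. swillden suggests building the PoC and testing it only against your own system; purpledinoz describes the bug class that "changing a few characters in the URL bar" usually means, an account endpoint that trusts a client-supplied id (an insecure direct object reference) and splices it straight into SQL. The block below is an added example, not code from the thread or from the start-up in question, and it does not describe that company's actual bug. It builds a throwaway in-memory SQLite store with constructed, fake rows (only invented last-four digits, no card numbers), shows the vulnerable lookup beside a hardened one, and is the kind of thing you can run locally to demonstrate the class of flaw without ever touching someone else's data. All names and the schema are assumptions made for the example.

```python
"""Added example, not from the Slashdot thread or the company it discusses:
an IDOR plus SQL injection in an account lookup, beside a hardened version,
run against an in-memory database so the proof of concept never leaves your
own machine.  Every row below is constructed test data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory account store (hypothetical schema).
    Only an invented last-four value is stored, never a full card number."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "id INTEGER PRIMARY KEY, owner TEXT, card_last4 TEXT, balance_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "1111", 1250),   # constructed sample rows
            (2, "bob", "2222", 999),
            (3, "carol", "3333", 25000),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, session_user: str, account_id: str):
    """The anti-pattern: the id comes straight from the URL, is spliced into
    the SQL text, and the logged-in user is never compared with the row's
    owner.  Any user can read any account, and the id string can carry SQL
    of its own.  Returns every matching row."""
    # session_user is deliberately unused here; that is the bug.
    query = (
        "SELECT id, owner, card_last4, balance_cents FROM accounts "
        f"WHERE id = {account_id}"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, session_user: str, account_id: str):
    """Fix both problems at once: validate the id before it reaches the
    database, bind it as a parameter rather than as SQL text, and require
    the row to belong to the authenticated user.  Returns the row or None."""
    if not account_id.isdigit():
        return None
    return conn.execute(
        "SELECT id, owner, card_last4, balance_cents FROM accounts "
        "WHERE id = ? AND owner = ?",
        (int(account_id), session_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # alice asks for bob's account; the vulnerable path hands it over.
    print("vulnerable, other user's id:", lookup_vulnerable(db, "alice", "2"))
    # A crafted id turns the WHERE clause into a tautology: every row leaks.
    print("vulnerable, injected id:   ", lookup_vulnerable(db, "alice", "2 OR 1=1"))
    print("hardened, other user's id: ", lookup_hardened(db, "alice", "2"))
    print("hardened, own id:          ", lookup_hardened(db, "alice", "1"))
    print("hardened, injected id:     ", lookup_hardened(db, "alice", "2 OR 1=1"))
```

The point of keeping the store in memory is the one swillden makes: the vulnerable function proves the class of flaw (cross-user read, tautology injection) on data you own, which is all a company's engineers or a card brand need in order to reproduce it on their side. The hardened version shows that the ownership predicate and the parameter binding are separate defences; dropping either one reopens a hole.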

  • by camperdave (969942) on Friday December 02, 2011 @05:00PM (#38244098) Journal
You've sent the email, now send your concerns in writing - hard copy. Set up a meeting with those in charge and explain it in person, nicely. If they do not respond, then let them know that you have no choice but to report the lapse to the appropriate authorities. Under no circumstances crack your employer's service unless they ask for a demonstration.
  • CERT (Score:5, Interesting)

    by Z00L00K (682162) on Friday December 02, 2011 @05:02PM (#38244148) Homepage

    Report it to CERT [us-cert.gov]. (Or other corresponding security organization if you are outside the US.)

  • by camusflage (65105) on Friday December 02, 2011 @05:05PM (#38244200)

    "If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at cisp@visa.com."

    • by sl3xd (111641)

      Source URL? I don't know about you, but I'd be reluctant to essentially send a confession (anonymous or not) to an email address that was posted on a non-official website.

  • by Whatsisname (891214) on Friday December 02, 2011 @05:07PM (#38244250) Homepage

    I would recommend stealing as much money as you can, because you are going to need it to hire your lawyers when the FBI comes looking for you, now that you've identified yourself to them.

  • by MarkvW (1037596) on Friday December 02, 2011 @05:16PM (#38244408)

    Would you mind if I broke into your house? Not to take anything, mind you, but just to check your security?

  • by TheCarp (96830) <sjc@cGINSBERGarpanet.net minus poet> on Friday December 02, 2011 @05:17PM (#38244422) Homepage

Personally, I favor the Full Public Disclosure route. You gave them a chance, you even told them how to fix it. The shareholders, yes they should know, but it's the customers whose accounts are exposed, and the public who may become customers. Don't they really deserve to know what they are signing up for or trusting?

    So, you can do a full disclosure.... but they know who you are...its a risk.

Another possibility.... wait a week or a month or so, and then anonymously release it to the public, swear up and down it wasn't you (use Tor, etc.)

Or, you could just leak it into some IRC channels where you can be sure it will be abused.... then come out later with a public disclosure after it's found that they had a major breach, including your conversations with them.

Sure you could just walk away but.... don't the customers really deserve to know? They are paying for the service after all.

  • by bryan1945 (301828) on Friday December 02, 2011 @05:53PM (#38244950) Journal

    And not just in the tech world. You can be sued if you do CPR and crack someone's ribs if you're not certified. You can be prosecuted for going on someone's property if you hear screaming coming from the house. You can be prosecuted if you shoot an invader in your house (at least in the UK).

    There's no use in being a "good guy" anymore. Just trying to help someone will get you in trouble anymore. If you're a guy and talk to a kid you don't know, everyone gives you strange looks. A while back a kid was trying to put books into one of those big metal boxes libraries have for returns, but couldn't quite reach the handle to open it. I opened it for him, and his mom, who was sitting in the car at the curb gets out and starts trotting at us. Books go in, he starts walking back, and she is giving me the evil eye while she grabs the kid and nearly drags him back to the car. All the while I'm holding my own books.

    So why the fuck would I try and help anyone I don't know?

  • by Nethead (1563) <joe@nethead.com> on Friday December 02, 2011 @06:00PM (#38245050) Homepage Journal

    Give me the info and I'll take care of it.

  • Is your name Kevin? (Score:4, Interesting)

    by slapout (93640) on Friday December 02, 2011 @06:04PM (#38245090)

    Hack their system, go to jail for a few (many?) years. Then become a security consultant and go on a book tour.

  • by Pooua (265915) on Friday December 02, 2011 @07:32PM (#38246046) Homepage

    I'm inclined to agree with those who state this was a honey pot. Maybe it was and maybe it wasn't, but standard security procedure is to have a honey pot open and available for naive, young hackers to fall into. You probably aren't the first person in it, either, if this is a big name institution. I read that an unsecured computer left open to the Internet will have hundreds of attacks compromise it a day, within seconds of going online. So, I would guess those credit card numbers are also fake.

Your best bet is to leave it alone. If this isn't a trap, that's for the company and the customers to deal with, along with the repercussions that follow. The fact that you need to ask here what to do about it leads me to suspect that you are in over your head.
