Ask Slashdot: To Hack Or Not To Hack? 517
seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."
First thing first (Score:5, Informative)
Re: (Score:2, Insightful)
Blow it up. People's privacy is at risk.
Re:First thing first (Score:4, Insightful)
Someone left their front door open, lets go torch the house before someone steals something of value.
Re:First thing first (Score:4, Insightful)
They are being reckless with people's personal information. Painfully reckless it sounds like, since they are ignoring clear warnings that they have vulnerabilities.
Look at what happened to Sony re: Playstation Network - and they didn't even lose anyone's billing information.
The negligence is already occurring, the damage is just waiting to happen.
Re: (Score:3)
Your personal information could have been used to open fraudulent accounts, as with any other data breach, but they did not lose billing information. In this case, TFQ says billing information is right there for the taking.
I hope that legislatively we will one day regard damaging someone's privacy closer up the chain to damaging their person.
Re:First thing first (Score:5, Insightful)
Re:First thing first (Score:5, Insightful)
Right - I didn't mean "do something nefarious". I meant, go to the media or some authority agency under a white flag, anonymously, whatever, and get some exposure for it.
By "blow it up" I was thinking, if this company has had a few chances to act and has chosen to ignore the problem, take the next step in generating publicity.
Re:First thing first (Score:4, Interesting)
I know what you meant. Believe me businesses will do anything and everything to protect their image with the shareholders. If someone were to leak this to the media, VISA, etc. and the company found out who it was, they'd have their lawyers, and the FBI pounding down that person's door. Go direct to jail, do not pass "go," do not collect $200.
The only way you could possibly approach this from a legal "high-ground" would be to have jurisdiction and sue for negligence.
Re:First thing first (Score:5, Informative)
http://krebsonsecurity.com/ [krebsonsecurity.com]
Re: (Score:3)
Re:First thing first (Score:4, Informative)
Blow it up sounds fun but it'll get you sued or worse.
http://seclists.org/fulldisclosure/ [seclists.org]
I had to threaten to expose a security flaw which exposed hundreds of thousands of peoples info (luckily no financial info) - within an hour of threatening full disclosure they'd closed my "tech ticket" and an administrator was emailing me for more details and a timeline for a fix.
Re:First thing first (Score:5, Informative)
He's already violated several conditions of the Computer Fraud and Abuse act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records
Computer Fraud and Abuse Act [wikipedia.org] State laws on Computer Hacking and Unauthorized Access [ncsl.org]
I suppose I'm getting ahead of myself by assuming he is in the United States. Regardless though, I ask:
To go to jail, or not to go to jail?
Re:First thing first (Score:5, Insightful)
My advice - do nothing further. You discovered the flaw and told them about it, the onus is on them to make sure that their systems are secure. Just make sure that you don't leave a trail for other, less scrupulous people to follow...you certainly wouldn't want a future breach and malicious use of this flaw to point to you as the one who discovered it!
Re:First thing first (Score:5, Informative)
An anonymous tip to US-CERT might not be a bad idea. But, yes, he is in over his head and opening himself up for nasty reprisals when the company looks for someone to blame.
Re:First thing first (Score:5, Interesting)
Not having broken any laws is very unlikely; worse still it may be true locally, but likely he's broken US law and may be extradited or tricked into a situation where they can get him. Later, when he's had a clear statement from the company that he did the right thing, then that's the time to go to the press. Right now, when he's pretty clearly screwed up, he should be in damage limitation mode.
The fact that the company is giving "confused" and "aloof" answers may be just stupidity, but to paranoid me it suggests a trap. They are trying to get him to do something so that they can accuse him of doing something clearly illegal and have the FBI/CIA get rid of him. The fact he's sent an email suggests he's completely screwed unless he's done that through TOR + an anonymizer service.
What to do
Re:First thing first (Score:4, Interesting)
He's already violated several conditions of the Computer Fraud and Abuse act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records
Maybe. He didn't say he *had* accessed the secure user accounts, just that he had discovered how. Granted that it's usually hard to know if your attack works without testing it, but it is possible to recognize an easily-exploited weakness.
Building a proof of concept doesn't necessarily require accessing the data, either. He could build the proof of concept, test it against his own system, and then send it to them (or perhaps even publish it) without having broken any laws.
Re:First thing first (Score:4, Insightful)
If his own account is secure and he has noticed that he could have accessed it without credentials?
Actually accessing his own account without credentials could also be breaking himself against the law.
Building a proof of concept legally is probably not possible, even if he builds it on his own network, on his own machine.
The laws are screwed until we can figure out how to get people to understand that computer memory is just fancy paper and CPUs are just fancy pens with fancy erasers.
I need to change my sig. Apple is now only a co-conspirator.
Re: (Score:3)
So now you're looking at someones account on, let's guess here, Square*... and you KNOW this has to be fixed, it's way too dangerous, but pushing the issue with the company (or elsewhere) could land you in prison.
Agreed. That is a real problem with the way our legal system approaches these issues. Malicious intent really should be a required component of the crime.
Re:First thing first (Score:5, Interesting)
A few months ago, I, in the course of my job duties, discovered a massive, glaring, easily exploitable security flaw at a financial transaction processing company that a great many people (as in, somewhere around a third of Americans who pay their bills online) likely use without knowing it. And no, you probably haven't heard of them unless you work in the banking industry.
I didn't write an SQL injection. I didn't guess passwords. I didn't even probe for hidden options in a CGI... I merely mis-typed a path in a web-scraping script intended to retrieve information I legally had the right to get, and ended up with entirely someone else's information. Yes, literally as simple as "tweak the URL", and you could see anyone's info you want.
I informed them of this flaw, as an official "you have to fix this now or consider yourself in violation of our contract" communication, and they have made it a bit better - In that you would now at least need to intend to attack them, rather than just anyone having the ability to do so accidentally. Good to know that no more pesky whitehats will bother them about their insecurities.
But put bluntly, companies don't give two shakes of a rat's ass about us. The very fact that such a trivial weakness existed in the first place demonstrates that they don't pay attention to security in the least; and their fix demonstrates that they don't really care even when they have known flaws. They care about how much it will cost them to fix vs the cost and probability of someone malicious discovering the problem, end of story.
EFF (Score:5, Insightful)
Shouldn't he contact the Electronic Frontier Foundation? Isn't its purpose to provide advice in this cases?
Re: (Score:3)
there are plenty of insecure servers out there, we don't need heroes to come along and save us from them.
Seriously.
So if I build a computer at home, and I install an old, unpatched OS for fun, somebody is legally allowed to hack me? The implications of this would be devastating. Even if they aren't vulnerable, businesses could be DDoS'd without recourse on the grounds "we're testing you for vulnerabilities". People simply do not think things through fully.
Re: (Score:3)
If that was the case there'd be no need for a specific offense of conspiracy, since you'd be committing the main offense.
The Supreme Court appear to agree - see United States v. Shabani.
Re:First thing first (Score:4, Interesting)
Re:First thing first (Score:4, Interesting)
He never got on the plane, get your facts straight, sounds like he almost did though, cause German kids are the #1 security threat to this country.
Source:
http://www.eurogamer.net/articles/2011-02-21-the-boy-who-stole-half-life-2-article [eurogamer.net]
It's a pretty good read.
I can't help thinking how a real criminal would have proxied, and sold the code rather than published it, but to the FBI it's all the same.
NSA? (Score:4, Funny)
Maybe you could get the NSA to hack them?
Just brainstorming here...
PCI (Score:5, Insightful)
If they don't want to listen, go to Visa and MasterCard. They won't sit on their asses about exposed credit card data.
Re:PCI (Score:5, Insightful)
If you hadn't already exposed yourself to the owner, I'd write a how-to and send it to them anonymously, and later send the credit cards an ANONYMOUS tip.
Why anonymous? Hacking, even for white-hat reasons, is illegal in most jurisdictions. Even accidental hacking.
Now that you've exposed yourself to them it would be too easy for them to piece it together who turned them in for a nice PCI audit. It would be all too easy of them to send your emails to a computer crime division and get you busted, especially if they have any friends with influence there. Just avoid using their product and quietly tell your friends not to do the same.
The only time I have ever even considered informing a company of a security hole is on an occasion when I'd previously worked for them, personally knew the owner, and knew that the owner respected my ability.
Re:PCI (Score:5, Funny)
"How can I help you?"
-"Well, I noticed that your bank safe is wide open! You might want to cl-"
"You asshole! I'm calling the FBI!"
-"But people their money might get sto-"
"Son, you are under arrest for looking at something and then notifying the owner about it"
Why is the world ruled by morons?
Re: (Score:3, Insightful)
Now, every day, you're going to get every script kiddie in the internet trying to poke holes in your network. In fact, if they get in, thats fine. They're allowed to look at everything your'e doing (trade secrets) and they can copy user data, since this is legal. You're going to be in hot water with your customers, fast.
Also, you're getting DDoS'd now because of all these people hitting your
Re: (Score:3)
If they poke holes in my network all day and report where the holes are then that's fine, because if a malicious hacker gets it first; I'm fscked.
Is that so hard? I'd rather have friendlies poke my network before unfriendlies poke my network.
And I shouldn't be doing bad things that I can get charged with in the first place. And when I say bad I do not necessarily mean against the law, because the law isn't always The Right Thing To Do.
Re: (Score:3)
I thought about it, and while neither situation is pleasant or nice, I think the GPs idea is still an improvement, and yes should be required by law.
The world you are arguing for is that a company can choose to spend X on security, and when it turns out X=0 and so the chances of them being hacked are 100%, that company then does not have to deal with the consequences of their choice, but instead get to sue the person warning them that X=0 is a bad idea.
V!NCENT's idea of forcing a company to suffer the conse
Re: (Score:3)
Re:PCI (Score:5, Insightful)
While you make a good point that Visa and MC won't sit on their asses about data, that is only from a PCI perspective. And realistically its trivially easy to maintain PCI compliance and have an insecure product.
What I would recommend however is work through a professional service like Secunia: https://secunia.com/company/blog_news/news/271 [secunia.com]. They can lend credibility to your claim and they provide what I personally would describe as an ethical approach to remediation. I would strongly not recommend any further testing on your part unless you are prepared to deal with legal consequences. Not that I agree with companies going after researchers, but it does happen.
Good luck.
Re: (Score:3)
I wish that it was possible to mod something up further than 5 in special cases, because the post from hellkyng really is giving the best advice for what you want to do, namely making sure that the people whose data is being stored insecurely becomes stored securely. None of the other 5's in the comments are doing that, they're just "Cover your ass" advice.
Now I'm going to mod up the other post that I've seen which gives advice in line with your goals - contact some famous security professionals and see wh
Re:PCI (Score:5, Insightful)
That will be considered a threat no matter how you word it. Expect to go to jail.
Re:PCI (Score:4, Informative)
The difference is that Ford doesn't head up a cabal of auto makers that hand out outragious fines to those who handle said cars insecurely.
Here, since you obviously don't realize what PCI means in this context. [pcisecuritystandards.org]
You're just asking (Score:5, Insightful)
For a 5 year tour of the federal penitentiary system, aren't you?
Re:You're just asking (Score:5, Funny)
there is a saying, in my language (Score:4, Insightful)
translated:
do you know how to steal? (implied yes as an answer)
do you know how to *hide*?
Go to the investors (Score:5, Insightful)
Re:Go to the investors (Score:5, Informative)
If it was me - after the company doesn't bother to recognize it - i'd contact the Credit Card clearing house (Visa/MC/AMex) that they use.. Anyone who is processing and storing CC info has to comply with PCI DSS. If you can get access to card info then they are out of compliance, and are subject to have their merchant account deactivated, charges seized, and pay fines.
The CC companies don't (Normally) play around with it. Contact them and inform them of the situation, IF (AND ONLY IF) they need it provide them a proof of concept CODE/Method only, DO NOT grab card numbers and send them to them as an example, let the CC company evaluate your proof of concept and see if they can access CC numbers.
This method seems to work (has in the past) to get people to fix their holes.. As for them actually becoming a more responsible company after this, well hell never has been a cold place..
Oh boy... (Score:5, Insightful)
Walk away. You notified the appropriate people. After that, it no longer has anything to do with you, and can only go pear-shaped from here.
Re:Oh boy... (Score:5, Informative)
This, times a million. Source: Many previous stories of people who notified organizations about security issues and were rewarded with a lawsuit.
notify visa (Score:5, Informative)
U.S. – (650) 432-2978 or usfraudcontrol@visa.com
Re:notify visa (Score:5, Informative)
This! If you're able to see credit card information, then they are not storing it in a PCI DSS compliant manner, and Visa/MasterCard should be extremely interested.
Re:notify visa (Score:5, Informative)
should be -> are :)
(spoken as someone in the industry)
Re: (Score:3)
Visa? Quite possibly. From what I've dealt with that side of things they seem fairly clued in on things, and always interested in not losing money. Imagine that :P
Report Them (Score:2)
Report them to a newspaper and tech sites or something. Business papers, even.
More important (Score:2)
How do I make my amazon wishlist available to you?
Drop everything, wipe the files you have, reformat and reinstall your computer, create a plausible deniability claim to any account you used of this that can be tied to you.
Then go to an internet cafe and post somewhere.
Retain a lawyer. (Score:5, Insightful)
You already made the wrong first step (Score:4, Insightful)
Now just forget about it and hope no one hacks them before they forget about you.
Re: (Score:3)
Exactly. By contacting them, presumably through a non-anonymous email account, you already made a wrong decision. Companies will never admit they were wrong, and if anyone would hack them in the future you will be the first one to blame. Even professional security researchers can be silenced by legal threats, you won't be an exception. Just leave it alone, it's far too risky to rely on a companies goodwill.
And if you ever want to do something similar again, the most important part is to remain anonymous th
Full disclosure is the most ethical path. (Score:3, Interesting)
The most ethical thing you can do is fully disclose the hack to the media, and to as many websites as possible. This will force the developers to either fix the problem or let the company go down in flames. If you keep it secret, innocent pepole will be harmed when their information is leaked by the faulty code. If you could hack it, others can too. They may be less altruistic about what they find.
Write to 2600, call your local media, write to your newspaper, post the info here, go to the forums, and take the word to the street!
Re:Full disclosure is the most ethical path. (Score:5, Insightful)
It's not only the most ethical, it's the only way this company will actually do anything. I'd also suggest to do this anonymously. Corporations have a habit of striking back blindly in random directions whenever they feel threatened, and this will most certainly threaten them. It wouldn't surprise me in the least if they tried to smack you down with restraining orders, defamation suits, or whatever the lawyers think will hurt you the most. If you release the information anonymously (and be very careful how you go about this), then there's nobody to slap down with restraining orders.
Send them here (Score:2, Funny)
Send them a link to this website: http://ask.slashdot.org/story/11/12/02/2124215/ask-slashdot-to-hack-or-not-to-hack
NONONO RED FLAGS!!! (Score:5, Insightful)
Cannot stress this enough. Jeeze.
Here are your options: Call them, email them. Thats it. Move on with your life if they ignore you. There's nothing that says they can't be incompetent if they want to, but there is something that says you can't break into their systems. (yes, even if they're not secured).
Re: (Score:2)
Re: (Score:3)
If he just shuts up hundreds/thousands of people can be victimized, and I know that in his shoes I would feel bad if that happened. Wouldn't you?
For all he knows, the system he was looking at wasn't as important as he thought, maybe its a testing sever.
Or maybe the company is in the middle of a security audit, and they are paying someone right now to fix things, it just takes time.
We don't know. But the point is, you're not the watchdog of the internet. It isn't your place to go snooping around everybody else's computers. If everybody is allowed to freely trespass on anything, if we abandon the idea of ownership, then there are going to be LOTS o
Re: (Score:3)
Re: (Score:2)
This is the DUMBEST THING EVER. I cannot believe people actually think this way. Are you familiar with the LAW SYSTEM?
No, but I'm familiar with the concept of a LEGAL system. ;-)
Re:NONONO RED FLAGS!!! (Score:5, Insightful)
No, the dumbest thing ever is the legal system which punishes whistleblowers. Wait, no, that's the 2nd dumbest thing ever. The absolute dumbest thing ever are the people who support a legal system that punishes whistleblowers.
Journalism works (Score:5, Insightful)
If you want to get the word out anonymously, approach a journalist. Journalists have a vested interest in breaking the next scandalous new story, especially those who are new and making a name for themselves. They also have a vested interest in protecting their sources, though you might still want to report it through an anonymous email account.
Don't ask Slashdot, Ask Ed Felten (Score:5, Insightful)
Ed Felten himself may not be the best person to contact, actually, since he's currently working for the FTC, but then again he may be worth sending an email to.
My point is this: ask someone who is respected in the security field and has years of experience. If not Felten, try and contact Moxie Marlinspike, perhaps.
It sounds like you are young and have very little experience with this kind of stuff. Do not make the mistake of thinking that anyone is going to thank you for your efforts. The company with the bad security may be run by a bunch of technological idiots who will see you as the threat. When the FBI comes calling, they will be more interested in seeing what criminal charges they can bring against you.
But don't be scared into inaction. Instead seek advice from experts who have been in the same position as you. They may have contacts and could help you present the exploit information in a way that is
1) legal
2) professionally done
3) likely to get taken seriously by the developers at the affected company.
Good luck! As long as you keep certain cautions in mind, you may have just stumbled onto a career in security!
Haven't played nethack in years... (Score:2)
Probably good time for another session...
Comment removed (Score:4, Interesting)
Morons will sue you. (Score:2)
Walk Away and Forget About It (Score:5, Insightful)
Slashdot has had many stories of well-meaning hackers trying to save companies from themselves, only to wind up being the target of federal and/or state prosecutors rather than being considered a good Samaritan.
Here's my advice:
1) Stop violating federal and state laws. You've just confessed to the world that you are committing federal and state felonies. Stop being a criminal.
2) Walk away while you still can, and maybe you'll still have a life to live free of federal and/or state prosecution.
Re:Walk Away and Forget About It (Score:4, Insightful)
Stop violating federal and state laws. You've just confessed to the world that you are committing federal and state felonies. Stop being a criminal.
At what point do you become a criminal? By looking at the URL bar and seeing an SQL statement, which can be used for SQL injection attacks? For changing a few characters in the URL bar and seeing that they're sending you other people's credit card numbers? I agree that he should just fuck em and ignore it.
You've sent the email (Score:3)
CERT (Score:5, Interesting)
Report it to CERT [us-cert.gov]. (Or other corresponding security organization if you are outside the US.)
let the card companies know (Score:5, Insightful)
"If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at cisp@visa.com."
Re: (Score:3)
Source URL? I don't know about you, but I'd be reluctant to essentially send a confession (anonymous or not) to an email address that was posted on a non-official website.
Steal the customers money, obviously (Score:3)
I would recommend stealing as much money as you can, because you are going to need it to hire your lawyers when the FBI comes looking for you, now that you've identified yourself to them.
How about your house? (Score:4, Insightful)
Would you mind if I broke into your house? Not to take anything, mind you, but just to check your security?
A few options. (Score:3)
Personally, I favor the Full Public Diclosure route. You have them a chance, you even told them how to fix it. The shareholders, yes they should know, but its the customers whose accounts are exposed, and the public who may become customers. Don't they really deserve to know what they are signing up for or trusting?
So, you can do a full disclosure.... but they know who you are...its a risk.
Another possibility.... wait a week or a month or so, and then anonymously release it to the public, swear up and down it wasn't you (use tor, etc etc)
Or, you could just leak it into some IRC channels where you can be sure it will be abused.... then come out later with a public disclosure after its found that they had a major breech, include your conversations with them.
Sure you could just walk away but.... don't the customers really deserve to know? They are paying for the service afterall.
No such thing as being a "good guy" anymore (Score:4, Insightful)
And not just in the tech world. You can be sued if you do CPR and crack someone's ribs if you're not certified. You can be prosecuted for going on someone's property if you hear screaming coming from the house. You can be prosecuted if you shoot an invader in your house (at least in the UK).
There's no use in being a "good guy" anymore. Just trying to help someone will get you in trouble anymore. If you're a guy and talk to a kid you don't know, everyone gives you strange looks. A while back a kid was trying to put books into one of those big metal boxes libraries have for returns, but couldn't quite reach the handle to open it. I opened it for him, and his mom, who was sitting in the car at the curb gets out and starts trotting at us. Books go in, he starts walking back, and she is giving me the evil eye while she grabs the kid and nearly drags him back to the car. All the while I'm holding my own books.
So why the fuck would I try and help anyone I don't know?
Here. (Score:3)
Give me the info and I'll take care of it.
Is your name Kevin? (Score:4, Interesting)
Hack their system, go to jail for a few (many?) years. Then become a security consultant and go on a book tour.
Back Away; You Were Never Here (Score:5, Interesting)
I'm inclined to agree with those who state this was a honey pot. Maybe it was and maybe it wasn't, but standard security procedure is to have a honey pot open and available for naive, young hackers to fall into. You probably aren't the first person in it, either, if this is a big name institution. I read that an unsecured computer left open to the Internet will have hundreds of attacks compromise it a day, within seconds of going online. So, I would guess those credit card numbers are also fake.
Your best bet is to leave it alone. If this isn't a trap, that's for the company and the customers to deal with it, and the repercussions that follow. The fact that you need to ask here what to do about it leads me to suspect that you are in over your head.
Re:Language matters (Score:5, Insightful)
Re: (Score:3)
You're such a geek [merriam-webster.com] no I mean nerd [merriam-webster.com] no wait.... what where we talking about?
Re: (Score:2)
Hacking is hacking into remote targets. Cracking is cracking software on your local computer by reverse engineering and debugging it.
You're probably right about cracking, but hacking has many different meanings. I tend to use it as "to do a quick-and-dirty bit of programming" and in context people seem to understand what I mean.
Re:Language matters (Score:4, Interesting)
Absolutely wrong. "Hacker" is defined, and differentiated from "cracker," in RFC 1392 [ietf.org]:
Oh shut up... (Score:5, Insightful)
Language evolves. You can fight the tide or swim with it. I know which way gets you drowned first.
Re:Language matters (Score:4, Insightful)
Reading Aaron Barr from HBGary talk to anonymous and then talk to his "programmer" about all his sweet "hacks" nearly killed me.
The 95 Hackers film has become reality. I can't shake em, he's right behind me! Crash overdrive! Acid Burn!
Ooh, plus there's Swordfish "dropped a logic bomb through the trapdoor" and the wonderful CSI "programmed a GUI interface in Visual Basic to track the IP".
We really need to start educating the non-technical public on some technical things. Treating computers and technology as a whole as a black box ends up in all KINDS of misunderstandings and misinterpretations.
Re: (Score:2)
Complain!
Re:Language matters (Score:5, Funny)
Please use the appropriate term. It's "GNU cracking".
Re: (Score:3)
Re: (Score:2)
I hear it used all the time. In phrases like 'password cracking' or 'WEP cracking'. It doesn't sound right to say hacking WEP or password hacking. For something like a website the term 'hacking' just sounds better than cracking. Maybe its an association of the word cracking with safe cracking. So it sounds more natural when referring to some kind of code that is being broken.
no you grow the fuck up (Score:5, Interesting)
Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general.
its maybe none of his business, but its MY business AS A USER that some company that i give my credit card to is this irresponsible. Those who would hack it, would hack it, and just use the cards and deduce hard to notice amounts every month and fuck me over.
if it wasnt for people like the article submitter, THOSE COMPANIES WOULDNT LIFT THEIR ASSES for security. so YOU shut the fuck up. its MY wallet.
Re: (Score:3)
As a user of this business, you're allowed to hack into their systems and make all the changes you want, you can inspect everything they do, because you paid for their service! EXCEPT THAT ISN'T HOW IT WORKS ANYWHERE, OR HOW IT HAS EVER WORKED. WHAT ARE YOU THINKING?
Re: (Score:3)
I completely agree with you that in an ideal world, filled with unicorns and rainbows and ponies and warm, happy, fuzzy thoughts that the right, ethical thing to do would be to do whatever you can to alert people to security holes so that users' don't get screwed over by the real black hats (of course,
Re: (Score:3)
IF the poster actually used the discovered methods of intrusion (which is likely) then you are absolutely right.
If on the other hand the poster simply noticed a problem but did not test it actively, then notifying the company is the decent thing to do.
In either case, it's now time to walk away.
Re:For the love of Christ... (Score:5, Insightful)
You're being a bit harsh on the guy. A lot of people started their IT careers in the computer underground, myself included. If it were not for LA 2600 meetings and the first few Defcons, I would not have developed the skills and background that landed me my first job as a sysadmin fifteen years ago. More recently (within the last year), the head auditor for my company told me that my background reassured him because he knew that I had a better perspective on computer security and the threat landscape than most "professionals" who picked up all of their knowledge in a classroom.
WRT the OP, it was dumb for him to go to the company. As everyone else stated, he exposed himself to some liability. Any information that he provides to the company could be used to build a case against him for computer trespass, unauthorized access, etc.
To call the OP morally and ethically criminal is overboard. He did not do any damage to them and did not profit from his activities. It was a real world learning exercise. It was not the brightest move in the world, but doing a security audit on a random computer system does not make someone morally bankrupt. If he had taken the data and sold it for profit, or even just posted it for fame and notoriety, that would be a different story. Instead he naively did "the right thing" without fully understanding the liability it exposed him to.
Re:Nope, this isn't the Wild West anymore... (Score:4, Insightful)
I think you're just getting old. ;)
What the OP did is no different than what you or I did. The environment is different due to the criminal statues on the books and the willingness of the authorities to prosecute them. Other than that, it is just a kid / young adult pushing the boundries and seeing what they can get away with.
Given that the OP had the good sense to post here and ask for guidance shows that they have their head on mostly straight. The phone phreaking that you did was more objectionable than what the OP did. You stole services. The OP just found a flaw, reported it and then realized that the vendor had no interest in taking the problem seriously. By doing that, they are exposing their customers to fraud.
I agree with you about needing to emphasize ethics. I think the OP has shown ethics and a conscious awareness of responsible disclosure. Back in the day, the exploit would have been all over various underground forums, and everyone and their mom would be poking around the site.
Re:For the love of Christ... (Score:5, Interesting)
First off, QUIT FUCKING TRESSPASSING.
I don't care if you're not doing it for money (though, you sound like you might do it for fame). It's wrong.
As he explained it, it sounds as if he's concerned about the outfit's customers. It's not unheard of -- that people care about the wellbeing of other people. (That Christ guy you mention in the subject line did, for example)
Re: (Score:3)
Jesus Christ got crucified too, and that's a serious risk for this guy as well. In the metaphorical sense, true, but it could still get pretty unpleasant. He really should quit tresspassing because it does not improve the disclosure, is no longer needed and finally, provides anyone who knows about it with a pretty big lever against him to shut him up. Don't give them more ammo than they already have.
Re:this is not news (Score:5, Insightful)
This is some idiot asking for advice on an absolutely terrible scheme which has been explained before
Isn't that what Ask Slashdot is all about?
The site is www.thelevelup.com (Score:5, Insightful)
How long do you think it will be now before the blackhats start looking at the payment handling processes of 'a rising mobile payment start-up' with 'big-name financial backing' ?
I don't think there are too many companies that match your description..
No need to search to hard for the company. Our illustrious OP, aka Mr. Christopher Reed (http://seeread.info/) was naive enough to post this on twitter (http://twitter.com/#!/seereadnow).
"@TheLevelUp I think I found a trivial way to hack user accounts. Please get in touch to resolve."
At least he can point to the twitter feed as evidence that he was trying to contact them. This /. article where he considers "blowing them out of the water" would undoubtedly work against him though.
Re: (Score:3)
I can't believe this question wasn't posed AC. Someone thinks their cleverness is going to equal fame. Instead it might equal jail.