Security Researcher Threatened With Vulnerability Repair Bill
mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."
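The flaw in the summary is a direct object reference: the URL carries the account number and the server checks only that a session exists, not that the account belongs to that session. The following is an added example, not code from the article or from the fund; the account store, member names and handler names are constructed. It shows the vulnerable lookup beside a hardened one and a regression check that counts how many other members' statements one logged-in member can reach by sweeping account numbers.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: account number -> (owning member, statement body).
STATEMENTS = {
    1234: ("member-a", "Statement for account 1234"),
    1235: ("member-b", "Statement for account 1235"),
    1236: ("member-c", "Statement for account 1236"),
}


@dataclass
class Request:
    session_member: Optional[str]  # identity established by the login session
    acct_param: str                # the ?acct= value from the URL, untrusted


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def show_statement_vulnerable(req: Request) -> str:
    """Checks only that *someone* is logged in, then trusts the URL parameter.
    Incrementing ?acct= walks every account: the flaw in the story."""
    if req.session_member is None:
        raise Forbidden("login required")
    return STATEMENTS[int(req.acct_param)][1]


def show_statement_hardened(req: Request) -> str:
    """Authorises the object, not just the user: the requested account must
    belong to the authenticated member. Unknown and foreign accounts get the
    same NotFound, so the response does not confirm that an account exists."""
    if req.session_member is None:
        raise Forbidden("login required")
    try:
        acct = int(req.acct_param)
    except ValueError:
        raise NotFound() from None
    entry = STATEMENTS.get(acct)
    if entry is None or entry[0] != req.session_member:
        raise NotFound()
    return entry[1]


def cross_member_reads(handler: Callable[[Request], str], member: str) -> int:
    """Regression check for a handler: how many statements belonging to
    *other* members a logged-in member can read by requesting every account
    number in the store. Must be 0 for a correct handler."""
    leaked = 0
    for acct, (owner, _) in STATEMENTS.items():
        try:
            handler(Request(member, str(acct)))
        except (Forbidden, NotFound, KeyError):
            continue
        if owner != member:
            leaked += 1
    return leaked
```

The hardened handler returns the same "not found" for a foreign account and a nonexistent one, so a caller cannot tell which account numbers are live. The `cross_member_reads` check is the kind of test a team would keep in its suite so the authorisation step cannot be quietly dropped again.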
Lesson learned (Score:5, Insightful)
If you find a vulnerability, don't tell the people at risk, sell it or use it.
Either that or move to a less stupid country.
Re: (Score:2, Insightful)
More like you need to extend whistleblower protection for security researchers disclosing vulnerabilities. However, the guy basically admitted to unlawful access of their system in order to prove the vulnerability existed, which in ethical circles is a big no-no.
so a typo is now unlawful access? (Score:3)
He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleague's account.
But anyway, that is just like having an open door, and all you need to do is go through the door next to the one that is yours.
Re: (Score:3)
Accidentally walking into a neighbor's apartment is an accident.
Doing it repeatedly because now you know they leave the door unlocked is a crime.
Suppose you live in an apartment. (Score:2)
You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.
Would you expect to be sued for trespassing on all of your neighbours?
Re: (Score:2)
Well, the landlord can sue you to cover the costs, so it's "blame the person who found the broken locks."
Re: (Score:3)
Why would I check my neighbor's lock because mine is broken?
Let's make it a closer analogy:
I walk up to my door, open it, and discover it's not my apartment. Oops. It's my neighbor's and it should have been locked.
Then I think, what about the others? So I start jiggling knobs, and a cop walks around the corner and catches me at it.
You think he'll believe me when I say I was just checking locks? And was I right to try to find all the unlocked doors on the floor just because my neighbor's is unlocked?
Re:Suppose you live in an apartment. (Score:5, Insightful)
That's your idea of a closer analogy? I daresay you are biased and painting things with deceptive license.
Let's make an honestly closer analogy:
When opening my apartment door I notice that my key has the apartment number written on it in a special way. Being a locksmith, I get an idea: Does the fancy lock just read the number to determine if the key's good? Because that would be bad. In the same style, I write a different number on my key, the number of my neighbor's apartment, and try it there. It works. We have a problem. I check the whole floor -- all vulnerable to this silliness.
I call up my locksmith friend and tell him how stupid this is. We have a good laugh and talk about what I should do. The next day I call the apartment manager, explain we've got a real problem, and I tell him what I did. I even walked his handyman through the steps so they could clearly understand. The manager has the problem fixed the next day. Job done, right?
The thing is, the super sends the cops to talk with me. With my having been a locksmith contractor to the same police force, it went okay, but it left me shaken. I mean, I talked with the super directly and gave him all my contact info. He knows who I am. Why send the cops?
Later on, the apartment manager sends a notice [risky.biz] to everyone in the building, telling them there was a security problem, but it's fixed, and he sincerely apologizes. In particular he says:
And now they've sent me a letter [haymarket.net.au] telling me they had to inform the police about how I got into the other apartments because it could be a criminal act; they tell me they've locked me out of my apartment; they say they had to spend money to fix this whole lock problem because of me — the nerve! — they say they have the right to get the money it took to fix their problem from me — what! — they say that they want complete access to my keys, pens, desk, and tools; and they say that they want me never to look for security problems in the building again.
You're darn tootin'! If this is the thanks I get! Some people!
Re: (Score:3)
You discover that the lock on your apartment door is broken, so you check your neighbour and his is broken too, then you check everyone on the hallway and find out that they're all unlocked because the locks are broken, so you report it to the landlord.
Would you expect to be sued for trespassing on all of your neighbours?
If you just turned the knob and didn't open the door, then no. If you entered the apartment and wrote down descriptions of their furnishings to prove you'd been there, they'd probably charge you with trespassing. No different here. He should have just reported the vulnerability instead of writing a script to download personal information from other accounts.
Under many US laws, he committed a crime. If the info he downloaded was subject to HIPAA or other regulatory laws, the company has the right to subpe
Re: (Score:2)
Add in the reality that Australian lawyers are well trained; the old trespass-like laws did not really hold up well in court.
So federal law is now very clear: don't play with other people's computers, data, URLs etc.
Re: (Score:2)
It's not even that. It's more like if a hotel had a view-a-bill system and by mis-keying it you were able to see others' bills.
Re: (Score:2)
Re: (Score:2)
What I'd like to know is who he told that wasn't entitled to know about it.
If the guy told the same network as the one he found the breach in, how is that a violation of privacy?
We need to know more about whose network he discovered to have an exploit, and who exactly he told about it.
Re: (Score:3, Insightful)
He used the appropriate amount of force; we all know these companies would not rush to fix it unless there was a known exploit ripping them to bits.
If he didn't show an exploit the company would most likely have claimed it was only "theoretically possible". Especially when all that was required was:
He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleague's account.
Complete lack of authentication seems the culprit here. Does that make Google, Yahoo, Bing, etc. potentially guilty as well? They could have come across it as well (hopefully this company knows about robots.txt).
Re:Lesson learned (Score:5, Insightful)
1. Is the neighbor guilty of Trespassing?
2. Is the neighbor guilty of causing the fence to be broken?
3. Is the neighbor guilty of being the cause of the broken fence?
4. Is the neighbor guilty of Negligence because the fence is broken?
5. Is the neighbor guilty of Indirect Negligence because the fence is broken?
6. Is the neighbor guilty of not maintaining the fence?
7. Is the neighbor guilty of any damage because the fence is broken?
Some Lawyer in their first year of business is going to carve up a Hedge Fund like a Christmas Turkey. Cheers!
Re:Lesson learned (Score:4, Insightful)
The problem was that your neighbor, in order to discover whether your fence was broken, tried 600 entry points.
No, I'm not defending the Australian company and its lawyers, but pen-testing without permission is black hat even if done under responsible disclosure.
It's one thing to pen-test a device you own, it's a whole different kettle of fish to do the same to a random company.
If I were Judge Dredd in this case, I'd award the company a 1 cent restitution along with a hefty fine for wasting the court's time, then put the researcher in jail for three months for the crime of stupidity.
Re: (Score:3)
The problem was that your neighbor, in order to discover whether your fence was broken, tried 600 entry points.
NO, the neighbor went in through the hole in the fence and then took 500 pictures of your property. He then gave you the pictures and said he was able to walk through a hole in your fence.
Re: (Score:3, Insightful)
What you mean is, if the neighbor stops by to tell you your fence is broken and hands you your TV set as proof he was able to access your stuff.
I'd say that's a bit different than all the things you suggested.
How would you feel about it?
Re:Lesson learned (Score:4)
That metaphor breaks down here because there's no way to "see the hole" until you've stumbled through it. In this case, we're talking about changing a value somewhere in a URL or something similar, and getting access to something that isn't yours. You can look at the structure of the URL and make the intuitive leap that there might be an issue and test it out, but there's no way you can know without testing and no point in reporting if you don't know.
Re: (Score:2)
Re:Lesson learned (Score:4, Insightful)
Either that or move to a less stupid country.
"Shoot the messenger" transcends national boundaries. You really want to find a less stupid PLANET to live on.
Re: (Score:3)
If you find a vulnerability, don't tell the people at risk, sell it or use it.
Either that or move to a less stupid country.
I'd almost say: "Name the country and I'll be packing."
It can't be the land my mother and I left. It also can't be the country where I found my SO. It surely isn't the state I'm living in now.
Take it from me that the country should be improved and not simply discarded as if it were a modern day employee.
Re: (Score:3)
Or publish it on 4chan or as an AC on Slashdot.
Then you will find enough hackers to really get an interesting result.
Re: (Score:3)
Re: (Score:2)
The PDF mentions accessing "approximately" 568 accounts.
Re: (Score:2)
large numbers != big evil (Score:4, Insightful)
Hm. The URL has my account number in it... I wonder if all accounts are accessible by that param alone? Nah. Well, let's see... I'll just increment the number.
ACCOUNT=1234
while true; do
  ACCOUNT=$((ACCOUNT+1))
  # the original loop used $i here, which was never set
  wget -nv "url://site.with.FAIL.security/showstatement?acct=$ACCOUNT" > "log.$ACCOUNT" 2>&1
done
By the time I press Ctrl-c I've hacked over 500 accounts!
Obviously (Score:3)
If you are going to access 500 accounts you don't then report the problem with your name attached. Even if said access is just changing a number in a url because they have a retarded system.
Re: (Score:2)
The "right" thing to do as per the old internet standard is to publish it as a 0 day hack and then let the company fix it themselves.
1. It's the company's systems and they are responsible, not you
2. Hacking is illegal
3. This is what happens when you try to reason with sheep who just don't get it
If this was a 0 day currently, it would have probably been patched already and no legal action threat would occur.
Also, at least in the states there are no circumstances a private entity can look at any of my informat
Re: (Score:2)
The "right" thing to do as per the old internet standard is to publish it as a 0 day hack and then let the company fix it themselves.
1. It's the company's systems and they are responsible, not you
2. Hacking is illegal
3. This is what happens when you try to reason with sheep who just don't get it
If this was a 0 day currently, it would have probably been patched already and no legal action threat would occur.
Also, at least in the states there are no circumstances a private entity can look at any of my information, it can contact law enforcement, and they can seize the computer, but otherwise SOL and that's the way it should be.
Just goes to show, no good dead goes unpunished.
Re: (Score:3)
Just goes to show, no good dead goes unpunished.
Zombie joke?
Re: (Score:3, Interesting)
> said access is just changing a number in a url because they have a retarded system
I wonder just how many of us have come across such idiocies. I know I have, and yes, I didn't report it because the probability that I would get into trouble by doing so was greater than the damage of email addresses being leaked or having a few people getting their bulk email subscriptions erroneously canceled (it was a company which took care of mass emailing for quite a few clients, including a prestigious scientific j
Re:Obviously (Score:5, Interesting)
I wonder just how many of us have come across such idiocies.
I came across one long ago, back when the internet was more open and trusting - I discovered that a remote server had its root filesystem opened to the world via an NFS export. I emailed the administrator for the server and he said "No worries, you may be able to mount it but file permissions prevent you from doing anything unless you have an account on that server". So I emailed back and said that *any* root user on any server could get full access (this was before the root user was routinely mapped to uid nobody). He said "No, if you're not root on my server you can't get access". So I mounted it read-write from my computer, did a "touch /etc/i_have_access" and told him to look at the file I just created.
He thanked me and stopped exporting the filesystem. If I did that nowadays, I'd likely be facing charges for hacking.
Re: (Score:2)
I still run into Unix and Linux admins who don't understand how NFS (non-)authentication works. It's a retarded system that blindly trusts the user to state their identity and group membership (uid/gid) and there are no credentials involved at all. These guys usually have no_root_squash enabled which makes it even worse.
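The two NFS mistakes in the exchange above, a filesystem exported to every host and root_squash switched off, are both visible in /etc/exports before anyone mounts anything. The checker below is an added example, not code from either poster; the sample exports file is constructed. It parses the standard exports syntax (path, then one or more `host(options)` client specs, root_squash and ro being the defaults when no option is given) and reports the exports that match the discussion.

```python
import re

# Constructed sample /etc/exports exercising the cases discussed above.
SAMPLE_EXPORTS = """\
# constructed sample, not a real host's configuration
/               *(rw,no_root_squash)
/home           192.0.2.0/24(rw,sync,root_squash)
/srv/pub        *(ro,all_squash)
/srv/build      build01.example.com(rw,no_root_squash,sync)
"""

CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, host, options) for every client spec in an exports file.
    A path with no client at all is exported to every host, and a client
    without a parenthesised list gets the exportfs defaults (ro, root_squash)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            clients = ["*"]
        for client in clients:
            m = CLIENT_RE.fullmatch(client)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, host, opts


def audit_exports(text):
    """Return (path, host, finding) tuples for exports that trust too much:
    world exports ('*' as the client) and exports where a remote root keeps
    root, the no_root_squash case from the thread."""
    findings = []
    for path, host, opts in parse_exports(text):
        world = host == "*"
        root_kept = "no_root_squash" in opts
        if world and root_kept:
            findings.append((path, host, "world export, remote root stays root"))
        elif root_kept:
            findings.append((path, host, "remote root stays root"))
        elif world and "rw" in opts:
            findings.append((path, host, "world export, read-write"))
        elif world:
            findings.append((path, host, "world export"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<12} {host:<24} {finding}")
```

The checker only reads the exports file; it says nothing about the uid/gid trust problem in the post above, which is inherent to AUTH_SYS and is addressed only by Kerberos (RPCSEC_GSS) or by not exposing the export to untrusted networks at all.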
Re: (Score:3)
There is NFSv4 with RPCSEC_GSS support. I never actually got it to work, nor have I read of anyone successfully getting it to work with a Windows client. Personally, the unix user-group-world permissions are very limited and pale in comparison to the fine grained permissions and inheritance that you can do under Windows. Sure you have the extended attributes under ext3, but linux doesn't expose them very well (need to set via command line) and there still is no means of changing them via file sharing. P
Re: (Score:2)
I wonder just how many of us have come across such idiocies. I know I have,
I took a look at my cookie hive one day. Not just who set what cookies, but what they actually contained. There were several that "authorized" (if you can call it that) by a simple and relatively low number. No hash, no corresponding key, nope. Just a number in a cookie to bypass a login. Change it, and Bob's your uncle.
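A bare number in a cookie is the same class of problem as the account number in the URL above: the client holds the identity and the server believes it. The following is an added example, not the poster's code; the key and user ids are constructed. It puts the weak cookie beside an HMAC-signed one so the server can detect the "change it" step, and includes a helper that performs that change against both schemes so the difference can be checked in a test.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed demo key. In a deployment this is a secret loaded from
# configuration, never a literal in source.
SERVER_KEY = b"constructed-demo-key-replace-with-a-real-secret"


def weak_cookie(user_id: int) -> str:
    """The pattern the poster found: the identity itself is the credential."""
    return str(user_id)


def weak_cookie_user(cookie: str) -> Optional[int]:
    """Believes whatever number the client sends back."""
    try:
        return int(cookie)
    except ValueError:
        return None


def signed_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Same user number, followed by an HMAC-SHA256 tag that only a holder of
    the server key can produce. Changing the number invalidates the tag."""
    payload = str(user_id).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{payload.decode()}.{base64.urlsafe_b64encode(tag).decode()}"


def signed_cookie_user(cookie: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the user id only if the tag verifies; None for anything
    tampered or malformed. compare_digest keeps the comparison constant-time."""
    try:
        payload, tag_b64 = cookie.rsplit(".", 1)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return int(payload)
    except ValueError:
        return None


def with_user_id(cookie: str, new_user_id: int) -> str:
    """Swap the number in either cookie format and keep the rest unchanged,
    which is exactly the edit the poster describes."""
    _, _, rest = cookie.partition(".")
    return str(new_user_id) if not rest else f"{new_user_id}.{rest}"
```

Signing stops tampering but still exposes the user number, and a stolen signed cookie is valid until the key rotates. The usual stronger design is an opaque random session id stored server-side with an expiry; the signed form is shown because it is the smallest change from what the poster found.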
Re: (Score:3)
Unfortunately statutes trump contracts.
Re: (Score:3)
Ask the EFF to write up an internationally-binding contract, in which a company would make a legal commitment not to harass [etc] any security researcher who provides them information in good faith. [..] Any company who signs this is likely to get security assistance. Those who do not sign, could not expect such assistance.
With respect, this is naive and assumes that such companies *want* your assistance. I'm sure that a significant proportion would rather that you STFU about any inconvenient vulnerabilities which would cause them a lot of hassle to fix, probably make them look bad (people do *not* like being made to look incompetent, even when they are) and I suspect, from a legal point-of-view, be all-round more convenient to not (officially) know about.
If you persist in trying to get them to do something about this (rega
Re: (Score:2)
And if the company breaches this contract, who is going to sue them? The researcher who isn't a party to the contract, and thus has no standing to sue for breach of contract?
The idea is a nice thought, but not really enforceable.
As the old idiom goes: (Score:5, Insightful)
Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.
Re: (Score:2)
You don't understand it from their position. If nobody notices, no issues. Since it's brought up, they actually have to do something about it. If it is used for badness, it's the EVIL HACKERS and not our incompetence. Since he sent in the evidence, they have to do something about it, and can't blame anybody.
~ He could even be charged with performing a scapegoat-otomy without a medical license! Oh, the humanity! /~ :-)
Strat
Re: (Score:2)
Exactly. If some hacker or something abuses the exploit and harms the company (and perhaps all of its customers), then too bad for them. If they're going to act like this, just let it happen to them (the customers will love it).
Full-Disclosure (Score:2)
If you find a vulnerability, disclose it. Publicly.
And yes, I work in Information Security. Vulnerability Management even. Go figure.
Re:Full-Disclosure (Score:4, Insightful)
If you find a vulnerability, disclose it. Publicly.
and anonymously.
Re: (Score:2)
If you find a vulnerability, disclose it. Publicly.
And yes, I work in Information Security. Vulnerability Management even. Go figure.
At least be ethical and anonymously tell the company first and give them a chance to fix it themselves. If they ignore it, then consider a public announcement. Otherwise you're no better than the criminals, legally or ethically.
Re: (Score:3)
Re-posting because I forgot to login:
In a perfect World that would work, and Companies would notify their customers of the threat and come up with a game plan to mitigate the vulnerability.
In the real World Companies aren't going to do Jack Schitt unless their hand is forced.
And for me, as the Customer, I'd much rather know that a threat exists so *I* can be proactive and try to mitigate the threat than rely on some Company sitting on a vulnerability for months and years while they devise a patch or hotfix
Yes. (Score:2)
they deserve it. really.
Re: (Score:2)
Re: (Score:2)
Good Samaritan Laws (Score:4, Insightful)
In meatspace, there are Good Samaritan laws that say that if you help someone who is in danger, you are not to be sued. Pulling someone from a burning car is not something that should bankrupt the rescuer.
We need this for e-space.
If you find a flaw and report it to appropriate people, you should not become a target because you made someone look bad.
The alternative is to never report a flaw. And no, the argument that you can do it anonymously is bullshit too, because people will fuck that up like they already do.
--
BMO
Re: (Score:2)
The problem is legislation written by idiots, abused by lawyers (but I repeat myself), and then the dance of arbitrary abuse performed by the judiciary. There is nothing so dangerous as poorly written law, and in my experience, almost all law is poorly written.
Re: (Score:2)
They're not idiots.
They just don't work for the voters that supposedly are supposed to decide whether or not they get into office.
It's an issue of loyalty, not competence.
Re: (Score:2)
How about you take your "HURR GUBMINT CAN'T POSSIBLY DO ANYTHING GOOD WHATSOEVER" and shove it squarely up your ass, you psychopath.
I've heard assholes like you my entire life and I prefer civilization instead of warlords.
Go fuck yourself with a glass shard.
--
BMO
Re: (Score:2)
Re: (Score:3)
>No one would looked bad if they didn't sue the guy,
You misunderstand what I meant about who is looking bad. This is the result of someone within the organization attempting to cover his ass by blaming the messenger and convincing the lawyers that it's not his fault.
Because if he didn't, he'd look bad to his bosses.
That's why all this is happening, and since shit rolls downhill and there is no protection for people like the researcher, guess who gets squashed like a bug by the corp?
>Flaw
>Researche
Re: (Score:2)
Sometimes, it really seems like no good deed goes unpunished.
If one of the good guys gives you information to help you fix your systems when they're obviously broken, and you bite their hand... the consequence is that fewer good guys will be willing to do it. So, if you follow this slippery slope argument to its conclusion, you're pretty much left with the bad guys being the only people who are willing to break into your obviously broken server. And then there are no warnings. There are no second chances.
Re: (Score:2)
Translating to e-space, a security consultant could be liable for malpractice. However, this consultant still did the right thing, so there are no grounds for causing him trouble.
Wrong.. sheeesh (Score:2)
It's the age of the internet. There is no reason to be wrong about facts.
http://www.ohiobar.org/Pages/LawYouCanUseDetail.aspx?itemID=477 [ohiobar.org]
Re: (Score:2)
Re: (Score:2)
where? hmmm? where? cite?
Welcome to Wonderland (Score:3)
What the hell kind of logic is that? If this stands then every independent security researcher ought to leave Down Under at once and leave them to find out that White Hats != Black Hats through direct and painful experience. What a bunch of jokers.
Re: (Score:2)
Critical information missing in TFA (Score:2)
So which is it? This is a pretty critical part of the story that seems to be missing. The linked article seems to indicate that the researcher simply found the one issue and quickly
Re: (Score:2)
And how would the company have found out about that anyway?
Theoretically, if he had, his requests would be in their access logs...
Re: (Score:2)
"run a batch file" and simply modifying a URL likely means something like a simple script around wget or something equally trivial
for ((i=0; i<500; i++)); do
  # the original was missing the "<" in the loop condition
  wget -O "dump${i}" "http:///url/long/user=${i}"
done
Re: (Score:2)
Re: (Score:2)
568 accounts to be exact.
http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf [haymarket.net.au]
Try clicking a few of the links in TFA next time. Or were you surprised that the summary actually included more than just a paraphrasing of the original article?
plausible deniability (Score:2)
Companies don't want to know. Literally. If they know, it increases their liability for doing nothing in the event of a problem.
Re: (Score:2)
After the first letter, kindly explain that you're going to take out a full page advertisement explaining how the company doesn't care about user data. Make sure to mention identity theft.
Re: (Score:2)
Make sure you're ready for some time in jail for blackmail, too, if you follow that route. The only thing worse than reporting this sort of data the nice way is to report it in a way that's threatening.
Re: (Score:2)
Make sure you're ready for some time in jail for blackmail, too, if you follow that route.
Last time I checked, blackmail involves money. 'I'll tell lots of people about your horrible security record if you threaten to sue me' is not blackmail.
Re: (Score:3)
As they always say.. (Score:2)
Service Guarantees Citizenship (Score:4, Interesting)
The rule should be: Disclosure Guarantees Immunity
This would lead to some abuse, but it would also lead to disclosure, which is the only way we're going to develop a secure internet. A federal agency could take the reports to keep both sides honest. Immunity could be granted only for what's reported so if people leave something out to hide their malfeasance it wouldn't be covered under immunity. Reports could even be done anonymously if there's an intervening agency.
Re: (Score:2)
I agree in part, but it is a problem.
If, as a delivery dude, I find your key under the front door mat, can I make 1000 copies and drop them off all over the city with your address to teach you to be safer?
I am genuinely asking, I don't have the answer.
If I simply return your key, and you keep putting it under the mat, then what do I do?
Re: (Score:2)
Bad analogy. If I choose to leave my key under my door mat, that is none of your god damn business.
Now, if I am a locksmith and I leave copies of all my clients' keys just lying around unsecured, that's a different story.
Re: (Score:2)
No, it should be this:
"Unauthorised access, with full disclosure, and without intent to illegally make use of accessed data, should not be illegal."
Say for instance, somebody pen tested sony before the PSN hack-a-thon, pulled some demonstration data to prove the exploit was live, and forwarded it to sony's IT staff, asking them to inform the impacted users of the breach and to please fix the exploit.
That should be legal.
If they did the above, but neglected to mention that they vacuumed up 10,000 credit card
My letter to Maged (Score:2)
It took a lot of work to delete all references to "ass" and "douchebag".
Ehud
Dear Maged,
I read with interest your letter to Patrick Webster copied at
http://i.haymarket.net.au/News/20111014034645_FSS-Solicitors_Redacted.pdf [haymarket.net.au]
Mr. Webster informed your client of a security flaw in their software that allows
access to members' confidential and financial information. He did so in accordance
with accepted business principles of Full and Open Disclosure.
Your response shows that your law firm clearly lacks an understan
Re: (Score:2)
You might also want to read the law before you accuse them of being ignorant of it. They are absolutely correct that his actions violate the law. I doubt the police will pursue it unless there is some malicious intent shown.
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082/s308h.html [austlii.edu.au]
Re: (Score:2)
Wouldn't a Luddite be someone who takes Quaaludes? That might apply.
Re: (Score:2)
You make a very good point, as does the PP. My thinking is "he made a database query" and got back 568 results, and shared the availability of that data with the Fund (the lawyer's client). I don't suspect he automated a system to do "568 queries" as that number is not only overbroad, but not a rational number to choose.
All analogies are flawed. They analogize the real part to a false part. They all break down somewhere :) I recognize mine is not perfect. The point I was making, which the analogy was
Virtue has no reward, only punishment. (Score:2)
If I were a "security researcher" I wouldn't offer anything to anyone unsolicited. Fuck 'em. Fuck ALL of 'em.
The only way to punish these cocksuckers is to NOT look for any credit, expose their vulns, then laugh quietly as they are exploited.
Utter lack of understanding the real problem here (Score:3)
The problem is, the guy admits to accessing their system and obtaining documents that he should not have been able to get. He says "Here are 500 samples".
What is the first thing that should occur to someone? Well, how about if he accessed 1000 and is planning on ransoming off the information of the 500 he didn't tell anyone about? Why do you think they want to see his computer? Unfortunately, anyone clever enough to do this would have moved the other 500 somewhere isolated that they would have to tear his house apart to get. Like on a microSD card sewn into a stuffed animal.
See, he has zero credibility here. He can say "But I only took 500! I swear it!" and it does no good. Even searching his house doesn't generate any credibility, it only says they didn't find what they were looking for. Checking his computer only proves that if he has criminal intent that he isn't stupid about it. Since many (most?) criminals are stupid, not finding something on the computer actually does say something ... just not much.
The real question is how much would other records be worth to the subject of those records and how much would it be worth on the open market? If you could take a record and turn it into some cash - presumably by drawing on the assets of the subject of the record - then you have a pretty clear idea of the worth. Even if the value was only privacy there might be some monetary value that you could get from the records. Then you have to either make the records irrelevant or you have to watch this guy for the rest of his life to see if he suddenly comes into a lot of money.
Re: (Score:3)
They can't simply look at their server logs and see what pages were served up to his IP address?
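Both this reply and the earlier remark that "his requests would be in their access logs" point at the same control: the enumeration leaves a very recognisable trace, one client fetching statements for many different account numbers in a short time. The following is an added example, not from the thread or the fund; the log lines are constructed in common log format with TEST-NET addresses, and the parameter name `acct`, the threshold and the window are assumptions. It parses the lines and flags clients whose successful statement requests span at least a given number of distinct accounts within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed access log lines (common log format, TEST-NET addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2011:10:00:01 +1100] "GET /showstatement?acct=1001 HTTP/1.1" 200 5123
203.0.113.7 - - [14/Oct/2011:10:00:02 +1100] "GET /showstatement?acct=1002 HTTP/1.1" 200 5098
203.0.113.7 - - [14/Oct/2011:10:00:03 +1100] "GET /showstatement?acct=1003 HTTP/1.1" 200 5211
203.0.113.7 - - [14/Oct/2011:10:00:04 +1100] "GET /showstatement?acct=1004 HTTP/1.1" 200 4990
203.0.113.7 - - [14/Oct/2011:10:00:05 +1100] "GET /showstatement?acct=1005 HTTP/1.1" 200 5102
203.0.113.7 - - [14/Oct/2011:10:00:06 +1100] "GET /showstatement?acct=1006 HTTP/1.1" 200 5077
198.51.100.2 - - [14/Oct/2011:10:01:00 +1100] "GET /showstatement?acct=2001 HTTP/1.1" 200 5150
198.51.100.2 - - [14/Oct/2011:10:02:00 +1100] "GET /showstatement?acct=2001 HTTP/1.1" 200 5150
198.51.100.2 - - [14/Oct/2011:10:03:00 +1100] "GET /showstatement?acct=2002 HTTP/1.1" 404 312
198.51.100.2 - - [14/Oct/2011:10:04:00 +1100] "GET /login HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def parse_line(line):
    """Return a dict with ip, timestamp, status and the acct parameter (None
    when absent), or None if the line is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlparse(m["path"]).query)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m["status"]),
        "acct": query.get("acct", [None])[0],
    }


def find_enumerators(lines, min_distinct=5, window_seconds=600):
    """Map ip -> largest number of distinct accounts fetched successfully
    within any window of `window_seconds`, for ips reaching `min_distinct`.
    Only 2xx responses count: a refused request (403/404) shows the server
    did its job and is a weaker signal on its own."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["acct"] and 200 <= rec["status"] < 300:
            events[rec["ip"]].append((rec["ts"], rec["acct"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best, left = 0, 0
        for right in range(len(evs)):
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            best = max(best, len({acct for _, acct in evs[left : right + 1]}))
        if best >= min_distinct:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} distinct accounts in one window")
```

Counting distinct account numbers per client is deliberately simple; it catches a sequential sweep like the one in the story but not a slow one spread over days, and a shared NAT address will raise the baseline. If the application also logs the authenticated member id, the stronger rule is "account requested is not owned by the session member", which needs no threshold at all.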
Re: (Score:3)
I can clearly see a need for the researcher to collect "unauthorized data".
Say for instance, white hats had to pen test only their own systems. A whitehat determines that XYZ corp's client accounts package exhibits a vulnerability when $Foo conditions are true. He sends this finding to XYZ, and also to $MultinationalCorp who uses XYZ.
$MultinationalCorp responds to the private disclosure, thanking them for the effort, and "affirming" that their implementation of XYZ client portal is not configured $Foo, an
Public disclosure (Score:3)
Making one rethink their good deeds. (Score:4, Informative)
Better do a cavity search, for good measure. (Score:4, Insightful)
"Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn't take anything of mine."
And this (Score:2)
ladies and gentlemen is why you put the vulnerability on the internet, anonymously.
At least the fear of being exploited will put proper security in people's minds... then eventually maybe we can get people who actually understand security in charge of security.
Superannuation lawyer talking trash (Score:5, Interesting)
It is possible that the fund does have a right to recover "costs incurred" under pure contract law, although you would have to read the terms and conditions of whatever product Mr Jarrett has with the fund very carefully. But I would think they should be more worried about Mr Jarrett reporting them to the Australian Privacy Commissioner for breach of the privacy principles in relation to the fund's obligations to keep personal information secure. I also wouldn't rule out a breach of standards set by APRA (Australia's banking regulator).
Another funny thing to note is that at the rates which Minter Ellison charges, the cost of getting Maged's junior lawyer to write that letter is likely to be far more than the cost of any actions the trustee of the Fund actually needed to take to deal with the problem!
I could go on, but I'm worried they might track me down and start sending me random threats and try to access my computer.
Send them an email to tell them to stop the sillyn (Score:3)
http://www.firststatesuper.com.au/EmailEnquiries [firststatesuper.com.au]
He had a vested Interest in advising them. (Score:2)
Strange how most people seem to be forgetting this very simple yet very pertinent fact.
This fund had been making his personal and financial details publicly available!
Proper Security Disclosure Protocol (Score:4, Insightful)
You go to a web cafe and post it on 4chan, as Anonymous of course. That is what the system has encouraged.
Patrick Webster email to IT staff (Score:5, Informative)
Relevant case law on s308H (Score:3)
http://www.austlii.edu.au/au/cases/nsw/NSWSC/2008/1325.html [austlii.edu.au]
13 Counsel appearing for the defendant drew attention to a number of prior decisions, albeit on different statutory provisions, those cases including Gilmour v Director of Public Prosecutions (Cth) (1995) 43 NSWLR 243, The Director of Public Prosecutions v Murdoch [1993] 1 VR 406 at 409,410. In that last mentioned case Hayne J said:-
“... Where, as is the case here, the question is whether the entry was with permission, it will be important to identify the entry and to determine whether that entry was within the scope of the permission that had been given. If the permission was not subject to some express or implied limitation which excluded the entry from its scope, then the entry will be with lawful justification but if the permission was subject to an actual express or implied limitation which excluded the actual entry made, then the entry will be “without lawful authority to do so.”
In my view the section requires attention to whether the particular entry in question was an entry that was made without lawful authority. In the case of a hacker it will be clear that he has no authority to enter the system. In the case of an employee the question will be whether that employee had authority to affect the entry with which he stands charged. If he has a general and unlimited permission to enter the system then no offence is proved. If however there are limits upon the permission given to him to enter that system it will be necessary to ask was the entry within the scope of that permission? If it was, then no offence was committed; if it was not, then he has entered the system without lawful authority to do so.”
14 The passage has direct application to the situation here.
15 Authorisation to use a computer or authorisation in an entirely different field of law may be general or it may be limited or it may be subject to conditions, and I do not believe that s 308B should be given an operation so as to set at nought that aspect of the general law. As Hayne J said in the passage to which I have referred:-
“If there are limits upon the permission given, it will be necessary to ask was the entry within the scope of that permission?”
------- So, much will depend on the terms that governed the access to the website. Can these be posted ?
Re: (Score:2)
Re: (Score:2)
"I thought Australians were no nonsense people that didn't put up with (or use) bullshit like this."
Everybody thinks they are "no nonsense people that didn't put up with (or use) bullshit like this". Many are mistaken.
Re: (Score:2)
That's probably why they want the actual physical computer, to make the evidence go away.
--
BMO
Re: (Score:2)
Confirmation bias.
There are millions of good deeds that go on every day; however, since nothing is newsworthy about it, you don't hear about it.
Re: (Score:2)
or, simply:
Go to a library computer, create a new Hotmail account, and send all the information to the IT staff, CIO, CEO of the company.