
First State set police on man who showed them how accounts could be ripped off

99 points by mopoke over 13 years ago

20 comments

zemaj over 13 years ago
Unfortunately this happens more than you might think, and other Australian companies seem to have a similar approach to dealing with security findings. Many years ago I found a huge hole in a large company's Australian website that allowed me to download their entire database of customer records, including addresses and plain text passwords, by a similar method of just changing URL parameters. This was millions of consumer records from a -big- international brand.

Instead of warning the public that their records may have been compromised, they focused on me. I was immediately slapped with legal threats via phone, email and mail. They took my original email apart, saying that by modifying the URL and downloading the database I had illegally obtained this data, I could be prosecuted under xyz law etc... They ended it by saying that if I ever spoke about it publicly I would be taken to court.

Needless to say I attempted to take my issue directly to several Australian newspapers. I talked to a couple, but none wrote a story. I don't understand why - this was 7 years ago, perhaps they didn't understand the issue. I spoke to a lawyer who told me that there was nothing I could do. They'd given me a way out so I should just take it and try to forget what happened. In the end I convinced myself that perhaps I was in the wrong. No one would listen to me. At the time I was a lot younger and had fewer resources. I would of course not deal with it the same way now. However, I'm not interested in digging up the past - the proof is long gone, but the lesson stays the same.

There should be a government body to whom security breaches like these can be reported. Companies cannot be trusted to police themselves when it comes to private data.
blahedo over 13 years ago
A reasonably happy note of sanity is sounded at the end of the article:

'NSW Police said it was not taking any further action on this matter. "There was no criminal offence committed and the company in question has been informed of the outcome. It was more a case of a civic-minded person reporting a potential security breach."'
NinetyNine over 13 years ago
This is why I stand by anonymous public disclosure. Companies will not budget for security unless you make them.
steve8918 over 13 years ago
I learned early on in my career not to mess around with account information, especially at a bank.

My first job out of university was in corporate IT for a big bank around the time that l0phtcrack came out. I used it to crack hundreds of user passwords, and then showed my boss the vulnerability.

He promptly told the director, the director sent out an email saying that people's NT passwords had been breached, and I got in a little bit of trouble for cracking people's passwords without authorization, even though people were using passwords like "password", "apple", etc.

I realize it's dumb to blame me (or the guy in the original story), but I've come to learn that when you're dealing with big corporations like banks, they are eager to cover their own asses and to throw the blame wherever they can. So it's best to never mess with them.

The fact that the guy downloaded actual customer information is what opened him up to potential problems; that's the one step I probably would have avoided.

Of course, this ridiculous behavior by the banks will only make it more likely that any security breaches won't be reported, which means if you're a customer, you should change banks immediately to a bank that actually cares about the security of your information.
sneak over 13 years ago
The exact same thing (except in the USA) is happening to my friend: https://freeweev.info

He's looking at ten years in federal prison for what basically amounts to whistleblowing. They've charged him with identity theft and conspiracy to commit unauthorized access for scraping email addresses (and nothing else) that AT&T had published unauthenticated on the web.

The world is a crazy place, these days.
josephg over 13 years ago
From the article:

"He said Webster's actions were more serious because he did not just access his own or a mate's account, but hundreds of other customer accounts, to prove the security flaw was real. 'While we were appreciative of him showing us a weakness in our security systems the size of the downloads concerned us greatly and the fact that it was a major breach of the privacy provisions of our members,' Dwyer said in a phone interview."

The guy didn't just find and report on a vulnerability. He also scraped a whole heap of private customer details ('to prove the problem was real'). If his intentions were pure, he shouldn't have downloaded & saved the private information of hundreds of customers. First State Super overreacted, but I can understand why they're nervous that he might keep the data.
SoftwareMaven over 13 years ago
A good deed never goes unpunished. I don't know if I would ever report a security problem like this for fear of needing to deal with this kind of headache (at least with a non-Google-type company).

Anybody have any idea whether my feelings are being unduly influenced by familiarity with these kinds of stories? I doubt there is any real data to make a decision with, but I like to try to stay at least a little rational.
jcromartie over 13 years ago
> he may be liable for any costs in fixing the breach.

How is this even remotely logical? If someone walks by my house and yells "hey, your window is broken!" can I force them to pay to repair it?
buff-a over 13 years ago
"I'm confident that when we meet and discuss the matter we can resolve it to our satisfaction that he is actually not holding those files any longer."

How the fuck are you going to do that, Mr CEO?
Joakal over 13 years ago
Looks related to this:

http://risky.biz/fss_idiots

http://risky.biz/minter

There's also a case where police can arrest you and unarrest you at will (in Queensland at least), in the process taking all your equipment (his iPad): http://www.news.com.au/technology/facebook-story-arrest-disputed-on-twitter/story-e6frfro0-1226057758607

The young journalist decided to go quiet so as to not upset police(?): http://www.reddit.com/r/australia/comments/hn74v/what_happened_with_userbengrubbs_interaction_with/

Even [NSW] politicians think accessing a private URL can be 'hacking': http://www.smh.com.au/nsw/minister-a--monkey-could-have-hacked--secret-transport-site-20100223-p085.html

Quite frankly, I'm disappointed that companies in Australia can wave the police wand whenever there's an IT security issue. I want Aussie police to step up their game and charge the companies with making false police reports. Especially with demands to seize equipment of individuals as a form of extortion with malicious intent to silence them.
jasonwatkinspdx over 13 years ago
I found this fascinating:

"But then three and a half weeks later the police just knocked on the door and said we're here to speak to you about downloading files about First State Super," said Webster, adding police discussed the matter with him and told him to stay away from First State's website.

The implication there is that a website is property so strongly as to use the police to compel whether someone might choose to point their web browser at it.
nodata over 13 years ago
So First State try and get revenge on and blame the poor guy who reports the problem. I can't understand how this is a cheaper or a better solution for them than fixing the hole. It would be interesting to know if there was a thought process behind this, because it reads like there wasn't.
Volpe over 13 years ago
"To demonstrate the flaw to First State's IT staff, he wrote a script that cycled through each ID number and pulled down the relevant report to his computer. He confirmed that the vulnerability affected the firm's full customer database."

Seriously? That sounds a little more than just "checking the vulnerability exists"; that sounds like exploiting it. Tweaking the URL is all he needed to do to work out that there was a problem... then he writes a script and downloads all the data?

I'm actually not that shocked by the reaction. Equivalent:

"I noticed your door was unlocked, so I stole all your stuff, and put it in that truck parked just there. Just thought you might like to know." <--- Would you take legal action in that case?
bionicbrian over 13 years ago
Oh my gosh man. That's so bad. You simply replace the account ID parameter in the request URL? That's so bad. So so stupid on the bank's part. They should be showering this guy with gifts for pointing out such a stupid mistake to them and they should be going after whoever set up their system like that.
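The flaw the thread keeps returning to (Volpe's quote of the ID-cycling script, bionicbrian's "replace the account ID parameter") is a missing ownership check on a user-supplied record ID. The following is an added illustration, not code from the article, First State Super or any commenter: a minimal handler in its flawed and hardened forms, plus the detection heuristic a defender would run over access logs. Account IDs, user names and the log-line format are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not real records): account_id -> (owner, statement text).
STATEMENTS: Dict[int, Tuple[str, str]] = {
    1001: ("alice", "Alice statement"),
    1002: ("bob", "Bob statement"),
    1003: ("carol", "Carol statement"),
}

def get_statement_vulnerable(session_user: str, account_id: int) -> Optional[str]:
    """Flawed pattern: the handler trusts the ID taken from the URL and never
    checks that the logged-in user owns that account, so any ID works."""
    rec = STATEMENTS.get(account_id)
    return rec[1] if rec else None

def get_statement_fixed(session_user: str, account_id: int) -> Optional[str]:
    """Hardened: the requested ID must belong to the authenticated user.
    'Not found' and 'not yours' both return None so the endpoint does not
    confirm which IDs exist to someone probing the parameter."""
    rec = STATEMENTS.get(account_id)
    if rec is None or rec[0] != session_user:
        return None
    return rec[1]

def flag_enumeration(log_lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Detection side: a script cycling through IDs shows up as one session
    requesting many distinct account IDs. Assumed (constructed) log format:
    '<user> GET /statement?account_id=<id>'. Returns users at or above threshold."""
    distinct = defaultdict(set)
    key = "account_id="
    for line in log_lines:
        user, _method, path = line.split(" ", 2)
        idx = path.find(key)
        if idx == -1:
            continue
        distinct[user].add(path[idx + len(key):].split("&")[0])
    return {u: len(ids) for u, ids in distinct.items() if len(ids) >= threshold}

# Constructed sample log: alice reads her own statement; bob walks the ID range.
SAMPLE_LOG = [
    "alice GET /statement?account_id=1001",
    "bob GET /statement?account_id=1001",
    "bob GET /statement?account_id=1002",
    "bob GET /statement?account_id=1003",
    "bob GET /statement?account_id=1004",
]
```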
ArchD over 13 years ago
Notwithstanding the right and wrong of this case, if Patrick Webster had done all his investigation anonymously, e.g. through Tor, and expressed his findings to First State Super in a way that does not imply that he actually downloaded anything, I wonder whether it would have put him in a better position.

Even without investigating anonymously, if he had just described the security vulnerability without saying what he actually did, would he be legally vulnerable?

I find it ironic that in helping this company with their IT vulnerability, he possibly took on himself a legal vulnerability.
trebor over 13 years ago
That was nice of him to do. And I doubt, after the reaction he got, that he'd do it again any time soon.
jodrellblank over 13 years ago
After reporting how easily the Manhattan Project military safes could be opened, the higher-ups sent round an urgent memo addressing the issue. It said "Don't leave Feynman alone in your offices".

:-/
kaze over 13 years ago
Unbelievable. I am not aware of US law, but I hope he can sue First State back for the mental harassment they caused him. This isn't plain ungratefulness - it is dangerous. It can dissuade well-meaning, civic-minded members of the public from helping a company, which by the way is great for the bad guys.
wyclif over 13 years ago
Whenever I see the phrase "First State", I think of Delaware, not Australia.
seven_stones over 13 years ago
The other lesson is that incompetence of this magnitude on one issue is always a symptom of incompetence generally.

I have seen this over and over again with multiple companies. It's not like everything else is first-rate and somehow just one glaring thing slipped by them. That's what we'd like to believe.

Instead, there is a systemic problem with horrible decision-making that will infect every level of operations, until the organization finally collapses into a black hole of infinite stupidity.

Well, that may be a little extreme. Some of them putter along as white dwarfs.