Last month, around Christmas, a sixteen-year-old Australian named Joshua Rogers living in Victoria told the Transport Department that its Metlink website was exposing the sensitive details of over 600,000 transit users, including "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers."
He waited two weeks, but after he had not heard from Metlink -- and as the data exposure was ongoing -- he went to the national newspaper The Age, who called the Transport Department for comment. Whereupon the Transport Department called the police, who arrested the teenager.
It may be that the mistake that exposed all this sensitive data was an "honest" one -- after all, there's no experimental methodology for verifying security apart from telling people what you're doing and asking them to poke holes in it. Security is a process, not a product.
But that means that anyone who keeps sensitive public information on hand has a duty to take bug reports about vulnerabilities seriously, and to act on them quickly. Killing (or arresting) the messenger is absolutely unforgivable, not merely because of the injustice to this one person, but because it creates a chilling effect on all future bug-reporters, and not just for your service, but for all of them.
The Transport Department hasn't only unjustly punished an innocent person; it hasn't only weakened its own security; it hasn't only failed in its duty to its customers -- it has struck a blow against the very idea of security itself, and harmed us all.
The Age doesn’t say whether the police took any action against Rogers. But in 2011, Patrick Webster suffered a similar consequence after reporting a website vulnerability to First State Super, an Australian investment firm that managed his pension fund. The flaw allowed any account holder to access the online statements of other customers, thus exposing some 770,000 pension accounts — including those of police officers and politicians. Webster didn’t stop at simply uncovering the vulnerability, however. He wrote a script to download about 500 account statements to prove to First State that its account holders were at risk. First State responded by reporting him to police and demanding access to his computer to make sure he’d deleted all of the statements he had downloaded.
In the U.S., hacker Andrew Auernheimer, aka “weev”, is serving a three-and-a-half-year sentence for identity theft and hacking after he and a friend discovered a hole in AT&T’s website that allowed anyone to obtain the email addresses and ICC-IDs of iPad users. The ICC-ID is a unique identifier that’s used to authenticate the SIM card in a customer’s iPad to AT&T’s network.
Auernheimer and his friend discovered that the site would leak email addresses to anyone who provided it with a ICC-ID. So the two wrote a script to mimic the behavior of numerous iPads contacting the web site in order to harvest the email addresses of about 120,000 iPad users. They were charged with hacking and identity theft after reporting the information to a journalist at Gawker. Auernheimer is currently appealing his conviction.
Teen Reported to Police After Finding Security Hole in Website [Kim Zetter/Wired]