A visit from the Police!

Discussion in 'Networking, Telephony & Internet' started by Mred32, Apr 13, 2012.

  1. Mred32

    Mred32 Old and Decrepit

    Joined:
    Jul 4, 2001
    Messages:
    4,821
    Location:
    Perth, South of the River
    I had a phone call from my son at Uni today asking me to come and get him. Officers from the W.A Police "Technology Crime Investigation Unit" would like speak to my son, and since he is under 18 they require a parent/guardian to be there.

    It appears that a few weeks ago my son was looking at one of the "Office of Crime Prevention" websites which also hosts the W.A "School Leavers Info" website and while browsing he noticed some SQL errors on the page. After a little fiddling with basic injection techniques he easily managed to get admin access to the site with full access to the logs, usernames and passwords for the site admin account and he suspects he could have gained root access, but he didn't try. He didn't do anything to the site itself but he just had a look around. He then decided he should let them know about the security issue so he put all the details into an email including copies of the server logs and his personal contact details and sent them to the site admin, attempting to do the right thing.

    Come today, the Police come around and inform him that he went to far and that by accessing the logs and passwords he has committed an offence under section 445 of the act!
    Now, I had made a point of hiding all my external hard drives and extra laptops before the cops arrived as we knew they were coming since I had been contacted and had to be present, thinking that they might decide to take the lot. Fortunately this was not needed as they proceeded to explain to him how he should have done this without crossing the line and causing a problem. They also thanked him for actually pointing out the problem and they acknowledged that they know he didn't have any criminal intent but since he had gone further than simply discovering the problem he went in and had a poke around ... he went to far. When they came they had full Facebook logs from him, myself and my wife as well as full recent I.P logs from our ISP including Email, Torrents and just about everything we have accessed on port 80 over the past month. They said "We are not interested in anything other than what relates to this matter." I'm a big movie downloader. In the end, they decided to write up a Juvenile Caution Note and let the matter go at that.

    The good side of this is that they then went on to explain to my son that they are opening up positions for un-sworn officers in the I.C.T department and would he be interested in doing some work experience with a view to a position after he finishes his Uni degree?

    I was shitting myself when they first came in the door, thinking I was going to have to go and bail out my son ... but by the time they left I was ready to offer them a beer and some snags on the BBQ. These guys seem to think my son has the skillz and ability to work for them. COOL! Even if it's just unpaid work experience, having the Police Department "Technology Crime Investigation Unit" on your CV can't be a bad thing.

    I think I better go have a beer now because my heart rate is a little unsteady ... ... ...

    Mred32
     
  2. ck_psy

    ck_psy Member

    Joined:
    Jan 11, 2006
    Messages:
    4,228
    Location:
    Sydney, NSW
    cool story bro.
    sounds like decent cops exercising their discretion
     
  3. cmasseyau

    cmasseyau Member

    Joined:
    Oct 4, 2003
    Messages:
    229
    Location:
    Tassie
    Sounds like it was handled well, and your son may have learnt a thing or two at the same time :thumbup:

    Would be good to get into security, will always be a useful skill and not something that is the first to be moved off shore.
     
  4. Rezin

    Rezin Member

    Joined:
    Oct 27, 2002
    Messages:
    9,488
    Read a few times about similar situations like this getting out of hand for the person informing the site/owners/etc.

    What did they say he should have done?

    Nice! Is he considering it?
     
  5. Pugs

    Pugs Member

    Joined:
    Jan 20, 2008
    Messages:
    9,158
    Location:
    Redwood Park, SA
    this pretty much... :thumbup:
     
  6. HUMMER

    HUMMER Member

    Joined:
    Dec 1, 2002
    Messages:
    8,786
    Location:
    sydney
    seems like your son had a win today then. :thumbup: to him.
     
  7. MR CHILLED

    MR CHILLED D'oh!

    Joined:
    Jan 2, 2002
    Messages:
    137,122
    Location:
    Omicron Persei 8
    Caution seems like a fair enough outcome.
     
  8. IMtech

    IMtech (Banned or Deleted)

    Joined:
    Jul 1, 2011
    Messages:
    1,430
    Location:
    Cheeseland, France
    Nice one. :thumbup:

    Lucky your son only had a poke around and didn't attempt to get root access... This would have definitely changed the situation to way worse than just a caution... ;)
     
  9. ex4n

    ex4n Member

    Joined:
    Oct 5, 2011
    Messages:
    2,126
    Location:
    Perth
    Thats a surprise, very interesting story though, were these cops from the ICT or just regular police?

    I had heaps of cautions as a youth, will not have any negative impact on him at all. :) Gets erased at 18 AFAIK.
     
  10. OP
    OP
    Mred32

    Mred32 Old and Decrepit

    Joined:
    Jul 4, 2001
    Messages:
    4,821
    Location:
    Perth, South of the River
    My son is seriously considering taking up the offer. Cuber-Security is the area he seems interested in. The Police gave some information about what the Act describes as an offence. What they described was that if he has simply discovered the flaw and not actually entered the admin area he would have been within the law. Once he entered the areas of the site which one would normally expect users to not have access to, he broke the law.

    Now ... he would not have known he had access to these areas without trying it out but trying to access these areas is not an offence. Actually getting into these areas is an offence. So if you try to break the law and fail you are ok. If you succeed then you are breaking the law. The Police acknowledged this legal problem but went on to say that since he had committed an offence then they must take action, regardless of whether his intentions were innocent or not. He committed an offence so they are required to take action against the person involved, in this case I feel the action was appropriate.

    They mentioned that there are (in very simple terms) three levels of this type of offence. Access, Actions, and Intent. If you force access you break a law. If your actions are harmful you break another law. If your intent was malicious then another law is broken and the level of your crime becomes more serious.

    Mred32
     
  11. TERRA Operative

    TERRA Operative Member

    Joined:
    Jul 8, 2005
    Messages:
    6,925
    Location:
    Niraikanai
    Yeah, I got a caution from the bomb squad when I was 13, got the scars to show for it. Didn't show up a few years back when I got a secret military check done, and preliminary checks for a top secret pass came up clear too.

    I say he should take the chance, if he's into that sort of thing, it's the perfect chance to use 1337 hax0r ski11z and be backed by teh law at the same time.
     
  12. MR CHILLED

    MR CHILLED D'oh!

    Joined:
    Jan 2, 2002
    Messages:
    137,122
    Location:
    Omicron Persei 8
    My suggestion would be not to try in the first place, regardless of the innocent intention. If someone attempts to gain access then they have intent to do something, even if it's to gain entry to a secure system, or have a snoop, or whatever. And whatever it is it is wrong because they have attempted to gain access to an authorised system.

    The laws of "Access, Actions, and Intent" seem entirely reasonable to me.
     
  13. zach

    zach (Banned or Deleted)

    Joined:
    May 1, 2009
    Messages:
    3,614
    Location:
    chermside.bris.qld.au:80
    script kiddie goes whitehat.

    I would have shit my pants also!
     
  14. OP
    OP
    Mred32

    Mred32 Old and Decrepit

    Joined:
    Jul 4, 2001
    Messages:
    4,821
    Location:
    Perth, South of the River
    They mentioned the whole "Black/Grey/White Hat thing ... and my pants are in the wash as we speak ...
    ;)
    I've tried to point my son in the White Hat direction since he was very young. Maybe It worked?

    Mred32

    These were ICT guys.
    I have their business cards.
     
    Last edited by a moderator: Apr 17, 2012
  15. IzzehO

    IzzehO Member

    Joined:
    Mar 9, 2011
    Messages:
    936
    Location:
    4152
    Interesting.

    I'm curious... have they fixed the loophole?

    Otherwise I know some people, that know some people that'd probably be interested in the info (that's if he concludeds black hat suits him more) :p

    Problem with doing the right thing... you end up arrested... while doing the wrong thing nets you a pretty nice income.
     
  16. OP
    OP
    Mred32

    Mred32 Old and Decrepit

    Joined:
    Jul 4, 2001
    Messages:
    4,821
    Location:
    Perth, South of the River
    If the BlackHat is his thing then I guess he'll find his own way there ... doing the wrong thing is usually the easy way out. Doing the right thing is often difficult and requires integrity and self worth.

    I can only educate him, I cannot force him. I can only guide his decisions not control them. He is my son, not my property.

    Mred32
     
  17. Vladdo

    Vladdo Member

    Joined:
    Apr 12, 2005
    Messages:
    8,501
    Location:
    Laverton, Melbourne
    I find it rather surprising that the cops can have access to pretty much anything they want from your ISP... Not that they seem to care anyway..

    I also guess that you've stressed how much of a bullet, both you and he have dodged.. and that if he does that again, you might end up in hospital ...
     
  18. Madengineer

    Madengineer Member

    Joined:
    May 27, 2011
    Messages:
    12,878
    Hope they dont look at my history then......


    Anyway, OP sounds like his son got it real easy....
     
  19. Zardoz

    Zardoz Member

    Joined:
    Jun 28, 2001
    Messages:
    2,167
    Location:
    Melbourne
    Hi,

    Buy a lottery ticket.

    Interesting that they had a lot of information about you so obviously they did a bit of background work to find out exactly what he did and how far he took it i.e. did he go and tell all his 1337 friends about the hole. These sorts like to brag; it's an achievement and an active member of the underground will usually blab to his mates about how much cooler he is after the accomplishment.

    Unauthorised access to a computer system can land you in the slammer for up to two years (unless this has changed recently). Of course this is rather embarrassing for the Police so if they made a big deal of it, things could turn into a fun PR exercise for all. It's good that they saw this for what it was and nothing more. With that warning, hopefully he'll think twice about this sort of thing and realise that this is pretty serious stuff.

    I know a few penetration testers - they all seem to be pretty happy with their job. Infosec is a great industry to get involved in.

    If he wants to come down to Melbourne, there's a really awesome "affordable" security conference called Ruxcon that's aimed right at people like him. Disclaimer: I'm involved with them as a volunteer but I don't actually get anything out of the conference personally other than meeting some awesome people.
     
  20. Annihilator69

    Annihilator69 Member

    Joined:
    Feb 17, 2003
    Messages:
    6,030
    Location:
    Perth
    My friend for a visit from the AFP once and they confiscated ALL the tech devices in the house. Laptops, desktops USB drives/dvds the lot.
    Basically he was teching his mum about web security and spoofing so he copied like the .index.html (file --> Save As in browser) of NAB or something and upped it on his website.

    Then was like see I'm not the bank but I can have the banks website, make sure you check SSL cert when logging in etc. Basically his host noticed and dobbed him in and he got raided the next day.
    Ended up getting a caution as well but no further action. Forensics they ended up breaking his mac fascia getting the HDD out and he complained and they were like "already like that" was so pissed lol.

    Ended up working for an ISP and passed a Police clearance so I guess it's not the end of the world.
     

Share This Page