1. 157

A light story as far as technical exploitation goes, but I felt it illustrated well the challenges of responsibly disclosing security issues across people, companies, and governments.

  1.  

  2. 34

    That was the most fun vulnerability disclosure I’ve ever read.

    1. 28

      Wow, that was an adventure. I’m glad people responded well.

      1. 10

        I truly enjoyed this. And would recommend bookmarking the author’s https://verylegit.link/ for your next April Fools’ CSO trolling.

        1. 1

          Wow, I love this.

            1. 1

              Your link actually leads to a 404 but if I copy/paste it on desktop it works.

              1. 1

                Maybe I’ve screwed my markdown, will try to fix, thanks.

          1. 1

            http://www.shadyurl.com/ is shadier because the links use a shadier domain name.

          2. 4

            This was such a fun read, props to the writer.

            1. 4

              I have never gotten emotionally attached to a blog post before. But when Tony Abbott got on the phone I felt that.

              1. 3

                So did the author get arrested or not? Does anyone have any information?

                1. 13

                  The author was not arrested, and in fact got to have a civil and informal phone chat with our ex-Prime Minister.

                  Sometimes I’m proud to be Australian. Really should finish my citizenship application and make it official :)

                  1. 5

                    I know that, but there is this one line in the article:

                    Update: I have been arrested.

                    This implies to me that there was some further development of the story.

                    1. 23

                      If the rest of the article is anything to go on, this is a joke.

                      1. 3

                        I missed that when I first read it! No-one else is reporting that he’s been arrested, though, so I assume it’s an example of the humour found throughout.

                        E.g.:

                        https://www.theguardian.com/australia-news/2020/sep/16/former-australian-pm-tony-abbotts-passport-details-and-phone-number-obtained-by-hacker

                        1. 4

                          Oh, well… I sure hope that it was a joke, and now I’m also embarrassed that it went over my head.

                      2. 2

                        Sometimes I’m proud to be Australian.

                        Even with this?

                        1. 2

                          Yeah, it’s a mixed bag.

                          1. 1

                            Of the actions my government has taken that I’m ashamed of, that wouldn’t break the top 20, and it’s still one of the better governments around.

                      3. 2

                        Passport number is hardly secret information.

                        1. 27

                          Can I have yours?

                          1. 2

                            I am not giving you the photo of my face.

                            Is the likeness of my face also secret information? Do you cover your head when you go out in public?

                            1. 3

                              A number is easier to copy than a face in practice.

                              1. 2

                                Do you print your personal ID number at the back of your jacket when you go out in public? It’s not about photo, it’s about a number. If you read the post, you’d see that with the number, we could then

                                Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)

                                and then do some real damage in your name. That’s the point.

                                1. 4

                                  It’s not about photo, it’s about a number.

                                  It’s actually about information, which photos do qualify as.

                                  If you read the post, you’d see that with the number, we could then Activate a SIM card

                                  Just because you can activate a sim card with a non-secret does not in any way make the non-secret a secret, or justify that the non-secret should be a secret.

                                  and then do some real damage in your name. That’s the point.

                                  And my point is non-secrets are not secrets. And that if an authentication system was built on a shaky foundation, that also does not justify or make non-secrets into secrets.

                                  1. 2

                                    And my point is non-secrets are not secrets. And that if an authentication system was built on a shaky foundation, that also does not justify or make non-secrets into secrets.

                                    Okay, with this addition, your point makes sense now. But your original comment, “Passport number is hardly secret information” doesn’t state that explicitly. It seemed to me (and I suspect to the guy asking for your pass #) as if you don’t think sharing it should be a problem because it’s not secret information.

                                    Just a bunch of nerds being a bit literal, I guess.

                                    1. 1

                                      I’m afraid that if a “non-secret” piece of information is considered secret by others then in fact it is secret. If someone can use your passport number to affect your life by entering into phone contracts in your name then you need to stop giving it out. To that extent, what you need to keep secret is decided by others which is admittedly a huge pain in the bum.

                                      Very common with government issued numbers of any kind sadly.

                                      1. 1

                                        Another thing with this is that you can’t even avoid it in a lot of places. There’s this number, OIB, in Croatia, which is kind of like your government-issued, personal ID number that you shouldn’t give to anyone because it’s used to verify you are you. Except you have to give it to your bank (okay, they need to watch my secrets anyway), my phone company (they sell my info for ads?) or like anywhere you want to get a loyalty card at.

                                        1. 1

                                          We have that here in Sweden too (“personnummer”). It is not seen as a secret at all. It’s simply a numerical representation of identity.

                                          1. 1

                                            Yep, here too. But when you call e.g. your telecom, “hi, I’m X and I need to change my contract.” - “sure, what’s your totally-not-secret #”?

                                            Edit: well, not here, but back there. I’m not in Croatia any more.

                                            1. 1

                                              My real name is not a secret to the government or my bank, but it is to you. No information is either all secret or all non-secret. Secrecy has domains.

                              2. 12

                                I wish we were totally clear as a society about which pieces of info are just identifiers and which represent some kind of authentication or authorization, so we could focus on protecting the right info. And if instead of repurposing IDs as passwords we designed something for authentication from the start, it could be a lot better: we wouldn’t have to handle and store everything in the clear and rotating secrets could be routine instead of a huge deal.

                                (The current mess is also self-perpetuating: the standard approach to authenticating people is pretty weak, but because it’s the standard approach no company using it to book tickets for you, etc. is likely to face much liability!)

                                However, we aren’t in the universe where identifiers and secrets are cleanly separated, so practically speaking I more-or-less understand the qualms about disclosing passport numbers, US Social Security numbers, etc.
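The separation the comment above wishes for, as an added example that is not part of this thread or of any system it discusses: a registry in which a document number is only a public lookup key, while proof of identity is a separately issued random authenticator that is stored only as a salted PBKDF2 hash, compared in constant time, and rotated without touching the identifier. The class and function names, the constructed passport number and the PBKDF2 work factor are all assumptions made for the example.

```python
"""Identifier vs. authenticator: added example, not code from the thread.

The passport/SSN problem is that one number serves as both the lookup key
and the proof of identity. Here the identifier is kept and shared in the
clear; the authenticator is a random secret that the store never keeps in
plaintext, so a database dump yields identifiers but no credentials.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example


@dataclass
class Record:
    identifier: str      # public, e.g. a document number; fine to print on a ticket
    salt: bytes
    auth_hash: bytes     # PBKDF2-HMAC-SHA256 of the authenticator, never the secret itself
    generation: int = 1  # bumped on every rotation


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class IdentityStore:
    """In-memory registry keyed by the public identifier (hypothetical API)."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def enroll(self, identifier: str) -> str:
        """Register an identifier and return a fresh authenticator for the holder.
        Only the salted hash is retained."""
        authenticator = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self._records[identifier] = Record(identifier, salt, _derive(authenticator, salt))
        return authenticator

    def authenticate(self, identifier: str, authenticator: str) -> bool:
        """Knowing the identifier alone is not enough; the caller must present the secret."""
        rec = self._records.get(identifier)
        if rec is None:
            # Burn the same work for an unknown identifier so its absence cannot be timed.
            _derive(authenticator, b"\x00" * 16)
            return False
        return hmac.compare_digest(_derive(authenticator, rec.salt), rec.auth_hash)

    def rotate(self, identifier: str, current: str) -> Optional[str]:
        """Routine rotation: replace the authenticator, leave the identifier untouched."""
        if not self.authenticate(identifier, current):
            return None
        new_secret = secrets.token_urlsafe(24)
        rec = self._records[identifier]
        rec.salt = secrets.token_bytes(16)
        rec.auth_hash = _derive(new_secret, rec.salt)
        rec.generation += 1
        return new_secret

    def generation(self, identifier: str) -> int:
        return self._records[identifier].generation


def demo() -> dict:
    """Enrol, authenticate and rotate with a constructed (not real) document number."""
    store = IdentityStore()
    passport_no = "PA1234567"  # constructed sample value
    secret = store.enroll(passport_no)
    results = {
        # presenting the public identifier as the credential must fail
        "identifier_alone_fails": not store.authenticate(passport_no, passport_no),
        "secret_works": store.authenticate(passport_no, secret),
    }
    new_secret = store.rotate(passport_no, secret)
    results["old_secret_rejected_after_rotation"] = not store.authenticate(passport_no, secret)
    results["new_secret_accepted"] = store.authenticate(passport_no, new_secret)
    results["generation"] = store.generation(passport_no)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split is that leaking the identifier costs nothing that the system ever relied on, and rotating the authenticator is a local operation on one record rather than a re-issue of the document the identifier belongs to.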

                                1. 4

                                  Whenever I see a wish for X to be designed differently, I love to bring up Chesterton’s Fence:

                                  There exists in such a case a certain institution or law; let us say, for the sake of simplicity, a fence or gate erected across a road. The more modern type of reformer goes gaily up to it and says, “I don’t see the use of this; let us clear it away.” To which the more intelligent type of reformer will do well to answer: “If you don’t see the use of it, I certainly won’t let you clear it away. Go away and think. Then, when you can come back and tell me that you do see the use of it, I may allow you to destroy it.”

                                  Here’s a source regarding why the US Social Security number-as-identifier is the way it is, which really emphasizes how the problem was never about designing good authentication systems, but about developing national authentication in a society that opposes the very idea of national authentication.

                                  1. 3

                                    That SSA link seems to describe part of what I’m saying (a government record identifier got widely adopted by private DBs), and notes “it lacks…the means to authenticate a person’s identity”, which, yes. It’s not the SSA making a record identifier for themselves that bugs me, or even others using it as a DB key, it’s when folks use it as if it were proof of identity.

                                    Spelled-out theory of how we got here: large private entities (airlines, CC issuers, etc., etc.) are capable of better auth than passing around not-all-that-secured numbers in the clear (see chip and PIN, login systems with 2FA or USB keys, etc.). They have been slow to do it (e.g. late introduction of chip and PIN for card-present transactions in the US), and sometimes just have left things a mess (CC card-not-present transactions, and everything using SSN as proof of identity), for a bunch of reasons, including (like I mentioned in the other comment) that they’re not liable for most of the cost/annoyance when the auth system is janky–with credit cards, for instance, the merchants pay the monetary costs and cardholders deal with the fuss of card reissues and false alarms from fraud filters. Competition hasn’t solved it (“use my non-janky payment system/airline/…”) because the network effects protecting incumbents are strong.

                                    FWIW, very different to say “it can be informative to look at history” versus assuming historical decisions are wise or ideas are bad unless presented with reams of historical analysis. To me, analogous to “that weird behavior sounds intentional, peek at the history before you change it” vs. a posture that just makes touching your old code nearly impossible.

                                    (‘Nother fun thing: the Chesterton quote comes from an essay arguing that proper domesticity was being undermined in the 1920s as indicated by “a multitude of modern manifestations, from the largest to the smallest, ranging from a divorce to a picnic party”. Which is a position that, uh, hasn’t aged well to my eyes and makes you think about the principle used to justify it.)

                                    1. 1

                                      That’s a really fair point regarding making past mistakes untouchable because of a less-than-useful need for “reams of evidence”. Feels like red tape against changing old ideas. Thanks for the view.

                                      I retract what I wrote; I’m not one to advocate for fallacious red tape.