Company Gets 45,000 Bad Facebook Reviews After Teenaged Hacker's Unjust Arrest

An anonymous reader quotes BleepingComputer: Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug. The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ, Budapest's public transportation authority. The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price. Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

The teenager -- who didn't want his name revealed -- reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems... BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter. As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner.

Lesson learned for him

[Anonymous Coward]

Never try to help souless corporation.

Re:Lesson learned for him

[ma1wrbu5tr]

Seems like they just CNNed themselves. Bwahahaha!

Re:Lesson learned for him

[AmiMoJo]

This is much worse. CNN didn't go through with its threat.

Re:Lesson learned for him

[Anonymous Coward]

Precisely. They received valuable help for free, but since it embarrassed them they struck the altruist.

People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

A change in law is necessary; only after appropriate protections for white-hate hackers (that report using proper channels) are in place will honest disclosure be morally appropriate.

Re:

[e r]

People think that reporting this sort of thing is the morally correct thing to do. It is not. It exposes you to life-destroying legal action. Putting yourself at that kind of risk is recklessly negligent, not morally lofty.

Ayn Rand, is that you!? We all thought you were dead! How did you--? I mean, seriously, we thought you were dead!

Re:

[Atrox Canis]

Either you forgot your /s at the end or you didn't recognize that "white-hate" was a typo for "white-hat".

Re:

[Gondola]

Something similar happened to me in college 20 years ago. I reported that they had an insecure network mount, and they gave me a written warning that went on my record, and almost banned me from the computer services entirely -- which would have made writing papers and doing research impossible since I didn't have them at home.

This is why people aren't nice to each other.

That's embarrassing

[bjdevil66]

That press conference was the equivalent of doing a presentation in front of your class on dressing modestly with your fly open.

The manager(s) who authorized that embarrassment should be fired first thing tomorrow morning because they're clearly clueless bureaucrats that don't even understand their own department's responsibilities.

Re:

[Sique]

The manager who authorized that embarrassment was the owner of the shop himself. So he has to fire himself.

Re:

[Ed Tice]

This could just as well be a US government agency so maybe it's just how all government tends to work. It's stories like this that make me more sympathetic to the anti-government crowd.

Don't rock the boat

[OrangeTide]

Powerful people don't like to be embarrassed nor have the world discover their incompetence. If you expose a powerful moron his position is at risk, and he'll take it as an attack. It's irrelevant for him that you were only trying to help.

"Unjust arrent"

[Anonymous Coward]

While I agree with this sentiment, proper journalism presents the facts and lets the reader decide if it's just or not.

Re:

[thsths]

Proper journalism is less profitable than click bait, and therefore not well represented on Slashdot.

Devil's advocate

[FeelGood314]

This company has no clue how eCommerce works. They actually are double handy capped in that they don't even know what they don't know so they likely had a false sense of thinking they actually did understand things. If you use the website as intended you can't change the price. I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also though the same thing.

Kálmán Dabóczi, BKK, the police and the judge who issued the warrant all owe this kid a big apology. However, not everyone can understand everything and it is reasonable to expect that sometimes you will get unlucky and get a company and a few members of the police who have almost zero understanding of a subject and make a stupid mistake. The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib. Hopefully they were professional about the entire thing. Kálmán Dabóczi has likely learned a very hard lesson so let him apologize and get to work. He now has a pile of free penetration results to deal with and possible the job of selecting a new supplier for the website.

Re:

[Luthair]

Actually, you need permission of the site to test their security. Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

Re: Devil's advocate

[Anonymous Coward]

No, this was more like someone leaving a note for me that my door was wide open.

Re:

[Anonymous Coward]

Actually, you need permission of the site to test their security.

I got permission from the site. I asked it for access, and it gave me access. It's not my fault that the human operators of the site never intended for me to have that access, all I know is what the site is letting me have access to.

Consider if you came home tomorrow and found someone in your living room who told you that you should get better locks.

Except the guy in my living room didn't pick my locks, my crazy ex let him in. It's not that guy's fault for not knowing that my crazy ex did not have the authority to give him access to my living room. All he knew was that this person is standing in the doorway inviting him

Re:Devil's advocate

[TheReaperD]

Except, he did not hack their site. He did not penetrate any servers, exploit any passwords or do anything to their systems. What he did do was make a change to his web browser that altered the price of the ticket and because their systems are designed so badly that it changed the price of the actual ticket so he could set his own price for tickets. All without having to hack their servers. This was allowed to happen because the company disregarded one of the first rules of IT security: Never trust the client to enforce security. In reality, this statement can probably be shortened to "Never trust the client."

Re:

[Dog-Cow]

And "never trust the client" can be shortened to "never trust". When it comes to security, anyway.

Re:Devil's advocate

[DontBeAMoran]

Or you could expand that to "Trust no one".

Mulder was right.

Re:

[nephilimsd]

Have you learned nothing from your literature classes? Trusting No One is exactly what got the cyclops blinded!

Re:

[Luthair]

You could make the same argument about any network request you craft.

Re:

[SimonTheSoundMan]

Car analogies only at /. please!

This is like a car dealership putting the price of the car on the outside of the windscreen, you go up to the car and changed the ticketed price by changing the price form £9,000 to £8,000 by joining the 9 up. You then go tot he salesman and purchase the car at the price you changed it to, salesman sell it to you at that price. You later tell the dealership they should put their pricing behind the glass in the locked car so the price cannot be manipulated.

Re:Devil's advocate

[stephanruby]

I have no doubt that Kálmán Dabóczi believed this kid was hacking their system and I also think it is likely that everyone he asked also though the same thing.

Even if that's true, that thinking doesn't explain why the kid would report it as a bug.

No, the only possible reason to call the police is if the books didn't reconcile at the end of the night and no one had read the bug report submitted by the kid yet (or may be someone read it, but had not told Kalman yet). That's the only possible justification.

And yet, that doesn't seem like this is what happened (at least, the article makes no mention of that possibility). So if Kalman Daoczi really did call the police after having read the bug report, he should be arrested himself for filing a false police report and wasting the police's time. Calling the police after someone has immediately turned them self in is a vindictive action and a complete waste of police resources.

Re:

[fafalone]

The police didn't kick in his door, shoot his dogs or throw stun grenades in a crib.

They would have, had this taken place in the US (or, tellingly, a 3rd world totalitarian state) instead of Hungary. If little Bou Bou gets a flashbang in his crib because they're looking for someone with petty non-violent drug charges, and shooting dogs is the police's favorite sport (one cop has shot 60 himself now)... imagine an evil computer hacker interfering with an American company and their God-given right to earn profit, a far more serious offense.

Re:Devil's advocate

[FeelGood314]

I control the client. It does what ever I want. The Server should have no expectation of my behavior, it just expects a string of 0s and 1s. The server is asking how many tickets I want and how much I should pay for them. This kid pointed out that the server is trusting the client to tell it what the correct price is. The client is being dishonest if it lies about the price but this isn't like changing the price stickers, here the server is actually asking the client for the price and this 18 year old pointed it out. He bought a ticket that he never intended to use to demo the bug. True, his demo might have caused an error in the backend accounting that could have brought down the entire BKK system. That is generally why you ask permission before hacking something, but this seems so trivial that I would give the kid a break and I would expect him to get a thanks.

Re: Devil's advocate

[KGIII]

Instead of a thanks, they could have offered him a job, money, or help to further his education.

1994 Called

[PatientZero]

They'd like their client-side shopping cart software back.

How does even the most novice developer not know that you can't trust anything from the client?

Re:Devil's advocate

[Midnight Thunder]

To use the restaurant analogy, it would be cool if the waitress accepted any price I give her for the meal, but it would probably be shoddy business. Oh, it wasn't normal operating procedure? The waitress accepted it, but now I am being accused of hacking the waitress. How about training her properly to not accept everything the client talks her?

Re:

[Ed Tice]

It's a good analogy, but don't try this at home. It's possible that one or both of you could get prosecuted. No, I'm not a lawyer. If for no other reason, the waitress could lie and say you left without paying and she never agreed to the alternate price. Unless you have it in writing, I wouldn't want to face a judge saying that the waitress agreed to give me a discount.

Re:

[Ed Tice]

And what purpose would it be for the client to present a price? If you have to calculate it anyway? And what do you do if the two don't match? All you're adding here is complexity. I can see having the client *calculate* a price for experience reasons. i.e. a page where I indicate 2 adults and 1 child and JavaScript updates an estimated total. But there should *always* be an order confirmation screen with a price calculated by the server and presented back. You don't need to submit the result of the

Re:

[Ed Tice]

More interesting, what happens if I use a browser that doesn't respect the read-only field or if I show a trivial amount of sophistication and just submit my own POST request. Does the server accept the changes? If this is just a cosmetic issue, that's no so bad. If the data can actually be altered with minimal effort, you should ask for your money back!

Re:

[FeelGood314]

Kálmán Dabóczi was the manager of BKK. You are correct though that he might not have personal been apart of this. It could have just been employees of BKK and this never filtered up to him.

Re:

[turbidostato]

"KÃlmÃn DabÃczi was the manager of BKK. You are correct though that he might not have personal been apart of this. It could have just been employees of BKK and this never filtered up to him."

Sure. The employees call the police over a non-urgent company issue without before rising it to management.

In Hungary.

Well then

[Anonymous Coward]

I guess security researchers and hackers now learned a lesson.

Find a bug? Exploit the f**k out of it. Don't bother reporting it.

Re:Well then

[Solandri]

No, the current response is the correct one. There are lots of companies out there which will take a bug report, fix the bug, and thank you. Some will even pay you a bounty.

Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see because a black guy robbed the local convenience store. The correct response is to single out the responsible criminal / stupid company for reprisal. Like is currently happening to this company.

Re:

[Uberbah]

Exploiting the f**k out of any bug you find is the equivalent of lynching the first black person you see

Wow. Where any shrooms involved in the formation of this analogy? Why don't you go pay a visit to Eric Garner's family and tell them that taking advantage of a web site's shitty security to get cheap tickets is just like their dad being strangled to death on the street. You might wanna bring a cup and a mouth guard.

Re:

[AmiMoJo]

My policy is to report the bug if the company has a reasonable looking bug bounty programme. Such a programme demonstrates that they probably have the right attitude, and even if it's just a trap you can point to it in court as evidence of your good faith.

If there is no bug bounty programme I'll either ignore it or report it anonymously to a relevant mailing list. If the company has a contact email address (not a web form) then I'll CC them in.

Anything else is too risky. If you want responsible disclosure,

Re:

[apoc.famine]

Make an infographic of how to do it, and post it to 4chan. The company will find out they have an issue in no time if you do that!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Ed Tice]

I could never recommend exploiting a found defect. Its unethical and really the reason that we have to have laws. Obtaining free tickets this way isn't really much different than shaking them out of a vending machine (assuming you don't damage the machine). But if a company doesn't have an established bug bounty program, I would *never* contact them with a defect report. I would definitely sell it on one of the markets for these. It's just less risky. Until there are laws protecting people who report

Client-side validation?

[whoever57]

Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price...

Surely no e-commerce site should rely on client-side validation? That seems like asking for trouble.

Re:

[DivineKnight]

But JavaScript can do anything!

Re:Client-side validation?

[Greyfox]

None should, that's not to say they don't. I worked for a company a while back that was dipping its toes into the google web toolkit, which allows you to write your web page's UI in Java and then converts it to Javascript. They ended up doing all their authentication on the client side, so you could just make a web request to the backend and create arbitrary users in any organization in the billing system. That included administrative users. When I reported it, the team writing the code said something to the effect of "You're just making calls to the backend! No one would ever do that!" That attitude is surprisingly prevalent in the industry.

Re:

[AmiMoJo]

Last week another company set up an FTP server for one of our older products to send data to. I know, FTP, but this thing predates my joining the company and it does actually work quite well. Anyway, they were having trouble so we logged in and found ourselves dumped into the root of their Linux server. We could see everything and seemed to be running at root.

I emailed them about it and they said it was fine because the machine was "isolated".

Re:

[gravewax]

You should not rely on it but you definitely should use it. Client side validation is something you use to help pre filter information that is going to be rejected by your server and can be very handy, e.g. users setting a username or password or even an address, if the format is invalid and will be rejected server side then you may as well save the server the processing time.. You don't use it as a security mechanism though!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: Client-side validation?

[guruevi]

No it doesn't. It handles error correction/detection and even then, very weakly which is why most systems have more error detection both in higher and lower layers. You cannot assure data integrity in TCP (or IP), that's handled very much above those layers, typically in application.

Re:

[gravewax]

TCP/IP provides some very basic integrity, sequence, error control and delivery checks. Though their are many holes in the protocol that mean you cannot rely upon it for integrity, data validation must be done at other layers or in the application itself as the TCP/IP layer does NOT handle anything but the very basics of packet integrity, it is extremely easy to change a packet in ways that it will pass all its TCP integrity checks.

Re:

[gl4ss]

If you were a professional developer working in this area you would know, just because you a foul mouthed whiny little kid in your mothers basement isn't a reason to spoon feed you. Go do some basic research if you are interested and learn about the limitations inherent in the TCP checksums, this isn't some mythical hidden or difficult to find information, stop being lazy and educate yourself rather than bitching about others.

maybe you dumb fucks don't understand that even this site probably used https and how many layers of crc checking do you really need?

I mean the issue at hand was trusting information that comes from the client side. integrity checking that information does not help at all when what was missing was SANITY CHECKS. integrity of the data was JUST FINE.

seriously.

you guys sound like the kind of dumb fucks who think that adding a signature that is done at the client end into a http post adds ANY SECURITY WHATSOEVE

Re:

[gl4ss]

.. not really.

no amount of client side checking fixes the problem that the customer can alter anything that happens client side.

what you're describing is some sort of crc/data integrity check which doesn't really help you with if the data is on purpose wrong.

Re:

[Ed Tice]

This is not a function for client-side validation. This is what a confirmation page is for. The server repeats the data back and the client then hits accept. Now there is no risk of communication issue even with corrupt data. Listen to air traffic control sometime. The pilots always repeat back instructions. Same principle. The pilots don't make their own ATC decisions. And this is a very apt analogy because humans communicating over radio frequency do get a lot of corrupted data.

This is cute and all

[rsilvergun]

I'd be more impressed if the facebook hive mind did something about this [youtube.com].

...and here's their FB page...

[mpoulton]

...for your own reviewing and commenting enjoyment: https://www.facebook.com/bkkbu... [facebook.com]

He should have _increased_ the price

[gweihir]

That way, no accusation of getting financial gain from the "hack" would have been possible.

As to the site, these people are the worst of the worst of incompetents. Even an ElCheapo pen-test would have found that problem. Likely the hugely inflated price for system maintenance goes to some equally incompetent and thoroughly corrupt friend or relative of the CEO and that would also explain the brain-dead reaction.

Re:

[gweihir]

That test he should have done in a fashion they could not have traced back to him. What he should have given them in evidence (clearly attributable to him) should have had him paying more. The problem is that making a hacking charge stick is a lot easier if the hacker gained something, however small.

Re:

[jabuzz]

Buy a dated ticket don't use it and keep it, then report the bug *AFTER* the dated ticket has expired.

Don't report bugs

[Andy Smith]

I found a similar flaw in a supermarket's self-service tills. Didn't report it for this very reason. I don't purposefully look for bugs/exploits, but if I did spot any more in future then I wouldn't report those either. My heart tells me to report them, but my head tells me no.

Re:Don't report bugs

[martyros]

I found a bug in the website of a company I wanted to order tiles from; but because of the vagaries of the website, I wasn't actually sure it was a bug until I'd placed the order and had it delivered at a 90+% discount.

Normally their prices were placed in £ per square meter, but they sold individual "sample" tiles for a reduced price. In this case I'd ordered a number of sample tiles and then decided the one I wanted. Rather than go through the website and search for the name again, I went to the "My orders" section of the page and clicked the tile I had decided to order. Conveniently, they had a "Order more" button on that page, so I clicked it.

Now, the price per square meter was £30, and the price of a single sample tile was £2.50. When I clicked "Order more", my basket showed a single number ("1") with a unit price of £2.50 -- but no description of what the unit was. I changed the count to 18 (the number of square meters I wanted) and clicked "Update price", and it was set to £45. But was I ordering 18 individual sample tiles for £45 (which would also have been a bug -- you're only supposed to be able to order one at a time), or 18 square meters of tiles? And anyway, surely some check at the other end would stop it if it really were a mistake, right?

Nope. Three days later a palate containing 18 square meters of tiles showed up -- £720 of goods for £45 + shipping.

I was at that point genuinely torn between wanting to DTRT and being afraid of this sort of reaction described in this article. I did write them an email, spinning the whole thing as an accident, and they simply asked me to pay the difference up to the actual price of the tiles, with a 15% discount.

Being well into adulthood rather than a teenager probably helped; as well (probably) as being an actual customer who was purchasing their product, rather than someone clearly identifying themselves as trying to break in to their systems.

Hope they got their website fixed -- the company overall is a good company, and I'd be sad to see them lose money because they were good at tiles and bad at javascript.

Re:

[account_deleted]

Comment removed based on user account deletion

Legislation needed?

[seoras]

I'm not one for advocating laws but looking at this and seeing the obvious effect it's going to have on white hat security vigilantes (saying nothing or being turned grey/black hat by corporate, egotistical, twats covering their own arse) the only solution seems to be to create laws to protect the white hats.
Laws like those which protect freedom of press and speech.
If you haven't benefited from your discovery and research then you can't be prosecuted.
Instead of reporting to the corporation report to a gover

I don't report bugs

[buss_error]

I don't report bugs to the company. I may report it to their ISP, but usually I don't bother in the sense I don't go looking for bugs.

I don't know, but isn't there a bug reporting system that will allow anonymous communication? If not, maybe that's something CERT could look into sponsoring.
Sort of like the old abuse.net system, where you could register "Hey, this is where we take spam reports seriously." That way the clued in sites will let the whitehats know their reports are taken seriously, and the white

Re:

[Dread_ed]

No, there's still just the two. Though they are owned by the same family...

Security Researcher?

[GodfatherofSoul]

I haven't been on Slashdot much lately, but is that the new euphemism for hacking?

The simple rule is don't poke around someone else's defenses and then get mad when they treat you as a threat. How would you feel if someone told you "Hey, I've been trying to break into your house lately and just realized your bedroom window is unlocked!" ?

Re:

[Sabriel]

A lot less appreciative than if they'd told me "Hey, sorry, I have an obsessive-compulsive disorder about checking locks and yours aren't working."

One is a burglar in search of a Darwin Award, the other is a good samaritan in need of therapy; having the police arrest the latter is the act of an asshole.

Re:

[LoneTech]

No, it's not new, and this isn't poking around in defenses, simply because there was a complete absence of defenses. The programming terms for the missing class of checks are input validation and sanitation.

This was the equivalent of someone handing you an order form where you fill in both price and quantity, you filling in the wrong price and handing it back, then them reading your price and going with that, no comments. And after you instead of using the incorrectly priced service told them they should pe

Re:

[Dread_ed]

Not a good analogy at all. He wasn't in someone else's house. Nor on their porch, nor their property.

Everything he modified was on his computer. They dropped a bunch of stuff into his browser, he modified it on his end, and they loaded the info from his computer back into theirs and took it as true.

That is not at all similar to breaking and entering. In your analogy he never left his own house.

Can I get that on Credit?

[Nabeel_co]

Since they are so insistent on their system being secure when it clearly isn't, wouldn't it be funny if someone sold themselves a ticket with a negative value attached, thereby crediting themselves a large sum of money?

Some deeper background info concerning incident.

[Anonymous Coward]

The online ticket selling system in question was developed by the hungarian branch of Germany-based global giant T-Systems group. Although "developed" seems a bit of an exaggeration, since it looks like about half of the system was merely "painted on the wall" in very rough draft code and at an early stage of perparadness, but the whole infrastructure was duressed into live operation prematurely.

The reason for such a hurry was the ongoing FINA 2017 would championship for aquatic sports, which Budapest and Hungary adopted only 2 years ago when the originally chosen host country (Mexico I think?) suddenly balked out. Pool swimming, water polo, sprint kayak are really big in Hungary, so the country was eager to take over, despite the little time left.

Ever since, a huge amount of money was wasted on hurried preparations (including widespread and extremely costly corruption between politicians-bureucrats and construction company owners) and the event's budget skyrocketed to 4x times of the planned, tehreby taking away a lot of money earmarked for public education and the country's single-payer health system.

While Budapest has a dense and well-developed surface mass transport system called BKK (formely BKV), the international airport at Ferihegy (BUD) is not yet served by an underground railway or a light rail link, there is only a stop-at-every-bush articulated bus line for it, which doesn't even reach the city centre.

Considering the FINA 2017 event, another direct-to-city-center bus line was hastily introduced and politics wanted an online tickets / passes selling system for that, so the airport kiosks wouldn't be overwhelmed and look bad on TV news. (The leadership un-realistically expected hundreds of thousands, if not millions of foreign sports fans to visit Budapest for just the event.) Thus the "bright" idea of pressing into service a quarter-to-half ready online merchant system was born...

BTW, the hacker who discovered the price fixing trick lived 300km (190mi) from Budapest and hasn't been to the capital for months, thus his pennys purchase of a name-assinged pass wasn't made maliciously. In fact it was the T-Systems branch, not BKK, which received his bug report and counter-reported him to police, climing their corporate legal policies require such step. Hungarian netizens have been smear-comment flooding the global T-group Facebook page ever since.

Re:Some deeper background info concerning incident

[Anonymous Coward]

Since I'm a local, let me also add this for the human resources aspect of the story:
Another reason for the hurried introduction of the inscure, unfinished BKK online ticket sales system was that the Mr. Kalman Daboczy, whom the referenced article mentioned by name, is not the original leader of BKK.

Before him there was David Vitezy, an admittedly weird, but very bright, internationally educated jewish boy, who got to form and lead the BKK at a young age, solely due to his family's high political connections yet turned out to be highly motivated. In a few years Vitezy introduced a computerized schedule-control system called FUTAR for over 1500 buses which revolutionized on-timeliness in circulation, a quantum leap from the paper-based BKV era and welcomed by all pax.

He also introduced private sub-contracting for bus line operations with run-time based financing, which brought in hundreds of brand new low floor, low pollution Merc and Volvo vehicles to Budapest, where previously only Cold War era (!) left-over smoking wreckages circulated. He managed to extend the lenght of the city's most important tram line and furnish it with modern rolling stock by successfully claiming EU funds for development, which was considered impossible to get by all parties. He created a public bicycle-sharing system called BUBI from zero and integrated it with BKK. Genius, I'd say.

Eventually Vitezy was sacked from BKK as he tried to reform traffic light patterns and lane use rights to prioritize bus and tram circulation versus private cars, which limousine-riding politicians vetoed. Mr. Daboczy, who replaced him is a "mameluk" i.e. a person whose only skill is loyalty to political superiors in executing orders without questions, including hurtful or stupid ones, and he is without creative talent. Ever since BKK has been stagnating and the city's population eventually questioned why no public transit development happens since Vitezy left? Thus the online ticket selling system was kind of an attempt to show off the new leadership's competence but it backfired spectacularly. The opposition is now demanding Daboczy's removal from BKK due to the scandal.

BTW, when David Vitezy was sacked from BKK, the Port Authority of New York reportedly tried to woo him over to advise on future plans for public transport development in the skyscraper city. He declined to emigrate, probably the mistake of his life, as ever since he has been given mere "desk by the window" roles in Hungary. I'd say if he'd left for USA, maybe in 15 years he could have been properly groomed in America and come back as a potential future PM of Hungary. That, provided the russians don't conquer our country again in the meanwhile...

Fuck whitehat

[volodymyrbiryuk]

Go full blackhat or get fucked. I bet their server where customer information resides has gaping security loopholes too. Instead of punishing the company the try to kill the messenger.

Ludicrously simple?

[computational super]

You say "ludicrously simple" but in today's 8-week-bootcamp to "Javascript ninja rockstar" culture, I've all but given up on trying to explain to front-end developers why client-side validation alone isn't sufficiently secure. I explain it to them once, shrug off their uncomprehending stares and wait for them to implement what I just told them not to, demonstrate the "hack" in front of them, wait for them to protest that "well, anybody who is competent enough to think of THAT is surely unstoppable anyway!"

I recall an analogy from an old European folk tale

[TheHawke]

"The King Has No Clothes on!"

I think in the original version the person that made that proclamation was promptly beheaded.

If not, it should at least be mentioned.

Use your brain

[dhaen]

Idly browsing one night, I discovered that all access controlled had been switched off our corporate network. Yes I could even open the CEO's home folder. It didn't take much brain power to realise that if I looked any further there would be time stamps on files that matched my shift time, so I didn't go any further (despite being curious).

I waited until the morning and phoned a relatively junior IT team member and explained the security lapse to him (on the basis of anonymity), who then escalated the prob

Re:what would of a negative number done?

[Anonymous Coward]

"would of" How do people still make this mistake? Do you just never read?

Re:

[DontBeAMoran]

Nobody here says "WA LA". It's spelled "voilà" for a reason.

Re:

[parkinglot777]

It's colloquial. Some people view their forum responses as literal "speech", rather than a formal written argument.

Get over it.

Then they shouldn't be writing and also stop assuming that everyone else knows it. Speaking language is often time ambiguous. If you want to write, do it properly.

Re: what would of a negative number done?

[KGIII]

Oh, the irony.

Re:

[CodeHog]

From my CS days in college, unit test for the following conditions. Value = N, value = N -1, value = N + 1, value = -N, wash, rinse, repeat until time is up or bugs are fixed.

Re:

[drinkypoo]

Studies show that grammar nazis are dicks.

Re: what would of a negative number done?

[KGIII]

"should of"

Subtle. I like it.

Re: what would of a negative number done?

[KGIII]

At least twice, because I know I'm not his father.

I couldn't resist.

Re:I know this will be an unpopular opinion, but..

[Stormwatch]

No, a better analogy is: the store forgot a price sticker printer in the shelf, so any client could just get it and print new prices freely. This kid found the printer and took it to the cashier, and rather than getting thanked, he got accused of stealing the printer.

Re:

[Dutch Gun]

We don't need a bad analogy or two to understand this. The kid saw an exploitable flaw, let the company know in a responsible manner, and was punished for it. Other companies would thank him, and perhaps even pay him a bug bounty for his trouble, because he just did them a huge favor. This is not anything unprecedented in the modern world. Only the backwards and punitive reaction is.

This reaction represents the mindset of companies from decades ago, where they thought that security through obscurity was

Re: Only apps can app apps!

[KGIII]

Off topic, I know, but I like apps guy. I miss the cows guy.

I know, some don't like them. However, they are a part of what makes this site what it is.

Re:

[Highdude702]

apps guy is the best so far IMO, unfortunately he misses a lot of golden opportunities lately. Maybe he himself is getting tired of the same ol dribble on slashdot.

Re:

[RavenLrD20k]

All your base are belong to me.

Re:

[RavenLrD20k]

I know what the real phrase is. I just don't like sharing.

Re:

[TechyImmigrant]

And while too inarticulate to make his point well, I would agree with apps guy's hate for a couch that can only be adjusted by smartphone.

There's an app for that.

Re: Impersonating me? Please... apk

[KGIII]

Can confirm that APK predates the Android packages.

Re:

[omnichad]

But never got asked out on a second date.

Re:

[omnichad]

Wait...did you just link to a post where I proved you wrong? Why? DNS amplification attacks use DNS servers to attack YOU - whether you use DNS resolution or not.

Re:

[omnichad]

how can a DNS amplification affect me?

Maybe you should look up what a DNS amplification attack does. Hint - it doesn't matter if you use HOSTS for all of your lookups.

A DNS amplification attack does not stop you from looking up web sites. It's a DDoS that overloads your router. HOSTS will not help you with that whatsoever. Not DOS, DoS.

P.S. It's not a "big blunder" to not remember which order to put HOSTS in. The Windows default hosts file has examples in it. You never have to learn or remember the syntax, because it's right there in th

Re:

[omnichad]

how can you overload my router? You don't know my IP address!

It doesn't have to be a targeted attack - you still have an IP address and you're still not any more protected. Besides, you claimed that the HOSTS file engine protects against a DNS amplification attack. Still not true.

Since EXAMPLES ARE THERE, your BLUNDER SHOWS YOU DIDN'T CHECK 1st & STUPIDLY PUT THEM OUT IN THE WRONG ORDER

Or, it's pseudocode and exact syntax doesn't matter in the slightest. You're the only person on Slashdot who would care. The meaning of my post didn't change based on the order of my syntax, because the intent was unambiguous.

Re:

[omnichad]

Do you change your actual ISP IP or your endpoint/VPN IP? Only the former prevents being affected by a DDoS. You're assuming someone found your IP from forum/server logs rather than just attacking a random IP.

It's WHY I change IP address every time I post in ANY forums

No, you do that because otherwise you can't post as AC every couple minutes all day.

Either way, HOSTS does not protect against a DNS amplification attack. Why not concede that point already?

Re:

[omnichad]

And your HOSTS tool still does nothing to protect against DNS amplification attacks. Seems that you can't just address the main point of my post.

Re:

[omnichad]

I don't care if the DNS amplification attack affects you - that wasn't the issue. You claimed that your HOSTS file engine itself protects against that. That's not true.

Re:

[omnichad]

Because you're advertising your software as something that can stop DNS amplification attacks. https://science.slashdot.org/c... [slashdot.org]

And when someone calls you out on it, you stick out your tongue and say that you can change your IP address. Only a politician would think that's an answer.

Re:

[omnichad]

I'm not attacking you with DNS amplification attacks. I'm talking about the end-users you advertise to. Stop conflating these two things.

Hosts file engine does nothing against DNS amplification attacks.

Re:

[SharpFang]

How fucking corrupt (or clueless) must one have been to have cast a vote for Hillary Clinton?

We had a similar situation in Poland recently. A party of ass clowns was voted in, in place of one of very competent *thieves* that kept robbing the country blind with impunity over previous 8 years. And while the ass clowns aren't a good government, they certainly cause far less harm than the thieves did.