Victorian agency reports schoolboy to police for informing it of IT security hole


in brief Public Transport Victoria has reportedly referred a 16-year-old Melbourne schoolboy to Victoria Police merely for informing it of substantial security holes in its IT infrastructure. The Age newspaper reports (we recommend you click here for the full article):

“Joshua Rogers, 16, discovered an extensive database containing the personal details of public transport users in Victoria, using what cybersecurity experts described as a common hacking technique … Public Transport Victoria said the Metlink database had been ‘illegally accessed’ and that it was ‘the only known attack on its website’.”

It appears that Rogers’ actions in disclosing the IT security hole directly to Public Transport Victoria were in line with what IT security circles term “white hat” hacking. Wikipedia describes white hat hacking as follows: “The term ‘white hat’ in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization’s information systems.”

So-called “white hat” hacking is generally considered ethical within the IT security industry, as it aims to test IT systems to confirm their security rather than to breach it. In contrast, the ‘hackers’ popularly portrayed in mainstream media are often what the IT security industry would label “black hat” hackers: those who attempt to breach computer systems for malicious reasons or for their own personal gain.

Public Transport Victoria’s apparent overstep is not the first time a major Australian organisation has overreacted when confronted with an IT security problem. In October 2011, local superannuation fund First State Super reported a similar attempt at assistance to the NSW Police.

Image credit: @CJNewsAu, used with permission

20 COMMENTS

  1. Complete joke of a response from PTV. Obviously the people with a brain were on leave over the Christmas period. Looking forward to when someone else discloses a vulnerability to them… oh wait, they’ll just sell the information to someone nefarious instead.

  2. Slow clap. What PTV have just taught this kid is next time to just steal or destroy the information and not to inform those who failed to do their job.

    • Or to do so through anonymous means. It’s a bit brain-dead of the police to jump all over this with large shoes, but by the same token the data was discovered after hacking in.

      • Actually a “White Hat” hack doesn’t necessarily need to be done anonymously.

        IIRC a group of Uni students also managed to break the security on CityRail’s ticketing system, basically allowing them to give themselves free fares to anywhere. They reported the loophole to CityRail and the response?

        The group was hired to do some consultancy to fix up the loophole. In fact a majority of White Hats are seen as a service because there is normally no malicious intent when it’s done.

  3. Wouldn’t have this still been a ‘black hat’ situation? It wasn’t authorised (or even part of penetration testing).

    A young guy managed to gain unauthorised access; even for ‘good’ reasons, that doesn’t typically get rewarded. Ever.

    • He’s just a kid, and kids play up and push boundaries. I know when I was that age if I found out some hacking technique, I would try it to see if it worked. He may not have been really aware exactly what his actions meant. I bet he was as surprised as we are to find that there was a vulnerability (although maybe not…). IMO, the kid should be educated on why hacking like he did was bad, but praised for reporting it.

      It begs the question, how long has this been an issue, and who else found out about it and stole information instead of reporting it?

    • *cough*

      I beg to differ. A group of Uni students did the same thing for Sydney ages back –

      http://www.smh.com.au/digital-life/consumer-security/free-ride-students-crack-ticket–algorithm-20121112-2984x.html

      City Rail actually went on to consult the group to fix up the security hole.

      There is a huge difference between a White Hat and a Black Hat hack. Some White Hat hacks are actually done w/o permission.

      Standard MO of a White Hat is to test the system because they’re usually interested in security and whatnot, and then report the vulnerability if any should be found. The act of breaking the security is their aim, not to access what’s being protected.

      This is a far cry from a Black Hat, which probes for these vulnerabilities w/ the express intent to exploit the vulnerability for their own purposes. The act of breaking security is just a tool for their aim to either disrupt or take advantage of what’s being protected.

      • Sure. Great.

        My point, is you can’t just assume because security was breached, any data you find exposed will somehow redeem your effort and make the initial (potentially illegal) act irrelevant.

        The whole notion that you can break into stuff, discover a vulnerability and ‘save’ a business in the process, presumes a positive reaction. There is ample, ample example to show that’s almost never the case.

        Probably because for the most part the act of gaining entry tends to overshadow any possible good that might come out of it. :)

        • I get the feeling this conversation will be going around in a circle here… =P

          But breaching security and reporting on how the breach was done has been standard op for all White Hat hacks. There is a reason why there’s an annual security conference between these “hackers”, security experts and companies.

          Again, just as there’s an overreaction to people reporting breaches/flaws like this, you’ll also get the same instance from the article I mentioned where the company will at the very least check up on the breaches instead of opting for the heavy-handed way.

        • It’s a moral judgement, nothing more. Black hat or white hat, they are both grey areas as to whether they are legal or not. As they usually exploit flaws in the system rather than create new ones, the act itself can be taken either way. That’s your moral choice.

          Where they differ is what you do with the result. Do you tell them they have a problem, or take what you’ve found out and steal the information? And that’s the key part – do they do the right thing or wrong thing once they have access.

          You pass a house in your street with an open door, which is unusual for the house. You go inside. Is that illegal? What if you find the occupant unconscious on the ground? If you leave them there and take stuff, it’s theft. If you call an ambulance, you’re a good samaritan.

          And it’s that difference that’s being judged. Kid finds a flaw, which is a problem of the system, and does the right thing. Instead of being thanked, he’s accused of theft. That only discourages people from doing the right thing, making it that little more likely that next time it will be someone with bad intentions.

  4. It’s the fact he reported the vulnerability that really matters in my opinion. People like that should be encouraged and are potentially misunderstood.

    To me a good analogy for this is when you see brake lights not working on a car in front of you and you notify the driver at the next set of lights.

    The problem is that there is no repercussion or penalty for this and similar companies. If they agree to hold private third-party information, they should have a legal obligation to provide a level of security that is acceptable. Instead, they have been caught with pants down and decided to bully a teenager for their own shortcomings.

    To take my analogy further, imagine if the driver of the car with no brake lights reports you to police for pointing out the problem. Right?

    • Sorry?

      It’s the equivalent of breaking into someone’s car then phoning them to say you are in their car, but it’s okay because you’ve found the brake pedal doesn’t work and that might be very unsafe!

      Sure, it’s great to have the warning. It may also have saved lives. But you did break in, first, and then had to have tried to use the brakes, to find that out. :)

      Now, if the door was unlocked… then one might argue the owner should have been more careful.

      • Not quite…

        It’s the equivalent of walking around the person’s wall in a home and noticing that while the wall as a whole is a sound structure you notice a build up of cracks that can form a hole you can use to gain entry. At which point you poke a small hole to look in to test your theory.

        At which point you go to the homeowner and let them know there’s a huge hole waiting to happen.

        Or in the case of your example, the White Hat isn’t breaking into the car to check the brakes, so to speak. The White Hat is just canvassing the car and checking for broken/faulty windows or handles… and gives them a shake to see if he can get in.

        Again… it’s the intent and perspective that’s different. For a white hat, what you’re doing is looking if that “wall” can be broken. You’re not after what’s behind the wall; it’s the wall *itself* that is your target. A secure wall is a good wall as far as a White Hat is concerned.

        The White Hat *doesn’t* need to go in and access the information or go in. He just wants to see what cracks are on the wall that *will* let him in.

  5. Ok so to weigh into this, the first analogy of the white hat hacker is far more correct than the second of breaking into a car. If the car’s window was down or door open then yes, good analogy.

    Also when the Internet and security were new to the world back in the 80’s and early 90’s and guys did hack, the ethical ones would leave a bit saying your doors and windows are open, and more often were employed as a security expert. As more and more things are on the computer and accessed via networks of all sorts including the Internet, the original white hat and black hat have gone and now you are either a security expert, whether you’re good or not, as long as you have the work experience and piece of paper that says you’re qualified (today’s socially accepted white hat), and all others are black hat.

    This kid deserves to be mentored and encouraged to get into this high demand of IT and his skills fostered and grown, not charged and treated like this.

  6. My dealings with Queensland: you don’t go to the media.

    When you go to the media you’re advertising government vulnerabilities to the general public and anyone else wanting to attack state government. The government’s embarrassed and everyone wanting to attack the government has a cheat sheet.

    If you find something wrong. WRITE TO THE RELEVANT Gov DEPARTMENT with your FULL contact details

    • It was said in the article he went to the media and Fairfax held off publication until PTV had time to react

  7. This KID, has previously DOX’d people, and it’s alleged was also involved with similar, less ‘white hat’ dealings in the past, might be best to not put him up as a shining light of happy kid hacker just trying to learn and be good…

    Having said that, PTV’s response is wrong; they will probably find themselves the target of some rather successful attacks in the not too distant future.

  8. PTV’s incompetence in IT matters is nothing new. Several years ago, I wrote to PTV informing them that their http://www.metlinkmelbourne.com.au website momentarily displayed a SQL statement when users submitted a search for timetables. I made no attempt to specially craft a form submission to see whether or not this could be exploited, and I have no idea whether they sanitized user input. At the time they seemed to be using PHP and it was probably a lazy programmer echo()-ing the query string during development. If I recall correctly, it took them two weeks to respond to my letter and a month to fix it.
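The defect described in this comment (a development-time echo that copies the SQL statement into the page, combined with user input concatenated into that statement) is illustrated below in Python with sqlite3, as an added example. It is not the commenter’s code, nor anything from the Metlink site; the stop names are constructed sample data, and the function names and the JSON response shape are assumptions. The leaky handler shows what a visitor would see, the hardened handler binds the search term as a parameter and keeps the query out of the response, and `leaks_sql` is the kind of cheap response check a test suite can run so a debug echo cannot slip back into production unnoticed.

```python
import json
import re
import sqlite3


def make_db():
    """Constructed in-memory stop table; sample rows, not any real timetable schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stops (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO stops (name) VALUES (?)",
        [("Flinders Street",), ("Richmond",), ("Southern Cross",)],
    )
    return conn


def search_leaky(conn, term):
    """Hypothetical 'before' pattern: the query is assembled by string
    concatenation and a leftover debug echo copies the SQL text into the
    response, so every visitor sees the statement (and, when the statement
    is malformed, the database error text as well)."""
    sql = "SELECT name FROM stops WHERE name LIKE '%" + term + "%'"
    try:
        rows = [row[0] for row in conn.execute(sql)]
        return {"debug": sql, "results": rows}
    except sqlite3.Error as exc:
        # An ordinary search term containing an apostrophe is enough to
        # break the concatenated statement and leak the error message.
        return {"debug": sql, "error": str(exc), "results": []}


def search_fixed(conn, term):
    """Hardened form: the user's term is bound as a parameter, LIKE wildcards
    inside it are escaped so they match literally, and nothing about the
    query or the database is copied into the response."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = "%" + escaped + "%"
    rows = [
        row[0]
        for row in conn.execute(
            "SELECT name FROM stops WHERE name LIKE ? ESCAPE '\\'", (pattern,)
        )
    ]
    return {"results": rows}


def render(response):
    """Stand-in for the HTTP response body: the search result serialised as JSON."""
    return json.dumps(response)


# Rough signature of an SQL statement appearing in page output.
SQL_LEAK = re.compile(
    r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*?\b(FROM|INTO|SET|WHERE)\b", re.IGNORECASE
)


def leaks_sql(body):
    """Does a response body contain what looks like an SQL statement?
    Suitable as a regression test or as a check in a response-scanning proxy."""
    return SQL_LEAK.search(body) is not None


if __name__ == "__main__":
    db = make_db()
    for term in ("mond", "O'Brien"):
        for handler in (search_leaky, search_fixed):
            body = render(handler(db, term))
            print(f"{handler.__name__}({term!r}) -> leaks SQL: {leaks_sql(body)}")
```

Running the block shows the leaky handler exposing its statement on every request and, for the apostrophe term, the database error as well, while the hardened handler returns only results. The wildcard escaping in `search_fixed` is the detail most often missed when moving to parameters: without it a search for `%` still matches every row even though the query is no longer injectable.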

  9. Whilst I agree the company should ask the police to go easy, I can understand them being called.

    If someone phoned in saying they had hacked in to X and could access all personal details you had on people, would you say thanks, pat him on the back, and ignore it?

    The person STILL has access to all that data potentially and it doesn’t guarantee that nothing bad will happen with it, he could be expecting more than a pat on the back and then sell the data to reward himself etc…

  10. Let’s get real here. There is no channel for users to report a vulnerability. This is what all governments are missing – a system to report vulnerabilities. @Malcolm Turnbull – can we all work together?

Comments are closed.