Just Another Security/Programming Blog: PTV; The police, and the aftermath.

Saturday, 5 July 2014


For backstory regarding the PTV story, the following articles should be read:

(Sydney Morning Herald) Schoolboy hacks Public Transport Victoria website - PTV #1
(Wired) Teen Reported to Police After Finding Security Hole in Website - PTV #2
(ABC) Melbourne schoolboy exposes security flaw in Public Transport Victoria's website - PTV #3

This blog entry is more a "diary" of what happened after the story broke.

Originally, I found the bug on the 26th of December, 2013, at around 2AM.
I reported the bug at around 3AM to around 30 company emails.

On the 6th of January, 2014, the original reporter (Adam Carey) was contacted by PTV, and was told that PTV had contacted the police (it was assumed that, if he didn't publish the story, they wouldn't contact the police; but this is unknown).

On the 7th of January, 2014, the story was run in The Age (Fairfax) newspaper.

On Thursday, the 8th of May, 2014, at 8:15AM, 6-8 fully armed police officers showed up at my place of residence (my house). Three of them were e-crime.

A warrant was served to me, and two e-crime officers went into my room and started to catalogue my electronic belongings, and then seal them for evidence.

Two of the other (non e-crime) officers sat me down, and started asking me general questions, such as how I was, etc. I commented to them how I had been warned around a week earlier that a search warrant may have been approved by the court, and would subsequently be executed (I have a contact). They were definitely stunned, but we didn't speak of it other than that.

Whilst talking about general stuff (and filling out forms w/ information like my age, my name, etc.), the third e-crime officer was asking me questions regarding security, such as "How many websites do you think are susceptible to SQL Injection?", and "What sort of encryption do you use?".

I suspect the reason for 3-4 armed police officers being there was in case there were any "incidents", such as either 1. destroying of property (my hard drive), or 2. if I were to try to run away (lolwut); nothing happened, though.

Halfway through this, I decided the best thing I could do was 'give up' my encryption keys. I let the third e-crime officer (the one that was talking to me) know that he could just ask for the encryption code, because he could have it.

If I had "anything to hide" (it hurts me to type this), I would have securely deleted it after I had the heads-up, no? That being said, I didn't.

They could have just gotten a court order for it, anyway.

(Also, my laptop, which uses DDR2 RAM, was on at the time, so they could have used a Cold Boot Attack, or some other side-channel attack.)

After they had finished taking my stuff, a total of 10 items were taken.

1. My Laptop
2. My Home-Server
3. 1 USB Stick
4. 1 USB Stick
5. 1 USB Stick
6. An SD-Card
7. My Samsung Phone
8. A "Phablet" (which had only been used once.)
9. An Old Laptop (that didn't have a hard drive in it)
10. A Hard drive (from that old laptop)

Interestingly, they missed a few things. I later found another SD card, another USB, and an old-old-old phone (from 2006), all on my desk. Luckily I found that USB, because it meant that I could continue to watch movies on my television.

The thing I'm most 'annoyed' at is the fact they took my phone. How else am I going to talk to hot grills? (ayy Lara (non-aus body #1))

After the search warrant was conducted, I was "officially" arrested. I wasn't charged with anything, though.

Due to the circumstances, I wasn't taken in the back of a police car. I was told just to make my own way to the police station within the next 15 minutes through my own means (driving).

When I made it to the police station, I was put in an interview room, and was read the charge that they suspected I had broken.

The charge was "Unauthorised Access, Modification, or Impairment with Intent to Commit a Serious Offence", which apparently features a minimum of 5 years imprisonment? (What?)

They ran through the normal questions as to what happened, my side of the story etc., in a recorded interview, with 2 police officers. Interestingly (and unsurprisingly, I guess), they did the good-cop bad-cop routine.

The interview took around 2 hours in total, and after it was done, I was free to go.

On the 2nd of July an "offer" was made, where I could sign a document that I acknowledged that I had broken the law, and get an official police caution.
I ended up taking it.

It doesn't get added to my record, but if I break the law in the same way, in the future, it will be re-added on (for 5 years, then it's completely deleted).

So, I guess the moral of the story is: Don't exploit any vulnerabilities you find without permission; whether you're doing the "right thing" or not?
