Australian teen accepts police caution to avoid hacking charge

Jeremy Kirk
8 July, 2014
View more articles fromthe author
AAA
News

australia, hacking, teen, charged, macworld australiaAn Australian teenager has accepted a caution from police rather than face hacking charges for discovering a vulnerability in the website of one of the country’s public transport authorities late last year.

Joshua Rogers of Melbourne accepted the caution, he told IDG News Service via email yesterday. He will not face charges, and the caution – an acknowledgement that he broke the law – will be expunged from his record in five years if he does not commit the same offense in that period.

Rogers’ hacking case illustrates the fine line that computer security researchers tread when hunting for software vulnerabilities on public websites.

Large technology companies such as Google and Facebook encourage security researchers to probe their sites and pay rewards for supplying security information. The rewards are paid on the condition that researchers do not share the information publicly until the problem has been fixed.

But without that kind of blessing, hacking activities that may be research could easily be considered malicious and violate computer crime laws.

Joshua Rogers, hacking, charge

Joshua Rogers

Rogers found a SQL injection vulnerability on the website of Public Transport Victoria (PTV), which runs the state’s transport system. The type of vulnerability affects databases that do not filter certain kinds of input correctly.

Rogers found he gained access to some 600,000 records, including partial credit card numbers, addresses, emails, passwords, birth dates, phone numbers and senior citizen card numbers. He maintained he downloaded two or three records from the database as part of his research, then deleted the data.

He notified PTV of his findings via email on 26 December, a public holiday in Australia, copying 13 employees of the agency on the correspondence. After not receiving a response, he contacted Fairfax Media. Its Melbourne paper, The Age, covered the story.

At the time, PTV decline to comment and said the incident was under investigation. Then in May, between six and eight police officers came to Rogers’ residence and seized various electronic equipment, including USB sticks, his Samsung phone, a laptop and a server, Rogers wrote on his blog.

Rogers was interviewed at a police station the same day and told he may have violated a computer crime law that prohibits “unauthorized access, modification or impairment with intent to commit a serious offense.”

According to Australia’s Cybercrime Act of 2001, the offense is punishable by between five years and life in prison. On 2 July, police gave Rogers the option of admitting he broke the law by signing the caution.

“The other option was to go through the whole process of being charged, and then going to court,” he wrote via email. “It’s not like I could have said ‘I didn’t do it!’, after all.”

3 Comments

3 people were compelled to have their say. We encourage you to do the same..

  1. Tony says:

    I would have thought that it would be difficult to prove in a law court, beyond reasonable doubt, that he did any of those things “with intent to commit a serious offence” as that appears to be what the law prohibits. But then I am not a lawyer.

  2. Tom Cable says:

    We’ll, this type of response by the PTV or Victorian Government helps,to explain why the state and federal governments of Australia have such woeful, insecure IT systems. Let’s see, how are out stage governments doing with IT?

    - Queenslamd Payroll System debacle
    - Myki (how I hate thee let me count the ways)
    - Ultranet (dead on arrival)
    - VIC Police LEAP and attempted successor LINK
    - NT’s megafail AMP project
    - NSW ServiceFirst and BusinessLink systems

    And we could go on and on. Essentially, what we have found is that every IT project undertaken by the government is going to go either completely off the rails and fail outright – or we will all wish that it had.

    So, of course finding a very basic security flaw such as a SQL injection vulnerability results in a law intended for actions with an criminal intent (that’s the “…with intent to commit a serious offence” clause of the law, which should not apply in this case) – rather than a “thank you for letting us know so we can apply basic security measures on our website so our customers don’t end up the victims of identity theft and have their financial lives ruined.”

    Australia will always have third world government IT systems unless this additive changes and people who know what they are doing are put in charge of IT projects and systems.

  3. Ken says:

    He should be getting a reward for giving them the sqli info to fix.

    He could have sold that and kept quiet.

    Stupid laws for security researchers trying to help the public.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us