[AusNOG] Hacked site reports boy to police | theage.com.au

Peter Tiggerdine ptiggerdine at gmail.com
Thu Jan 9 13:29:46 EST 2014


Isn't this the role of govCERT for .gov.au and AusCERT for the private
sector in .au?

Ideally, domain owners should keep their whois details correct and up to date
so abuse@ actually goes to someone with a clue.

On 09/01/2014 12:25 PM, "Patrick Webster" <patrick at aushack.com> wrote:

> I like the idea in principle.
>
> I didn't attend the 2011 Ruxcon but I was told the AFP's Alex Tilley
> suggested to the room that, in situations such as the FSS incident, the
> discoverer contact and disclose the bug to them and they will notify the
> vendor.
>
> While nice in theory, I have a few issues with this. I won't go into their
> lack of resources or why they shouldn't be told about 3rd party remote
> exploits etc, but I will say this one thing:
>
> Police are a paramilitary force with the primary function of arresting,
> charging and bringing people before the Court.
>
> So with that in mind, my advice is to only speak to police when you want
> somebody arrested and charged.
>
> I certainly wouldn't touch them with a 6 foot pole about an SQL injection
> in a VIC transport website (unless it was their own afp.gov.au site which
> is a different story).
>  On 9 Jan 2014 10:41, "Jake Anderson" <yahoo at vapourforge.com> wrote:
>
>>  Given that one of the jobs of the police is to prevent crime, could AFP
>> perhaps set up a vuln reporting doohickey?
>> crimestoppers for the interweb?
>>
>> heh I wonder how that would go, reporting a vuln to crimestoppers, much
>> as you would report an open door to a closed bank to the police why should
>> you not do the same thing when online?
>>
>> It might be less work for them than trying to prosecute 15 year olds who
>> have access to hacking tools like Google.
>> That and getting a call/letter from the AFP or visit from a uniformed
>> officer reporting a vuln may well light a fire under the party in terms of
>> getting something done about it.
>>
>> On 09/01/14 06:01, thelionroars wrote:
>>
>>
>>  On 8 January 2014 23:30, Patrick Webster <patrick at aushack.com> wrote:
>>
>>> It is time law enforcement caught up with the Australian community
>>> acceptable standards.
>>>
>>
>>  Agreed. Actually, maybe the Federal Government should be looking at
>> legislating to ensure protection of people who try to inform organisations
>> of these vulnerabilities. They should consider legislating mandatory
>> disclosure of information security breaches while they are at it.
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog