my sincere apology to Mr Rohit Srivastavaa


4g3n7 1337

Aug 30, 2012, 12:12:56 PM
to null-co-in
Well guys, I am 4g3n71337. I found an XSS bug in >> www.chmag.in website, date 3.3.2012, and Mr Rohit Srivastwa registered a case against me. After 6 months Pune cyber police knocked on my door; they caught me, and I am really sorry. I will not repeat this again with your company + anyone.. I got a call from the cyber cell.

I am again sorry, Mr Rohit Srivastwa. I will not repeat this again, for sure..

This is my 1st and last mistake. I will not do this type of activity in my life.

Please give me a last chance, and dear Rohit sir, please save my career.

And a message to all teenagers: please use your hacking skillz for a better purpose.
Don't misuse it, because today or maybe tomorrow your door will be knocked on by police.

"Every day Pune cyber cell calls me, people call me"


Doing this type of hacking activity may destroy your career, so please guys, take it seriously.

Again, dear Rohit sir, please give me a last chance.

Please withdraw the case against me.

Thank you for your support.

prince sameer

Aug 30, 2012, 12:30:04 PM
to null-...@googlegroups.com
You found XSS and reported it to Rohit? Or just exploited it? #justasking
-----------------------------------------------------------
Regards,

Syed Sameer Ahmed
9986007826 

--
Get ready for the Dilli Shakedown!
nullcon security conference Delhi Sept 26-29th 2012
http://nullcon.net
 
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
 
 

prajwal panchmahalkar

Aug 30, 2012, 12:36:13 PM
to null-...@googlegroups.com
If this was supposedly an apology to Mr. Rohit Srivastwa, why does it come to the null mailing list? It could have been a personal mail to him.

--
==================
Prajwal Panchmahalkar
==================
       C|EH, AFCEH  
     
--------------------------------------
Research Assistant - Cyber Security Critical Infrastructure,
Graduate Student, Texas Tech University

Anant Shrivastava

Aug 30, 2012, 12:48:15 PM
to null-...@googlegroups.com
If I remember correctly, the disclosure was also a mail to the null group; that could be the reason why this mail came here.

-Anant

For everyone's reference, the initial mail from March is here.


---------- Forwarded message ----------
From: 4g3n7 1337 <4g3n...@gmail.com>
Date: Sat, Mar 3, 2012 at 1:53 AM
Subject: [null] CHMAG xss vulnerability "club_hack_magazine"
To: null-co-in <null-...@googlegroups.com>


hello ppl

MSG to club hack team


Guys, you people are security guys.
Why do you leave such bugs in your sites?
It's really embarrassing.

XSS? Really bad.



http://chmag.in/search/node/%22%20onload%3Dalert%28%22%E0%A4%95%E0%A4%BF%E0%A4%B8_%E0%A4%AC%E0%A4%BE%E0%A4%A4_%E0%A4%95%E0%A5%87_%E0%A4%B9%E0%A5%88%E0%A4%95%E0%A4%B0_%E0%A4%B9%E0%A5%8B_%E0%A4%B9%E0%A4%AE_%E0%A4%86%E0%A4%AA_%E0%A4%95%E0%A5%8B_%E0%A4%9C%E0%A4%B2%E0%A5%8D%E0%A4%A6%E0%A5%80_%E0%A4%B9%E0%A5%88%E0%A4%95_%E0%A4%95%E0%A4%B0%E0%A5%87%E0%A4%82%E0%A4%97%E0%A5%87_4g3n71337_was_here%22%29%20bad%3D%22

And that message which pops up is just for fun :)

Rohit Srivastava official website

 www.rohit11.com 

The website is also vulnerable; we are pen-testing it... :)

usr/local/lib/php:/usr/local/php5/lib/pear')

 server path >>> /home/rohit11/rohit11.com/

 www.rohit11.com


As I said, work is going on on that site :)

 
WE ARE TIGERS-OF-INDIAN-CYBER (TIC-GROUP)
WE WORK UNDERGROUND
WE ARE MAD ABOUT HACKING AND PEN-TESTING

credit goes to my team members


4g3n...@gmail.com

 


--
Get ready to Goa - nullcon Security Conference

http://nullcon.net
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
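The disclosed URL in the forwarded mail is a reflected XSS in the search path: the search term is reflected into an HTML attribute, and the term closes that attribute with a quote and injects an event handler. As an added example (not code from the original thread or from chmag's site), assuming a constructed `/search/node/<term>` reflection and constructed access-log lines, this shows the defect beside the attribute-context encoding that fixes it, checked with Python's own HTML parser, plus the log check a site owner could run to spot such requests.

```python
import re
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample path with the same shape as the disclosed URL: the search
# term closes the surrounding attribute with a quote and injects an event
# handler. The original message text is replaced by a placeholder.
SAMPLE_PATH = "/search/node/%22%20onload%3Dalert%28%22placeholder_was_here%22%29%20bad%3D%22"

# Constructed access-log lines (Combined Log Format style, assumed).
LOG_LINES = [
    '203.0.113.7 - - [03/Mar/2012:01:50:12 +0530] "GET /search/node/club%20hack HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Mar/2012:01:52:41 +0530] "GET ' + SAMPLE_PATH + ' HTTP/1.1" 200 5190',
]


def search_term_from_path(path: str) -> str:
    """Return the percent-decoded search term from a /search/node/<term> path."""
    prefix = "/search/node/"
    if not path.startswith(prefix):
        raise ValueError("not a search path")
    return unquote(path[len(prefix):])


def render_unsafe(term: str) -> str:
    """The defect: reflect the term into an attribute value with no encoding."""
    return f'<input name="keys" value="{term}">'


def render_safe(term: str) -> str:
    """The fix: attribute-context encoding; a quote in the term becomes &quot;
    and can no longer terminate the attribute."""
    return f'<input name="keys" value="{html.escape(term, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser-side parser would see on the <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(markup: str) -> dict:
    """Parse rendered markup and return the <input> element's attributes."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


# Defender's log check: a quote followed by an on*= handler in the decoded
# request path is the signature of an attribute-breakout attempt.
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
_BREAKOUT = re.compile(r'["\']\s*on[a-z]+\s*=', re.IGNORECASE)


def suspicious_requests(lines) -> list:
    """Return request paths whose decoded form contains an attribute breakout."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if m and _BREAKOUT.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    term = search_term_from_path(SAMPLE_PATH)
    print("unsafe attrs:", parsed_attrs(render_unsafe(term)))   # includes 'onload'
    print("safe attrs:  ", parsed_attrs(render_safe(term)))     # only name and value
    print("flagged:", suspicious_requests(LOG_LINES))
```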

Rohit Srivastwa

Aug 30, 2012, 12:54:22 PM
to null-...@googlegroups.com, 4g3n7 1337
Kunal, it's not about finding a bug, it's all about irresponsible behavior.
It's not about the chmag site, it's about the other automated tools you ran on my other sites too.
Technically, that falls under the category "attempt to attack" under section 66A of the Indian IT Act.

People of your age/maturity level take things very lightly and do not understand the seriousness of the matter.
I don't have any intention to spoil your career, but this is an indication to everyone that your silly mistakes can actually land you in jail for nothing less than 3 years. You are just a first year graduation student and have the whole life in front of you.

Today I may go ahead and take back the police case, but I'm very sure any corporate will never ever do so if anyone even scans their website for vulnerabilities and the corporate takes action.

A request to all members of this mailing list and every such community:

Please use your skills carefully without crossing the border line; we all know how thin the difference between right & wrong is in this domain.
Just be careful.


Rohit Srivastwa
*2011-ROHIT11

YOGESH JAYGADKAR

Aug 30, 2012, 12:57:49 PM
to null-...@googlegroups.com
You found XSS, then what did you do??? Did you report it, or have you done anything wrong with it? ... Whatever ... it's all bullshit .... not that big a thing you did .. to get arrested .. & why apologize here?
--
Thanks & Regards
Yogesh D Jaygadkar.
9029102549


Dinesh O, Bareja

Aug 30, 2012, 1:00:39 PM
to null-...@googlegroups.com, ant2...@gmail.com

It is good that this is in the public domain and is an indicator of how easy it is to mess up your life. Hope the group members will get some learning about the danger of irresponsibility, even if it is for fun. The main thing is to be responsible and stay within the law .... don't mess with your white hat !!

-Dinesh


Sent from Yahoo! Mail on Android




webDEViL

Aug 30, 2012, 1:54:10 PM
to null-...@googlegroups.com
Sorry to hear about that Kunal!

It doesn't make sense to me to register a case for someone who is just doing something out of curiosity or negligence or even if he is just trying to gain some silly cred over you.
I deem it abuse of power! This is much like the other corporates out there who tend to sue you over finding a vulnerability or disclosing something very puny in nature.

If I were to tell you that some government-sponsored attack took place on my emails, just to figure out who I was, what law does that come under?
Regards,
webDEViL


Abhishek Lyall

Aug 30, 2012, 2:09:57 PM
to null-...@googlegroups.com
Why such a hype for just an XSS attack, and filing a legal case against kids? It's kiddish. Better secure yourself when you know a bug exists.

prince sameer

Aug 30, 2012, 2:09:40 PM
to null-...@googlegroups.com

Webdevil - Hats off to you Sir. #RESPECT.

If white hats are not supported by white hats, leave the site to black hats; they will do the talking. Remember the saying "You cannot be helped unless you want to help yourself".

It would be good if the case is withdrawn and he is given a chance. Secondly, it would reduce a person's chances of advancing in a career as a pentester or security analyst. Travelling to other countries would also be affected, because any kind of criminal case would be taken into account during visa filing.

My thoughts. The decision lies with Mr. Srivastava.

Regards

TAS

Aug 30, 2012, 2:58:58 PM
to null-...@googlegroups.com
Webdevil, if you read his rant and Rohit's email, he and his folks ran a whole bunch of tools on his websites. Which I can to some extent believe to be just out of curiosity, certainly not negligence. They probably got carried away. Which is a legal offense.

Running a scanner does not make you whitehat or blackhat! It means no hat.

TAS

webDEViL

Aug 30, 2012, 3:33:09 PM
to null-...@googlegroups.com
I wasn't being specific to him. That's why the "or's" in the email. And I understand what a legal offense is, but I just don't expect people aware of security and hacking to be using their defenses against such incidents.

Great men are meteors that burn so that the earth may be lighted.

Aug 30, 2012, 3:36:26 PM
to null-...@googlegroups.com
totally agree with webdevil
Regards


Akash

Aug 30, 2012, 3:46:54 PM
to null-...@googlegroups.com
This debate is endless and everyone is entitled to their opinion. At null we are very clear that abiding by the law of the land is paramount. 

Apart from the non-technical aspects of this, I guess the big lesson is that anyone who wants to learn "hacking" at the expense of others, without permission, shouldn't brag about it in a public forum using their gmail email address. That doesn't help your case at all.

I am sure Kunal will get past this and be a better, more responsible security pro after this incident. All the best to you Kunal. 

Mods I think we should stop this thread before it becomes like the floor of the parliament. 
Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy 


Sudhanwa Jogalekar

Aug 30, 2012, 3:51:00 PM
to null-...@googlegroups.com
On Thu, Aug 30, 2012 at 11:24 PM, webDEViL <w3bd...@gmail.com> wrote:
Sorry to hear about that Kunal!

It doesn't make sense to me to register a case for someone who is just doing something out of curiosity or negligence or even if he is just trying to gain some silly cred over you.
I deem it abuse of power! This is much like the other corporates out there who tend to sue you over finding a vulnerability or disclosing something very puny in nature.

From any of the server logs or any other evidence, the objective of the activity cannot be found. As such, it can be done only after a formal complaint is launched, and then the investigations reveal the objectives.

I know Rohit for some years now and I don't think he will file a case for some script kiddie kind of activity. In the current case, either he is really frustrated or there is something serious he has noticed.

 

If I were to tell you that some government sponsored attack took place on my emails. Just to figure out who I was, what law does that come under?

If it is an official activity for some legal investigations, law enforcement authorities have the rights to do that. If not, they are breaking the law.

It is usually said that if someone wants to break the rules, he/she must know the rules properly.
Not knowing the rules does not make you innocent. You still have to face the consequences, legal or otherwise.

If you have the power to use some tools, use that power cautiously and responsibly.

Regards
-Sudhanwa
PS: Not sure why the name of the OP was disclosed in the mail thread.



~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!
web: www.sudhanwa.com  blog: www.sudhanwa.in
Twitter: sudhanwa Check on FB, Linkedin for more.

webDEViL

Aug 30, 2012, 4:42:43 PM
to null-...@googlegroups.com
On Fri, Aug 31, 2012 at 1:21 AM, Sudhanwa Jogalekar <sudhan...@gmail.com> wrote:
On Thu, Aug 30, 2012 at 11:24 PM, webDEViL <w3bd...@gmail.com> wrote:
Sorry to hear about that Kunal!

It doesn't make sense to me to register a case for someone who is just doing something out of curiosity or negligence or even if he is just trying to gain some silly cred over you.
I deem it abuse of power! This is much like the other corporates out there who tend to sue you over finding a vulnerability or disclosing something very puny in nature.

From any of the server logs or any other evidences, the objective of the activity can not be found. As such, it can be done only after a formal complaint is launched and then the investigations reveal the objectives.

Just wondering, do you mean interrogation reveals the real objective?


I know Rohit for some years now and I don't think he will file a case for some script kiddie kind of activity. In the current case, either he is really frustrated or there is something serious he has noticed.

Would be interesting to know that.
 

 

If I were to tell you that some government sponsored attack took place on my emails. Just to figure out who I was, what law does that come under?

If it is an official activity for some legal investigations, law enforcement authorities have the rights to do that. If not, they are breaking the law.

So, where's my warrant then? Or is it that they deem everyone a terrorist they spy on, requiring no legal stance.
 

It is usually said that if someone wants to break the rules, he/she must know the rules properly.
Not knowing the rules does not make you innocent. You still have to face the consequences- legal or otherwise.

Typical reply. And I thought hacking was more than that.
 

If you have the power to use some tools, use that power cautiously and responsibly.

Regards
-Sudhanwa
ps. Not sure why the name of OP was disclosed in the mail thread.

It was disclosed earlier when he posted the information initially.
 




simran

Aug 30, 2012, 8:44:33 PM
to null-...@googlegroups.com
I'm not sure it was the best course of action for Kunal to be sending his plea to the whole list, but it is possible that he aired his grievance in a public forum because he was getting no responses privately. Initially I had thought it was spam or a joke, but RS weighing in with his comment seems to have validated that it's a real case!

It is disappointing to see a litigious approach by someone who is prominent in the security community. I strongly suspect it's an ego issue, and many of the heavyweights on this list / in the industry will not speak their mind as they risk their friendship / community / partnership backlash. IMHO, it's egos that were hurt - chmag having a vulnerability exposed against it does not look good for the mag/clubhack community, and I can suspect many a question was asked about this when chmag is shopped around to get sponsors and at other such meetings - this obviously causes embarrassment to the founder / management team.

I agree that the disclosure was not responsible, but it appears that the response of the litigious approach is even more irresponsible! Perhaps a sit-down and a good talk with the kid (rather than sending police around) would have been a more mature thing to first attempt (perhaps it was - and if it was, the floor is indeed still open (this thread has not yet been killed! :) for the initiator of the legal/police path to come forth and explain his chosen path). Excuses such as [corporates would never let you get away with it, they would take your firstborn, second born and third born, I am a very nice guy and may not pursue this issue] are truly the pot calling the kettle black! After sending police around to a kid's house (most likely without making any serious attempt to help the kid), the litigator is trying to appear the "nice guy" - seriously! I mean come on!

utsav mittal

Aug 30, 2012, 10:34:36 PM
to null-...@googlegroups.com
At the least, police should not be sent to the kid's house; a simple warning/call from a police officer would have been enough. Sending police would have really given him a bad name.

According to the IT Act as well, the kid didn't have any intention to harm, and there was no monetary loss that can be proved; he just made an irresponsible disclosure of a vulnerability, which is basically not a crime.

But on the other hand some precedent like this was needed, so as to make the irresponsible people aware about the law.

-Sent from my iPhone

simran

Aug 30, 2012, 11:26:33 PM
to null-...@googlegroups.com
On Fri, Aug 31, 2012 at 12:34 PM, utsav mittal <utsav...@gmail.com> wrote:

But on the other hand some precedent like this was needed, so as to make the irresponsible people aware about the law.


Surely that line is said in jest! That's like giving someone capital punishment because they illegally parked! Sure, a precedent needs to be set so that people don't illegally park - but is capital punishment the appropriately measured response?

I for one will be unsubscribing from anything chmag / clubhack, until, that is, perhaps "full disclosure" is given by Rohit on the situation and his actions are either justified, or an apology for his heavy-handedness / abuse of privilege and power is publicly made.

(as an aside, i think this thread is relevant (even if it has the potential to go astray) to this list as actions like those of RS kill the industry this list is all about and sully the reputation of all in it) 

[insert "derryn hinch catchphrase" here]

Karthik Rangarajan

Aug 31, 2012, 1:00:11 AM
to null-...@googlegroups.com
This is my second "responsible/full/no disclosure" thread of the day, and that argument will never get settled.

Almost everyone has raised valid points here. I am not a lawyer, and neither am I fully aware of the laws relating to Internet crime in India, but from the looks of this, the OP got carried away and publicly disclosed a vulnerability. Yes, he could have handled it better, and yes, he could have been more mature about it. It is possible that he was motivated by the million other "hackers" that are posting public vulnerability information on other websites all over pastebin, or the Internet in general. Maybe he thought he would score major points by posting security vulnerabilities about a security website. Whatever it was, it did not warrant going to the police, or the police knocking on his door, or him being scared enough to send a public plea. Again, I am not fully aware of the situation here - maybe Rohit contacted the OP and requested that he remove the information, or redact it in some way, and the OP was not compliant with it, or was arrogant about it. Or maybe that never happened at all - I cannot say. However, an act like this sets a precedent for other big corporations to do the exact same thing. What if I was a security researcher who contacted a major company and said that there was a security vulnerability in the product, and I was ignored? What if I took all the necessary steps in responsible disclosure, yet got no response? And what if then I posted to Full Disclosure/Null/other security groups about what I found, because I thought it was important, and more importantly, others with more malicious intent would find it? The corporation could now just call the police, get them to come to my house, and intimidate me.

In fact, this reminds me of the episodes that Kevin Mitnick had to go through in the 80s/90s because people were ignorant about security, and thought he could hum nuclear codes into the phone, and it would work. Obviously, it's not at the same scale - but it easily could be!

We, as security professionals, should be the one educating others on what security is, and why it is important. We shouldn't be the one filing police cases for a simple vulnerability a random scanner found. That is not how security research should be treated, at any level. You can say this had to do with ego issues, power trip, whatever you want to call it - but if the person who runs a security group/magazine is going to take action such as this, where is the incentive for others to encourage security research? Whatever the case was here, it should have been handled privately.

Many of you might call this "Well, they are teaching a lesson to these kids who are just running scanners and wreaking havoc." Really? No, that is not the case. This might be a harsh lesson for the OP who might forever be discouraged from doing any security research because of this experience. It will only make the other kids that are already doing this more incensed and cause them to do more harm.

Whether you are a security person or not, there is one thing you must remember - if someone found a flaw and disclosed it, there is a VERY HIGH chance that somebody else found it, and is using it maliciously. This applies to all companies of all sizes; it doesn't matter. I see pastebins every day that say "1000 Indian Websites hacked!". Going to the police is NOT GOING to fix them. Being smart and going to the root of the problem, analyzing it, and fixing it does.

All that said, I sincerely hope that Rohit takes the case back, and the OP will not forever be traumatized and discouraged from security research.

Apologies for the long-winded answer; there were just certain things that needed to be said.
Karthik Rangarajan
MS, Information Security

InfoSec Daily Podcast: http://www.isdpodcast.com
Twitter: @krangarajan

Akash

Aug 31, 2012, 1:08:22 AM
to null-...@googlegroups.com
Hi Simran,

If a website is under attack, it is fairly difficult to gauge from the logs if it is a teenager with a tool or something more sinister. From his original post it seemed like a hacker gang with its own name and that awful language "underground" hackers speak in.

At the same time if someone is taunting the site owner on a public mailing list, not doing anything about it doesn't give assurance either. In any case if your site is under attack there is a cost attached to monitoring the site, fixing the issues while dealing with people like me and you, who at best are mere spectators to the drama playing around. 

I think it is an unfair assessment you make that people are scared/supportive/anything of Rohit and will not give their opinion. This is not simply about Rohit being some magnanimous soul and the poor script kiddie who dared to attack him. It is simply a case where a person who wasn't very smart about this, bragged about it and got caught. Reading anything more into this whilst not being a party to it is a very subjective way to look at it. Just because Rohit is a public figure doesn't automatically mean that he has to be forgiving.

As a consultant/CTO, I am sure if your web properties are under attack you would do what you think is the best in the scenario. 

We faced the same thing at null last year when we had to move out of a shared hosting (which wasn't very secure) to a more expensive host because there was a threat of defacement. We have had to spend good money doing that, and also 4-5 of us are always constantly monitoring the server. I don't know what business model CHMag has, but I do know that the magazine is a free download. There is a team of people who work hard to bring out the magazine every month, and I am sure there are many volunteers too.

About the police being involved, as a site owner Rohit has every right to do that. Just because he is well known in the community doesn't mean anyone should get a free pass to hack his websites. Also I don't think that once it is a police matter, Rohit would have a say on how exactly the police will investigate. 

Please note that I am not stating a case for or against full disclosure or responsible disclosure. All I am saying is that we don't know the facts of the case and we can't say for sure that it was simply a case of reporting an XSS issue.

In a way it will be hypocritical of us (at least all of us who work on web app sec) to now claim that it was "simply" a harmless XSS issue when most likely that is not how we present it to our clients. Anyone who has done web PT/VA will list XSS as a critical issue.

tl;dr: This case can't be made about not following the law of the land just because you are a hacker. We aren't anarchists, and if that is what someone believes in, they don't need to be part of a mainstream community.

Akash

Aug 31, 2012, 1:15:00 AM
to null-...@googlegroups.com
Hi Karthik,

What you state is your opinion about what should happen. But how do you know that major corporates aren't already filing cases and getting people arrested? Why is there an expectation that people should take a moral high ground and not follow the law of the land?

We as security professionals should also be educating each other about ethics and legal issues around this as well. 

webDEViL

Aug 31, 2012, 1:26:02 AM
to null-...@googlegroups.com
Unfortunately, this is about Rohit being well known in the security community and especially more when ClubHack attracts college grads.
Everyone here understands the fact that no one in legal terms can blame Rohit for what he did. It's just that we don't take the mainstream community as the CISSP study group stressing the Laws and Ethics domain.

Dinesh O, Bareja

Aug 31, 2012, 1:29:55 AM
to null-...@googlegroups.com
Akash - well said. Also, easier said than done (closing the thread I mean) ... 

@nullcon team - let us have an open house debate on the issue of "legal risks when working or playing" 

I did write about this long back in 2008, and in spite of all the education and well-meaning friends, things are not changing... the post may not address this issue completely, but the message is in the context: http://infosecgallery.blogspot.com/2008/01/cyber-criminal-is-getting-younger.html





Karthik Rangarajan

Aug 31, 2012, 1:29:30 AM
to null-...@googlegroups.com
On Fri, Aug 31, 2012 at 1:15 AM, Akash <akashm...@gmail.com> wrote:
Hi Karthik,

What you state is your opinion about what should happen. But how do you know that major corporates aren't already filing cases and getting people arrested. Why is there an expectation that people should take a moral high-ground and not follow the law of the land? 
Yes, it is completely my opinion about what should happen. I am not saying people should take the moral high-ground and not follow the law of the land, and I am not saying that major corporations aren't already doing it. Yes, what the OP did WAS illegal, and against the law. Rohit WAS within his rights to go to the police about it.

I guess what I am trying to say is that there needs to be a line drawn between "this is a kid who is being an idiot" and "our company is facing an imminent threat, we need to get the best IR resources out there, and notify law enforcement". I've been in plenty of situations where I have come across a public disclosure of a vulnerability that was found on the website of either a current/past customer, my own company, or companies where I know other people. If these are minor vulnerabilities like XSS, SQLi, and no sensitive data, or PII has been leaked, then I don't see the necessity of involving law enforcement. Involving IR personnel, maybe. Getting a security assessment, definitely.

We as security professionals should also be educating each other about ethics and legal issues around this as well. 
I agree. That is very important. A lot of kids out there have no idea what the hell they are doing, and are either motivated for the wrong reasons, or just want to be cool. They need to learn that what they are doing is NOT legal, and that there are better ways to use their skills. However, an instance like this will only make them more resistant, and will bring out more strongly the streak of non-conformism and resistance to authority that most of these guys already have.

All I am saying is that the situation could have been handled better, by both parties. We could go on forever about the ethical and legal implications, but we all know that it is a discussion that will never end.

Karthik Rangarajan

Aug 31, 2012, 1:33:31 AM
to null-...@googlegroups.com
On Fri, Aug 31, 2012 at 1:26 AM, webDEViL <w3bd...@gmail.com> wrote:
Unfortunately, this is about Rohit being well known in the security community and especially more when ClubHack attracts college grads.
That is the case, like it or not. There is also an argument that could be made that this instance could be used to set an example of how to deal with such an instance, and how to get the best result out of it. Given the customer base, it would teach everybody a positive lesson, and we wouldn't be having this conversation right now.

That said, it is not an ideal world. Hopefully, it is a good lesson learned not only for the parties involved, but for anyone who is involved/is reading this thread.
Everyone here understands the fact that no one in their legal terms can blame Rohit for what he did. It's just that we don't take the main stream community as the CISSP study group stressing on the Laws and Ethics domain.
I was waiting for the first CISSP reference! It took long enough to appear. :)



--
Regards,

Dinesh O, Bareja

Aug 31, 2012, 1:44:13 AM
to null-...@googlegroups.com
Excuse me .... if breaking into my house amounts to "security research" you better have a second look at your dictionary. 

Running amok on the internet defacing websites and finding holes in my underwear and posting on pastebin is not research - it is anarchy. 

Just because you learned karate does not mean you go around doing a drop kick on everyone (friend, foe, acquaintance or passerby). Imagine a rapist in court - "Your Honour, I was just researching the cause and effect of a MITM in the physical sense with her. It was totally non-destructive, I can assure you."

It is very disturbing to see such intelligent disregard of the law especially on this forum where you guys are riding the cutting edge. 

PS: you are all talking about Kunal - what about his friends ? No one thought of asking how many more are in trouble.

Welcome to the real world my friends, and I hope all our new friends (and old ones) will be taught the provisions of the IT Act and about police action because we all walk that thin line everyday.

.../Dinesh




Karthik Rangarajan

Aug 31, 2012, 2:07:02 AM
to null-...@googlegroups.com
On Fri, Aug 31, 2012 at 1:44 AM, Dinesh O, Bareja <bizs...@yahoo.com> wrote:
Excuse me .... if breaking into my house amounts to "security research" you better have a second look at your dictionary. 
Yes! I was WAITING for someone to bring up this reference.

Breaking into a house and finding a vulnerability in a website are two completely different things. That is why you cannot be booked under "breaking and entering" if you exploit a vulnerability; that is why there is a different law for it. While it might seem like an "oh this is equivalent" argument, it is NOT.

Not that long ago, before web security (or any other security for that matter) came to the forefront and started making big news, there was a different kind of security researcher. These guys did not break websites, they didn't decompile programs, they didn't write exploit code. In fact, they didn't even deal with computers. They were lockpick enthusiasts. They would take the best lock out there, and they would find a way to pick it. And then they would go and report to the company that manufactured the locks that they did it. You know what the company did? They didn't say "Oh, it's not research, this is breaking and entering, you are violating people's privacy, oh the sky is falling". No. They instead said "Oh, that's awesome. Tell us how you did it, and we will make this better". And they did. And then they shipped those locks to these researchers FOR FREE for them to go against.

These were locks. Locks that were used on houses, vaults, banks, whatever. So essentially, yes, they had the ability to break into a house. But they didn't. True security researchers FIND vulnerabilities, and report them. Luigi Auriemma sneezes and finds a new security vulnerability. Should he be locked up? No. Why? Because he is making the world better by working with companies to improve their security.

Running amok on the internet defacing websites and finding holes in my underwear and posting on pastebin is not research - it is anarchy. 
You are confusing security researchers with script kiddies who have too much free time on their hands. I am talking about security research, and the way security research should be approached. Granted, this wasn't really a case of research, but it could have been dealt with that way, thus avoiding drama.

Just because you learned karate does not mean you go around doing a drop kick on everyone (friend, foe, acquaintance or passerby). Imagine a rapist in court - "Your Honour, I was just researching the cause and effect of a MITM in the physical sense with her. It was totally non-destructive, I can assure you."
Um...ok. I don't even know how to respond to this.

It is very disturbing to see such intelligent disregard of the law especially on this forum where you guys are riding the cutting edge. 
Hackers have a general disregard for authority. That's what makes them so good and so "cutting edge". Does that mean we should disregard the law? No. I don't think anyone here said that "Let's all screw law and go into a world of anarchy." This has nothing to do with whether what happened was legal or not. It was clearly illegal. The discussion is about whether the response could have been any different.

PS: you are all talking about Kunal - what about his friends ? No one thought of asking how many more are in trouble.

Welcome to the real world my friends, and I hope all our new friends (and old ones) will be taught the provisions of the IT Act and about police action because we all walk that thin line everyday.
This part is true. Every single security researcher walks a very thin line. It is important to know the law, cover your ass, and more importantly, to not post something on the Internet if it could ever get you into trouble.

Dinesh O, Bareja

Aug 31, 2012, 2:17:05 AM
to null-...@googlegroups.com


I am just too tired trying to

Sent from Yahoo! Mail on Android


From: Karthik Rangarajan <rangaraja...@gmail.com>
Subject: Re: [null] my sincere apology to Mr Rohit Srivastavaa
Sent: Fri, Aug 31, 2012 6:07:02 AM

simran

Aug 31, 2012, 2:18:07 AM
to null-...@googlegroups.com
Well, hello Akash :) I have a lot of respect for your viewpoint because, in my eyes, you have certainly earned it, but my opinion, for whatever it's worth, is interlaced below:

If a website is under attack, it is fairly difficult to gauge from the logs if it is a teenager with a tool or something more sinister. From his original post it seemed like a hacker gang with its own name and that awful language "underground" hackers speak in.


It would have been my expectation that, as an "evangelist" for the security community, someone looking at promoting the community (not just for business), and given his experience, RS might have had wisdom to go along with his experience. Legality and "morality" or the "right thing to do" are not the same thing. It's the "spirit of the law" vs the "letter of the law" - and yes, the letter of the law might state that punishment should be handed out, blah blah... but the spirit of the law is to help mitigate the causes. I'm not sure (without knowing more, I reserve my "final judgement", as RS has not explained his course of actions; not that he has to, but it would be good to have his side) his actions promote any of the values his mag probably seeks to. They do not progress the industry. And yes, given his experience, I would have expected him to examine the issue better himself and know that it was a script kiddie and not an army of malicious hackers! After all, don't the police come to people like him to actually trace people down! Ignorance of who it was [in this case] is unfortunately a lame excuse for the heavy-handed approach.

At the same time if someone is taunting the site owner on a public mailing list, not doing anything about it doesn't give assurance either. In any case if your site is under attack there is a cost attached to monitoring the site, fixing the issues while dealing with people like me and you, who at best are mere spectators to the drama playing around. 

I think it is an unfair assessment you make that people are scared/supportive/anything of Rohit and will not give their opinion.

Emails I have received (as private replies to the post) prove that my assessment was absolutely accurate. There are many personal agendas at play, and what some people publicly say is motivated by their desire to be "in the good books" for a potential personal gain (albeit, maybe just association). It is unfortunate, but it is true. I do not hold it against those people, but it's a recognition that it happens, and is happening right now!
 
This is not simply about Rohit being some magnanimous soul and the poor script kiddie who dared to attack him. It is simply a case where a person who wasn't very smart about this, bragged about it and got caught.

Totally... so take appropriate action, ensure he understands the consequences, find a way to "make him pay", but MOST IMPORTANTLY, don't kill his spirit; understand the positive core motives as well (and learning was one of them, no doubt, albeit overshadowed by the desire for fame via a public disclosure). Getting the police on to him was intimidation out of ego and anger, no doubt!

 
Reading anything more into this whilst not being a party to it is a very subjective way to look at it.

Of course it is; there is no such thing as objective... :) but that's a discussion for another day, no doubt :)

Just because Rohit is a public figure doesn't automatically mean that he has to be forgiving.

No. But with power (of fame / publicity / etc.) comes responsibility! SRK smoking would be seen as a lot worse than Random.Mr.Joe smoking. SRK influences millions of teenagers - and if he does not recognise that, it would be rather daft of him. Similarly, RS is a public figure, his dealings with such issues will be scrutinised publicly, and the heavy-handedness does not bode well for him! I believe he should weigh in and justify his actions (no doubt most people on this list are mature enough (as opposed to "old" enough) to change their mind with further data presented to them).


As a consultant/CTO, I am sure if your web properties are under attack you would do what you think is the best in the scenario. 


As a consultant/CTO, I would want the butt kicked of the person that did it; send him to prison for life! But as a person with an interest in this field, as a person - full stop, as a person who believes that attributes and qualities at the core actually facilitate being a better consultant/CTO, I would investigate further, try to find the root cause, and perhaps make a better decision than "revenge"!
 
We faced the same thing at null last year when we had to move out of a shared hosting (which wasn't very secure) to a more expensive host because there was a threat of defacement. We have had to spend good money doing that and also 4-5 of us are always constantly monitoring the server. I don't know what business model CHMag has but I do know that the magazine is a free download. There is a team of people who work hard to bring out the magazine every month and I am sure there are many volunteers too.

Oh... free, did you say... oh, that's okay then... we can't hold them to any quality standard! I mean hell, Linux is free, so next time we find a bug our attitude to our clients should be "what are you whinging about, it's free, stop complaining"... I think the null core team approached the hack with a lot of maturity, by REALISING that even though it was going to be more expensive, rather than teflon the lack of quality and shoot people down by saying "it's a community, you are not allowed to complain [which, if done rightly, is a cry out to make things better]", it was appreciated that perhaps a security community should not be hosting on such vulnerable servers (and perhaps an alternative was that no site is better than a totally insecure one if it cannot be afforded; trust me, no reputation is better than a bad one!)... if CHMag were some fashion magazine, the actions could be much more excused... it's a security magazine, the management of which needs to show maturity and be able to take feedback in whichever way it comes and not dismiss the issue because it's a "free mag".
 

About the police being involved, as a site owner Rohit has every right to do that.

Oh yes... just like Assad has every "legal right" to probably shoot all the citizens of Syria (after all, he makes the laws!) - but that does not make it "right"!
 
Just because he is well known in the community doesn't mean anyone should get a free pass to hack his websites. Also I don't think that once it is a police matter, Rohit would have a say on how exactly the police will investigate. 

Agree... which is precisely why I hope RS did everything in his power before he took it to the police... in this case, silence is not golden - he is a public figure, and to preserve his reputation, I believe the public will want to know his motives and his attempts to deal with this maturely.
 
Please note that I am not stating a case for or against full disclosure or responsible disclosure. All I am saying is that we don't know the facts of the case and we can't say for sure that it was simply a case of reporting an XSS issue.

In a way it will be hypocritical of us (at least all of us who work on web app sec) to now claim that it was "simply" a harmless XSS issue when most likely that is not how we present it to our clients. Anyone who has done web PT/VA will list XSS as a critical issue.

Just to make my position clear (based on what I know), I am not at all saying that Kunal did the right thing... hell, he should pay for it, and pay for it heavily... but I suspect that a crime equivalent to "throwing stones" should not result in a return nuclear missile attack! There are more measured and appropriate ways!
 
 
tl;dr: This case can't be made about not following the law of the land just because you are a hacker. We aren't anarchists and if that is what someone believes in, they don't need to be part of a mainstream community.

Take this quote with a bucket of salt in this context, but "every revolution was first a thought in one person's mind". Virtually every law that exists now was at some point "illegal" - it was the bravery of a few that has given us what we have today, and it's the bravery of those that push the envelope which will help us progress tomorrow - and in this case, I refer to a bravery I hope RS will still show; who knows, stranger things have happened, and I have no doubt he is a wonderful person, whose ego will not get in the way if the "right" thing to do is to say that "the heavy-handed approach was an error of judgement; the hacker will still pay for his "crime", but more appropriately".

Dinesh O, Bareja

Aug 31, 2012, 2:25:57 AM
to null-...@googlegroups.com


Sorry about that earlier msg .... my Samsung tab is acting funny ever since they got hit with the 1 billion patent violation fine. So unfair na! All they did was use a few ideas about touch and feel - so innocent.

Anyway, like I wanted to say, it is getting tiring flogging the same topic so am giving it a rest. Let's debate this at nullcon and keep the knives ready!

Sent from Yahoo! Mail on Android

Subject: Re: [null] my sincere apology to Mr Rohit Srivastavaa
Sent: Fri, Aug 31, 2012 6:17:05 AM


.../Dinesh

simran

Aug 31, 2012, 2:32:12 AM
to null-...@googlegroups.com
Excuse me .... if breaking into my house amounts to "security research" you better have a second look at your dictionary. 


Mate... seriously! What analogies... but if we are going to play that game.. here goes... knocking on doors to see if one falls over, having it fall over, and then shouting "hey, this door fell over" is not "break and enter" - it might be "break" - and does probably deserve a reprimand, but locking up the guy who did it for a life sentence! Seriously!

Running amok on the internet defacing websites and finding holes in my underwear and posting on pastebin is not research - it is anarchy. 

Oh... and watching movies is piracy... after all, you watching them sends a clear message to the pirates that people want it, and hence they pirate it, and so all movies should be banned from even getting made...

The level of debate in those comments (the poster's and mine) actually makes me laugh...
 

Just because you learned karate does not mean you go around doing a drop kick on everyone (friend, foe, acquaintance or passerby). Imagine a rapist in court - "Your Honour, I was just researching the cause and effect of a MITM in the physical sense with her. It was totally non-destructive, I can assure you."

Mate, do you even know the difference between anything... this email is just so ridiculous... you are now likening rapists to having had a similar impact to what an automated scanner did? Sounds like someone got some lessons from shock-jocks! You are purposely trolling, right? No one is that dumb! Surely! :) You got me.. haha.. you are trolling... I can think of no other explanation... :)


It is very disturbing to see such intelligent disregard of the law especially on this forum where you guys are riding the cutting edge.

Mate, let's get our facts right... no one... and I mean no one so far has said Kunal did the right thing... there is no "disregard for the law"; it's the heavy-handed response that's surprising! An appropriate response (that would have still taught Kunal a "lesson") would no doubt have gone unnoticed by the community; not one eyebrow would have been raised at something appropriate...

Juriked Postre

Aug 31, 2012, 2:29:05 AM
to null-...@googlegroups.com
LOL, registering complaints against kids who were not careful enough to use a VPN. More kiddish.

2012/8/31 simran <sim...@dn.gs>

utsav mittal

Aug 31, 2012, 10:53:10 PM
to null-...@googlegroups.com
Simran,

Wow!! This is really a lot of discussion that I am seeing on the thread.

I am in no way with the big corporations 'misusing' the law; by setting a precedent, I meant that this will make skiddies aware that their irresponsible behavior could land them in jail, which many people are not aware of, because they think that Indian police forces are fools in the case of hi-tech crime.


So filing this complaint, not a case, by RH has the following advantages:

Gaurav Jain

Sep 1, 2012, 5:23:28 AM
to null-...@googlegroups.com
On Sat, Sep 1, 2012 at 2:26 PM, x37lol_Romanian <x37...@gmail.com> wrote:
Requesting an IP from Gmail is not a proper way to show your skills to catch a hacker..

 
Well, I don't know who Rohit or CHMag is, whatever.

I just googled your name and saw LinkedIn and more profiles; according to that info I am saying all this.

@rohit
If you have good knowledge in this field and have some years of experience, then why is your site vulnerable to XSS?

If some hacker or script kid finds a loophole in your site, then why are you going to the police? "Because of your company ego + repo + misuse of power?"
Why was your security team not able to find a little XSS hole?

In this field no one is a kid, no matter what your age, 13 or 50; this field totally depends on knowledge.

As you said he is just a kid, first you have to contact him and tell him not to do this type of activity.. because you are mature... you have to show him the right direction..

If some people have skills, please support them.

This is the reason why the Indian IT sector is not growing: because of this fu**ing attitude. If some kid is showing their skill in front of the public, no matter whether the kid's way is wrong or right,

you guys are mature, show him/her the right direction.

That's it...

4g3n71337, Romanian hackers are with you; we will support you. Join us:

https://rstcenter.com/forum/forum.php

Sorry for my bad English.


LOL! Now a person from Romania is an expert on Indian IT sector growth. :P

Thank you for confirming that you feel that way about our IT sector!! That is precisely what we wanted to convey. :P Please, by all means, continue underestimating us like this. :D

4g3n7 1337

Sep 1, 2012, 5:35:02 AM
to null-...@googlegroups.com
I am not here to fight or to give a lecture on Indian IT growth, because the world knows the truth.
My main goal is to support your upcoming hackers who really want to learn more advanced tricks to protect their country..


4g3n7 1337

Sep 1, 2012, 5:36:09 AM
to null-...@googlegroups.com
And Mr x37lol, I got your mail; please stop now, the whole matter is solved. I will contact you on Gmail, please stop stop stop

lol lolz

Sep 1, 2012, 5:41:01 AM
to null-...@googlegroups.com
I am just saying :-) no problem...

People calling you kid hehehe lol

Juriked Postre

Sep 1, 2012, 5:46:51 AM
to null-...@googlegroups.com
Grow up, all you kids,
and also Mr Rohit (first secure yourself, then talk of security).

2012/9/1 lol lolz <x37...@gmail.com>

webDEViL

Sep 1, 2012, 5:49:12 AM
to null-...@googlegroups.com
x37lol is probably Kunal himself. Because even before Kunal's message was on the list, x37lol replied.
tsk..tsk..tsk
Kids these days!

Anil Aphale

Sep 1, 2012, 5:50:15 AM
to null-...@googlegroups.com
Poor guy got caught...
Grow up, guys....

4g3n7 1337

Sep 1, 2012, 5:55:34 AM
to null-...@googlegroups.com
x37lol is on my TeamViewer and he asked me to tell the whole story. I am just saying that he used my email through TeamViewer to reply.

If you think that I GOT CAUGHT, still no problem; I am no more a bad guy :)

@webdevil

I wish to be x37lol, but the problem is I'm not :)

And yeah, I am a kid, no problem from my side.


null

Sep 1, 2012, 6:43:03 AM
to null-...@googlegroups.com
Alright!
Time to step in here!
Th-th-th-That's all, folks!!!
I'm starting a new thread on "Law vs Ethics of Responsible vs Irresponsible Disclosure".
Those who wish to debate further on the same topic, please feel free to do so there. All unmoderated list members, please stop replying to this post.

Kunal, now that there is no case against you, take time out to visit and present at null meets; it will help you in building your career in security research and community contribution. Also, remember ke...@null.co.in the next time you find a vuln.


--
Cheers,
@seem

PP Singh

Sep 1, 2012, 2:01:58 PM
to null-...@googlegroups.com
Okay, I think this is the time when the moderators may like to step in. A few pointers for all concerned:
 
(a) When you run a scan on a live website, let's say X, do you have their permission to do so?
(b) Security researcher -- well, the stated motive is 'knowledge' -- do you have the wherewithal to establish your motive to a third person, that you are a 'good guy' and doing what you do for the betterment of mankind, yada yada --- if not, refer to point (a). Abstract things like motive are difficult to prove or disprove. If it is knowledge you seek, create a lab with virtual machines and freak yourself out.
(c) The concept of ANONYMITY on the internet is a myth, so if cops come calling, be prepared.
 
I am sure Rohit & team gave some thought prior to going to the cops; if traceback was what they wanted, they have the capability to do so WITHOUT going to the cops. So all the guys who are advocating general social service, please take note.

I also hope that the matter gets resolved so that no youngster gets unduly penalised.
 
I also hope this thread is closed, as THIS IS NOT WHAT NULL IS ABOUT.
 
Regards
 
PP