Absurd Cases of Cyber Crime

Infinite Loops, Bugs and Responsibility

Recently a story broke about a 13-year-old female student from Japan being charged for publishing a web page that ran a script which showed an alert message in an infinite loop, which looked like this.

Frankly, it’s as ridiculous as it gets, and at first I figured there was something lost in translation between the original source and Ars Technica’s take on the story, but others have been reporting the same story, so under the assumption that it’s true I just have to say it’s a truly bizarre case.

Basically the “malicious” code in question boils down to a single line of JavaScript code being hosted on their own webpage.

while (true) { alert("beep"); }

Nothing malicious happens when you run it; at best it’s a mild nuisance. Most browsers will actually present a checkbox, as seen in the screenshot above, which will prevent further messages from popping up once checked, and hey, at the end of the day one could always close the browser tab.

The whole case is just bizarre, heck if anything this girl could be a rock star developer in Silicon Valley, she’s following the principles of modern web development to the letter, pop-ups and modal dialogs all the way.

It’s Your Fault For Downloading Files From Our Public Server

Which brings me to this other story that broke back in 2018 where a young Canadian was charged for downloading files publicly available from Nova Scotia’s freedom-of-information portal.

The teen has been charged with “unauthorized use of a computer,” which carries a possible 10-year prison sentence, for downloading approximately 7,000 freedom-of-information releases.

Yes, you read that right, for downloading freely available documents from a freedom-of-information portal.

Basically what happened was that the site had all the files, which they later claimed were not for public consumption, publicly available on their server, where each file was named in a sequence.

Imagine the file was at https://supersecret.com/secret-file-1.pdf and all you had to do was change the digit in the file number to get at the next file. Well, that’s basically what he did; he had a knack for scraping and archiving things on the web which, if you ask me, there’s nothing wrong with.

Again, another really bizarre case, and the irony isn’t lost on me that it’s a freedom-of-information portal. It’s like being charged for picking the secret book in the public library, the one next to all the other books which you are allowed to read, but that one book that looks like all the others was a no-no.

If the files really are that sensitive, that makes it a severe case of negligence on their part, but hey, let’s not focus on that.
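An added example (not the portal's code; the document records, user id and function names are constructed) of the server-side check that sequential file names make necessary: whether a file is served has to depend on a per-document release decision, not on nobody having linked to its URL.

```javascript
// Added illustration; records and names are constructed, not taken from the portal.
const DOCUMENTS = new Map([
  [1, { title: "Release 1", status: "published" }],
  [2, { title: "Release 2", status: "restricted", allowedUsers: ["applicant-17"] }],
  [3, { title: "Release 3", status: "published" }],
]);

// Flawed: any id that exists is served. The only "protection" is that
// the restricted file's URL was never linked from a public page.
function serveIfExists(id) {
  const doc = DOCUMENTS.get(id);
  return doc ? { status: 200, title: doc.title } : { status: 404 };
}

// Hardened: every request is authorized against the document's own release state.
function serveIfAuthorized(id, user) {
  const doc = DOCUMENTS.get(id);
  if (!doc) return { status: 404 };
  if (doc.status === "published") return { status: 200, title: doc.title };
  const allowed = user !== null && (doc.allowedUsers || []).includes(user);
  // Same 404 for "missing" and "not yours", so responses don't confirm which ids exist.
  return allowed ? { status: 200, title: doc.title } : { status: 404 };
}

// Status codes a given user receives for ids 1..4 (4 does not exist).
function visibleTo(handler, user) {
  return [1, 2, 3, 4].map((id) => handler(id, user).status);
}

console.log("existence only:", visibleTo(serveIfExists, null));
console.log("authorized, anonymous:", visibleTo(serveIfAuthorized, null));
console.log("authorized, applicant:", visibleTo(serveIfAuthorized, "applicant-17"));
```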

Don’t Hit F12

And finally there’s the case of the kid that got arrested for reporting a bug around two years ago. Basically the Budapest Transport Authority wrote their online payment system to be a piece of junk with no server-side validation of their prices. So the “hacker” was fiddling around in the browser’s developer tools and changed the prices on the page, which let him buy tickets for cheap (anyone with even a moderate knowledge of how the web works could do this). He then reported his findings to them which, drumroll, guess what? It got him arrested.

On or about July 14 an unnamed 18-year-old — “The boy is nobody. He’s not even a programmer,” said one Hungarian who wished to remain anonymous — emailed BKK about a hole he found in their system. The hole, if it can be called that, let anyone with passing knowledge of modern browsers to set any price they wanted for any ticket in the system. By simply pressing F12 a “hacker” could change the price of a ticket right in the browser, and because there were no server checks, they could purchase the ticket at that price. The 18-year-old “hacker” discovered this and showed BKK that he was able to buy a monthly ticket. “A monthly pass costs 9500HUF (about 30EUR) and he modified the price to 50HUF,” wrote Laszlo Marai in his post on the attack.

Yay for doing the right thing huh? This one is arguably slightly more malicious but he did disclose it. I guess the moral of the story is that it never pays to do the right thing, never go full white-hat.

Also, look away! It’s not like anyone was negligent here, it’s the user’s fault for looking behind the curtain.
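The missing server-side price check, as an added example (not BKK's code; the catalog, product ids, the single-ticket price and the function names are hypothetical): the first handler charges whatever price the browser submits, the second ignores it and prices the order from a catalog held on the server.

```javascript
// Added illustration; catalog contents, ids and function names are hypothetical.
// Prices live on the server, in integer HUF. 9500 is the monthly pass price
// quoted above; the single-ticket price is a constructed value.
const CATALOG = Object.freeze({
  "monthly-pass": { name: "Monthly pass", priceHuf: 9500 },
  "single-ticket": { name: "Single ticket", priceHuf: 350 },
});

// Flawed: the amount charged comes straight from the request body,
// which the user can edit in the browser's developer tools.
function checkoutTrustingClient(order) {
  return { productId: order.productId, chargedHuf: order.priceHuf * order.quantity };
}

// Hardened: the client only says what it wants; the server decides the price
// and validates every field it does accept.
function checkoutServerPriced(order) {
  // hasOwnProperty guards against ids like "constructor" resolving on the prototype.
  const known = Object.prototype.hasOwnProperty.call(CATALOG, order.productId);
  if (!known) throw new Error("unknown product");
  if (!Number.isInteger(order.quantity) || order.quantity < 1 || order.quantity > 10) {
    throw new Error("invalid quantity");
  }
  const product = CATALOG[order.productId];
  const chargedHuf = product.priceHuf * order.quantity;
  // A client-sent price that disagrees with the catalog is worth logging, not honouring.
  const priceMismatch = order.priceHuf !== undefined && order.priceHuf !== product.priceHuf;
  return { productId: order.productId, chargedHuf, priceMismatch };
}

// Constructed request body: the 9500 HUF pass with its price field edited to 50 HUF.
const tampered = { productId: "monthly-pass", quantity: 1, priceHuf: 50 };

console.log("trusting client:", checkoutTrustingClient(tampered));
console.log("server priced:  ", checkoutServerPriced(tampered));
```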

Responsibility and Blame

One thing all of these cases have in common is that, in my opinion, they should never even have been a thing. I’d think most people will agree with this, especially fellow programmers and other technical people who understand what’s going on.

Speculating here, but it seems like someone who had very little idea of how the technology works at all was deciding on how to take action. While there has been no conviction in any of these cases as far as I could find, it’s still fairly damaging to one’s reputation to have 15 cops bust down your door for trying to report a bug and do the right thing.

He might have gone about it the wrong way but then again it’s an 18 year old kid.

Personally I don’t even bother to report security flaws and bugs anymore. Going through the right channels and disclosing a bug “responsibly” to a company is quite an annoying and time-consuming undertaking.

Cases like these don’t exactly make me eager to pay attention to any bugs either, when the person finding the issue is the one who ends up being blamed for a company’s blatant fuck-ups, like in the case of the Budapest Transport Authority.