Australian teen accepts police caution to avoid hacking charge

Joshua Rogers' case illustrates the fine legal line computer security researchers tread

Joshua Rogers

Joshua Rogers

An Australian teenager has accepted a caution from police rather than face charges for discovering a vulnerability in the website of one of the country's public transport authorities late last year.Joshua Rogers of Melbourne accepted the caution, he told IDG News Service via email on Monday. He will not face charges, and the caution -- an acknowledgement that he broke the law -- will be expunged from his record in five years if he does not commit the same offense in that period.Rogers' case illustrates the fine line that computer security researchers tread when hunting for software vulnerabilities on public websites.Large technology companies such as Google and Facebook encourage security researchers to probe their sites and pay rewards for supplying security information. The rewards are paid on the condition that researchers do not share the information publicly until the problem has been fixed.But without that kind of blessing, activities that may be research could easily be considered malicious and violate computer crime laws.

Rogers found a SQL injection vulnerability on the website of Public Transport Victoria (PTV), which runs the state's transport system. The type of vulnerability affects databases that do not filter certain kinds of input correctly.Rogers found he gained access to some 600,000 records, including partial credit card numbers, addresses, emails, passwords, birth dates, phone numbers and senior citizen card numbers. He maintained he downloaded two or three records from the database as part of his research, then deleted the data. He notified PTV of his findings via email on Dec. 26, a public holiday in Australia, copying 13 employees of the agency on the correspondence. After not receiving a response, he contacted Fairfax Media. Its Melbourne paper, The Age, covered the story.At the time, PTV decline to comment and said the incident was under investigation. Then in May, between six and eight police officers came to Rogers' residence and seized various electronic equipment, including USB sticks, his Samsung phone, a laptop and a server, Rogers wrote on his blog.Rogers was interviewed at a police station the same day and told he may have violated a computer crime law that prohibits "unauthorized access, modification or impairment with intent to commit a serious offense." According to Australia's Cybercrime Act of 2001, the offense is punishable by between five years and life in prison. On July 2, police gave Rogers the option of admitting he broke the law by signing the caution."The other option was to go through the whole process of being charged, and then going to court," he wrote via email. "It's not like I could have said 'I didn't do it!', after all."

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags securitylegalPublic Transport VictoriaExploits / vulnerabilities

More about FacebookFairfax MediaGoogleIDGSamsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place