This happened a while back but thought it would be an interesting story.

So there is this guy, I'll call him Jack. Jack was a weirdo. He had just graduated high school but thought of himself as very hot in terms of dev skills. He boasted of lots of good programs that were the best in the industry, except they didn't work (like the best proven file compressor, which just couldn't decompress anything because of some "bugs"). He also entered language holy wars quite actively, saying that Delphi is the best platform ever.

Aaanyway, a couple of years pass. Jack is now a student. Jack tries to make some money, so he talks to some guy who offers him a "job" at the tax office, where he has to modernize the data infrastructure of the tax authorities. If you think this sounds very wrong, then you're 100% correct. But it gets better. After 2 months of work, the guy manages to do that. It's a simple CRUD application after all.

So everything works, but the guy who gave him this job refused to pay. He stalled and then just stopped answering the phone. Jack is now furious. So what he does is publish the databases online, so everyone could see the income of every citizen. The authorities are in a panic. They send the police to his door. They seize his computer and lock him up for a few days.

To sum it all up: Jack took up a job without any contract, without any NDA, which is completely illegal in and of itself, but he did that with the tax authority. And delivered the product before getting paid. And when he understood that he was owned, he published it all online. He got bitten back. The guy who gave him this job faced no consequences for illegally hiring someone and not paying for their work.

Lesson: Don't be Jack

Comments
  • 18
    Actually, he had no NDA, so he could publish all the data. The way Jack came into possession of the data is one thing, but it wasn't Jack who broke the rules.
    That guy who hired Jack broke all possible laws he could. After all, unwritten agreements are valid.

    If I were Jack, I'd go to the press or sell the data on the darknet.
  • 9
    Yeah, I know. Jack didn't break the law by publishing that data. But ya know... a country that has an undergraduate rewrite their fiscal data infrastructure without any contracts is kinda likely to fuck you over even if you didn't break any laws.

    I mentioned the absence of an NDA to illustrate how clueless those assholes in the police force and fiscal authority are.

    Regardless, don't be Jack. Always have some form of a contract.
  • 5
    @mt3o if I remember correctly, he was charged with illegally coming into possession of personal data (since he had no contract). There is a vague law there that states that if you access data that you aren't supposed to be accessing, you're committing a crime. So basically if you are in a situation where you want to view your fiscal records online, and see a URL like this:

    fiscal_data.php?user=62454

    And try to change it manually to

    fiscal_data.php?user=10

    and without any restrictions see the income and all of the assets of some other person, you're committing a crime.
  • 2
    You get my point :-D

    A law student should win a court battle against Jack.
    Such a law should be used when there is a security mechanism to be broken. The API you described is like a postcard lying on the street.
    The API should check if you are authorized to view the data. Jack definitely should find a lawyer. Also, he should sue the authorities over not paying him for the job.
    Did they have any emails exchanged? :-D
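    The "postcard lying on the street" API from the two comments above, as an added example that is not part of the thread: the lookup behind a URL like `fiscal_data.php?user=62454`, written once the way the comment describes (the id in the URL is trusted and the session is never consulted) and once with the authorization check the reply asks for. It is framework-free Python; `Session`, `Response`, `FISCAL_RECORDS`, the `auditor` role and `AUDIT_LOG` are constructed stand-ins, not anything the thread describes. The hardened handler also records denied requests, so that a client walking through other people's ids shows up in logs instead of silently receiving data.

```python
"""Added example, not from the original thread: an insecure direct object
reference beside its hardened form. All names below are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the tax database.
FISCAL_RECORDS = {
    62454: {"name": "citizen A", "income": 18_000},
    10: {"name": "citizen B", "income": 250_000},
}

# Constructed sink; a real deployment would forward this to a SIEM.
AUDIT_LOG: list = []


@dataclass
class Session:
    """Who the server has actually authenticated (assumed shape)."""
    user_id: int
    roles: frozenset = frozenset()


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def fiscal_data_insecure(session: Session, requested_user: int) -> Response:
    """Behaves like the fiscal_data.php?user=... endpoint in the comment:
    whatever id is in the URL is looked up, the session is ignored."""
    record = FISCAL_RECORDS.get(requested_user)
    if record is None:
        return Response(404)
    return Response(200, record)


def fiscal_data_secure(session: Session, requested_user: int) -> Response:
    """Same lookup, but the server decides whose record may be read:
    only the authenticated user, or a role explicitly allowed to audit
    (the assumed 'auditor' role), may read the requested record."""
    allowed = requested_user == session.user_id or "auditor" in session.roles
    if not allowed:
        # Record the denial so enumeration of other ids is detectable.
        AUDIT_LOG.append({"event": "authz_denied",
                          "actor": session.user_id,
                          "requested_user": requested_user})
        # Answer 404 rather than 403 so the response does not confirm
        # that the requested id exists.
        return Response(404)
    record = FISCAL_RECORDS.get(requested_user)
    if record is None:
        return Response(404)
    return Response(200, record)
```

    The check lives next to the data access rather than in a separate "is the URL pretty" layer: whatever the client sends as `user`, the decision is made from the server-side session, which is the only thing the client cannot edit.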
  • 1
    Oh, btw, there was a story here or on Stack Overflow where a guy freshly hired as a junior dropped the production database using a faulty script. That guy should be safe too, even though the company wanted to sue him.
  • 0
    @mt3o I'm not familiar with more details. I know this guy from a developer community where he liked creating flame wars, and was a huge cunt, on a very high horse. We made fun of him for that. Some asshole doxxed him, so I remembered his actual name, and he left the community because of that. A year later I encountered his name in the news, after he published that data online, on Wikileaks even. It was newsworthy especially because the database also contained data about high-ranking government officials and their families. Basically he stirred the bee hive, after he behaved like a complete newb when interacting with clients.
  • 0
    @mt3o as for the script example that I showed - it's just an example that illustrates the fact that it doesn't matter that the information had nothing but the most basic protection against unauthorized access. If you have it, and you're not supposed to have it, you might be in trouble.

    I broke that law a few times, like when I swept through some debug output on an unprotected website, and in that stack trace I discovered the database credentials with which I was able to connect from the outside, but didn't have the heart to drop all the tables. But now I'm in another country so "come get me mothafukas!".
  • 1
    Oh my. What's the country?
  • 1
    Thanks for sharing, ”Jack” 😉
  • 1
    @mt3o Republic of Moldova :)
  • 1
    Greetings from Poland, where a waiter with a recorder can cause the ruling party to terribly fail the upcoming elections.