back to article Kid found a way to travel for free in Budapest. He filed a bug report. And was promptly arrested

The arrest of a Hungarian bloke after he discovered a massive flaw in the website of Budapest's transport authority – and reported it – has sparked a wave of protests. Thousands of users have flooded the Facebook page of the capital city's transport authority Budapesti Közlekedési Központ (BKK) – and its main website was taken …

  1. Long John Brass Silver badge
    Unhappy

    No doubt

    That Mr Kálmán Dabóczi was rubbing his hands with glee at the thought of being able to report that *HE* had bought to justice an *Evil* haxor and would be showered with cash and prizes.

    Whoops; How bad, how sad, never mind.

    Next time these idiots screw up; I suspect that the 0-Day will quietly sold on the black market :(

    Muppets

    1. desht

      Re: No doubt

      "Muppets" is awfully polite of you. The word I was thinking of also has 'u', 't' & 's' in it (in that order), mind.

      1. BillG Silver badge
        Devil

        Re: No doubt

        Reminds me of the old saying, "There is no one more dangerous than an embarrassed bureaucrat".

        1. John Brown (no body) Silver badge

          Re: No doubt

          Reminds me of the old saying, "There is no one more dangerous than an embarrassed bureaucrat".

          Yeah, the default reaction these days seems to be to deny everything until the position becomes untenable and then claim no knowledge and blame someone else.

        2. Frumious Bandersnatch Silver badge

          Re: No doubt

          > Reminds me of the old saying ...

          Reminds me of "A légpárnás hajóm tele van angolnákkal". But then, my mind has been corrupted by naughty, naughty British TV.

      2. Anonymous Coward
        Anonymous Coward

        Re: No doubt (RE:desht)

        Muppetsunts?

  2. Anonymous Coward
    Anonymous Coward

    No good deed goes unpunished. This has happened before in the past, and it's why I don't help anyone and if I find a flaw in a system I abuse it 'til the cows come home, because I know exactly how bad they would treat me if I kindly reported it instead.

    1. Anonymous Coward
      Anonymous Coward

      No good deed goes unpunished. This has happened before in the past, and it's why I don't help anyone and if I find a flaw in a system I abuse it 'til the cows come home, because I know exactly how bad they would treat me if I kindly reported it instead

      I think there's a little step in between that has been skipped over here: you can notify a company of a breach WITHOUT using the weakness. Not that that in any way excuses the way they handled it (I would rip a serious strip off T Mobile for this), but if you find a weakness best let the service owner generate their own evidence or you leave yourself open to exactly this sort of stupidity. You still hold the rights of the notification(and can maybe set a time limit) but at least it makes it much harder to accuse you of hacking because you have not acted on the weakness (it makes it impossible to prove harm in court).

      I have been there on a number of occasions, and the only time I ever actively used a vulnerability I ensured I had prior written permission to do so - and even then I stopped before it got dangerous (it would have had a global impact). With ability comes responsibility, just because you can doesn't mean you automatically should.

      In the days I did security audits (when they were still "find and fix" instead of "find me some problems so I don't need to give the team a raise but still leave me compliant" tickbox affairs), I once had to evaluate the segregation between some divisions at a bank. It took me just a few minutes to discover that that segregation was at best imaginary, but I was shocked I had to explain to the project leader that I wasn't going to copy any file as evidence because having access to information meant that any leak of that information would create risks for us.

      Instead, I got an authorised member of the division who owned that data and let him do the copy and sign off that he could so in the manner I described which could have gotten ugly from a regulatory point of view.

      That said, I'm done with the public good work. In my experience, if you find a flaw, especially a dangerous one, and you just disclose it to an organisation, the first thing that happens is that the company tried to hide it. Now I sell them a couple of days of my time which allows me to document the problem for them, find an approach to mitigation and gives them the benefit of a non disclosure agreement. It's not an approach everyone agrees with, but I work in spheres where public disclosure is frowned upon, and this ensures that the issue is at least flagged and processed at the right level.

      1. jaduncan

        Without putting through the order it's impossible to know if the backend checks; without that he'd merely have demonstrated that Chrome does indeed allow one to edit delivered website code.

        I question your understanding of the bug.

      2. ShelLuser

        @ac

        "you can notify a company of a breach WITHOUT using the weakness."

        You honestly think they'll believe such stories and would bother to look into them? I don't.

        To me this is no different than playing on a Minecraft server and finding a bug. First you try it again to ensure that it was really a bug or a glitch and not an oversight on your end. Once you got that out of the way you get all you need to report it.

        The #1 rule of bug discovery is the reproduction of the glitch. If you can't reproduce a bug then you also can't be 100% sure it actually was a bug.

      3. TheElder

        Re:if you find a weakness best let the service owner generate their own evidence

        Precisely. I have quite a collection of certain things I shall not mention. Notification only is the way to go. However there was a time very early in the game when I used one of those certain things to shut down someone on their own territory. I exchanged pleasantries and it worked very well. I wear a white hat but is a bit stained with time.

      4. Public Citizen
        Childcatcher

        ""you can notify a company of a breach WITHOUT using the weakness.""

        Says the IT professional with more than a decade of experience.

        This is an 18 year old under discussion, not somebody with years of experience in the IT School Of Hard Knocks to help shape the way they deal with duplicitous bureaucrats.

        1. Prst. V.Jeltz Silver badge

          Reading between the lines

          I didnt read anything about what order anything happened , but i dont think we have the full story

          Did he *really* inform the authorities 2 minutes after finding it? Funny behaviour for an 18 year old computer enthusiast.

          "and then posted his discovery of the hole online." - ah now i see why the authorities are up in arms . So he went through the motions of informing them on an unmonitored email, , just to tick that box , before shouting about it loudly on the web in order to gain moneyz , famez , girlz, lulz ,credz whatever it is the kiddies want these days....

  3. Anonymous Coward
    Anonymous Coward

    So you found a bug in a corporate system

    Responsible disclosure: No

    Leak on 4chan: Yes

    1. Graybyrd
      Windows

      Re: So you found a bug in a corporate system

      So you found a bug in a corporate or government system. Expect no gratitude; rather, expect exactly what this young man received: retaliation and punishment for the exposure of an embarrassment to the authorities.

      It's a common knee-jerk reaction here in the U.S. KILL Destroy the Messenger, cover up the mess, and... deny, deny, deny.

  4. Big John Silver badge

    Find me a scapegoat!

    Sounds like the guy found the bug, emailed the company, after some indeterminate time made the bug public. Perhaps at that time some clever people were able to ride for free for a short time, due to the company's failure to promptly respond to a bug report. Such a tragedy.

    One can see how they might be miffed at the short notice, but it's way better than being blind-sided. They have no moral leg to stand on.

  5. Christian Berger Silver badge

    It's T-Systems...

    ... those used to have a contract management system connected to live systems, so you could, for example, alter your passwords by editing your contract. It turns out you could edit everyones contracts, not just yours.

    T-Systems is not where you go for IT.

  6. Anonymous Coward
    Anonymous Coward

    He's in hot water now.

  7. Anonymous Coward
    Anonymous Coward

    I thought Kafka came from Prague.

  8. John Smith 19 Gold badge
    Coat

    OMG CEO performs major CMA dance to deflect blame on IT cockup

    Is that what they mean by "Hungarian" coding?

  9. Your alien overlord - fear me

    Hungarian notation

    Noteworthy, noticeable, not-nice-to-bite-the-hand-that-feeds-you !!!!

    1. TechnicalBen Silver badge
      Joke

      Re: Hungarian notation

      Ah, I'd almost forgot about the Reverse Hungarian Notation!

  10. Nick Kew Silver badge

    A time-honoured tradition

    Shoot the messenger.

    This young chap's now got himself a real-world education!

  11. h4rm0ny

    Sounds to me like T-Systems fucked up and this guy contacted BKK about it (entirely reasonably). Effectively reporting a problem to T-System's employer. Probably the first thing that happened was BKK called up T-Systems and the latter went "Not Us! Evil Hackers!"

    But who knows? What was the notice period he gave them before disclosing it publically?

  12. Will Godfrey Silver badge
    Unhappy

    Business as usual

    Lots of huffing and puffing.

    Bug gets fixed (and only that one).

    Both companies use this as an excuse to get rid of some 'troublemakers' (nobody actually resposible is bothered).

    Another pretty good kid gets pushed towards the dark side.

  13. StaudN
    Mushroom

    Their website is still down

    Karma.

    1. Nolveys Silver badge
      Flame

      Re: Their website is still down

      Their website is still down...Karma.

      I expect they will be having issues for some time. I wonder how many people are looking for exploits specifically for "irresponsible disclosure" at this very moment.

  14. Bloodbeastterror

    I visited Budapest a couple of years ago and heard the stories of the bad old days of the police state. It seems that they aren't entirely free of the mentality just yet.

    1. Anonymous Coward
      Anonymous Coward

      The BKK has never been anything but dicks towards the public

      It's almost like they're on this holy crusade against the rest of humanity who are all eeeeeevil scum trying to ride for free (some of which certainly are, granted) - but it's an irreconcilable "us vs. them" thing. And a large dose of "you made me lose face in public therefore I will eat you soul" corporate vindictiveness, with some "l'etat c'est moi" knee-jerk Stasi reflexes (very much alive and well, make no mistake). Nobody in any position of power is there to serve, they're there to cover their own precious asses at all times and crush troublemakers (defined as anyone potentially interfering with the flow of money into their own pockets) in their little fiefdoms. When you look at it that way, the hapless bloke causing embarrassment is obviously a major threat.

      1. Dave559 Bronze badge

        Re: The BKK has never been anything but dicks towards the public

        There's an excellent documentary, "Kontroll", about the Budapest Metro, which I recommend seeing if you get the chance:

        http://m.imdb.com/title/tt0373981/

    2. Tom 38 Silver badge

      Hungary suffers a lot from crony capitalism/statism. Lots of EU money comes to Hungary for things like building roads; these contracts are allocated on the basis "Who do you know, and how much are you prepared to pay in kickbacks". Cigarettes can only be sold in special single purpose shops, funnily the licenses to operate them seem to only go to relatives of local politicians.

  15. sitta_europea

    When we've had our fill of all the emotion, I'd really like to know what actually happened.

    1. lglethal Silver badge
      Trollface

      You're new to the Internet, right? I'm afraid we dont get past the Emotion on here, our Ritalin affected reduced attention spans cant wait that long before being distracted by the next event... oh look a Cat Video....

      1. Sir Runcible Spoon Silver badge
        Facepalm

        " our Ritalin affected reduced attention spans cant wait that long before being distracted by the next event... oh look a Cat Video...."

        I know that's a flippant remark and this is El Reg etc. but you do know that speed actually *improves* the attention of adhd sufferers?

      2. handleoclast Silver badge
        Thumb Up

        Re: Cat Video

        Did somebody say cat video? Where???

        Damn. There was no cat video. :(

        I'll just have to provide one myself.

        Some affectionate cats.

        El Reg needs a cat video icon. :)

        1. Sir Runcible Spoon Silver badge

          Re: Cat Video

          Wow, what did that guy do do earn that kind of love? oo-er :P

          1. handleoclast Silver badge

            Re: Cat Video

            What he did to earn that kind of love was (mostly) raise them from cubs after they'd been abandoned by other sanctuaries/breeders.

            Then there's his Tough Love video.

            I'm not (quite) insane enough to try it myself. I know you need to bond with them from an early age for that to happen safely. Well, sort of safely. He's had a few nips and scratches. Serious ones. He says they don't know their own strength. Actually, they do, it's that they don't know how weak he is and play as hard with him as they do with each other.

            Even so, knowing how utterly insane it would be for me to try it, I keep wishing I could give it a go.

            1. Triggerfish

              Re: Cat Video

              Offtopic but there's a good video on Youtube about a Lion called Christian, bought at Harrods, kept in a London apartment, released back into the wild. Several years later in Kenya still remembers his former owners and comes up and greets them and his pride of completely wild lions are all totally chilled out around them.

          2. dmacleo

            Re: Cat Video

            its a cat.

            feed it.

            all you need to do, least with all of mine.

            during mealtimes I am REALLY loved LOL

        2. uncommon_sense

          Re: Cat Video

          Don't hold your breath.

          We never got the ARSE icon I requested.

        3. Dr. Ellen
          Windows

          Re: Cat Video

          Squirrel!

  16. d3vy Silver badge

    You seem to have fallen into the trap of referring to an 18 year old adult as a kid.

    Please rectify this.

    1. Sir Runcible Spoon Silver badge

      It seems pretty fitting these days (at least in the UK).

      95% of the 'young adults' I meet these days are pretty child-like in their emotional range. It's almost like they've been wrapped in cotton wool all their lives and not taken any risks (therefore not suffered any failures from which to learn).

    2. Snorlax Silver badge
      WTF?

      @d3vy:"You seem to have fallen into the trap of referring to an 18 year old adult as a kid."

      You seem to have fallen into the trap of assuming that all 18 year olds are mature, responsible, level-headed-adults...

      1. psychonaut

        they havent had time to grow up - they are too busy being offended...

        1. mattje

          "they havent had time to grow up - they are too busy being offended..."

          I am offended by that, Dad.

          If you had raised me better, then things would be different

      2. d3vy Silver badge

        "You seem to have fallen into the trap of assuming that all 18 year olds are mature, responsible, level-headed-adults..."

        Not at all, but by all reasonable definitions you cease being a kid at the age of 18 - he is over this age so is legally no longer a kid. Maturity does not come into it.

        My point of course being that the more we pander to these immature *adults* by referring to them as kids the worse the problem gets, we are reinforcing the attitude that they dont need to accept responsibility for their own actions because they are 'not all growed up yet'.

        I read an article the other week that some people don't consider themselves to be "grown up" until they hit 30... Jesus, what kind of messed up generation are we raising?

        None of the above rant has any bearing on the subject of the article who I dont believe has referred to himself as a kid at all, its just the way that its being reported that I object to!

        Having said all of that I now feel very old.

        Damn kids, get off my lawn.

        1. John Brown (no body) Silver badge

          "Not at all, but by all reasonable definitions you cease being a kid at the age of 18 - he is over this age so is legally no longer a kid. Maturity does not come into it."

          Childhood is being ever extended. See the Challenge 21 scheme and now the Challenge 26 scheme for sale of age restricted items in the UK. Or the US, must be 21 to buy alcohol in so many places and even aged 90, you still have to show ID to prove you are old enough to buy alcohol in most places.

          1. CustardGannet
            Pint

            In Stalybridge (near Manchester) there's a pub which sports a sign by the door :

            "NO UNDER 28's.

            If you look under 35 you will be asked for ID."

            My kinda place.

          2. d3vy Silver badge

            Challenge 21 is to challenge anyone who looks under 21 for ID, if you can prove your over 18 there's no legal reason for a sale to be withheld.

            Your argument does not alter the legal definition of adult.

        2. mattje

          You were oh so wise and mature as soon as you turned 18?

          Relatively, to the people he is dealing with, he is a naive kid not realising that the older some people get, the more corrupt and lacking in responsibility they appear to be.

          1. d3vy Silver badge

            "You were oh so wise and mature as soon as you turned 18?"

            Probably not.. though maybe (at 18 I was in stead full time employment and looking to buy my first house with my partner) , but that's not the point, I don't care if your 18 or a 50 year old man child you are legally an adult with all of the responsibilities of such at 18.

          2. d3vy Silver badge

            Mattje

            You also failed to read my whole comment, which was not aimed at the subject of the article but the reporting of him as a child in the headline.

          3. psychonaut

            mattje..

            "I am offended by that, Dad.

            If you had raised me better, then things would be different

            You were oh so wise and mature as soon as you turned 18?"

            no, i'm still a fucking idiot! cant see that changing any time soon.

        3. Jamie Jones Silver badge

          I read an article the other week that some people don't consider themselves to be "grown up" until they hit 30... Jesus, what kind of messed up generation are we raising?

          I'm in my 40's, and still haven't grown up.

        4. eldakka Silver badge

          @d3vy

          Not at all, but by all reasonable definitions you cease being a kid at the age of 18 - he is over this age so is legally no longer a kid.

          Your definition of reasonable is not reasonable.

          If the author had of said minor, then you might have had a leg to stand on.

          Kid != legal minor.

          Kid does not have a legal definition (since you are referring to 'legally no longer a kid') that sets a specific age.

          Kid just means someone who is younger than the speaker, 90 year old's call 40 year old's kids.

          When I was a youngin. the adults (and police, teachers, and so on) had a term for those in the ~14-~25 year old range, which seems to have fallen out of vogue in these "wrap em in cotton wool so no harm ever comes to them" times. It wasn't "minor" if you were under 18, or 'adult' if you were over 18, it was 'youth'. As in the YMCA, Y=youth. It was an acknowledgement that at say 15, no matter that you are a minor, you aren't (mentally) a child, and likewise if you are 20 doesn't mean you are (mentally) an adult.

          You don't magically stop being immature and childish the moment you turn 18, and likewise just because you are 15 doesn't mean you are immature and childish.

          Words like kid, child. adult, youth, 'tween, are often used as an indicator of maturity, or as an indicator of relative age, or the level of (dis)respect the speaker has of the subject, not necessarily as a legal statement of calendar age.

          1. d3vy Silver badge
            Joke

            FFS, its all getting a bit silly isn't it? I merely raised a point about the ADULT in question being referred to as a kid

            Clearly some ones pedant nerve has been struck.

            To that all I can really say is... Grow up and act your age ;)

    3. Agamemnon

      When 18 year old Children begin to act like Adults, I may give it a go. Until then, everyone I know that is under 30 is a "Kid". Get over it.

      As evidence, I submit his Starry Eyed Nievete' that The Process actually Functions, Correctly. Any reasonable adult knows this is bullshit of the first order.

  17. Sweeping Brush

    Did not disclose the bug publically.

    Where are people reading that he disclosed the bug publically?

    I've read the article here and nowhere does it state that he did anything other than report it to the company 2 minutes after discovering it.

    1. TonkaToys

      Re: Did not disclose the bug publically.

      The CEO fella claims it was posted online

      >

      As the outcry against the company's actions grew, Dabóczi was forced to defend himself Monday morning on the radio. He doubled-down, claiming that the boy has sent his emails to accounts that he knew the company would not read – one of which was bkk@bkk.hu – and then posted his discovery of the hole online.

      1. Alistair Silver badge
        Windows

        Re: Did not disclose the bug publically.

        "posted discovery of the hole online" != "disclosed POC code"

        He could simply have said that he'd found a bug in the website, and reported it to BKK.

      2. Count Ludwig

        Re: Did not disclose the bug publically.

        "he posted it to an email address they don't read"

        Um, it seems they did read it, and their reaction was to call the police.

    2. unwarranted triumphalism

      Re: Did not disclose the bug publically.

      It doesn't matter whether or not he did, the commentators have to vent their outrage at a young person.

  18. Anonymous Coward
    Anonymous Coward

    $h1t'$ your thanks!

  19. Anonymous Coward
    Anonymous Coward

    They better have secured that bkk.hu website properly before bringing it back online.

    Because something tells me there's a bunch of black hat hackers just itching to discover any other flaws in the system, only this time nobody will be telling the owners what they discovered...

  20. Christopher Reeve's Horse
    FAIL

    Reminds me of...

    ...that great Richard Feynman safe-cracking story at Los Alamos. When he informed the General (I think it was) that classified military documents were at risk because he could easily open the safe door, Feynman was instead excluded from accessing the area where the 'safe' was. He was seen as the risk, not the fact that the expensive new safe was not fit for purpose.

    1. Sir Runcible Spoon Silver badge
      Alien

      Re: Reminds me of...

      There appears to be a species of human, often to be found in positions of authority, that have the same thought processes as the renowned Ravenous Bugblatter Beast of Traal.

      1. Christopher Reeve's Horse

        Re: Reminds me of...

        "The Ravenous Bugblatter Beast of Traal is a vicious wild animal from the planet of Traal, known for its never-ending hunger and its mind-boggling stupidity. The Guide calls the bugblatter the stupidest creature in the entire universe - so profoundly unintelligent that, if you can't see it, it assumes it can't see you."

        Seems about right.

    2. TechnicalBen Silver badge
      Joke

      Re: Reminds me of...

      Wait... Richard Feynman safe-cracking!? Did he just tell them the probabilities of his entire body quntum tunnelling into the thing? (I'm hoping it was room sized!)

      1. Notas Badoff

        Re: Reminds me of...

        He did things, to see if he could do things. Sorta like this kid. Encourage talent, win wars. Lock'em up, everybody loses.

  21. Anonymous Coward
    Anonymous Coward

    The only conclusion I can come to is that the backdoor was intentional for certain people to get cheap travel and by exposing the bug this has now been closed much to the annoyance of the ruling classes.

  22. Domquark

    Maybe...

    Kálmán Dabóczi is getting PR lies - oops, I mean lessons - from Alex Cruz?

  23. Tigra 07 Silver badge
    FAIL

    Inspired by...

    Sounds like they're learning from Apple.

    Isn't this almost exactly how they treated bug reports in Germany?

    1. Tigra 07 Silver badge

      Re: Inspired by...

      In addition they've also done this to one of their own fanboy researchers: https://www.theregister.co.uk/2011/11/08/apple_excommunicates_charlie_miller/

  24. Paper

    In communist Hungary, bug reports you!

  25. alain williams Silver badge

    Gary McKinnon

    This is much the same thing. Guy discovers gaping hole in computers, is held to blame and arrested - this is an attempt by the site owners (in this case USA military) from having to admit that their own staff are incompetent. It is called saving face that just ends up showing the site owner to be arrogant & stupid.

  26. Anonymous Coward
    Anonymous Coward

    Windows Macro Recorder

    Working in my first job for the Benefits Agency I showed the sysadmin how a simple tool, built into Windows 3.1 could act as a keylogger and defeated the PID(keycard) system completely using a decoy card.

    Next day I was pulled into an office with my line manager and was told off for "meddling".

  27. Kevin McMurtrie Silver badge
    Facepalm

    FU to the customers

    BKK just announced that they're not reading the bkk@bkk.hu address that they tell customers to use?

    1. onceuponatime

      Re: FU to the customers

      But of course, I mean who listens to customers these days?

  28. TechnicalBen Silver badge
    Meh

    This is why...

    Whenever I see obvious tech or non-tech door wide open staring you in the face hilariously stupid mistakes in massive companies, I walk on by and "forget" I ever saw it.

    If you are a small company/business I may mention it, politely, but not even expect you to notice me beyond "that strange person who pointed at that window in the shop". I barely even bother with those, as most companies have been going for 10+ years, so why would me spotting something like a door left open, make any difference, they are probably just on a cig break out the back anyhow.

    Non anon, because even the Reg will get hacked one day and loose the credentials anyhow, and who would be interested in me? :P

  29. DagD

    The BKK makes lousy burgers...

    oh, that's BK, my bad.

    Good luck kid. It's amazing how staunchly stagnant regulations and regulators have become.

    We would almost be better off without governments.

  30. GeorgeHilman

    Always approach the system with caution and always expect a bad reaction.

    Anonymity is your friend.

    .

  31. Stuart21551

    Give the kid Kalmans job.

    Ethics is the first requirement.

  32. Anonymous Coward
    Anonymous Coward

    Hmm

    > The tale started last week when an unnamed 18-year-old found that he was able to,

    > when purchasing a ticket online, poke the BKK website in a particular way to modify

    > the ticket's price and buy it at that new price.

    and then

    > "I did not use the ticket, I do not even live near Budapest, I never traveled on a

    > BKK route. My goal was just to signal the error to the BKK in order to solve it, and not to use it."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019