# ThinkDigit Site Hacked



## iMav (Apr 26, 2008)

How can something like this wither away as a post in a thread, this needs a full blown thread of its own.

Our fellow member rohan_shenoy (whose wedding card is most probably gonna be in php) has found vulnerabilities in ThinkDigit's site and gained access to the admin panel  cool if I were him I would have sent raaabo to shameful misery for 15 days  but that's just me, however...

check out his post on his blog:

*www.w3hobbyist.com/view.php?id=10

and here is the post he made in the blogger's corner of this forum:

*www.thinkdigit.com/forum/showpost.php?p=813594&postcount=240

good going bro, what's next?


----------



## Cool G5 (Apr 26, 2008)

Saw his post.
The thinkdigit webmaster is a n00b. 
Congrats Rohan_shenoy.


----------



## victor_rambo (Apr 26, 2008)

Thanks Manan and Gaurav.

Now something more:
Though I managed to hack into the admin section of the website(Screenshots on my blog post), I immediately informed Digit about it(You can check copies of emails too on my blog post).

That is the reason now they have put the admin/ folder under .htaccess protection. If you try to visit *www.thinkdigit.com/admin/ you will get a basic authentication type of popup which was implemented after i informed them about it.


----------



## Cool G5 (Apr 26, 2008)

I visited your blog, but was unable to read the responses of nimish ?& the other which was in .pdf format.
Dunno, I am unable to view it.
Also I was not able to post comment.


----------



## praka123 (Apr 26, 2008)

good going, shenoy!


----------



## victor_rambo (Apr 26, 2008)

^
Are you browsing with disabled javascript?
The comment form is visible only with javascript.

wait, I will make some modifications that will not need javascript to be enabled.


----------



## Cool G5 (Apr 26, 2008)

Javascript is already unable. I do get the comment box.
Filled the required details but still unable to comment.


----------



## slugger (Apr 26, 2008)

Really noble of you not to mess up anybody's accounts and report it immediately 

while we here go about badmouthing and abusing things that contain i* M.S. or the tux, somebody did something _realllllllly_ useful and note-worthy but chose not to blow his own trumpet

Great going buddy


----------



## victor_rambo (Apr 26, 2008)

@Cool G5
right now people are getting this error, but their comment is being inserted into the database.


> *Warning*: Cannot modify header information - headers already sent by (output started at /home/mhtcet/public_html/w3hobbyist.com/comments.php:4) in */home/mhtcet/public_html/w3hobbyist.com/admin/config.php* on line *12*


Ignore this error if you get it. Ur comment will be inserted into the database, but it will be visible only after moderation.

@Slugger
Thanks dude! I actually intruded into their admin CP just by "matka". Just use some exploits and whoa!I could log in 
I had not expected that the exploit wud work with this site.


----------



## praka123 (Apr 26, 2008)

@Rohan:Yes,I got the same error message  ! ofcourse,java script enabled!but I was using firefox3beta5


----------



## victor_rambo (Apr 26, 2008)

^Prakash,
Ignore that error, btw ur comment is visible now on the blog.

and yeah, I don't use linux, stuck with ms box


----------



## Cool G5 (Apr 26, 2008)

@Rohan - No buddy, I just get that plz check ur email id,ur name etc etc.
Do not get the error you mentioned.


----------



## slugger (Apr 26, 2008)

something wrong with your comment feature
i keep getting this message



> Dear visitor,
> Your comment could not be due to one of the following reasons.
> The 'name' field can contain only alphabets, numbers and spaces.
> The email address is invalid. Email address can contain only alphabets, numbers, underscores, hyphens, dot and the '@' character.
> ...



i used slugger as the name and contact[at]shubhspace[dot]co[dot]cc  as mail id (put it correctly in the section)


----------



## victor_rambo (Apr 27, 2008)

@ Slugger And Cool G5,
enter email in format "johnsmith@ms.com"

There is no need for using [AT] or [DOT]. The email address is NEVER put on the comment page. Only I can see through the backend database.


Also, .co.cc email addresses are not accepted as yet because of the standard email pattern, but I will soon allow that too. For now, if you want to use some fake email address, u can do so.

@Slugger,
Thanks for the compliments 
I have received ur comment and it is visible now.

btw I coded the blog script myself-from scratch.
Was tired of standard blog scripts that are susceptible to comment spam


----------



## slugger (Apr 27, 2008)

another problem. after i press submit (this time i put .com = fake id)



> 404 Not Found
> 
> The server can not find the requested page:
> 74.86.90.81/view.php?id=10 (port 80)
> ...


----------



## iMav (Apr 27, 2008)

i guess it was the wrong time to link to rohan's site


----------



## victor_rambo (Apr 27, 2008)

^That is some issue with server, it works perfectly on my localhost, I am aware of that problem and working on that too!


----------



## slugger (Apr 27, 2008)

LOL!!!!

not even an hour passes and the NEWS will start spreading like wildfire

*Indexed on Google*


----------



## victor_rambo (Apr 27, 2008)

^ The web design firm "Indus Net Technologies" really deserves that kind of negative publicity for the risk they ran with thinkdigit.com website.

If they had been even a *bit* careful, all could be avoided.



iMav said:


> i guess it was the wrong time to link to rohan's site


If u are speaking this because of the error......
then all those errors were unexpected for me too 
I had just upgraded few scripts tested them on localhost, they were fine.....but.........


----------



## slugger (Apr 27, 2008)

Raaabo_seth_ and the new owners must be aghast now that the News is indexed

what a way to take up ownership of a high-selling *tech* mag

may actually have far reaching effects - credibility, sales all may take a hit (to make up for this they will probably give out some _reallllly coool_ freebies )

the other publications must be laughing their guts out by now (or at least with their morning cup tomorrow)


----------



## victor_rambo (Apr 27, 2008)

^ It was possible to steal personal information of registered users using XSS attack.


----------



## Pathik (Apr 27, 2008)

Do you mean that there was no authentication for the admin panel before? Anyways great going doc!


----------



## Faun (Apr 27, 2008)

lol...


----------



## The_Devil_Himself (Apr 27, 2008)

did you find out who is agent001?


----------



## praka123 (Apr 27, 2008)

^Nimish Chandiramani?


----------



## x3060 (Apr 27, 2008)

he ha ha ha . . really funny to see this . . but yes it was commendable that you did not screw them but immediately notified about it . . well done


----------



## Lucky_star (Apr 27, 2008)

Great work!... 

Is your site's cms custom made?


----------



## rosemolr (Apr 27, 2008)

glad to hear that thinkdigit is hacked..!


----------



## Faun (Apr 27, 2008)

^^why ?
you hold some personal grudge ?


----------



## DigitalDude (Apr 27, 2008)

haha rohan bro nice find.. I knew you would come up with something like this  with all those posts in the feedback thread 




----------



## hullap (Apr 27, 2008)

Hope this thread wont be deleted


----------



## CadCrazy (Apr 27, 2008)

Absolute genius. I will get my website built by you only


----------



## spikygv (Apr 27, 2008)

wicked cool dude.. .gr8 work ..


----------



## naveen_reloaded (Apr 27, 2008)

very sad.....

hope this forum has some kinda backup ...

i would always prefer someone starting a similar forum like thinkdigit... coz i seriously now starting to doubt whether this(forum) will last...
i need some mirror for this forum @@@@!!!!


----------



## victor_rambo (Apr 27, 2008)

Thanks guyz!
@Pathik
There was a login system but I could exploit it 

@Lucky star
Yes, it is custom made by myself


----------



## iMav (Apr 27, 2008)

*admin alert*


----------



## slugger (Apr 27, 2008)

looks like this News has also been reported on the *blogosphere*


----------



## Gigacore (Apr 27, 2008)

awesome rohan!


----------



## nvidia (Apr 27, 2008)

Awesome!!!!! Great work!


----------



## adi007 (Apr 27, 2008)

Awesome work Rohan...Keep it up...
Your site's commenting system is not working

```
Warning: Cannot modify header information - headers already sent by (output started at /home/mhtcet/public_html/w3hobbyist.com/comments.php:2) in /home/mhtcet/public_html/w3hobbyist.com/admin/config.php on line 12

Warning: Cannot modify header information - headers already sent by (output started at /home/mhtcet/public_html/w3hobbyist.com/comments.php:2) in /home/mhtcet/public_html/w3hobbyist.com/admin/config.php on line 13
```


----------



## talkingcomet (Apr 27, 2008)

hats off rohan bhai!!!
keep up the _good_ work!!! 
try again!!!


----------



## victor_rambo (Apr 27, 2008)

Thanks guyz!
@Adi,the comment system is working. Though it gives some error on the server, I am able to receive your comments at the backend. They are visible only after moderation.


----------



## Krazzy Warrior (Apr 27, 2008)

Amazing rohan


----------



## dheeraj_kumar (Apr 27, 2008)

The people who have themselves written security handbooks working on their own site... good work rohan!

If a biology professor can hack into thinkdigit, a comp.sci student can too!!!

Dheeraj Kumar: Hack! Hack! Hack!
Thinkdigit.com: WTF??? Access Denied.
Dheeraj Kumar: BWAHAHAHA!!! Brute Force Technique!!!
Thinkdigit.com: Noob.
Dheeraj Kumar: OMG WTF???
*BOOM*


----------



## hullap (Apr 27, 2008)

dheeraj_kumar said:


> Dheeraj Kumar: Hack! Hack! Hack!
> Thinkdigit.com: WTF??? Access Denied.
> Dheeraj Kumar: BWAHAHAHA!!! Brute Force Technique!!!
> Thinkdigit.com: Noob.
> ...


----------



## blackpearl (Apr 27, 2008)

Wow! Our resident hacker!
Good work.

List of articles that are going to appear in May on Digit. 

*w3hobbyist.com/files/images/thinkdigit_admin_cp3.jpg


----------



## praka123 (Apr 27, 2008)

Isnt it a crime though  think about hacking *microsoft.com ,I am sure they will sue you


----------



## slugger (Apr 27, 2008)

i wonder if they would add his blog to their blog directory 

*BTW* are the links in the directory working when you click - not here


----------



## victor_rambo (Apr 27, 2008)

praka123 said:


> Isnt it a crime though  think about hacking *microsoft.com ,I am sure they will sue you


I have already thought about the legal aspects before posting that thing


----------



## praka123 (Apr 27, 2008)

^Did u use something like TOR to protect ur identity(IP range)?


----------



## iMav (Apr 27, 2008)

@praka: ethical hacking is appreciated by all big and small alike ... there was an announcement by MS recently wherein they said that they would appreciate people who found bugs in their sites  

if rohan would've messed something and then noticed the admins chances were that some legal action could be taken (not saying they would) but only if you fcuk around else ur only doing good


----------



## victor_rambo (Apr 27, 2008)

praka123 said:


> ^Did u use something like TOR to protect ur identity(IP range)?


no. They may have logs of my IP address


----------



## Krazzy Warrior (Apr 27, 2008)

praka123 said:


> Isnt it a crime though  think about hacking *microsoft.com ,I am sure they will sue you


----------



## NucleusKore (Apr 27, 2008)

Good work


----------



## axxo (Apr 27, 2008)

IMO TDigit has to seriously give a thought on forum modding also...lot of spam bots crawling and posting crap posts throughout the forum.


----------



## victor_rambo (Apr 27, 2008)

The forum scripts must be clean installed again.
The existing scripts are outdated and there is some problem with these scripts. May be something went wrong during modding.


----------



## kumarmohit (Apr 27, 2008)

More than the fact that Rohan was able to do it, I appreciate the fact that he did not do anything wrong. Naturally there are people in the world who would hold the sites to ransom after doing this.

The world can really do with more people like Rohan.


----------



## utsav (Apr 27, 2008)




----------



## BBThumbHealer (Apr 27, 2008)

awesome rohan ... keep it up ! 



iMav said:


> (whose wedding card is most probably gonna be in php)




 ROFL


----------



## Rockstar11 (Apr 27, 2008)

good work


----------



## Voldy (Apr 27, 2008)

Awesome work bro .....
You're a freaking genius dude


----------



## gary4gar (Apr 27, 2008)

have you hacked any other site before?
or this is your first time?


----------



## victor_rambo (Apr 27, 2008)

gary4gar said:


> have you hacked any other site before?
> or this is your first time?


....cannot tell this

I read ur comment on the blog. Thanks for ur concern, I have thought carefully before making that post. And frankly, I never expected that the exploit would work with this website. but it worked.........


----------



## Quiz_Master (Apr 28, 2008)

Cool dude.. Awesome..
And thanks for Alerting the admins.. Yes..Digit people needs to seriously consider this sites security..(Maybe they can hire u )

Though I tried to tell this on ur blog(As I am avoiding this forum these days) but couldnt comment cause of some technical difficulties.


----------



## gary4gar (Apr 28, 2008)

rohan_shenoy said:


> ....cannot tell this
> 
> I read ur comment on the blog. Thanks for ur concern, I have thought carefully before making that post. And frankly, I never expected that the exploit would work with this website. but it worked.........


whoa, you got lot of attention
wonder if its positive or negative publicity, please figure out 


Regarding my Comment on your blog.
I suggested  you because There is no harm taking some precautions.
Like, imagine if Digit report it to Enforcement agencies(Thank God, they are Not doing it)
they have enough proof against you
1) Your Ip address
2) Your Name
3) Your location
4) Your Photograph  even
5) Your Blog post & this thread, openly confessing the act(A solid piece of evidence)

Even if your motive was good, so you have chances of walking free but at minimum your name spoiled
Remember, Always Play extra Safe

In addition, You could contact Webmaster before the attack, and give a prior information(Read: Open challenge)
Now this way, You are Doing Ethically correct   

Not all Organizations are Good as Digit. they are evil ones out there


Ps: I am not against ethical  hacking. Just advocating safety measures


----------



## din (Apr 28, 2008)

*@rohan_shenoy*

Really appreciate it, I mean you informed Digit about the vulnerability and didn't do anything bad. Nice of you.

What *gary4gar* mentioned is also very valid. You have done something good, but take care because it may go negative too.

Some other things related to this.

To be honest, not surprising or shocking. I remember reporting a major vulnerability (like without any hack we could see a lot of personal details of members) in Rediff 3 year back. The toughest thing was to get a contact number to inform them ! Had to google a lot at that time, finally found the phone number and told them. First they didn't believe, then they transferred it to their tech section and they called me back for details. But they could fix it within hrs. If Rediff is open to attacks, Thinkdigit will be for sure ! 

Main thing is - advantage (and disadvantage too) of PHP-Mysql is, anyone with a basic knowledge in programming can learn it very easily. May be 1 month is quite adequate. Once they know the basics, over confidence starts. They think programming is all what they learned in 1 month. They start coding and never think of any precautions that they should take.

Another thing is the multi-level outsourcing. One of my friends  working in a famous Indian IT firm (do not want to name !), told me they outsource projects which they get from abroad( which they get as out sourced !). But the final product will be in their name. So the quality may not be the same. In big companies, coding is just one part, there will be team for multi level testing, debugging, security testing and a lot. But small companies or people who are new in the field, may not think of all those. They just start coding and once its done they deliver it. 

Thing is these kinda people not only lose their credibility, but spoils the image of other Indian companies which are doing very good in the field 

*PS : @rohan_shenoy*

There is some small bug in your blog's comment page. It is not javascript, something with PHP itself. I think there is a space or "echo" or some redirection set wrong in the file /home/mhtcet/public_html/w3hobbyist.com/admin/config.php . Even a blank line can cause it. The comments goes to db it seems but fails to load the next page (due to the header issue)

Offtopic : I guess w3hobbyist.com is a parked / add-on domain ? If so, I strongly recommend you to make it separate web space as it will do better with search engines ? Please ignore if it is not.


----------



## victor_rambo (Apr 28, 2008)

@Gary
If its negative publicity, its for the Indus firm. The way they designed such as high-profile made them "deserve" such kind of publicity.


@Din, 
If the firm has outsourced the services, it is still responsible for the mess because the services were sought from the "firm". It is not a case of reference of a freelancer from a firm. The firm is responsible for web design and programming.

EDIT: Din, since you are PHP-MySQL programmer, I think you will better understand the issue.
and yeah, thanks for those tips. It is an addon domain.


----------



## Faun (Apr 28, 2008)

only if they hav made it in ASP/JSP, it was a tad bit to crack the nuts.

I knew php is just a dirty fast way to create pages, and a noob can easily forget to make it hack proof.


----------



## din (Apr 28, 2008)

@rohan_shenoy

You are 100% right. I mean the firm is fully responsible for it. I was no way justifying it. I was telling the reasons why the quality of programming / sites goes down sometimes.


----------



## praka123 (Apr 28, 2008)

what @gary said is true.@shenai,you shouldve used TOR or some other proxies...better luck next time


----------



## victor_rambo (Apr 28, 2008)

T159 said:


> only if they hav made it in ASP/JSP, it was a tad bit to crack the nuts.


Even if its ASP, the same exploit wud work.



> I knew php is just a dirty fast way to create pages, and a noob can easily forget to make it hack proof.


Are you calling PHP dirty  no way



din said:


> @rohan_shenoy
> 
> You are 100% right. I mean the firm is fully responsible for it. I was no way justifying it. I was telling the reasons why the quality of programming / sites goes down sometimes.


ya......I agree to your views.


----------



## Raaabo (Apr 28, 2008)

Why would a company prosecute a white-hat? That's ridiculous! Black-hats, however, will be prosecuted to the full extent of the law.

Just to clarify, at no point in time were the personal details of forum members at risk of being stolen or exploited. This forum is on a different database and a different CMS with a completely different admin login.


----------



## din (Apr 28, 2008)

*@Raaabo*

Thanks a lot for clarifying it, I mean about the forum.


----------



## iMav (Apr 28, 2008)

Raaabo said:


> Why would a company prosecute a white-hat? That's ridiculous! Black-hats, however, will be prosecuted to the full extent of the law.


absolutely


Raaabo said:


> Just to clarify, at no point in time were the personal details of forum members at risk of being stolen or exploited. This forum is on a different database and a different CMS with a completely different admin login.


damn that means even if hacked (which I dont know how to) I wouldn't have been able to send you to Shameful Misery, oh damn!


----------



## victor_rambo (Apr 28, 2008)

Raaabo said:


> Why would a company prosecute a white-hat? That's ridiculous! Black-hats, however, will be prosecuted to the full extent of the law.


Thank you


> Just to clarify, at no point in time were the personal details of forum members at risk of being stolen or exploited. This forum is on a different database and a different CMS with a completely different admin login.


Yes the user details which could be stolen were of registered users of the site, not the forum.


----------



## tuxfan (Apr 28, 2008)

rohan_shenoy said:


> Thanks Manan and Gaurav.
> 
> Now something more:
> Though I managed to hack into the admin section of the website(Screenshots on my blog post), I immediately informed Digit about it(You can check copies of emails too on my blog post).
> ...



Good work in terms of technology / web security. But you have committed a criminal act under Indian Information Technology Act by hacking into a system! This makes you liable for imprisonment as well as fine! As far as I remember it is 5 yrs and 1 lakh.

Your intention doesn't matter! Whether you actually caused any damage or not doesn't matter! As soon as you hack in, you have committed a criminal act under the IIT Act.

Be careful mate.


----------



## blackpearl (Apr 28, 2008)

@tuxfan: It's alright bro, nobody is pressing charges on him. He is fine.

@rohan: You should now target chip-india.in website. About a year or two ago, their old site had a staggering number of silly security loopholes. Forum members used to regularly discover them every couple of weeks. I bet they still have vulnerabilities even on their new site.


----------



## victor_rambo (Apr 28, 2008)

tuxfan said:


> Good work in terms of technology / web security. But you have committed a criminal act under Indian Information Technology Act by hacking into a system! This makes you liable for imprisonment as well as fine! As far as I remember it is 5 yrs and 1 lakh.
> 
> Your intention doesn't matter! Whether you actually caused any damage or not doesn't matter! As soon as you hack in, you have committed a criminal act under the IIT Act.
> 
> Be careful mate.


Thanks for your concern mate. But I know the loopholes which I am obviously not discussing out here 

And yeah, in the Court of Law, Intention DOES matter. They say:
"If a doctor gives a medicine with an intention to harm the patient, the doctor is a criminal even if the medicine does not cause harm. In the same way, if a doctor gives a poison with the intention of curing the ailment, it is not a crime."

Obviously you have to have something to PROVE your intention, which I already have.


----------



## iMav (Apr 28, 2008)

@tuxfan:

raaabo was here


----------



## Kiran.dks (Apr 28, 2008)

Good exploit Rohan.... You saved Digit website from being hacked by unethical hackers. Good work.


----------



## FilledVoid (Apr 28, 2008)

I must say good work. Definitely will keep the slackers in the Development Firm on their toes . However, what tuxfan said is true. 



> _Section 43(a) : Penalty for damage to computer, computer system, etc.- If any person without permission of the owner or any other person who is  in charge  of a computer, computer system or computer network,- accesses or secures access to such computer, computer system or computer network downloads, copies or extracts any data, computer data base information from such computer, computer system or computer network including information or data held or stored in any removable storage medium._



Under the IT Act you need not prove intent to become liable. On the contrary everyone appreciates efforts taken by white-hat hackers which demonstrate flaws in their software / network as rohan did.


----------



## victor_rambo (Apr 28, 2008)

Thanks Kiran, FilledVoid and Tux bhaiyya!


----------



## Ecko (Apr 28, 2008)

GR8 Job 
Though I'm a little late at congratz 
Keep Going 
Someone hack Indian Army Website They Consider IT Engineers not as Engineers (Personal Grudge )


----------



## victor_rambo (Apr 28, 2008)

Ecko said:


> GR8 Job
> Though I'm a little late at congratz
> Keep Going
> Someone hack Indian Army Website They Consider IT Engineers not as Engineers (Personal Grudge )


Thanks.
Looks like u are an Army Officer


----------



## phreak0ut (Apr 28, 2008)

Good job. Did you get the exploit from somewhere or did you write the exploit yourself? oh, by the way, why don't you put this news as an Announcement?


----------



## victor_rambo (Apr 28, 2008)

phreak0ut said:


> Good job. Did you get the exploit from somewhere or did you write the exploit yourself? oh, by the way, why don't you put this news as an Announcement?


Every decent PHP programmer is aware of the exploit. Can't reveal anything more.


----------



## phreak0ut (Apr 28, 2008)

rohan_shenoy said:


> Every decent PHP programmer is aware of the exploit. Can't reveal anything more.


 It's such a simple exploit?? seriously??? Then, why didn't the admins patch the site?


----------



## victor_rambo (Apr 28, 2008)

phreak0ut said:


> It's such a simple exploit?? seriously??? Then, why didn't the admins patch the site?


It was not that simple. An UNEXPECTED variation was used. The routine method failed to work. Ofcourse, all these info is useless until I disclose some other details, which I am not  gonna do.

What I actually suspect to be the reason for this exploit being successful is something else, but I still cannot justify to myself so as why the coder must have used that method.


----------



## tuxfan (Apr 28, 2008)

rohan_shenoy said:


> Thanks for your concern mate. But I know the loopholes which I am obviously not discussing out here
> 
> And yeah, in the Court of Law, Intention DOES matter. They say:
> "If a doctor gives a medicine with an intention to harm the patient, the doctor is a criminal even if the medicine does not cause harm. In the same way, if a doctor gives a poison with the intention of curing the ailment, it is not a crime."
> ...



Yup, intention does matter in case of a crime - *mens rea* - thats what its called. But thats a generic proposition, not law.   FilledVoid has pointed out the applicable provision of the IT Act. The key words here are "*accesses or secures access*_"._ It does not talk about intention. Just gain access and you violate the law.  IMHO, provision needs to be re-worded.

I am glad that it has been taken in the right spirit by Digit. Don't expect everyone to be sensible enough. Be aware of the law before you plunge in hacking other sites as someone suggested here. Ignorance of law is no excuse. 

OFF TOPIC:
Just a small question on _mens rea_ aka intention. What if I go to a place to kill "A" and accidentally kill "B"? I never intended to kill "B"!


----------



## victor_rambo (Apr 28, 2008)

tuxfan said:


> Yup, intention does matter in case of a crime - *mens rea* - thats what its called. But thats a generic proposition, not law.   FilledVoid has pointed out the applicable provision of the IT Act. The key words here are "*accesses or secures access*_"._ It does not talk about intention. Just gain access and you violate the law.  IMHO, provision needs to be re-worded.
> 
> I am glad that it has been taken in the right spirit by Digit. Don't expect everyone to be sensible enough. Be aware of the law before you plunge in hacking other sites as someone suggested here. Ignorance of law is no excuse.


You have mentioned only one clause. But I have a legal point that will defeat every other clause you say! Now don't expect me to spill the beans here 

You see, you are aware of the clause, but I am aware of its loopholes  because i have not disclosed each and every fact related to the case in public.


----------



## tuxfan (Apr 28, 2008)

rohan_shenoy said:


> You have mentioned only one clause. But I have a legal point that will defeat every other clause you say! Now don't expect me to spill the beans here
> 
> You see, you are aware of the clause, but I am aware of its loopholes  because i have not disclosed each and every fact related to the case in public.



Spill the beans?! Thats called sharing of knowledge! A law is not a secret treaty or map to a treasure  We tried to enlighten you by showing you something. Now it's your turn to reciprocate 

What if I say "you have committed a crime, don't ask how/what/why because I can't spill the beans"!!


----------



## victor_rambo (Apr 28, 2008)

tuxfan said:


> Spill the beans?! Thats called sharing of knowledge! A law is not a secret treaty or map to a treasure  We tried to enlighten you by showing you something. Now it's your turn to reciprocate
> 
> What if I say "you have committed a crime, don't ask how/what/why because I can't spill the beans"!!


lol.........will you take the kid's life or what........


----------



## Faun (Apr 28, 2008)

rohan_shenoy said:


> Even if its ASP, the same exploit wud work


yours was a xss exploit ?

and what else actually apart from this ?

I really hav to look through all this, if time permits


----------



## tuxfan (Apr 28, 2008)

rohan_shenoy said:


> lol.........will you take the kid's life or what........



Kid? Who's a kid here? You? Me? 

C'mon! What so secretive about a few legal provisions?


----------



## Ecko (Apr 28, 2008)

rohan_shenoy said:


> Thanks.
> Looks like u are an Army Officer



Hey man, this profile pic matched my statement by mistake 
I'm not a ARMY OFFICER neither I want my next 7 generation to be part of it 
I know they are excellent,brainy,courageous & possess qualities unmatched but let them do their job & let us do ours (Pun Intended) 
I'm changing  it now 

ONTopic :If U Are you holding lectures for SQL Javascript Injection do adjust me 2


----------



## victor_rambo (Apr 28, 2008)

Ecko said:


> Hey man, this profile pic matched my statement by mistake
> I'm not a ARMY OFFICER neither I want my next 7 generation to be part of it
> I know they are excellent,brainy,courageous & possess qualities unmatched but let them do their job & let us do ours (Pun Intended)






> ONTopic :If U Are you holding lectures for SQL Javascript Injection do adjust me 2


----------



## Ecko (Apr 28, 2008)

Yaar U must have got excited(on hacking)happy(after posting here)cheerful(after reading comments)& last but not the least irritated(replying to all)


----------



## victor_rambo (Apr 28, 2008)

^
One thousand one hundred and ten


----------



## blueshift (Apr 29, 2008)

You have completely exposed IndusNet... wow!!


----------



## tuxfan (Apr 29, 2008)

Rohan, did you miss my post? I just wonder why you are not willing to discuss legal provision about hacking after actually hacking?

If you wish, I can try and get opinion of Mr. Krishna Dhamapurkar, Investigation Office, Cyber Crime Cell at Mumbai or his boss Mr. M. Pawar, Inspector, In-charge of Cyber Crime Cell at Mumbai. May be I can call up or email a link of this thread with a request to post their opinions.


----------



## iMav (Apr 29, 2008)

i have never seen some one so hell bent on taking a white hat's case


----------



## victor_rambo (Apr 29, 2008)

@Tuxfan

I had read ur post, but still I won't disclose anything more than I have already disclosed.

You know the sections for punishment but you are missing on something basic. Think again and you will realize the funda down there.

And I welcome Mr. D and Mr. P to post their opinions, if you can bring them to discuss this issue. If I am getting free legal advice from top-notch officials, I welcome it.

All I can say right now is that your situation is like: "Thinking about Theory of Relativity but don't understand Newton's First Law" . Get the hint and exercise your brain cells dude! Just take care that you don't waste Mr. D's and Mr. P's precious time for this issue.


To everybody, please don't talk about legal clauses until you are a competent IT lawyer. Even though you may have studied IT law, if you feel that you can prosecute me successfully, you should re-consider the case. Please, this is a request because I doubt how accurate is the legal advice given here and I don't want to go on telling everybody that I have an exit door. Again, please. I appreciate your concern but since this is a legal matter, I will discourage people from posting legal advice if they are not qualified.



iMav said:


> i have never seen someone so hell bent on taking a white hat's case


But I can see something more deep down there


----------



## din (Apr 29, 2008)

I really appreciate (again) what Rohan has done. All this shows he's a very nice person who never does anything unethical - which is not very common these days. I am very proud he's a member of ThinkDigit forum, also very happy he's my (our) friend.

I think we need not worry too much on him!

*First* - ThinkDigit officially announced that they will never take any measures against him. They are very glad he didn't misuse the info, they are thankful to him.

*Second* - Rohan agreed that he will take precautions in future, he already knows the loopholes of legal aspects, he is pretty sure he will not get in trouble and he knows more on the legal side. As he is very confident in this matter, I think we need not worry on that.

*Third* - He might have his own (may be personal too) reasons not to disclose much info on the hacking as well as the legal side. I think we should support him and respect his decision. He already provided the details which he can reveal, I mean what sort of exploit was it, how it was vulnerable etc. People who are really interested can learn more about this from various sites, can ask him directly but I think we should not force him to reveal everything in public. That does not sound good.

*Personal suggestion to Rohan* - Please feel free to fully ignore if you do not like.

I know you will be busy with teaching etc, but please continue on this. Learn more about the vulnerabilities, exploits, how we can keep sites secure, what are the ways hackers use and related matters. Just as a hobbyist (as your site names). I am sure it will be interesting as well as useful. It will benefit you and a lot of other people who own websites.

Once again - Hearty Congrats from my side.


----------



## kalpik (Apr 29, 2008)

rohan_shenoy said:


> To everybody, please don't talk about legal clauses until you are a competent IT lawyer. Even though you may have studied IT law, if you feel that you can prosecute me successfully, you should re-consider the case. Please, this is a request because I doubt how accurate is the legal advice given here and I don't want to go on telling everybody that I have an exit door. Again, please. I appreciate your concern but since this is a legal matter, I will discourage people from posting legal advice if they are not qualified.


I'm sure you don't want to indulge in a discussion about IT Law with Tuxfan. Don't underestimate anyone


----------



## iMav (Apr 29, 2008)

i don't seem to understand what is the problem here 

raaabo has explicitly said that 9dot9 is not considering prosecuting rohan, end of discussion, why do we have to get into a verbal duel


----------



## FilledVoid (Apr 29, 2008)

As much as I appreciate what you did I think I'm missing what you are talking about and likewise you are missing what tuxfan is talking about. However I do love the fact that some of the premier Software Development Institutes had their rear handed to them.



> You know the sections for punishment but you are missing on something basic. Think again and you will realize the funda down there.



The IT Act is as clear as it can be. Furthermore when it comes to CyberLaws it states clearly and I quote that when you gain access to a "protected system" it constitutes hacking. In the eyes of the law there is no such differentiation between white hat or black hat. If there is something funda here that I'm missing then I'm sorry but I fail to miss your point.



> All I can say right now is that your situation is like: "Thinking about Theory of Relativity but don't understand Newton's First Law" . Get the hint and exercise your brain cells dude! Just take care that you don't waste Mr. D's and Mr. P's precious time for this issue.
> 
> To everybody, please don't talk about legal clauses until you are a competent IT lawyer. Even though you may have studied IT law, if you feel that you can prosecute me successfully, you should re-consider the case. Please, this is a request because I doubt how accurate is the legal advice given here and I don't want to go on telling everybody that I have an exit door. Again, please. I appreciate your concern but since this is a legal matter, I will discourage people from posting legal advice if they are not qualified.



I found this a bit insulting. I believe my brain cells are working pretty fine and I think so is tuxfan's. You don't need to be a rocket scientist to understand simple law. I quoted the section of the law for the thread's benefit. What I was hoping for was a loophole in the law which I could probably refer and quote in my assignment or two. There is a fine line between attitude and discussion. Tread carefully.

@din and @iMav : I'm pretty sure that tuxfan didn't have some kind of an agenda to prosecute Rohan over a website which the owners had no problem with. But was rather hoping for whatever "the funda" was which would trump the IT Act. Well at least that's what I was looking for.

Oh By the way @tuxfan: The Law gets thrown out if the Authorized Personnel of the website just state that he was allowed to do so in the first place.


----------



## praka123 (Apr 29, 2008)

what if Rohan had already joined *9.9*? J/K then it became an administrator's test of his system ??


----------



## din (Apr 29, 2008)

*@FilledVoid*

Sorry for the confusion. I am in no way against the views of Tuxfan. Actually I know him for quite a long time. What he meant is, this is kinda hacking and it may put Rohan in trouble. But Rohan prefers not to disclose much on the hacking or on the legal side, so I was just suggesting we should not force him. That is the point I made.

I do not know what Rohan has in mind (I mean the legal aspect), I know Tuxfan is an expert in this area too, I was just suggesting, we should not go too much into this topic as Rohan does not want to disclose much on it. I was thinking like it's his decision, so we should respect it. That's all.


----------



## FilledVoid (Apr 29, 2008)

> what if Rohan had already joined 9.9? J/K then it became an administrator's test of his system ??



Yes it does and it again invalidates everything. You do know devious thinking, don't you!


----------



## victor_rambo (Apr 29, 2008)

FilledVoid said:


> I found this a bit insulting .


I am dropping a hint. YOU need not feel insulted or offended.



kalpik said:


> I'm sure you don't want to indulge in a discussion about IT Law with Tuxfan. Don't underestimate anyone


I am not underestimating anybody, but sometimes people need more time to realize something.

Whatever you say, something is crystal clear, which he is missing. I don't know who Tuxfan is, whether he is an IT enthusiast, professional lawyer, or anybody related to this field. But I can make out that he is clearly missing out on something.

He may be a competent lawyer (I assume this from your statement) but still he needs to examine the case carefully before putting the clauses. If he will spend some more time on it, things will be clear to him. He has actually struck at a point.

I just googled if addon domains are bad for SEO and found these. I am also using an addon subdomain but since this is the first time I am doing this, I too have hardly any experience.


----------



## kalpik (Apr 30, 2008)

Rohan, relax man, I think I speak for everyone when I say that I appreciate that you did not do anything wrong with the site. We are just concerned that if you do that to another site, and the site owners decide to take some action, you should not be in trouble. That's all. We are not just taking this particular incident into consideration, but are speaking generally.

P.S. I'm in no way qualified to argue with you on the IT laws, but if you have some qualified people on this forum itself, why not discuss this with them (maybe via PM, if you don't want to discuss publicly) so that if you are wrong, you would be more careful next time, and if they are wrong, they can learn from this "case study". Of course, this is just my *suggestion*. You are free not to take it.


----------



## din (Apr 30, 2008)

^^ Now that's a very sensible and best suggestion.


----------



## gary4gar (Apr 30, 2008)

din said:


> ^^ Now that's a very sensible and best suggestion.


That's what I tried to say here


----------

