• (cs)

    TRWTF is letting your name be known when you reveal security flaws. Unless you're management, you WILL be the scapegoat.

    If a reward is offered, get the offer on paper before you blow your cover.

    Edit: It's unlikely to get fixed anytime soon anyway, so you might as well make yourself an all-access card, if you find yourself in a similar position. It's more likely that the access zones (for door locks) get tightened to the bare minimum and beyond, even though the system itself will not change. Then you can get extra applause for letting the professors into their own labs.

  • Moo Cow (unregistered)

    So ... they fired the person who just demonstrated that he could easily circumvent their "security"?

    Don't see any problem here at all.

  • Egon (unregistered)

    Yay, frontpage! And I didn't spend all day drinking beer... the head Prof made his own cider too! :D

  • (cs)

    It's always amusing that when somebody thinks they're doing a good deed to expose a flaw, they get punished instead. I really wonder what thought process is going on in the management's heads when this goes on. It should be:

    Boss #1: This guy found out that it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: Good on that guy for finding that, we never would have known!

    and instead it's:

    Boss #1: This guy found out it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: He must have found out because he was trying to sabotage us, because he's thinking OUTSIDE THE BOX! We can't have that, can we? OFF WITH HIS HEAD (thinking: Shit, I left that flaw in...)

    Stupid every single time, yet this behavior continues. So the question becomes, how do we fix it?

  • Epaminaidos (unregistered)

    Killing the messenger is always a good idea to fix security flaws!

  • Matthijs (unregistered) in reply to ObiWayneKenobi

    You found a human flaw. Off with your head!!

  • Icarium (unregistered)

    Damn, that is so sad! With all the description of how great the job was in the beginning this is pure poetry! >_<

  • It'sMeMario (unregistered)

    He should have made dozens of those cards and spread them over the University. All the students would use them for free food, which will cost them money.

  • (cs)
    Egon was fortunate enough to land a front-line support job fresh out of college.

    That was a joke, right?

  • cyborg (unregistered)

    The mission to South America was obviously to get the President's daughter back.

  • nacram (unregistered)

    My university did the same thing. The cards encoded the student/faculty ID number, some constant framing characters, and nothing else. I found out when I was playing with a card reader module from a discarded POS terminal. The cards were used to pay for vending machines, laundry, food, etc. as well as control access to pretty much every building.

    And this is why I didn't tell anyone. I knew there was a pretty good chance that something like this would happen.

  • Egon (unregistered)

    To be fair, they did at least fix it a few months down the line: all the stripe readers were changed to enable reading of the second track and all the ID cards were re-issued to include a random number on the second track.

    This way you did at least have to be in possession of a card in order to clone it, whereas before, you only had to know someone's staff/student ID number... which is printed on the card, and wage slips, and their mail etc..

  • Rob R (unregistered) in reply to Egon

    Egon - can I ask what country this happened in? So many of these WTF firing stories would be easily classed as wrongful dismissal in some places - it would be good to know where to avoid looking for work. :)

  • Dave H (unregistered) in reply to nacram
    nacram:
    My university did the same thing. The cards encoded the student/faculty ID number, some constant framing characters, and nothing else. I found out when I was playing with a card reader module from a discarded POS terminal. The cards were used to pay for vending machines, laundry, food, etc. as well as control access to pretty much every building.

    And this is why I didn't tell anyone. I knew there was a pretty good chance that something like this would happen.

    Plus you never know when that smallpox sample might come in handy.

  • Rnd( (unregistered) in reply to Rob R
    Rob R:
    Egon - can I ask what country this happened in? So many of these WTF firing stories would be easily classed as wrongful dismissal in some places - it would be good to know where to avoid looking for work. :)

    Most likely in the grand old land of freedom. USA...

  • annon (unregistered)

    he would include more illict, combustible refreshment with his liquid lunch.

    My first thought was, "What? He was drinking petrol?"

    Also that should be ilicit.

  • Eng Jim (unregistered)

    The guy gave up too quickly.

    At the least, a meeting with the Dean, or the Dean's boss, explaining that "research is getting me fired" and "what happened to open discourse?" would produce some squirming.

    At best, a front page article in the campus newspaper (or a threat to do so) to provoke more interesting action.

  • Chikpee (unregistered)

    As a security professional, the sort of ignorant...on second thought, outright idiotic...behavior of the university mgmt makes my blood boil! And especially sad because it cost you a sweet gig when all you wanted to do was HELP them! I could understand if you did something moronic and unauthorized to prove your point, like cloning the Dean of Students' card and going on a cafeteria spending spree...but all you did was read your own card! Ugh!

    Did you have any legal recourse? Hell, I would've told them my side of the story and said either stay the execution or I'm taking this story to the local paper and TV news!

    I hope you've found another great job since then and not one where they kill the messenger for trying to make the org more secure.

  • QJo (unregistered)

    Way back in the very early 1980s a couple of old schoolfriends of mine found themselves on a university course at a certain uni in the south of England. This was of course the days before cheap personal computers, although the first micros were out, and my age-group had the opportunity to make obscene amounts of money getting in at the ground floor on the sharp end, so to speak.

    These friends, being particularly intellectually able, soon found that their course work was insufficient to occupy their minds and imaginations, so took it upon themselves to see how easy it was to crack open the security on the university computer (see, told you it was a long time ago)

    The upshot was that soon they knew more about that damn computer than anybody else in the university, and their lecturers and other assorted staff members basically gave them free rein to explore and exploit every single loophole in the security they could find, as long as they reported back at the end of the day where that particular flaw lay.

    Thirty plus years later, one of those friends is still working in the field of computer security.

  • AntonD-WTF (unregistered)

    This same thing happened with me.

    I worked for a well known IT company here in South Africa, and proved to my then manager that the new electronic Payslip system had security holes, after being assured that there were double firewalls, SSL security and who knows what else.

    I showed my then manager that I could get her payslip on the screen (While I looked away she confirmed it was her payslip).

    She reported it up the chain, and 2 days later I was called into a meeting, and was at the point of being fired. She stood up for me. At the time I was very naive, and did not understand their reasoning. Now I understand it was their inability to understand security issues, (and how lucky they were I reported it to them) and getting rid of me was a way to make "the problem" go away.

    I kept my job, and a few weeks later got a phone call to see if I would like to join their security team, and see if I had perhaps any valuable input. I agreed, but after that one phone call, never heard from them again.

  • Infinita (unregistered)

    I just tried to read my Student card with my phone (which has NFC), all my basic info is there. I dunno if it could be copied because I'm not really into NFC but this story reminded me of my brother, back in high school (in France) he told the IT crew that he found a way to access the "secure" administration server (which was basically a samba server without any password).

    He had to do some work for the IT during vacation and was forbidden to access any school computer during the next year.

    This attitude is really annoying I think, students aren't encouraged to think out of the box, you have to do what you are told and not try anything new. I think there is a large flaw here in the education system.

  • C (unregistered) in reply to cyborg

    I don't know if Egon was a bad enough dude for that.

  • fanguad` (unregistered)

    I found some major security holes in our homegrown timecard, but made sure I reported them to intelligent managers only. People who I could trust to either stand up for me, or merely report it as "someone found a hole." I didn't have any problems, and the hole got kinda-sorta fixed.

  • Popeye (unregistered)

    Once it becomes a known security flaw a company can't claim ignorance when their piss poor system is compromised and say "we had no idea this could happen!"

  • katastrofa (unregistered)

    Universities have worse HR departments and management practices than about any corporation. Any conflict, any "controversy", and the university will just fire the youngest person available, regardless of who - if anyone - is to blame.

  • Paul M (unregistered)

    Well done Egon. You learned, at a young age, and with few repercussions: never, never, never fuck with security. Security guys have no sense of humour or playfulness. None.

    Don't do it.

  • Paul M (unregistered) in reply to It'sMeMario

    This is just about the dumbest advice I have ever heard. Court case, you will be ordered to pay back the college for every scrap of that free food, and you will never work again - you may even be ordered never to use an "electronic device" again.

  • Anon (unregistered) in reply to Egon

    Sadly, my place of employment does the same thing - and I even work in the electrical engineering department, and have done the same thing.

    I keep all the card reader/writer equipment locked up for that very reason, and luckily, have never thought to push the issue with the administration, as I worry the same thing would happen to me.

  • Mike (unregistered) in reply to Egon

    The real WTF is that your job required you to bring your own beer. The shame :)

    Most orgs take anyone pointing out their security flaws more seriously than the flaws themselves. There was a student I read about recently, in Canada I think, who got booted out of his program (I think it was even a cyber security program) for showing that one of the systems was vulnerable. I think it was more that they interpreted it as a DOS attack since he was running a vulnerability scan on the network. Anyway, not sure if he took it, but he had several job offers afterwards.

    The long and short of it is unless it is your job AND you have a good paper trail proving someone more senior to you approved it just don't do anything related to security. Don't try to find a way around the firewall to get your torrents working, don't try to check someone else's email etc. Just don't do it.

  • Ned (unregistered)

    Never report a security flaw. People like to believe everything is rosy, and they will retaliate against anyone who shows them the truth.

    For that matter, never conduct a security test unless it is your job to conduct security tests, and your boss told you to conduct that specific test. In writing, if possible.

    And we wonder why everything is so insecure...

  • ereh-emaNrouY (unregistered)

    Nothing like a little "Kill the Whistleblower" or "Shoot the Messenger" type action.

  • (cs) in reply to Mike
    Mike:
    The long and short of it is unless it is your job AND you have a good paper trail proving someone more senior to you approved it just don't do anything related to security. Don't try to find a way around the firewall to get your torrents working, don't try to check someone else's email etc. Just don't do it.

    Or at least don't do it with your own account.

  • (cs) in reply to Moo Cow
    Moo Cow:
    So ... they fired the person who just demonstrated that he could easily circumvent their "security"?

    Don't see any problem here at all.

    This is a distressingly common response at universities. And, from my personal experience, has been going on for a long time.

  • Pedro (unregistered)

    No good deed goes unpunished.

  • Dan (unregistered)

    The problem with using the ID as the code is not just the ridiculous ease of forging a card. If you lose your card and someone picks it up there is no way to invalidate the old one and issue a new one.
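Egon's later comment (a random number added on the second track, with the readers changed to check it) and Dan's point just above (a lost ID-only card cannot be invalidated, since the replacement is identical) can be modelled side by side. The following Python is an added, constructed illustration, not code from this thread or from any university's card system: the sentinel framing characters, the sample ID 123456789, the dictionary-backed verifiers and the 64-bit token length are all assumptions made for the example.

```python
"""Constructed model of the two card schemes discussed in the thread:
the original (stripe holds only the ID number plus framing characters)
and the fix (a random per-card value on track 2 that readers verify).
All data is made up; nothing here is read from a real card."""
import secrets
from dataclasses import dataclass, field

# Assumed framing characters, standing in for the "constant framing
# characters" nacram mentions; their exact values do not matter here.
START, END = ";", "?"


def encode_track(payload: str) -> str:
    """Wrap a payload in start/end sentinels."""
    return f"{START}{payload}{END}"


def decode_track(track: str) -> str:
    """Strip the framing; reject anything that is not a well-formed track."""
    if len(track) < 2 or track[0] != START or track[-1] != END:
        raise ValueError("malformed track")
    return track[1:-1]


@dataclass
class IdOnlyVerifier:
    """Original scheme: a card is valid if its ID is in the directory.
    Nothing distinguishes the original card from a lost copy of it."""
    directory: set[str]

    def issue(self, student_id: str) -> str:
        self.directory.add(student_id)
        return encode_track(student_id)

    def reissue(self, student_id: str) -> str:
        # No per-card state exists to change: the "new" card is identical,
        # so the lost card keeps working (Dan's point).
        return encode_track(student_id)

    def accept(self, track1: str) -> bool:
        try:
            return decode_track(track1) in self.directory
        except ValueError:
            return False


@dataclass
class TwoTrackVerifier:
    """Egon's fix: track 2 carries a random per-card value that the reader
    checks. Reissuing replaces that value, so the lost card stops working."""
    secrets_by_id: dict[str, str] = field(default_factory=dict)

    def issue(self, student_id: str) -> tuple[str, str]:
        token = secrets.token_hex(8)  # 64 random bits; the printed ID alone is useless
        self.secrets_by_id[student_id] = token
        return encode_track(student_id), encode_track(token)

    def reissue(self, student_id: str) -> tuple[str, str]:
        return self.issue(student_id)  # fresh random value revokes the old card

    def accept(self, track1: str, track2: str) -> bool:
        try:
            student_id, token = decode_track(track1), decode_track(track2)
        except ValueError:
            return False
        expected = self.secrets_by_id.get(student_id)
        # constant-time comparison so the check leaks nothing about the token
        return expected is not None and secrets.compare_digest(expected, token)


def demo_lost_card() -> dict[str, bool]:
    """Lose a card, reissue it, and see whether the lost card still opens the door."""
    weak = IdOnlyVerifier(directory=set())
    lost_weak = weak.issue("123456789")        # constructed sample ID
    replacement_weak = weak.reissue("123456789")

    fixed = TwoTrackVerifier()
    lost_t1, lost_t2 = fixed.issue("123456789")
    new_t1, new_t2 = fixed.reissue("123456789")
    return {
        "weak_lost_still_works": weak.accept(lost_weak),
        "weak_replacement_works": weak.accept(replacement_weak),
        "fixed_lost_still_works": fixed.accept(lost_t1, lost_t2),
        "fixed_replacement_works": fixed.accept(new_t1, new_t2),
        # Knowing the ID (it is printed on the card) is no longer enough:
        "fixed_id_only_guess_works": fixed.accept(
            encode_track("123456789"), encode_track("0" * 16)),
    }


if __name__ == "__main__":
    for name, result in demo_lost_card().items():
        print(f"{name}: {result}")
```

The model deliberately keeps the ID on track 1 unchanged, as Egon describes, so existing directory lookups still work; only the acceptance decision gains a second input that is neither printed on the card nor derivable from the ID, and that input is what a reissue rotates.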

  • john (unregistered)

    Sadly typical where security reports are concerned. No good deed goes unpunished.

  • trololo (unregistered)

    Same stuff happened to me twice,

    In high school I found out that the photocopier which was using a magnetic stripe "paying system" would work for free if you expelled the card fast enough before the job started.

    Did I tell anyone? Nah, I liked my school too much.

    At my current job I've managed to find out that some routers still use the default user/pass (see cisco), same for some remote surveillance systems.

    Did I tell anyone? Nah, I love my job too much.

    So the question is, why try and do others job when you should eventually enjoy yours ?

  • Gailees (unregistered) in reply to Egon

    Damn. This was rough to read. Hope you're on to even bigger and better things now!

  • Ross Presser (unregistered) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    It's always amusing that when somebody thinks they're doing a good deed to expose a flaw, they get punished instead. I really wonder what thought process is going on in the management's heads when this goes on. It should be:

    Boss #1: This guy found out that it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: Good on that guy for finding that, we never would have known!

    and instead it's:

    Boss #1: This guy found out it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: He must have found out because he was trying to sabotage us, because he's thinking OUTSIDE THE BOX! We can't have that, can we? OFF WITH HIS HEAD (thinking: Shit, I left that flaw in...)

    Stupid every single time, yet this behavior continues. So the question becomes, how do we fix it?

    Dammit, he's found the security flaw in Humanity 1.7. Fire him immediately!

  • Bob (unregistered) in reply to Egon

    Reminds me of some years ago, when collections of law books were first distributed on CD. These were hugely expensive (actually, the foolish law book companies made them the same price as the physical books... so a 150 book collection was mucho expensive). Anyway, the companies did everything they could to make the CDs inaccessible to anyone except the subscriber/password holder, including hardware that needed to be attached to the computer, proprietary formatting etc. However, I found a little crack in the system that would let anyone in to do anything they wanted, including read the books or copy them over in ASCII, etc.... So I was having lunch with an IT friend, and I told him about it. I asked if he thought I should send a letter to the company to warn them of their vulnerability. I figured I'd be a hero.... He almost fell out of his chair. "Whatever you do," he said, "don't tell the company. They'll blame you for the issue and probably prosecute you."

    I took his advice, but I still wonder if it was correct.

  • Snoodles The Wonder Dog (unregistered) in reply to Egon

    This story is exactly why I'm not saying anything (just yet) about the SQL injection vulnerabilities at my new job.

  • cyborg (unregistered) in reply to Bob
    Bob:
    I took his advice, but I still wonder if it was correct.

    Absolutely.

    You aren't finding a flaw, you're a criminal and a hacker. You are a terrorist.

    Most computer security is designed to give peace of mind that something has been done, even if that something is as effective as a "do not steal" sign, because most people asking for it and those who end up implementing it don't have the ability to recognise the "do not steal" sign they've created. They think they've created Fort Knox.

  • Mike B (unregistered)

    The firing is political. Someone researched, championed and funded a security solution that has a big flaw.

    So instead of openly exposing this deficiency, fire the guy to create a diversion of wrongdoing to silence the issue, then fix it quietly.

  • Not-that-alex (unregistered)

    Some university (I don't tell you which one) uses RFID chips nowadays. But for additional fun, they hand out RFID readers to students, if the students need them for some fancy project. Just write a proposal.

    Additional fun: There are three universities very close to each other (not as close as Harvard and MIT, but close). They bought their security system from the same vendor, so they have the same system. The student ID cards even look the same (except for the logo). The system obviously was configured the same way at all three universities. So my student ID is 123456789. "123" obviously is some code for the year in which I started my studies, "45" is a code for computer science, the rest is random (or I didn't get the system yet; I figured that out by comparing to other students' IDs). Naturally the ID is stored in ASCII...I can't think of a more convenient and less space-consuming format to store a number < 2^32...

    At the neighbouring university, 123456789 was given to someone who started the same year and has the same term of studies, so my card opens the software lab at my university, it also opens the software lab at the other university (which is pretty much known to everyone). Probably this one is by design, as the universities co-operate.

    I am writing my thesis in software engineering, so my card also opens the software engineering chair at my university. Besides the main entrance that is the student work room, the seminar room (which is boring), the chair's library and the chair's server room. When one of the PhD students lost his card, I found out that I can open his office. I did not try the professor's office yet, but I guess it does work.

    I don't know that guy, but probably 123456789 at the neighbouring university is related to the concurrent systems chair somehow. I figured that out one day late in the night. They do have HP Blade servers. I met the guard on my way out, but he thought it was probably okay, because I had a key card and the photo on the card was in fact me.

    PS: Yes, hacking the university's security was a fancy project, so we got RFID readers for it. The proposal was titled "Pen-testing the software lab entrance system". We even got a good grade for this, but they did not change it.

  • (cs) in reply to Chikpee
    Chikpee:
    I hope you've found another great job since then and not one where they kill the messenger for trying to make the org more secure.

    Do jobs like that actually exist?

  • (cs) in reply to Mike B
    Mike B:
    The firing is political. Someone researched, championed and funded a security solution that has a big flaw.

    So instead of openly exposing this deficiency fire the guy to create a diversion of wrong doing to silence the issue then fix it quietly.

    The last line of the above policy is often optional.

  • Norman Diamond (unregistered) in reply to Bob
    Bob:
    "Whatever you do," he said, "don't tell the company. They'll blame you for the issue and probably prosecute you."

    I took his advice, but I still wonder if it was correct.

    It was.

    If the DMCA had existed back in Dick Feynman's day, he would have gone to jail. Luckily he was allowed to keep his freedom to travel except to offices where he might potentially continue to be a whistleblower. http://www.cs.virginia.edu/cs588/safecracker.pdf

  • Carlos M (unregistered)

    Never, ever, report an obvious vulnerability like that before counting to ten million. In another language. The moron that created the vulnerability is likely to be someone in charge and it is easier for him to fire you because you are a hacker than to explain why he left an open backdoor.

  • (cs)

    Even the Ghostbusters started somewhere.

  • (cs) in reply to Popeye
    Popeye:
    Once it becomes a known security flaw a company can't claim ignorance when their piss poor system is compromised and say "we had no idea this could happen!"

    Depending on local law they can't even claim ignorance, because they may have an obligation to verify (optionally through an outside contractor) that their security measures are adequate and up-to-date.

Leave a comment on “The Firing Offense”
