Admin
My company has a pretty well advertised no retaliation policy. It might be one of a kind.
Admin
Not the only one. I've disclosed a number of major security issues in our production systems, going as far as to demonstrate how easy to exploit some of them were. I'm a technical manager (company uses dual track management), and sometimes my resources will come to me to discuss security issues.
On a number of occasions, one of my guys found a security issue, but didn't feel comfortable "owning" it. In one case, the code was written by the now-CEO's father. When that happens, I present the issue to the company as something "the team" found. Depending on how paranoid the resource is, not even the team knows who among them discovered it.
Thing is, never in the company's history has anyone been fired for reporting a security issue. Some have been fired for being intentionally malicious, but that's a completely different story altogether.
Admin
Although it's still a pity they fired you for making it obvious that it was insecure, perhaps you uncovered a nice ruse they already knew about and would now have to change. The game was up, so you got the chop for exposing the game.
Admin
Yes, altering credit cards for fun and profit is a fun exercise. If you have the proper equipment, making up a stripe on a card that is the same as your ex-wife's ATM card is a wonderful exercise. It becomes even better when you "recover" some payoff money you had to give her and use it for a sailboat day trip with your new friend (who is now your wife 2.0). Some of these things give you a wonderful feeling at the end of the day.
Not that I did anything like that, as it might not be too lawful, but the $100 really did feel good.
Admin
No, I used to work at a company with a no-retaliation policy. It's an easy policy to write, and it makes for good PR. Less well-publicized was the ubiquitous retaliatory practice.
Admin
Never, ever disclose a security flaw before having a written statement from management that it is ok to look for them. Even (especially) if you've found such a flaw.
Then mention that you found such a flaw, and its consequences, but still don't disclose the method (so they can't quickly fix it). Let them worry. Only when it is firmly established (in writing) that it is your job to discover such vulnerabilities, and you have negotiated a raise, do you disclose the method.
Management never takes something seriously until it costs them.
Admin
Yeah, you turned it down... remember? He asked you about hiring snoofle.
Admin
Sounds like you screwed the pooch.
Admin
Instead of disclosing to management, you publicize it to the world. For a while people might continue to get fired, but after enough of these, companies will realize it's much better for their employees to disclose problems internally than it is to tell the world about them.
Admin
Do it anonymously. Plus you get the benefit of them actually fixing the problem.
Admin
Why were the boss and the employer in this story anonymized? These dumbasses should be named and shamed, so that not only will anyone with half a brain refuse to work for them, but everyone on the underbelly of the internet will know that they don't like having their problems pointed out to them, and so they'll have their systems attacked time and again until they realize they need to change their ways.
Admin
Fortunately, I work in Tech support for a software where I get kudos for reporting problems. I've found a few security bugs, and they get fixed. True story.
Admin
It seems to be management policy (in almost all organizations, in almost all industries) to shoot the messenger.
Theory: Given the ubiquity of this approach, and the fact that ostensibly-educated people continue to promulgate it, I think it's reasonable to conclude that Shooting The Messenger is being taught to management students as the correct approach.
Solution: Instead, shoot the managers.
Admin
When I was in grade school, we had a punch card for lunch -- you paid your money, and got a punch card that was good for 2 weeks. Well, punching the card took too long, so they switched to a rubber stamp. It turns out that if you tear your punch card and tape it back up, the ink just rubs off the tape. I got lots of free lunches that way, until the tape got too black and the lunch lady moved on to the next punch.
And don't ping on me; that was like 35 years ago and I was just a little kid back then.
Admin
This article makes me sad.
Admin
Human Resources?
We have a whole department that has betrayed you.
Admin
Bruce Schneier on the subject.
Too bad Egon didn't read it before he attempted to do the right thing. When I was younger I probably would have naively tried that too, but not anymore.
Whistleblowing doesn't work because companies don't care for security, except in appearances. They care, however, for PR, and that's why the best approach is turning the flaw into a matter of PR. If they have to decide between receiving bad press or paying the cost of patching, they'll always choose the latter.
Admin
This wasn't at a university in Southern California, was it?
Admin
Believe it or not, it's actually somewhat damaging to be labeled as a whistle blower publicly. I'm sure we wouldn't be doing "egon" any favors to expose his former employer publicly for them to do the same in kind.
My company has a lot of critical infrastructure products. If we had a problem that was publicly exposed before we could fix it, it could have serious consequences for our customers. For security reasons we would -not- hire anyone who has a history of sharing internal issues of previous employers.
Admin
I wish I could say this was an isolated, extreme case, but I know several people who were fired (mostly from universities) for the same type of "attack" on computer security.
I was almost fired from a corporate position for such a thing. I showed the network admin just what could be done with an ssh tunnel and VNC. She showed her boss, and they had a discussion regarding what should be done about me. They decided that they'd rather have me on their side than against them, so they didn't get HR to show me the door. They just decided to keep an eye on me. Double-secret probation, as it were; I didn't find out I was on a watch list until much later.
It just doesn't pay to point out security holes. Especially when you're right. If you find a hole it can't be their fault; they're professionals and their security is obviously air-tight. No, you must be... A HACKER! Duh-duh-DUUUHNN!
Admin
In my experience, the last step seldom happens.
Admin
An alternative explanation: Management found out well after the fact about all the crap he WAS doing, but given the time delay, were disinclined to initiate disciplinary proceedings.
Then along comes this excuse. Not a good excuse, mind you, but an excuse none the less.
That the previous tech up and went on a "mission", despite this being a dream job, suggests the lax supervision was a temporary state of affairs.
Admin
How you know they changed the design of the security badges suggests you might need to update us with another WTF.
Admin
And I expected he tried to sell the smallpox virus over eBay!
Instead of making flaws in the system public it is always way better to use them. Because then a) you remain anonymous and b) you profit from it and c) because of that it might actually get fixed.
Admin
I suspect a lot of the time the thinking is this: Boss #1: This guy found out it's possible to <do nasty thing here>. Wow! We need to fix that ASAP. Boss #2: How much is it gonna cost to fix this? Boss #1: (big sum of money) Boss #2: Ok, let's not fix this, since the money to fix it would probably come from our executive bonuses; let's find a way to blame it on the guy instead.
In this case fixing it would mean replacing all the cards, the back end systems and software and possibly all the readers too.
Admin
the real WTF is he didn't clone people's cards and get free parking and lunches. What's the point in having that knowledge if you don't benefit from it?
Admin
If I were Bill, the exit conversation would have gone "I've been told to fire you, and so I must. However, I happen to know that there will soon be an urgent vacancy in this very department, and they haven't told me I can't hire you again. Might be more money in it for someone with relevant experience".
HR could probably be made to play ball if approached in the right way (cough (lawsuit)).
Admin
So, let us just recap:
(1) Person A is wearing a pair of trousers, unaware they have a large hole in the crotch.
(2) Person B notices hole in crotch, and politely informs Person A that they may wish to do something about it.
(3) Person A responds by blaming Person B for the hole, slapping him around the face, AND THEN... CRUCIALLY... LEAVES BALLS HANGING OUT.
(4) Person B now, apparently, has Person A by the balls.
...
(5) Profit. <--- Why hasn't this bit happened?
Admin
FTFY
Admin
I was once threatened with expulsion from university for using net send *.
Walked into the deans office, told him exactly what I thought of their poor response, told him I'd show the "TSG" (incompetent tech people) how to block it if they dropped the "community code charges" (huge fines and expulsion, very vague "offenses". I "acted contrary to the standards of a $uni citizen" or some such crap) otherwise I was filing a lawsuit for future lost income over the wrongful dismissal.
Then told him I didn't have all day and to make up his mind. Took the old fuck off guard and won.
Admin
Yeah... that's so outrageous.. only.. is it the whole story?
I suspect maybe Egon did a little more, eh? Maybe he actually MADE a fake dean's card, and then, after he showed off before all his friends and colleagues, only then told the management about the "security flaw".
I'm just suspicious because I've seen a lot of guys fired for some serious security breaking who then claimed that all they did was point out the problem and they should've been rewarded.
Nothing personal, Egon, maybe you are the victim here, but I know some of the TDWTF stories contain a fair share of bullsh*t.
Admin
At most companies I've worked for, management'll struggle to raise an eyebrow if you point out a security flaw. Most likely they'll ignore you and continue on their way. If you're lucky you might get an enquiry as to how much it'd cost to fix. Then told to fuck off and do some work.
Admin
cf. Richard Feynman's lock-picking adventures during the Manhattan Project from "Surely You're Joking, Mr. Feynman!"
Admin
That's a good point. One simple, practical rule I've learned in life is: If someone tells you of a conflict he had with another person, it will almost always be phrased to make the speaker sound like the completely innocent and rational party and the other person the foolish or evil one. And of course sometimes that's the reality. But sometimes it isn't.
I recall one time a co-worker telling me about an argument he had with another person in the organization, and I walked away thinking, "Wow, the other guy was really a jerk about this." Then later I heard the other guy's side. And it really struck me: He did not at any point contradict anything that the first guy had said. There was no need to suppose that one was lying and the other was telling the truth. It was quite possible that everything that each of them said was 100% true. But the first guy just didn't mention some things that the second guy brought up, and vice versa. It wasn't even like one of them left out something obviously crucial, like "Well, yes, I did punch him in the face before he started cursing at me, didn't I mention that?, but he had no right to speak to me that way anyway." They each just had their own perspective.
(Not saying that the person in this story DID do something questionable. I have no idea.)
Admin
By way of comparison: Fast forward to a private US high school in 1998 or so, with a fresh T1 and some shiny newish NT machines for student use. I was one of the small (and by small, I mean 3) class of CS students at the time, having been mostly a DOS user, minimal experience with the horrors of Win 3.x, then 'happily' puttering with trying to get OS/2 Warp to run on anything. The one and only unclean trick I knew was how to get an unencumbered Netscape running on the NT boxes and that was about all I cared about.
I think the CS teacher, along with much of the ad-hoc IT staff, was a Mac beard. Anyhey, after about 6 months or so, the more Windows-familiar kids had started poking at the library machines and for some reason I was drafted to 'secretly' "keep an eye on them, okay?" Sort of an 'unofficial' hall monitor status, and I didn't mind the idea of keeping things running smoothly and learning something, so why not?
Well, that lasted about a week. The Troubled Mac Addict of the class bumped into me and advised that he could easily drop to root (or Administrator, or whatever the NT/Windows-sphere calls it). Mindful of my 'duties' and not sure if he was full of crap (just another Mac user, right?), I did the obvious and asked him to demonstrate. Which he promptly did - probably leveraging rundll32 although memory is hazy now - and setting the screensaver marquee to "Welcome to the Hell library!" [So if any of you are reading this - hey, A.K., I salute you, and a big belated GFY to the administrative parties who pulled what happened next.]
There I am, having just collected 'useful' info on the exploit to report, waiting around for him to leave so I can change it back without 'blowing my cover' or being a spoilsport - after all, the goal is to secure the network, and nobody seriously expects me to rat out friends or frenemies in a total graduating class of two dozen kids, right? - and the librarian [who generally didn't mind us nerds] pulls up: "HEY, WHAT'S THIS? L.W., FOR SHAME, YOU'RE SUPPOSED TO BE 'IN CHARGE OF SECURITY!' AND A.K., RUN ALONG, EVERYONE KNOWS YOU'RE JUST A MAC USER SO YOU COULDN'T BE INVOLVED IN THIS."
Thus began the discussion of my expulsion, beginning with an intimidating screamdown from the football coach / disciplinarian for "abusing my power" that left me in tears - hey, 15 year old kid, trying to do the right thing, surely everyone knew me well enough... and once the CS teacher came around this would be sorted out, right? Nope, it was the '90s, and suddenly the whole administration had found a witch to burn. Either I'd done it, or I'd Allowed It To Happen, and people I'd previously respected as sane educators / mentors were ready to kick me to the curb.
As I later found out from Troubled Mac Kid, who may or may not have had his own good reasons to be troubled [P.S. A.K.: I dunno what was up with you, but if it somehow wasn't blatantly obvious, I was and still am a total furfag!], the school was under audit by whoever sets the rankings for private schools, and so potential future tuitions and everyone's job was on the line. Nobody wanted the suits to see any evidence that anything was less than spit-and-polish plus full-student-satisfaction, because there's never any drama or tomfoolery in a brick box full of teenagers, right? And/or nobody wanted to be the one to have The Conversation about who messes with the screensaver ... and while I ended up leaving for an early admissions program before anything hit the fan, there could've been other reasons why it was Important that someone else's name not be attached to this horrible "IT security breach."
So, I'd gotten a pretty good education there up until that point, and thence learned that The Stories were true and people would go totally batshit whenever 'normal teenage behavior' met 'computers', as held for much of the ensuing decade - things seem to slowly be simmering down now that this generation's teachers are realizing they never figured out how to delete their old bonghit photos from Facebook and they should probably pay more attention to that one kid who tortures cats.
Unfortunately, while my interest in security (from the boring whitehat direction - a job's a job and work to live, right?) persisted, the lesson that it's a high-risk game and people will turn on you as soon as they need a scapeweasel did too, and I'll just say the whole shenanigans (which probably blew over in less than a week) was one of dozens of contributing factors in the demise of my academic career. No sweet security job, or IT job, or any job for me (thanks, economy from 2001 to 2006 or so!) - That Other Guy I Knew who went all the way to jail for defacing a website made out better, since it legitimized his resume as soon as he was out.
Moral: Eh, whatever's the same one as for the OP's story.
Admin
They fired the whistleblower. Tut, when will we learn. if you see a possible exploit and report it, then you're the one making them work, worry, sweat and lose sleep. Best always to keep quiet until a 3rd party (maybe an auditor) finds it. Of course you can suggest to the auditor that they look at <thing> first.
Captcha... tristique - the small island near Mustique but only big enough for two...
Admin
I was about to write that, but you got there first. Only utter arseholes refer to their employees as resources.
Admin
I did that, too. I determined the same thing: school put ID numbers in the clear encoded on the cards and it wasn't too hard to find the ID numbers either. I alerted the proper authorities and explained the flaw.
Because I'm at a State university, the campus PD are sworn state police officers. Well... turns out behind my back I was then arrested for "felony possession of a forgery device" for explaining a simple flaw and how to fix it. Court system found me to have had no malicious intent and dropped the case to a misdemeanor and a sealed record (hooray mandatory 'youthful offender' status!).
The kicker? I'm out $2800 (lawyer, $100 fine, $200 surcharge) and all they've done is just slapped a crappy hologram that says "SECURE" on the card.
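The comment above describes a badge that carries the holder's ID number in the clear, so anyone who knows an ID can write a card that the reader accepts. As an added example, not code from this thread or from any system it describes, here is a small Python model of that weak design next to a hardened one: the issuer binds a per-card random nonce to the ID with an HMAC under a back-end key, so a forger who only knows the ID cannot produce a card that verifies. The directory, the key and the simplified Track-2-style layout (`;<id>=<data>?`) are all constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: a few badge holders (not from any real system).
DIRECTORY = {"10042": "dean", "20117": "student", "20311": "student"}
# Constructed back-end key; a real deployment keeps this in an HSM or secrets manager.
KEY = b"constructed-backend-key-for-illustration"


def parse_track2(track):
    """Split a Track 2 style record ';<primary>=<discretionary>?' into its two fields."""
    if not (track.startswith(";") and track.endswith("?")) or "=" not in track:
        raise ValueError("malformed track")
    primary, discretionary = track[1:-1].split("=", 1)
    return primary, discretionary


# --- Weak design: the badge carries only the ID number, nothing secret. ---

def issue_weak(badge_id):
    return f";{badge_id}=0000?"


def verify_weak(track, directory):
    badge_id, _ = parse_track2(track)
    return badge_id in directory


def forge_weak(victim_id):
    # Knowing someone's ID is enough: the forged card is byte-for-byte a real one.
    return issue_weak(victim_id)


# --- Hardened design: a random nonce bound to the ID by an HMAC under the issuer's key. ---

def _tag(badge_id, nonce, key):
    digest = hmac.new(key, f"{badge_id}:{nonce}".encode(), hashlib.sha256).digest()
    # Track 2 is digit-only, so fold the first 8 bytes of the tag into 12 decimal digits.
    return str(int.from_bytes(digest[:8], "big") % 10**12).zfill(12)


def issue_strong(badge_id, key):
    nonce = str(secrets.randbelow(10**10)).zfill(10)
    return f";{badge_id}={nonce}{_tag(badge_id, nonce, key)}?"


def verify_strong(track, key, directory):
    try:
        badge_id, discretionary = parse_track2(track)
    except ValueError:
        return False
    if badge_id not in directory or len(discretionary) != 22:
        return False
    nonce, tag = discretionary[:10], discretionary[10:]
    # Constant-time compare so a reader can't leak the tag byte by byte.
    return hmac.compare_digest(tag, _tag(badge_id, nonce, key))


def forge_strong_guess(victim_id):
    # Without the key, a forger who knows only the ID can do no better than guess the tag.
    nonce = str(secrets.randbelow(10**10)).zfill(10)
    guess = str(secrets.randbelow(10**12)).zfill(12)
    return f";{victim_id}={nonce}{guess}?"


def demo():
    """Outcome of forging the dean's badge against each design."""
    return {
        "weak_forgery_accepted": verify_weak(forge_weak("10042"), DIRECTORY),
        "strong_genuine_accepted": verify_strong(issue_strong("10042", KEY), KEY, DIRECTORY),
        "strong_forgery_accepted": verify_strong(forge_strong_guess("10042"), KEY, DIRECTORY),
    }


if __name__ == "__main__":
    print(demo())
```

The MAC only stops forgery from a known ID; magstripe data is static, so a card an attacker can physically swipe through a reader can still be copied verbatim. Stopping that needs a challenge-response credential (a smart card or similar), which is why the commenter elsewhere on this page notes that a real fix means replacing the cards and readers, not just slapping a hologram on the front.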
Admin
Are you kidding?? They make LAW books. You seriously do not think they would not sue for everything you have ever owned, and do their best to ruin your life ala Aaron Swartz?
Admin
A lot of people treat hackers (any kind of hacker) as complete criminals and are highly prejudiced against hackers like they are the scum of the community. Forget that the jailbreak on their phone was created by hackers; saying something as innocent as "that looks hackable" or "I can hack" completely blacklists you from being their friend, acquaintance or anything remotely related to them.
And most people in high positions think like that.
Sort of like how suggesting cheat codes to some gamers make them give you the dirtiest look in the world and lose all respect for you.
Also, it's like reporting a fault with the bank's security vault (i.e. you can open it without authorization, outside the allowed hours). You will be investigated and charged with stuff... they can't tell what you stole, and why the hell were you snooping on how to open their vault (never mind that you are, for example, an expert locksmith hobbyist, i.e. a lock hacker, and you found it by accident).
Things like this can never go well. It's really sad though: jobs with virtually no workload, that allowed you to drink beer during lunch and weed too... and it seemed like it paid well and was a secure job if he didn't get fired for that. You could look for several lifetimes but I doubt you'll ever have it that good.
Admin
Wow, that's much like how I was once (almost) fired for pointing out a POS gift card bug. I pointed it out to a coworker, whipped up a couple of gift cards out of thin air, deleted them and went on my way. She, on the other hand, thought I was embezzling or something and I ended up doing some fancy talking to keep my job. At least for a while: they brought it up again when they fired me for "insubordination" a few months later.
Admin
I once demonstrated that you could easily get the stored login/password combos out of Firefox (if not using a Master Password). In my enthusiasm I had written a script that would look for computers in a certain subnet and show the plain-text result on-screen. With the same enthusiasm, I took quite a big range and exposed all information for about 180 users.
Imagine the management looking at 100s of lines showing user/website/login/password all in plain text. Imagine that some of these website were... funny. Imagine as well that the management was part of those users.
They thanked me for my demonstration and took measures, but I was kindly but firmly asked not to ever do this again or I would risk my job :)
Captcha: I wasn't OPTO something, really.