
Security Researcher Assaulted Following Vulnerability Disclosure - wglb
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/
======
saagarjha
With articles like this, I often take out the horrible thing that the
company is doing and post the quote to Hacker News, to give a sense of the
scale of the issue; in this case me trying to do so would require including
the majority of the article. It’s _that_ bad. And yes, apparently the company
thought it was ok for the COO to physically assault security researchers at a
conference.

~~~
tacon
One of the Glassdoor reviews mentions the COO getting wasted at tradeshows, so
maybe the assault is just normal behavior for him.

~~~
clubm8
Weird, I've gotten "wasted" at tradeshows but never assaulted anyone :)

~~~
JabavuAdams
Angry drunk vs. happy drunk is a good zeroth-order personality test.

~~~
clubm8
> Angry drunk vs. happy drunk is a good zeroth-order personality test.

And to be fair even "happy drunk" can be unprofessional in the wrong context.

But I think anyone who judges someone for how they act in a bar, after dark,
and the concern is they were too _jovial_ (absent some kind of sexual
harassment or belting out racist jokes) is not someone I'd want to work with
anyways.

------
cody8295
I was once fired from a state job (USA) for bringing a vulnerability forward
in the online ethics training. You can run "setScore(100, 0, 100)" in the
developer console and pass the exam without actually taking it. (The state
used a third party online exam provider who I contacted). I was fired by the
end of the week.

~~~
saagarjha
In that case you fail the test for showing a lack of ethics ;)

~~~
excalibur
I would say the state failed the ethics test for firing him.

------
Animats
Now that this is out in the open, I wonder how much longer Atrient will stay
in business. These people sell these systems to casinos. Their customers are
not going to like this at all.

Atrient mostly handles affinity cards and such. So they have lots of info
about customers, including drivers license scans[1], but not much of a
connection into the casino's main systems. A basic break-in might get you a
suite upgrade or free booze. A more ambitious attacker would obtain the
casino's customer list, with enough info to identify big losers and big
winners.

[1] [http://www.atrient.com/products/card-printing-enrollment/](http://www.atrient.com/products/card-printing-enrollment/)

~~~
technion
Regarding a "casino's main systems"...

Going back a few years I was involved with a gaming organisation. We were
advised that certain activities legally had to be air gapped (we are not in
the US), and I raised an issue of how it is that servers could be accessed by
VNC (single dictionary word password) over the Internet if that were the case.

I was advised that the server was installed in a rack with 1RU of space
between it and the router connecting it to the internet, and that lawyers had
reviewed it and considered that to meet the legal definition.

I strongly suspect you'll find core activities just as vulnerable.

------
whyisthewhat
This is not the first time Atrient has been sloppy with the details of their
NDAs, nor the first time Jessie Gill has gotten in trouble for being a touch
too eager to get physical.

[https://www.leagle.com/decision/infdco20180828d81](https://www.leagle.com/decision/infdco20180828d81)

~~~
corebit
Hahahaha, how terrible is Atrient's lawyer, Mark E. Ferrario, for filing a
complaint _that didn't even allege a cause of action_?!

He just asked the court to do some random stuff without arguing a case. The
whole opinion is just, "Plaintiff didn't allege anything, so dismissed".

------
bredren
To assault a programmer on the floor of a conference and expect to get away
with it says a lot about what this person has likely gotten away with in their past.

~~~
Keverw
Yeah, especially a tech conference. Everyone has phones with cameras, vloggers
and journalists covering things.

I know there are stories of casinos in Vegas breaking people's legs for
cheating, but I guess that doesn't happen anymore since big corporations run
them now with too much to lose. Plus if that ever happened and went viral, it
would hurt their business.

------
YjSe2GMQ
If you (like me) didn't know what a Shodan safari is, you're in for a fun
ride:

[https://techcrunch.com/2019/01/21/shodan-safari/](https://techcrunch.com/2019/01/21/shodan-safari/)

~~~
jstanley
Without Oath's abusive GDPR wall:
[https://outline.com/JF28AH](https://outline.com/JF28AH)

~~~
justaj
It's quite ironic that I can view the techcrunch.com link without JS just
fine, but the outline.com link requires me to allow JS on at least 2 domains
before viewing the content.

------
meritt
Disclosing security vulnerabilities that aren't part of a bug bounty program
takes a large amount of either courage or ignorance. Until there are
protections in place for a given jurisdiction, far safer to leak it
anonymously or just stay quiet. I was surprised that GDPR didn't contain any
sort of protections for security researchers. The fines collected are hefty
enough they could easily run a very successful bug bounty program.

~~~
3pt14159
I agree with you, but it isn't a clear cut issue. Attacking a server right now
comes with _some_ legal risk, which is a deterrent to some. It's impossible to
tell white hats from black. If it were paired with a law that made it a felony
to resell vulns to third parties then it would be much more robust.

~~~
jplayer01
The only way you're going to reduce the amount of vulnerabilities being sold
on black markets is to provide sufficient financial and social incentive.
There are enough people with dubious morals who don't care how illegal it is
to find and exploit them, who will eagerly take the biggest payday. Combine no
guarantee you'll get paid, poor treatment by authorities and employers and the
(albeit low) risk of getting your shit kicked in, I'm not surprised people
aren't lining up at the door to report vulnerabilities.

~~~
3pt14159
I agree completely, but the issue is that the vulnerability value is
asymmetric. It's about $1m to get an iPhone no-click RCE. Up to about $4m for
one with a seemingly long shelf life. Apple is not going to pay $Xm for their
bug bounty.

That said, that there will be _some_ that continue to engage in illegal
activity doesn't mean we shouldn't make it illegal in the first place. I'd
even be in favour of treating certain classes of vulnerability sale as an act
of terrorism or treason or arms export violation.

I know it is hard, but we have to try to solve this.

~~~
jplayer01
Yeah, I'd rather not make security research any more taboo and frowned upon
than it already is. Regulation should be put towards forcing companies to put
bug bounty programs into place and forcing companies to put the necessary
money into it, not disincentivizing the absolutely crucial and important work
that researchers do. Apple can easily afford it.

~~~
3pt14159
I agree that regulation should be put into place, I've blogged about it in the
past and I've argued that it should scale with number of affected users, but
that doesn't mean we shouldn't make certain acts illegal. Selling an iOS 0day
to the Saudis should be illegal.

------
AndrewKemendo
Casinos have such a large attack surface that they should be thanking anyone
and everyone who exposes any vuln.

------
penagwin
So is this still a vulnerability? Time to do some more digging boys!

~~~
saagarjha
In the off chance that you're serious, this sounds like a great way to land
yourself in federal prison.

~~~
WrtCdEvrydy
> a great way to land yourself in federal prison.

For what? Checking shodan and seeing that people don't know how to write
secure code.

~~~
pm90
Dude, just don't.

I get the excitement of knowing how easy it is to do this stuff. But US
Federal Laws can be interpreted in creative ways to throw you in Federal
Prison. And I think that will continue to be the case until American society
(the Jury, in US) learns more about how these things work.

------
a3n
Wouldn't the Nevada Gambling Commission be interested in this?

~~~
rhexs
I mean, maybe, but do you really think they have some sort of well-staffed
cyber-division that would 1. understand this and 2. know what to do with it?
My guess is they're still operating like it's the 1980s. Hopefully I'm wrong!

Curious that the FBI now does vulnerability coordination. Haven't ever heard
that before.

~~~
reaperducer
_do you really think they have some sort of well-staffed cyber-division that
would 1. understand this and 2. know what to do with it?_

1. Yes. 2. Also yes.

The Nevada Gaming Commission, all of the big casino companies in its state,
and the companies that make the gambling machines, are quite remarkable,
technologically speaking.

Sometimes I think the terrible web sites they have for hotel reservations are
just a smokescreen.

~~~
dylan604
> Sometimes I think the terrible web sites they have for hotel reservations
> are just a smokescreen.

Captain Obvious says he'd imagine that the amount of money brought in from
room reservations is a drop in the bucket to what is made on the casino floor,
hence the comping of rooms for players. The money spent on reservations vs
protecting the gaming would be in proportion to that.

Maybe Captain Obvious is being a bit simple minded, but makes sense.
Everything about the hotel is geared to get you to lose your money in the
casino.

~~~
reaperducer
_Everything about the hotel is geared to get you to lose your money in the
casino._

That's last century thinking. Gambling's influence on the bottom line
domestically is waning.

These days it's all about entertainment, clubs, and restaurants. That's why
every casino in Las Vegas is falling all over itself to build new sports and
entertainment arenas, and paying huge bucks to put celebrity chef names on
their restaurants.

~~~
dylan604
That sounds like the mindset they must have used when they had the "Vegas is
family friendly" ad campaign. That failed, and the "What happens in Vegas"
campaign took over. I would have a hard time believing concerts, magic shows,
celeb chefs generate the same kind of money that the casinos and sports
betting brings in. However, if you have something that backs that up, I'd
definitely be willing to read it and change my view.

------
jstanley
> Because there is no SSL protection and because the API is wide open and
> vulnerable to abuse, it is possible to identify kiosks by their Mac address

Eh?

~~~
ScottBurson
It should have said "MAC address" [0]. Nothing to do with Apple Macintoshes.

[0]
[https://en.wikipedia.org/wiki/MAC_address](https://en.wikipedia.org/wiki/MAC_address)

~~~
jstanley
That still doesn't make any sense to me in the context of the rest of the
sentence.

~~~
bashinator
Possibly, existing kiosks are registered by MAC address in the API. By
querying the API for registered kiosks, you can pretend to be one by spoofing
the MAC.

~~~
chopin
I still don't understand it, TCP/IP doesn't transmit MAC addresses. Your
knowledge of it ends at the next router... Therefore you definitely can't
authenticate/authorize by MAC address.

~~~
paranoidrobot
> Therefore you definitely can't authenticate/authorize by MAC address.

I would be entirely unsurprised to see that the device is calling out to the
API with its MAC address as some kind of authenticator.

eg:
[http://foo.example.com/api/prizes?id=xx:xx:xx:xx:xx](http://foo.example.com/api/prizes?id=xx:xx:xx:xx:xx)

~~~
stephenhill
I've used quite a few systems where the MAC address is used as a secondary
password to verify that someone didn't just steal the hard drive out of a
kiosk.
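
The design paranoidrobot speculates about (a client-supplied MAC in the query string acting as the credential) next to a hardened variant, as an added example that is not from the thread, Atrient or any vendor: the MAC stays a device identifier only, and a per-device key plus a server-issued nonce carries the authentication. The kiosk registry, keys and parameter names are constructed; the `/api/prizes` path is taken from the example URL above.

```python
import hashlib
import hmac
import secrets

# Constructed kiosk registry (example data). In the weak design the MAC is
# all the server knows about a kiosk; in the hardened design each kiosk is
# also provisioned with its own secret key at enrollment time.
KIOSK_KEYS = {
    "00:11:22:33:44:55": b"constructed-per-device-key-1",
    "66:77:88:99:aa:bb": b"constructed-per-device-key-2",
}


def authorize_weak(params):
    """Weak check: accepts any request naming a registered MAC.

    The MAC is sent by the client and is visible to anyone on the same
    segment or who can read the API traffic, so it is an identifier that
    anyone can present, not proof that the caller is that kiosk."""
    return params.get("id") in KIOSK_KEYS


def issue_nonce():
    """Server side: a fresh random challenge for each request, so a captured
    tag cannot be replayed against a later request."""
    return secrets.token_hex(16)


def sign_request(mac, key, nonce, path):
    """Kiosk side: HMAC-SHA256 over nonce, MAC and path with the device key."""
    msg = f"{nonce}|{mac}|{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize_hmac(params, nonce, path):
    """Hardened check: the MAC selects the device record, the HMAC tag proves
    possession of that device's key for this nonce and this path."""
    mac = params.get("id")
    key = KIOSK_KEYS.get(mac)
    if key is None:
        return False
    expected = sign_request(mac, key, nonce, path)
    # Constant-time comparison so tag verification leaks no timing signal.
    return hmac.compare_digest(expected, params.get("tag", ""))
```

A production deployment would additionally bind the nonce to a short lifetime and reject reuse, and run the whole exchange over TLS; the block shows only the authentication step the thread is arguing about.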

------
michaelmrose
Such behavior needs to lead to jail time and not just a trivially payable fine
so that the rich like the poor understand that wrongdoing has consequences.

------
craftoman
We should not forget the 18-year-old Hungarian "hacker" that was arrested
for opening Dev Tools and modifying HTML values.
[https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-...](https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-for-pressing-f12/)

------
jeddhor
Wonderful man, this Jessie Gill.

[https://www.leagle.com/decision/infdco20180828d81](https://www.leagle.com/decision/infdco20180828d81)

------
gene_vache
Does anyone figure this guy is connected and the third party contractors hired
to program the kiosks were some student working from home in his off time?

------
LaserToy
This one does deserve to be called a vulnerability. It is plain stupidity.

------
Abimelex
People are complaining a lot about GDPR here, but such a case would definitely
lead to a fine of 4% or 8% of Atrient's revenue.

~~~
topkai22
Konami is at huge risk, too, as it sounds like they were the global
distributors.

------
helios893
So open season on Atrient?

------
techslave
g’bye atrient. we hardly knew ye.

------
heyjudy
Play stupid games with mafioso, win stupid prizes. (Pun intended.)

------
nodesocket
While the behavior of Atrient and specifically Jessie Gill is absurd in terms
of working with the researchers to address the issues and pay the bounty, I am
always skeptical of these captured videos. We don't have any context of what
was said before and what the communication between the researchers and Atrient
was like other than their accounts. Maybe I am just being cynical, but I've
personally had interactions with security researchers who are extremely
arrogant and on a vendetta to show how smart they are, and drift from white
hat to grey or in some cases black hat territory.

~~~
nereus18
I personally (and unfortunately) know Jessie Gill of Atrient. I have to, for
work purposes. The way his interactions and comments/quotes were described in
that article were exactly things that he would say and do. He's a pretty
violent guy actually. And the way he's acting in that video, only saying, "I
don't know you" and sitting down, he knows he needs to watch what he says
because there are a lot of things that that video could tie to later. Anyway,
I wasn't there so I can't be 100% sure of anything, but I have known Jessie
for years, hell I've been to his house several times, and the behavior is spot
on.

~~~
me9187
Hello! Thanks for this comment. Would you be able to contact me on Twitter
@me9187 (this account is mentioned in the secjuice article for verification)
and tell us a little bit more about your experiences?

~~~
nereus18
Unfortunately I can't risk being caught in Jessie's sights right now. He has a
way of twisting things into his favor and always seems to get himself out of
trouble by turning it on someone else. I have been following this story though
and I may contact you in the future. Thanks, and sorry.

