
The Firing Offense - Udo
http://thedailywtf.com/Articles/The-Firing-Offense.aspx
======
vidarh
The first security flaw I ever found was when the company I worked at used a
cookie with an "encrypted" customer ID as sufficient to authenticate to their
web app, which allowed you to access a lot of private details and run up
substantial bills for the company via various phone services (e.g. you could
easily use our APIs to dial 30+ premium rate numbers and let the bills rack
up...)

It was a big enough WTF that there was no nonce or time element to the
authentication, so that if you got hold of a cookie you could replay it
forever.

It was a bigger WTF that the "encryption" looked suspicious, and turned out to
simply be base64 of the customer ID.

In a triple whammy, the customer id that was "encrypted" was a sequentially
assigned integer, so it took me about 10 minutes to demonstrate that I could
access the accounts of everyone in the company and every customer simply by
working backwards from my own id.

Thankfully my boss at the time was smart enough not to play shoot the
messenger. They thanked me, and were somehow amazed that I'd figured out how
to "break" the encryption, and asked me to review their fixes, and we went
back and forth a few times until it was reasonably secure.
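
The two halves of the flaw described above, as an added illustration that is not from the thread: the base64 "encrypted" cookie beside a signed, expiring token of the kind the fixes would need to converge on. The secret key, TTL and customer ids are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret: a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 3600
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag


def weak_cookie(customer_id: int) -> str:
    """The thread's flawed scheme: 'encryption' is plain base64 of a sequential id."""
    return base64.b64encode(str(customer_id).encode()).decode()


def read_weak_cookie(cookie: str) -> int:
    """No key is involved, so whoever holds a cookie can decode and rewrite it;
    a neighbouring account is just a neighbouring integer."""
    return int(base64.b64decode(cookie))


def issue_token(customer_id: int, now: Optional[int] = None) -> str:
    """Hardened form: id plus expiry, bound together by an HMAC under a server secret."""
    now = int(time.time()) if now is None else now
    payload = f"{customer_id}:{now + TOKEN_TTL_SECONDS}".encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the customer id only if the tag is valid and the token is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token)
        if len(raw) <= TAG_LEN:
            return None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison; an edited payload fails here.
        if not hmac.compare_digest(tag, expected):
            return None
        cid, exp = payload.decode().split(":")
        # The expiry closes the 'replay it forever' hole from the story.
        if now >= int(exp):
            return None
        return int(cid)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def rewrite_customer_id(token: str, new_id: int) -> str:
    """Change the id inside a signed token while keeping the old tag, which is
    all a holder without the key can do; verify_token rejects the result."""
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    _, exp = payload.decode().split(":")
    return base64.urlsafe_b64encode(f"{new_id}:{exp}".encode() + tag).decode()
```

Walking the weak cookie back by one id succeeds with no key at all; the same edit on the signed token, or replaying it after the TTL, is refused.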

~~~
lostlogin
I just updated a colleague's registration to a medical imaging professional
body by working back from my own crap login/password which they chose. This
was done to save him some time on a busy day. I noticed that his user ID was
just a few digits different to mine so tried the same increment on the
password. Surprise! I'm not sure how much damage one could really do, but deep
frustration could easily be inflicted.

------
rdl
Some companies haven't stopped at firing and have actually pushed for criminal
prosecution.

[http://w2.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case...](http://w2.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case.intro)

<http://en.wikipedia.org/wiki/Randal_L._Schwartz>

~~~
vidarh
Randal Schwartz and the Intel VP with "Pre$ident" as a password was the first
thing that sprung to my mind too.

~~~
rdl
Randal is also a great example of someone who used adversity to become greater
-- from "oh, shit, my legal bills are hundreds of thousands of dollars" he went
out and did a lot of high-value consulting, becoming even better known as one
of the best Perl developers out there.

~~~
ceautery
He's also a good example of how a cult of personality can adversely affect
one's humility.

------
speeder
Once I decided to make my final.university assignment with Game Maker, and
I.bought two copies for me and one for a teammate.

The thing started to refuse to launch after an update on Windows, and this
started a long talk with their helpdesk and people in forums. Eventually I was
convinced the bug was in their DRM, found a cracked.version, and indeed the
cracked version worked just fine.

I told this finding to the helpdesk, hoping they would fix it, or at least say
sorry...

Their reaction was to call me a filthy pirate, delete all my support tickets, and
after I wrote.the whole tale on.the forums they quickly hellbanned me, by
removing all permissions.instead of.banning me, so other users.think.I left,
not that I was banned.

~~~
Udo
Offtopic, but this is the second comment of yours where many space characters
have been replaced by random periods. It really makes your posts more
difficult to parse. Did you get a new keyboard or something? ;-)

~~~
shrikant
I'm guessing they're typing comments on a mobile keyboard, where the period
character and the spacebar are right next to each other. With the sort of
keyboard software that doesn't auto-capitalise.

~~~
speeder
I am using a.android, the WiFi of the place I live broke, and thus I need to
use mobile 3g, also HN behaves really badly on mobile, I have to type
everything in one go, if I close the keyboard to see errors in the form, it
does not open in correct place anymore.

~~~
orangethirty
I'm also on an android, and can confirm the keyboard to be shit. This took too
much effort to write.

~~~
mintplant
Try SwiftKey [1]. I've never looked back.

[1]
[https://play.google.com/store/apps/details?id=com.touchtype....](https://play.google.com/store/apps/details?id=com.touchtype.swiftkey.phone.trial&feature=more_from_developer#?t=W251bGwsMSwyLDEwMiwiY29tLnRvdWNodHlwZS5zd2lmdGtleS5waG9uZS50cmlhbCJd)

~~~
orangethirty
I did after you recommended it. It is light years ahead. Thank you.

------
jmadsen
Shocking how common this reaction is from people.

I used to play an online soccer manager game. One day I found out -
essentially because I had copy/pasted a bit of buggy javascript into their
homebrewed forum to help them spot the bug - that the forum itself would
execute any javascript a user put into their posts.

Alarmed, I notified everyone I could think of. And waited. Knowing these guys
were infamously non-responsive, and that this was a pretty bad issue, I then
posted about it for everyone to read to raise an uproar and get their
attention. Which it did. And we all waited.

Finally, I posted a small script that popped up an alert with "You've just
been infected by a nasty bug", put it in a few places with "tasty" subject
lines to get people to click & read it.

Oh, they fixed the bug. I also received from the non-technical Forum
Moderators - real quotes, I kid you not:

-- one week forum ban for "taking advantage of a bug" because "someone had to
be punished for this"

-- one week forum ban for "spamming the forum" (I had posted that I had a great
player for sale to get clicks, then explained the security flaw instead in the
post)

Users were outraged at the bug; moderators of the forum were outraged that I
had caused such a PIA by causing all these popups when they were trying to
browse the (insecure) forum.

~~~
aidos
I'm going to go out on a limb and say that it sounds as though your behaviour
wasn't very responsible. Fair enough - there was a bug, it needed to be fixed.
Bringing it to the attention of everyone in the way you did doesn't sound very
mature.

Obviously you thought it was urgent and maybe the admins weren't being
responsive enough. You have to keep in mind that priorities vary. Always keep
in mind, there are real people on the other end who have to deal with this.
What if your actions dragged an unhappy parent away from a sick child to deal
with a PITA who thought his issue was so important as to demand immediate
attention?

~~~
TeMPOraL
> _Bringing it to the attention of everyone in the way you did doesn't sound
> very mature._

It's how security disclosures work if the vendor is not cooperative enough to
fix the broken stuff. It's better to get the bug fixed silently, but if you
can't get that, then for users it's better to have the problem known widely to
public and thus fixed on short notice than for it not to be fixed for a long
time, risking exploitation by malicious individuals.

> _What if your actions dragged an unhappy parent away from a sick child to
> deal with a PITA who thought his issue was so important as to demand
> immediate attention?_

It's not OP's problem. One can't take responsibility for everything people will
do because of a comment one wrote. Otherwise you'd have to bill me for the
time you spent reading this comment instead of working.

------
dylukes
Amusingly, I had almost this exact experience in middle school.

I'd figured out that the barcodes used on our school lunch cards were just
plaintext for our ID numbers. With minor cooperation from a nice lunchlady, I
discovered that there were a couple very low numbers (e.g. 00000001) that had
effectively infinite funds. Presumably they had been used for testing or
something.

I brought this to the attention of the school's tech guy, who thought it was
very cool and said he'd go tell the administration so he could get permission
to fix the issue.

Of course, being a middle schooler with access to a card printer, I also took
this opportunity to reprint my lunch card with an identical design and
barcode... And a Chuck Norris photo.

The administration asked to speak to me and I assumed I'd be thanked for
finding an easy vulnerability that could have been losing them funds.

Instead I was told I would be expelled or at the very least suspended for a
month, and that they thought this constituted a felony and identity theft.
Ridiculousness of those claims aside... I ended up getting away with weekend
detention after my parents and the tech guy stood up for me.

~~~
tomjen3
Personally I am convinced that the purpose of the US educational system is to
prevent kids from having a single creative thought, at least until they are
adults and can be bullied into being average.

~~~
megablast
Not sure how you get this. There are plenty of people, like the others
mentioned in these comments, who simply do not know how to react when
presented with a security problem.

They simply overreact and lash out.

~~~
tomjen3
Oh add the girl who was thrown out of school for blowing up a bottle, simmer
for a few minutes with other anecdotes from HN, season with
<http://www.paulgraham.com/nerds.html> and
<http://www.paulgraham.com/hs.html>.

------
brokentone
We had a very similar situation at my college. ID cards with mag stripes were
used for a lot of stuff - meal plans, restricted access academic areas, and
housing. I had an inkling that these were pretty insecure, so I read mine and
found that the mag stripe had a zero padded ID number, issue number, and a
single digit XOR checksum. Through a separate issue, I was able to learn most
students' IDs in the student intranet system. Also, all this info was printed
on the front of the cards, which students did not secure well.

I built myself an arduino mag spoofer:
<http://lifehacker.com/5677465/diy-arduino-magstripe-emulator> and figured out how to iterate through the issue
numbers. Got into someone's apartment with their permission, then went to the
IT people.

The lead IT guy was cool (we had a friendship from my first day there), asked
me to read his card and we went and opened the server room. He escalated it up
the chain. Not sure if it was ever replaced with something more secure
(doubtful).

------
binarymax
During college I interned in a lab for a physical security device company that
I will not name. They had state of the art magstripe readers/encoders, motion
detectors, and all kinds of really cool stuff. One slow day we all decided to
have a bit of fun with the magstripe encoder, and I changed my Wegmans
Shoppers Club card to show the name 'DANNY WEGMAN' on the till whenever it was
swiped. Aside from being admired by my younger brother that I had such powers,
not once did a cashier notice.

------
btipling
We ought to recognize that others may not understand how to respond to
security vulnerability reports. We can use this knowledge to be a little bit
more wise in our own behavior.

The best approach may be if you are unsure as to what the response will be
when you feel like you need to disclose a security vulnerability is to do so
anonymously.

~~~
josso
Definitely anonymously and with a hash of a secret message to prove it was
you, in case there'll be a bonus.

~~~
btipling
If they don't understand responsible disclosure I doubt they will understand
hashing.

------
sstarr
I was once contracting at a company which developed software for the police
and other emergency services. The server rooms all had electronic card readers
on the doors so that only people with the right security clearance could get
in.

One day there was a power cut which meant that all the card readers stopped
working and we couldn't open the server room doors. After ten minutes of
scratching our heads and worrying about the UPS batteries running out, someone
had the bright idea of dragging a desk next to the door, moving a couple of
ceiling tiles and climbing over the partition wall.

The guy didn't get fired but I'm not sure if that particular vulnerability was
ever fixed.

------
SeanDav
This seemingly makes no sense and yet it is far from the only case I have come
across.

If ever you find yourself discovering a security flaw then just pretend you
never discovered it and tell no one. If you really want to be a concerned
citizen - report it anonymously.

~~~
droithomme
This is my position as well. History is replete with examples of people being
punished harshly for reporting security problems. In the Randal Schwartz case,
discussed in a link above, he was working for Intel and doing routine best
practices security testing there that got him arrested and convicted. So even
if you are working with complete authorization, if you have political enemies
or just clueless people around, they can make the argument that you are the
bad guy.

So stay quiet and let the real bad guys figure it out.

There are also many who make reasonable incomes selling exploits on the black
market.

------
jonknee
This is the same reason why credit card skimming still works in the US (no
chip + pin here).

I got a magstripe reader for a project and had some fun swiping various cards
and seeing what was contained. My drivers license had the number and my
address which was interesting. The only cards I came across that weren't
obvious plain text were hotel keys.

~~~
UnoriginalGuy
I am still surprised there is no chip & pin in the US, plus now they're
rolling out "insecure by design" RFID chips so you can steal from someone
without having to touch them...

Even their ATMs are defective by design, they spit out the cash before the
card so a LOT of people leave their cards behind at the ATM, when this issue
was solved like 20 years ago in the UK by spitting out the card first and
beeping until you took it.

~~~
3minus1
Bank of America ATMs spit the card out first.

~~~
protomyth
So does Wells Fargo and the local credit union only has the swipe machines for
the same reason.

------
notacoward
Here's a crazy idea. What would be the legal realities of putting the
disclosure details under copyright, with a license (similar to a software
license) that prohibits retaliation? Would it be possible? Would it work? I
suspect that it would run into the same problems as shrink-wrap licensing,
plus conflict with employment contracts which would deny the right to place
such information under one's own choice of license, but maybe someone else can
think of an angle that at least provides some benefit.

------
daigoba66
So here is a real-life version of this story:

[http://web.archive.org/web/20061205043511/http://nique.net/i...](http://web.archive.org/web/20061205043511/http://nique.net/issues/2003-04-18/1)

<http://en.wikipedia.org/wiki/Billy_Hoffman>

I met him while at Georgia Tech; he's an incredibly bright person.

------
deckar01
Director: Hey, the IT guy hacked our ID badges.

Dean: The pothead in the server room? I told you to fire him weeks ago.

------
deluxaran
Unfortunately there still are persons that view those that find security flaws
in products, and report them, as a threat to the stability of the world, like
if the problem is an insult to them. Never got to understand them.

~~~
Tycho
I wonder if they read it as blackmail. Like imagine you received a phone call
from a stranger saying 'Your house alarm is insecure. Someone could break in
at night if they wanted to. You might want to think about that.'

~~~
smtddr
This, or somebody is making a lot of money selling flawed security
infrastructure and doesn't want anyone to find out.

But yeah, Do... Not... Report... security issues unless-

1) The company has a history of being "chill" with that kinda thing: e.g.,
Facebook, Mozilla, Google, etc.

2) You do it super-anonymously. Like, drive 3+ hrs away to a college campus
you've never been at. Go into their computer lab when it's really busy. Create
a new Yahoo email account with a name that is opposite from any hobbies you
have, through a proxy in another country. Send them an email not using your
regular grammar style. Stay in the lab for 3 hours, send the email during the
2nd hour. That way, if there are any cameras in the room they won't just see
one person walk in and walk out within the 5mins the email was sent. Then
leave the lab and never return, never log into that email account again....
ever.

~~~
welterde
Or just use mixmaster or i2pmail. (also.. don't they have user accounts in the
computer labs?)

~~~
deluxaran
That depends on what internal rules apply to the said university. For example
the university that I've attended forced us to log in on Windows via LDAP but
you could connect on Linux without any problem without any account.

------
Vivtek
A much milder version of this happened to me once. I accidentally discovered a
rootkit on the server of one of my customers and reported it. Their initial
knee-jerk was to ask me why I thought I had the right to put a rootkit on
their server.

------
peterkelly
I think the university in question deserves to be named.

------
codeulike
It seems quite elaborately made-up but that does help to illustrate its point
more effectively.

------
fredsanford
This can be summed up in a few words.... Lazy, incompetent management sucks.

Is this why most layoffs start with middle management?

------
jrochkind1
This is pretty much what working in university IT is like, yeah.

The less work you do, the more you'll keep everyone happy, and the higher your
job security. If you try actually getting anything done, you will make people
mad and lower your job security.

I suspect this is true in many/most large organizations, not just
universities, yeah?

------
jimmaswell
There need to be employee protection laws for cases like this.

~~~
androidb
Only if this case is real.

------
JoeAltmaier
Straw man. Citation?

~~~
UnoriginalGuy
That isn't what a straw man is...

A straw man is typically used to indicate that you think someone has
misrepresented your position, and then attacked the misrepresentation rather
than the real position you hold.

For example:

A: The world looks flat because you cannot see over the horizon.

B: THE WORLD IS NOT FLAT! THIS HAS BEEN PROVEN TIME AND TIME AGAIN! I mean if
the world was flat how would satellites work? Idiot.

A: I never said the world is flat. I said the world LOOKS flat.

B: Are you an idiot? The world is NOT flat. This has been proven time and time
again, you can literally sail around the world on a cruise ship...

A: That's a nice straw man you have there. Let me know when you win the
argument with yourself about the flatness of the world...

~~~
stevewilhelm
Odd, I use straw man to mean an initial proposal. [1]

<http://en.wikipedia.org/wiki/Straw_man_proposal>

------
obviouslygreen
...are you people kidding?

Of course things like pirating people's software or publicly posting an
exploit is going to result in some sort of ban, if not worse! Has human nature
and its long history of overreaction just escaped everyone lately?

It's not great, but it's reality. If the only fix available to you is piracy,
pirate and go about your business... if they're ignoring the exploit you've
reported, making it public isn't nearly as likely to help anyone as it is to
turn you into a whipping boy.

Of course, if you don't mind these consequences, go for it. But I don't see
how you could possibly fail to foresee the potential backlash.

~~~
jonknee
> Of course things like pirating people's software or publicly posting an
> exploit is going to result in some sort of ban, if not worse! Has human
> nature and its long history of overreaction just escaped everyone lately?

Did you read the article? He told his boss that he thinks the security badge
system had a big flaw. His boss agreed but then fired him. No software was
pirated and nothing was publicly posted.

~~~
Scottopherson
I dunno, I did interpret: "There was the 16 core workstation that he installed
“borrowed” copies of several computer games on" as installing pirated games.

He definitely didn't make the security flaw public though.

