

Ask HN: Found security vulnerability at work. Rebuked. Was I wrong? - throwaway_null

Obviously this is a throwaway account.

OK, so I have a question about security testing and whether or not I crossed a line...

I work at a very small company and we have a test environment running on virtual machines firewalled off from the rest of the network, running under another dev's desk. I have to jump into another server first to get into this environment, and the only sensitive data is our source code (all customer data has been wiped from this replicated environment).

When I read about the following vulnerability I decided to test it out on our environment:

http://seclists.org/fulldisclosure/2010/Oct/257

I know I'm acting like a script-kiddie because I only understand some but not all of the vulnerability, but I decided to try it anyway and lo and behold it worked.

I e-mailed my manager and let him know of the issue and told him about the mitigation strategies mentioned in the bulletin. I was hoping to get some credit and maybe a pat on the back (even though this is a relatively low concern - requires ssh access). Instead I was told that I risked termination and I should tell someone first.

My manager did not realize that I told him it was our dev box that I tried it on. Once I pointed that out again he said it didn't matter. This is on a box we are told we can test anything on because we can just roll back to an old snapshot of the machine.

Was I being too brash? Am I a total idiot for trying this? I should point out that I have sudo on every server in our environment... I was not breaking into something I am not authorized to be logged into. Security is supposed to be important at our company. I thought I was doing the right thing by finding a threat we are theoretically exposed to, reporting it, and finding a mitigation strategy.
======
tptacek
It _wasn't_ smart of you to run an exploit you didn't understand on a box you
didn't control. In this case, there was virtually no risk that you could have
destabilized the machine. But for many of the last several years' Linux
privilege escalation bugs, that isn't the case; they involve corrupting kernel
memory, and while the odds of them going seriously awry are remote, they aren't
nonexistent.

To put this in perspective: assessing the security of app servers is my day
job, and I would typically ask before running a privilege escalation exploit
on a box I had gained access to.

Your boss overreacted, but unlike the rest of this thread, I don't think there
are tea leaves to read. Had you done this on a prod server, your boss might
have even been right.

~~~
throwaway_null
Thanks! I was hoping to hear from you on this thread. You're absolutely right,
of course.

I would never have run this exploit on a production server, but considering
that I didn't ask permission to do it at all, he has reason for concern! His
main point was that I should at least let someone know so it is known that my
purposes aren't nefarious.

Thanks for the input and giving me perspective on the situation.

------
tankenmate
Two points:

1) Most distributions will have patches for this in short order, so unless
your customers are running on unsupported versions they will be fine once they
update. If they aren't on supported versions, if you roll your own version, if
ssh access is something your clients provide, if they are high profile
targets, if they have staff with poor password hygiene, then you may have a
problem.

2) Given your manager's response, you may want to give serious consideration
to moving to somewhere that rewards initiative and forethought.

------
jacquesm
I think it's time for you to move on to a place where your dedication to the
job is more valued.

------
bayareaguy
I would hope that the experience of Randal Schwartz[1] would teach all
presumably well-intentioned people to always obtain clear and explicit
authorization before doing _any_ security testing in a work environment.

1- [http://www.theinquirer.net/inquirer/news/1042534/intel-hacker-has-conviction-expunged](http://www.theinquirer.net/inquirer/news/1042534/intel-hacker-has-conviction-expunged)

------
anigbrowl
I think your manager is wrong. If you get pushback about it and are not
getting anywhere with your logical argument, you could always counterattack by
asking why there isn't a clearly defined security policy in place already (I
assume there isn't, but of course you should check that before doing anything
else).

------
nessence
Unfortunately, this is a common response from upper management.

In larger companies, one way to get around this, is to go to Human Resources
instead of your chain of command. Let them anonymously handle this issue. If
your company doesn't take action then you can continue discussing the matter
with HR until it's resolved.

If the company isn't large enough to have an employee handbook and HR, then you
could report to an officer of the company and note that you wish to remain
anonymous and that you're genuinely concerned about company security.

You could also consider requesting a meeting with officer+manager or
HR+manager and disclose to both at the same time.

I don't see any company in their right mind firing you if you do this -- and
are genuinely concerned for the security of your employer and its clientele.

~~~
tptacek
I would definitely not take this issue to HR. HR is not there to help you.
Mostly, they're there to screw you out of a little bit more of your health
insurance benefit every year. Escalating this above your manager is really
just an opportunity to brand yourself "high drama".

You really ought to just have a conversation with your manager where you
acknowledge that you have just learned that he doesn't want you testing the
dev server for security vulnerabilities, and then you ask him what the most
effective way is for the company to channel your interest in security.

------
lukevdp
Sounds to me like you were being proactive.

Get 5 minutes with him, bring up the topic and ask him why?

His reaction was probably symptomatic of another issue. By talking to him you
can either figure out what you did wrong or hopefully get to the bottom of the
issue that caused the reaction.

------
SHOwnsYou
If your job isn't to handle security, this may be slightly overstepping your
bounds (ie taking time away from whatever you do to toy around with the latest
exploits).

Probably better to give it to the people in charge of security.

If that person is your boss, then you have a dilemma. Either your boss doesn't
fully understand what happened or perhaps the bug you found undermines his
security work and he viewed your testing it as a sign of insubordination.

I'm sure your company is open to this sort of thing, but send it through the
proper channels. If there aren't any proper channels, this would be a good
time to ask around to see if something can be created to handle situations
like these when they come up.

------
wpeterson
Finding security vulnerabilities can be helpful for an important system.

It sounds like this is just a test/staging box inside the network. What's the
threat to a system like that, that it's worth your boss or your time?

I agree with other commenters that running privilege escalation exploits on a
system that DOES matter would be even worse, due to the potential for side
effects and damage.

Good curiosity and energy, but you can find a lot of better ways to channel
it.

------
mquander
It doesn't sound like your manager understands what you did.

