Security Researcher Assaulted Following Vulnerability Disclosure (secjuice.com)
399 points by wglb 16 days ago | 110 comments



With articles like this, I often take out the horrible thing that the company is doing and post the quote to Hacker News, to give a sense of the scale of the issue; in this case me trying to do so would require including the majority of the article. It’s that bad. And yes, apparently the company thought it was ok for the COO to physically assault security researchers at a conference.


One of the Glassdoor reviews mentions the COO getting wasted at tradeshows, so maybe the assault is just normal behavior for him.


Weird, I've gotten "wasted" at tradeshows but never assaulted anyone :)


Angry drunk vs. happy drunk is a good zeroth-order personality test.


> Angry drunk vs. happy drunk is a good zeroth-order personality test.

And to be fair even "happy drunk" can be unprofessional in the wrong context.

But I think anyone who judges someone for how they act in a bar, after dark, and the concern is they were too jovial (absent some kind of sexual harassment or belting out racist jokes) is not someone I'd want to work with anyways.


I was once fired from a state job (USA) for bringing a vulnerability forward in the online ethics training. You can run "setScore(100, 0, 100)" in the developer console and pass the exam without actually taking it. (The state used a third party online exam provider who I contacted.) I was fired by the end of the week.


I had to do "online traffic school" and noticed there were 2 JavaScript variables that were on a timer. If you set the variables correctly in the right order, the timer expired and it would let you go to the next page.

I spent the time figuring this out because I read exceptionally fast. When I've read a page in a few minutes and the timer forces me to sit there for an additional 13 minutes, I'm going to figure those things out. It was silly.


Edit: the vulnerability still exists on many online exam-styled pages.


Of course it does, half the fucking garbage software you use in a browser is using shitty client side validation.
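The pattern the commenters above describe, a score or a timer that lives in the browser and is trusted by the server as-is, can be shown beside the server-side version that ignores what the client reports. This is an added example in Node.js, not code from any commenter or from any exam product; the exam, answer key, pass mark and minimum reading time are constructed values.

```javascript
// Added example (not from the thread). A constructed three-question exam.
const ANSWER_KEY = { q1: 'b', q2: 'd', q3: 'a' };
const PASS_FRACTION = 2 / 3;   // constructed pass mark
const MIN_SECONDS = 600;       // constructed minimum time on the material

// Weak design: the browser computes the score (the "setScore(100, 0, 100)" case)
// and the server records whatever it is told. Nothing here looks at the answers.
function recordClientScore(submission) {
  const score = Number(submission.score);
  return { passed: score >= 100 * PASS_FRACTION, score };
}

// Hardened design: the server owns the answer key and the clock. The client sends
// only its answers; any score field in the submission is ignored, and a submission
// that arrives before the minimum time has elapsed since the server-recorded start
// is rejected, so client-side timer variables no longer matter.
const sessions = new Map();

function startExam(sessionId, nowMs) {
  sessions.set(sessionId, { startedAt: nowMs });
}

function gradeServerSide(sessionId, submission, nowMs) {
  const session = sessions.get(sessionId);
  if (!session) return { passed: false, score: 0, reason: 'unknown session' };
  if (nowMs - session.startedAt < MIN_SECONDS * 1000) {
    return { passed: false, score: 0, reason: 'submitted before minimum time' };
  }
  const questions = Object.keys(ANSWER_KEY);
  const answers = submission.answers || {};
  const correct = questions.filter((q) => answers[q] === ANSWER_KEY[q]).length;
  const score = Math.round((100 * correct) / questions.length);
  return { passed: correct / questions.length >= PASS_FRACTION, score, reason: 'graded' };
}
```

The difference to check for in any such product is where the grade and the elapsed time are computed: if the request that marks an exam as passed carries the score, or if the "next page" unlock is decided by a variable the page itself owns, the server has delegated the decision to the attacker's machine.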


Sorry you got fired from your old job. Sounds like your new job could be "pay a dollar to skip the exam."


Yeap. Kill the Messenger is the default setting. It's a miracle Snowden is still alive.


In that case you fail the test for showing a lack of ethics ;)


I would say the state failed the ethics test for firing him.


We don't have the full details but presumably this was on a single test at the beginning of the class.


I suspect you were fired for trying and using the vulnerability (which you no doubt did merely to confirm your suspicion of it) rather than for bringing it forward, which merely provided the evidence for the reason for firing.

Though you probably would have done better to report the problem through the state authorities overseeing the contractor (or the general government oversight agency, like the Bureau of State Audits in California) rather than the contractor, to whom your report was a threat of revealing their poor performance.

If nothing else, a report to responsible state authorities would be less likely to meet with someone with an incentive to sweep it under the rug (especially a general oversight body) and would be more likely protected by whistleblower protections, which most states have in some form.


Did you hire an attorney, or just move on with life?


Online CBTs like that are mostly honor system and there’s a zillion ways to get around them.


Now that this is out in the open, I wonder how much longer Atrient will stay in business. These people sell these systems to casinos. Their customers are not going to like this at all.

Atrient mostly handles affinity cards and such. So they have lots of info about customers, including drivers license scans[1], but not much of a connection into the casino's main systems. A basic break-in might get you a suite upgrade or free booze. A more ambitious attacker would obtain the casino's customer list, with enough info to identify big losers and big winners.

[1] http://www.atrient.com/products/card-printing-enrollment/


Regarding a "casino's main systems"...

Going back a few years I was involved with a gaming organisation. We were advised that certain activities legally had to be air gapped (we are not in the US), and I raised an issue of how it is that servers could be accessed by VNC (single dictionary word password) over the Internet if that were the case.

I was advised that the server was installed in a rack with 1RU of space between it and the router connecting it to the internet, and that lawyers had reviewed it and considered that to meet the legal definition.

I strongly suspect you'll find core activities just as vulnerable.


Well there was also this:

"...and that you could enter casino cash prize draws with as many entries as you wanted in order to win them, ..."


This is not the first time Atrient has been sloppy with the details of their NDAs, nor the first time Jessie Gill has gotten in trouble for being a touch too eager to get physical.

https://www.leagle.com/decision/infdco20180828d81


Hahahaha, how terrible is Atrient's lawyer, Mark E. Ferrario, for filing a complaint that didn't even allege a cause of action?!

He just asked the court to do some random stuff without arguing a case. The whole opinion is just, "Plaintiff didn't allege anything, so dismissed".


Geez, what a creep and psychopath. This is what happens when someone thinks that they are too rich to follow the rules of society.


To assault a programmer on the floor of a conference and expect to get away with it says a lot about what this person has likely gotten away with in their past.


Yeah, especially a tech conference. Everyone has phones with cameras, vloggers and journalists covering things.

I know there are stories of casinos in Vegas breaking people's legs for cheating, but I guess that doesn't happen anymore since big corporations run them now with too much to lose. Plus if that ever happened and went viral, it would hurt their business.


If you (like me) didn't know what a Shodan safari is, you're in for a fun ride:

https://techcrunch.com/2019/01/21/shodan-safari/


Without Oath's abusive GDPR wall: https://outline.com/JF28AH


It's quite ironic that I can view the techcrunch.com link without JS just fine, but the outline.com link requires me to allow JS on at least 2 domains before viewing the content.


How can outline legally host another website's content?


It is unbelievable what, to this day, is still directly connected to the Internet. Everything from pharmacy prescription systems, to large cargo ships in the middle of the pacific, to dam control systems.

Shodan is an awesome tool.


Also they have a free plan for anyone with an edu email, great way to kill a few hours in between studying!


best $50 I ever spent


Disclosing security vulnerabilities that aren't part of a bug bounty program takes a large amount of either courage or ignorance. Until there are protections in place for a given jurisdiction, far safer to leak it anonymously or just stay quiet. I was surprised that GDPR didn't contain any sort of protections for security researchers. The fines collected are hefty enough they could easily run a very successful bug bounty program.


I agree with you, but it isn't a clear cut issue. Attacking a server right now comes with some legal risk, which is a deterrent to some. It's impossible to tell white hats from black. If it were paired with a law that made it a felony to resell vulns to third parties then it would be much more robust.


The only way you're going to reduce the amount of vulnerabilities being sold on black markets is to provide sufficient financial and social incentive. There are enough people with dubious morals who don't care how illegal it is to find and exploit them, who will eagerly take the biggest payday. Combine no guarantee you'll get paid, poor treatment by authorities and employers and the (albeit low) risk of getting your shit kicked in, I'm not surprised people aren't lining up at the door to report vulnerabilities.


I agree completely, but the issue is that the vulnerability value is asymmetric. It's about $1m to get an iPhone no-click RCE. Up to about $4m for one with a seemingly long shelf life. Apple is not going to pay $Xm for their bug bounty.

That said, that there will be some that continue to engage in illegal activity doesn't mean we shouldn't make it illegal in the first place. I'd even be in favour of treating certain classes of vulnerability sale as an act of terrorism or treason or arms export violation.

I know it is hard, but we have to try to solve this.


Yeah, I'd rather not make security research any more taboo and frowned upon than it already is. Regulation should be put towards forcing companies to put bug bounty programs into place and forcing companies to put the necessary money into it, not disincentivizing the absolutely crucial and important work that researchers do. Apple can easily afford it.


I agree that regulation should be put into place, I've blogged about it in the past and I've argued that it should scale with number of affected users, but that doesn't mean we shouldn't make certain acts illegal. Selling an iOS 0day to the Saudis should be illegal.


Casinos have such a large attack surface that they should be thanking anyone and everyone who exposes any vuln.


So is this still a vulnerability? Time to do some more digging boys!


In the off chance that you're serious, this sounds like a great way to land yourself in federal prison.


As if blackhats in Vladivostok are particularly afraid of the FBI. Once the vulnerability is public, if that stuff is still connected to the public Internet, game over.


I'm pretty sure this article is all that was required for some enterprising people to do their own research and find some of the same vulnerabilities. I imagine we might see some interesting damages outlined in some lawsuits from casinos against Atrient.


> a great way to land yourself in federal prison.

For what? Checking shodan and seeing that people don't know how to write secure code.


Dude, just don't.

I get the excitement of knowing how easy it is to do this stuff. But US Federal Laws can be interpreted in creative ways to throw you in Federal Prison. And I think that will continue to be the case until American society (the Jury, in US) learns more about how these things work.


For actively exploiting a bug in a piece of software for personal gain, which is much less defensible than simply finding vulnerabilities.


Checking for vulnerabilities IMO shouldn't be considered a crime - it's not a clear malicious intent. Sure if somebody is trying to open car doors in the parking lot that may warrant investigation - but for all we know they were just trying to warn drivers they left it unlocked, no actual crime has yet been committed.

But after you have this data, I jokingly suggested "welp may as well capitalize on it". But messing with somebody else's money, especially a large fin-tech company, will get a lot of people upset, people with money to sue, not to mention it's the FBI's job to go after you, especially at this scale.

You could certainly try, just be aware the reaction will not be favorable for you at all.


Ask Weev how it worked out for him.


You and a lot of other people are doing some digging right now


Wouldn't the Nevada Gambling Commission be interested in this?


I mean, maybe, but do you really think they have some sort of well-staffed cyber-division that would 1. understand this and 2. know what to do with it? My guess is they're still operating like it's the 1980s. Hopefully I'm wrong!

Curious that the FBI now does vulnerability coordination. Haven't ever heard that before.


> do you really think they have some sort of well-staffed cyber-division that would 1. understand this and 2. know what to do with it?

1. Yes. 2. Also yes.

The Nevada Gaming Commission, all of the big casino companies in its state, and the companies that make the gambling machines, are quite remarkable, technologically speaking.

Sometimes I think the terrible web sites they have for hotel reservations are just a smokescreen.


> Sometimes I think the terrible web sites they have for hotel reservations are just a smokescreen.

Captain Obvious says he'd imagine that the amount of money brought in from room reservations is a drop in the bucket to what is made on the casino floor, hence the comping of rooms for players. The money spent on reservations vs protecting the gaming would be in proportion to that.

Maybe Captain Obvious is being a bit simple minded, but makes sense. Everything about the hotel is geared to get you to lose your money in the casino.


> Everything about the hotel is geared to get you to lose your money in the casino.

That's last century thinking. Gambling's influence on the bottom line domestically is waning.

These days it's all about entertainment, clubs, and restaurants. That's why every casino in Las Vegas is falling all over itself to build new sports and entertainment arenas, and paying huge bucks to put celebrity chef names on their restaurants.


That sounds like the mindset they must have used when they had the "Vegas is family friendly" ad campaign. That failed, and the "What happens in Vegas" campaign took over. I would have a hard time believing concerts, magic shows, celeb chefs generate the same kind of money that the casinos and sports betting brings in. However, if you have something that backs that up, I'd definitely be willing to read it and change my view.


There could be blanket clauses like reasonable efforts to secure private information, access controls, etc. They don't have to specify on the regulation what has to be done, just let prosecutors argue that it's not sufficient.


My guess would be yes, since so much of gambling is electronic. "Wire fraud" is pretty old.


I've not dealt with the NGC directly -- only other gaming commissions and some NGC partners -- but everyone I've dealt with in gambling has cared deeply about security. They often get it wrong, but they take this stuff very seriously.


> Because there is no SSL protection and because the API is wide open and vulnerable to abuse, it is possible to identify kiosks by their Mac address

Eh?


It should have said "MAC address" [0]. Nothing to do with Apple Macintoshes.

[0] https://en.wikipedia.org/wiki/MAC_address


That still doesn't make any sense to me in the context of the rest of the sentence.


Possibly, existing kiosks are registered by MAC address in the API. By querying the API for registered kiosks, you can pretend to be one by spoofing the MAC.


I wonder if casinos run their machines, etc on the same network as guests are on at the hotel, etc...

I'd think they'd at least isolate the networks to at least make things a bit harder... Maybe you could be sneaky and unplug an ethernet cable and plug in a device but apparently, the eye in the sky would catch you, and you'd end up in serious trouble.

I know some probably have apps to check your rewards, etc but that probably would run on the public internet with some sort of proxy into their private databases.

I'm not really into gambling, the family took me once when I turned 21 and it was kinda boring. I just waited around while everyone else played video poker. Free Mt. Dew though...

Also, all the women seem to wear something to show off their breasts more, I guess more tips... So stereotypical like you'd see on television.

At least they banned smoking in casinos, I guess in the old days people would be smoking right next to you. Oh, Googled it and it seems like they allow it in Vegas at the casino and bar, just not restaurants. Wow. I believe in my state it's a standard ban inside completely of any public building.

Also, reports of Atlantic City dying now since more and more states have allowed casinos to open. I seem to associate gambling with Vegas though over any other city.

I wouldn't mind going to just play the slots someday again, but really not into wasting money right now.


I still don't understand it, TCP/IP doesn't transmit MAC addresses. Your knowledge of it ends at the next router... Therefore you definitely can't authenticate/authorize by MAC address.


> Therefore you definitely can't authenticate/authorize by MAC address.

I would be entirely unsurprised to see that the device is calling out to the API with its MAC address as some kind of authenticator.

eg: http://foo.example.com/api/prizes?id=xx:xx:xx:xx:xx


I've used quite a few systems where the MAC address is used as a secondary password to verify that someone didn't just steal the hard drive out of a kiosk.


I thought of this. But the OP stated that the traffic is unprotected making this security measure moot.


Exactly, and then the stored MAC is exposed in its un- or poorly-authenticated API.

Such behavior needs to lead to jail time and not just a trivially payable fine so that the rich like the poor understand that wrongdoing has consequences.


We should not forget the 18-year-old Hungarian "hacker" that was arrested for opening Dev Tools and modifying HTML values. https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-...


Wonderful man, this Jessie Gill.

https://www.leagle.com/decision/infdco20180828d81


Does anyone figure this guy is connected and the third party contractors hired to program the kiosks were some student working from home in his off time?


This one does deserve to be called a vulnerability. It is plain stupidity.


People are complaining a lot about GDPR here but such a case would definitely lead to a fine of 4% or 8% of Atrient's revenue.


Konami is at huge risk, too, as it sounds like they were the global distributors.


I think I'll submit a Subject Access Request, as I am sure I'm a member of the Caesars loyalty programme.


So open season on Atrient?


g’bye atrient. we hardly knew ye.




> Jessie suddenly lunged at the researcher and violently grabbed him by his clothes on his chest before then tearing his attendee badge away from him, telling the researcher that he didn't need it anymore and that he would keep hold of it.

That seems to meet the legal criteria for assault and possibly even battery. Quoting from https://www.nolo.com/legal-encyclopedia/assault-battery-aggr... :

"Assault is sometimes defined as any intentional act that causes another person to fear that she is about to suffer physical harm. This definition recognizes that placing another person in fear of imminent bodily harm is itself an act deserving of punishment, even if the victim of the assault is not physically harmed."

"Historically, battery and assault were considered separate crimes, with battery requiring that the aggressor physically strike or offensively touch the victim. In that way, a battery was a “completed” assault. Many modern statutes don't bother to distinguish between the two crimes, as evidenced by the fact that the phrase "assault and battery" has become as common as "salt and pepper." These days, statutes often refer to crimes of actual physical violence as assaults."


According to the article, this incident took place in London, not the US. The law is similar but slightly different. It would fall under "Common Assault":

https://www.sentencingcouncil.org.uk/blog/post/assault-offen...


I'm not saying it's not assault. I'm not arguing legal definitions either. I'm saying it didn't live up to the expectation that the title and first paragraph created, and that it was long winded, causing me to say it was not worth my time.


Grabbing someone by the clothes like that? That's assault. Plain and simple. I'm sorry that the assault wasn't more violent?


I'm not saying it's not assault. I'm saying that wasn't worth my time to read half a novel of backstory for.


Not in the UK; the police only really get involved if blood is drawn, aka GBH.


So you're saying that in the UK I can legally walk around shoving and slapping people at random?


No, that's not what he said.


> No, thats not what he said.

No, that's the implication of what they said. If the police don't get involved in bloodless physical assaults then who is going to intervene? Does one have to call out "no slapbacks"?

Or to put it another way, I'm very dubious that one could merrily slap their way down the Thames without the police showing up.


Actually I was assaulted and the police did nothing because no blood. I was quite good, as when some of my coworkers suggested that they put some people on "that system" we developed in our office, I said no.


Physically threatening a security researcher for finding vulnerabilities in a product you sell is a big no-no, regardless of whether you find it to be "assault" or not. Personally, I found the background into the vulnerabilities the researcher found to be interesting.


Agreed, the "assault" was a big let down. But it did serve as a good hook to draw more attention to this company's awful security practices and apparent unwillingness to fix them.


If only he were brutally beaten to provide you a more stimulating story.


If only they hadn't put it on so thick, we wouldn't have had our time wasted with something that it turns out, after reading nearly to the end, we didn't want to read.


>... we...

Seems like a lot of other people in this thread found it interesting and enjoyed the read. Who's the "we" that you're speaking for here?




After getting ignored even when the FBI got involved? What would be the right way then?


Probably through your lawyers.


_their_ lawyers, I guess. Which would be paid out of their own pockets?


Anything else bothers you about this story? Because how they chose to contact Atrient seems like a very unimportant detail in all this.


I'm bothered by people being assaulted just as much as most of the commentators here. Just because I'm not parroting the same "wow Atrient is bad, security researchers good" message doesn't mean my comment is not valid.

Obviously a security researcher that has reported an issue wants to have a healthy dialogue with the company and see that the flaw is patched in a reasonable time frame. But let's not pretend that we have all the facts here. Were they in the middle of an internal investigation? If that investigation showed that there was nobody actively exploiting this issue, doesn't Atrient have the right to patch this vulnerability on their own timeline rather than the researchers'?


> ...doesn't Atrient have the right to patch this vulnerability on their own timeline rather than the researchers?

Sure, but you can't expect a third party to just stay quiet on the subject for as long as you drag your heels.


> nobody actively exploiting this issue

No segmentation and plaintext communication literally means this would be highly difficult to prove.


Don't these security researchers have the right to go to a conference and talk to other attendees?


It takes days to turn around an NDA. If months have passed, the vendor is obviously stalling.


Play stupid games with mafioso, win stupid prizes. (Pun intended.)


While the behavior of Atrient and specifically Jessie Gill is absurd in terms of working with the researchers to address the issues and pay the bounty, I am always skeptical of these captured videos. We don't have any context of what was said before and what the communication between the researchers and Atrient was like other than their accounts. Maybe I am just being cynical, but I've personally had interactions with security researchers who are extremely arrogant and on a vendetta to show how smart they are, and drift from white hat to grey or in some cases black hat territory.


Does it matter what happened before?

Is there _any_ circumstance under which that's appropriate or even justifiable behaviour for a CxO, no matter what had happened in the preceding few moments? If your CxO isn't capable of maintaining professional behaviour in front of arrogant researchers or blackhats boasting in public, I'd suggest it's well past time to be polishing up your resume and moving on...


I personally (and unfortunately) know Jessie Gill of Atrient. I have to, for work purposes. The way his interactions and comments/quotes were described in that article were exactly things that he would say and do. He's a pretty violent guy actually. And the way he's acting in that video, only saying, "I don't know you" and sitting down, he knows he needs to watch what he says because there are a lot of things that that video could tie to later. Anyway, I wasn't there so I can't be 100% sure of anything, but I have known Jessie for years, hell I've been to his house several times, and the behavior is spot on.


Hello! Thanks for this comment. Would you be able to contact me on Twitter, @me9187 (this account is mentioned in the secjuice article for verification), and tell us a little bit more about your experiences?


Unfortunately I can't risk being caught in Jessie's sights right now. He has a way of twisting things into his favor and always seems to get himself out of trouble by turning it on someone else. I have been following this story though and I may contact you in the future. Thanks, and sorry.

Seems like this guy has serious issues after reading this: https://www.leagle.com/decision/infdco20180828d81

I also know Jessie Gill personally and he doesn't deserve to be COO of the company. I don't have any clue why Atrient CEO Sam doesn't take care of these things well. Moreover he knows what Jessie's behavior is but he still won't bother to take action against him. And just to add, Jessie is a pervert; he has a sexual harassment case going on.



