And to be fair even "happy drunk" can be unprofessional in the wrong context.
But I think anyone who judges someone for how they act in a bar, after dark, and the concern is they were too jovial (absent some kind of sexual harassment or belting out racist jokes) is not someone I'd want to work with anyways.
I spent the time figuring this out because I read exceptionally fast. When I've read a page in a few minutes and the timer forces me to sit there for an additional 13 minutes, I'm going to figure those things out. It was silly.
Though you probably would have done better to report the problem through the state authorities overseeing the contractor (or the general government oversight agency, like the Bureau of State Audits in California) rather than the contractor, to whom your report was a threat of revealing their poor performance.
If nothing else, a report to responsible state authorities would be less likely to meet with someone with an incentive to sweep it under the rug (especially a general oversight body) and would be more likely protected by whistleblower protections, which most states have in some form.
Atrient mostly handles affinity cards and such. So they have lots of info about customers, including drivers license scans, but not much of a connection into the casino's main systems. A basic break-in might get you a suite upgrade or free booze. A more ambitious attacker would obtain the casino's customer list, with enough info to identify big losers and big winners.
Going back a few years I was involved with a gaming organisation. We were advised that certain activities legally had to be air gapped (we are not in the US), and I raised an issue of how it is that servers could be accessed by VNC (single dictionary word password) over the Internet if that were the case.
I was advised that the server was installed in a rack with 1RU of space between it and the router connecting it to the internet, and that lawyers had reviewed it and considered that to meet the legal definition.
I strongly suspect you'll find core activities just as vulnerable.
"...and that you could enter casino cash prize draws with as many entries as you wanted in order to win them, ..."
He just asked the court to do some random stuff without arguing a case. The whole opinion is just, "Plaintiff didn't allege anything, so dismissed".
I know there are stories of casinos in Vegas breaking people's legs for cheating, but I guess that doesn't happen anymore since big corporations run them now with too much to lose. Plus if that ever happened and went viral, it would hurt their business.
Shodan is an awesome tool.
That said, that there will be some that continue to engage in illegal activity doesn't mean we shouldn't make it illegal in the first place. I'd even be in favour of treating certain classes of vulnerability sale as an act of terrorism or treason or arms export violation.
I know it is hard, but we have to try to solve this.
For what? Checking shodan and seeing that people don't know how to write secure code.
I get the excitement of knowing how easy it is to do this stuff. But US Federal Laws can be interpreted in creative ways to throw you in Federal Prison. And I think that will continue to be the case until American society (the Jury, in US) learns more about how these things work.
But after you have this data, I jokingly suggested "welp may as well capitalize on it". But messing with somebody else's money, especially a large fin-tech company, will get a lot of people upset, people with money to sue, not to mention it's the FBI's job to go after you, especially at this scale.
You could certainly try; just be aware the reaction will not be favorable for you at all.
Curious that the FBI now does vulnerability coordination. Haven't ever heard that before.
1. Yes. 2. Also yes.
The Nevada Gaming Commission, all of the big casino companies in its state, and the companies that make the gambling machines, are quite remarkable, technologically speaking.
Sometimes I think the terrible web sites they have for hotel reservations are just a smokescreen.
Captain Obvious says he'd imagine that the amount of money brought in from room reservations is a drop in the bucket to what is made on the casino floor, hence the comping of rooms for players. The money spent on reservations vs protecting the gaming would be in proportion to that.
Maybe Captain Obvious is being a bit simple minded, but makes sense. Everything about the hotel is geared to get you to lose your money in the casino.
That's last century thinking. Gambling's influence on the bottom line domestically is waning.
These days it's all about entertainment, clubs, and restaurants. That's why every casino in Las Vegas is falling all over itself to build new sports and entertainment arenas, and paying huge bucks to put celebrity chef names on their restaurants.
I'd think they'd at least isolate the networks to at least make things a bit harder... Maybe you could be sneaky and unplug an ethernet cable and plug in a device, but apparently the eye in the sky would catch you, and you'd end up in serious trouble.
I know some probably have apps to check your rewards, etc but that probably would run on the public internet with some sort of proxy into their private databases.
I'm not really into gambling, the family took me once when I turned 21 and it was kinda boring. I just waited around while everyone else played video poker. Free Mt. Dew though...
Also, all the women seem to wear something to show off their breasts more, I guess more tips... So stereotypical, like you'd see on television.
At least they banned smoking in casinos, I guess in the old days people would be smoking right next to you. Oh, Google'd it and it seems like they allow it in Vegas at the casino and bar, just not restaurants. Wow. I believe in my state it's a standard ban completely inside any public building.
Also, reports of Atlantic City dying now since more and more states have allowed casinos to open. I seem to associate gambling with Vegas though over any other city.
I wouldn't mind going to just play the slots someday again, but really not into wasting money right now.
I would be entirely unsurprised to see that the device is calling out to the API with its MAC address as some kind of authenticator.
That seems to meet the legal criteria for assault and possibly even battery. Quoting from https://www.nolo.com/legal-encyclopedia/assault-battery-aggr... :
"Assault is sometimes defined as any intentional act that causes another person to fear that she is about to suffer physical harm. This definition recognizes that placing another person in fear of imminent bodily harm is itself an act deserving of punishment, even if the victim of the assault is not physically harmed."
"Historically, battery and assault were considered separate crimes, with battery requiring that the aggressor physically strike or offensively touch the victim. In that way, a battery was a “completed” assault. Many modern statutes don't bother to distinguish between the two crimes, as evidenced by the fact that the phrase "assault and battery" has become as common as "salt and pepper." These days, statutes often refer to crimes of actual physical violence as assaults."
No, that's the implication of what they said. If the police don't get involved in bloodless physical assaults then who is going to intervene? Does one have to call out "no slapbacks"?
Or to put it another way, I'm very dubious that one could merrily slap their way down the Thames without the police showing up.
Seems like a lot of other people in this thread found it interesting and enjoyed the read. Who's the "we" that you're speaking for here?
Obviously a security researcher that has reported an issue wants to have a healthy dialogue with the company and see that the flaw is patched in a reasonable time frame. But let's not pretend that we have all the facts here. Were they in the middle of an internal investigation? If that investigation showed that there was nobody actively exploiting this issue, doesn't Atrient have the right to patch this vulnerability on their own timeline rather than the researchers'?
Sure, but you can't expect a third party to just stay quiet on the subject for as long as you drag your heels.
No segmentation and plaintext communication literally means this would be highly difficult to prove.
Is there _any_ circumstance under which that's appropriate or even justifiable behaviour for a CxO, no matter what had happened in the preceding few moments? If your CxO isn't capable of maintaining professional behaviour in front of arrogant researchers or blackhats boasting in public, I'd suggest it's well past time to be polishing up your resume and moving on...