The first security flaw I ever found was when the company I worked at used a cookie with an "encrypted" customer ID as sufficient to authenticate to their web app, which allowed you to access a lot of private details and run up substantial bills for the company via various phone services (e.g. you could easily use our APIs to dial 30+ premium rate numbers and let the bills rack up...)
It was a big enough WTF that there was no nonce or time element to the authentication, so that if you got hold of a cookie you could replay it forever.
It was a bigger WTF that the "encryption" looked suspicious, and turned out to simply be base64 of the customer ID.
In a triple whammy, the customer ID that was "encrypted" was a sequentially assigned integer, so it took me about 10 minutes to demonstrate that I could access the accounts of everyone in the company and every customer simply by working backwards from my own ID.
Thankfully my boss at the time was smart enough not to play shoot the messenger. They thanked me, and were somehow amazed that I'd figured out how to "break" the encryption, and asked me to review their fixes, and we went back and forth a few times until it was reasonably secure.
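The three flaws in the comment above (replayable forever, base64 mistaken for encryption, sequential IDs) and the kind of fix that review would have converged on, as an added example that is not code from the original post. The cookie being plain base64 of the decimal customer ID, the token layout and the key are all assumptions made for the illustration.

```python
"""Added example, not code from the original post: the "encrypted" customer-ID
cookie described above, and a signed, expiring replacement.

Assumed (not stated in the post): the cookie is plain base64 of the decimal
customer ID; the token layout and the key below are illustrative.
"""
import base64
import hashlib
import hmac
import os


def decode_legacy_cookie(cookie: str) -> int:
    """'Break' the legacy encryption: it is only base64 of a decimal integer."""
    return int(base64.b64decode(cookie).decode("ascii"))


def encode_legacy_cookie(customer_id: int) -> str:
    return base64.b64encode(str(customer_id).encode("ascii")).decode("ascii")


def forge_neighbours(cookie: str, count: int) -> list:
    """Work backwards from your own ID. Every lower sequential ID yields a
    cookie the server accepts, and nothing ties it to a session or a time."""
    own = decode_legacy_cookie(cookie)
    return [encode_legacy_cookie(i) for i in range(own - 1, max(own - 1 - count, 0), -1)]


def issue_token(customer_id: int, key: bytes, now: float, ttl: int = 3600) -> str:
    """Replacement: ID, expiry and a random per-session nonce, bound by an HMAC
    under a server-side key so the client cannot edit any field."""
    exp = int(now) + ttl
    nonce = os.urandom(8).hex()
    payload = f"{customer_id}.{exp}.{nonce}"
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str, key: bytes, now: float, revoked=frozenset()):
    """Return the customer ID for an authentic, unexpired, unrevoked token,
    otherwise None. The expiry bounds how long a stolen token can be replayed;
    the nonce gives the server a handle to revoke one session (logout, reported
    theft) without rotating the key."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    cid, exp, nonce, mac = parts
    payload = f"{cid}.{exp}.{nonce}"
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison; checked before anything else is trusted.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii")):
        return None
    if int(exp) <= now or nonce in revoked:
        return None
    return int(cid)


if __name__ == "__main__":
    print(decode_legacy_cookie("MTIzNDU="), forge_neighbours("MTIzNDU=", 3))
    key = os.urandom(32)
    tok = issue_token(12345, key, now=0, ttl=60)
    print(verify_token(tok, key, now=30), verify_token(tok, key, now=61))
```

The MAC is what stops the "work backwards from my own ID" trick: an attacker can still decode the ID (the token is not secret, only authenticated), but cannot produce a valid MAC for a neighbouring one. Whether the session state lives in the token, as here, or in a server-side store keyed by a random session ID is a design choice; both remove the replay-forever property.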
I just updated a colleague's registration to a medical imaging professional body by working back from my own crap login/password which they chose. This was done to save him some time on a busy day. I noticed that his user ID was just a few digits different to mine, so tried the same increment on the password. Surprise! I'm not sure how much damage one could really do, but deep frustration could easily be inflicted.
Randal is also a great example of someone who used adversity to become greater -- from "oh, shit, my legal bills are hundreds of thousands of dollars" to going out and doing a lot of high-value consulting, becoming even more well known as one of the best Perl developers out there.
Once I decided to make my final university assignment with Game Maker, and I bought two copies: one for me and one for a teammate.
The thing started to refuse to launch after an update on Windows, and this started a long talk with their helpdesk and people in forums. Eventually I was convinced the bug was in their DRM, found a cracked version, and indeed the cracked version worked just fine.
I told this finding to the helpdesk, hoping they would fix it, or at least say sorry...
Their reaction was to call me a filthy pirate and delete all my support tickets, and after I wrote the whole tale on the forums they quickly hellbanned me, by removing all permissions instead of banning me, so other users think I left, not that I was banned.
Offtopic, but this is the second comment of yours where many space characters have been replaced by random periods. It really makes your posts more difficult to parse. Did you get a new keyboard or something? ;-)
I'm guessing they're typing comments on a mobile keyboard, where the period character and the spacebar are right next to each other. With the sort of keyboard software that doesn't auto-capitalise.
I am using an Android, the WiFi of the place I live broke, and thus I need to use mobile 3G; also, HN behaves really badly on mobile: I have to type everything in one go, because if I close the keyboard to see errors in the form, it does not open in the correct place anymore.
Using HN on mobile means dealing with an unresizeable text field that is constantly more than half off of your screen. Even when editing, it's not possible to view the entire text box if you want to be able to interact with the text inside it.
Mobile HN has been a problem since we started accessing the site with our phones, but has never been addressed.
Discovered this by accident and it's great. Now I just wish for an Apple upgrade to the jailbreak go back/edit text thing where you can scroll back by sliding over the keys.
Wow, I knew that the forces behind Game Maker at some point stopped having their customers'/community's best interest at heart, but I didn't know it was this bad.
I used to play an online soccer manager game. One day I found out - essentially because I had copy/pasted a bit of buggy javascript into their homebrewed forum to help them spot the bug - that the forum itself would execute any javascript a user put into their posts.
Alarmed, I notified everyone I could think of. And waited. Knowing these guys were infamously non-responsive, and that this was a pretty bad issue, I then posted about it for everyone to read to raise an uproar and get their attention. Which it did. And we all waited.
Finally, I posted a small script that popped up an alert with "You've just been infected by a nasty bug", put it in a few places with "tasty" subject lines to get people to click & read it.
Oh, they fixed the bug. I also received from the non-technical Forum Moderators - real quotes, I kid you not:
-- one week forum ban for "taking advantage of a bug" because "someone had to be punished for this"
-- one week forum ban for "spamming the forum" (I had posted that I had a great player for sale to get clicks, then explained the security flaw instead in the post)
Users were outraged at the bug; moderators of the forum were outraged that I had caused such a PITA by causing all these popups when they were trying to browse the (insecure) forum.
I'm going to go out on a limb and say that it sounds as though your behaviour wasn't very responsible. Fair enough - there was a bug, it needed to be fixed. Bringing it to the attention of everyone in the way you did doesn't sound very mature.
Obviously you thought it was urgent and maybe the admins weren't being responsive enough. You have to keep in mind that priorities vary. Always keep in mind, there are real people on the other end who have to deal with this. What if your actions dragged an unhappy parent away from a sick child to deal with a PITA who thought his issue was so important as to demand immediate attention?
> Bringing it to the attention of everyone in the way you did doesn't sound very mature.
It's how security disclosures work if the vendor is not cooperative enough to fix the broken stuff. It's better to get the bug fixed silently, but if you can't get that, then for users it's better to have the problem widely known to the public and thus fixed on short notice than for it not to be fixed for a long time, risking exploitation by malicious individuals.
> What if your actions dragged an unhappy parent away from a sick child to deal with a PITA who thought his issue was so important as to demand immediate attention?
It's not OP's problem. One can't take responsibility for everything people will do because of a comment one wrote. Otherwise you'd have to bill me for the time you spent reading this comment instead of working.
I dated a girl for a while who I stayed friendly with after we split up. She posted an online dating profile (circa 2003?) with just enough information about herself to be Google-able. Some guy Google'd her, found her on her university website (she was doing a PhD), and emailed her telling her she should be a bit more careful, and, PS, did she want to go on a date?
She replied calling him a creep, and reported him to the dating site.
A couple of years ago I notified a female M&A lawyer that worked on the same deal as me, that her Outlook Connect picture was a very sexy lingerie photo that, even though she was very pretty herself, didn't really look like her. One thing led to another and she offered to show me the real thing.
I think there are some people that can't help themselves. They crave the attention ("Look everyone, I found a bug!"). For those souls, quiet professionalism isn't satisfying enough.
Amusingly, I had almost this exact experience in middle school.
I'd figured out that the barcodes used on our school lunch cards were just plaintext for our ID numbers. With minor cooperation from a nice lunchlady, I discovered that there were a couple very low numbers (e.g. 00000001) that had effectively infinite funds. Presumably they had been used for testing or something.
I brought this to the attention of the school's tech guy, who thought it was very cool and said he'd go tell the administration so he could get permission to fix the issue.
Of course, being a middle schooler with access to a card printer, I also took this opportunity to reprint my lunch card with an identical design and barcode... And a Chuck Norris photo.
The administration asked to speak to me and I assumed I'd be thanked for finding an easy vulnerability that could have been losing them funds.
Instead I was told I would be expelled or at the very least suspended for a month, and that they thought this constituted a felony and identity theft. Ridiculousness of those claims aside... I ended up getting away with weekend detention after my parents and the tech guy stood up for me.
Personally I am convinced that the purpose of the US educational system is to prevent kids from having a single creative thought, at least until they are adults and can be bullied into being average.
Not sure how you get this. There are plenty of people, like the others mentioned in these comments, who simply do not know how to react when presented with a security problem.
This is basically the entire reason our public schools are in trouble in a nutshell. I honestly believe many school administrators would be happier teaching parrots because curiosity and problem solving are crimes.
During college I interned in a lab for a physical security device company that I will not name. They had state of the art magstripe readers/encoders, motion detectors, and all kinds of really cool stuff. One slow day we all decided to have a bit of fun with the magstripe encoder, and I changed my Wegmans Shoppers Club card to show the name 'DANNY WEGMAN' on the till whenever it was swiped. Aside from being admired by my younger brother that I had such powers, not once did a cashier notice.
We had a very similar situation at my college. ID cards with mag stripes were used for a lot of stuff: meal plans, restricted access academic areas, and housing. I had an inkling that these were pretty insecure, so I read mine and found that the mag stripe had a zero padded ID number, issue number, and a single digit XOR checksum. Through a separate issue, I was able to learn most students' IDs in the student intranet system. Also, all this info was printed on the front of the cards, which students did not secure well.
The lead IT guy was cool (we had a friendship from my first day there), asked me to read his card and we went and opened the server room. He escalated it up the chain. Not sure if it was ever replaced with something more secure (doubtful).
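Both the lunch-card barcode story and the college mag stripe story above come down to the same thing: the card carries the plaintext ID, and the only "check" is a checksum anyone can recompute. The following is an added example, not code from either comment or from the colleges involved. The track layout (8-digit zero-padded ID, 2-digit issue number, one checksum character that is the XOR of the ten digit values written as a hex digit, between `;` and `?` sentinels) is constructed for the illustration and is not the actual card format.

```python
"""Added example, not code from the original posts: reading and forging the
kind of card data described in the lunch-card and college-ID comments above,
where the stripe (or barcode) carries the plaintext ID and, at best, a checksum.

Assumed layout (constructed, not the actual college format): 8-digit
zero-padded ID, 2-digit issue number, one checksum character equal to the XOR
of the ten digit values written as a hex digit, between ';' and '?' sentinels.
"""
import re

TRACK_RE = re.compile(r"^;(\d{8})(\d{2})([0-9a-f])\?$")


def xor_check(digits: str) -> str:
    """XOR of the digit values. This detects a misread, not a forgery: anyone
    who knows the public fields can recompute it."""
    acc = 0
    for ch in digits:
        acc ^= int(ch)
    return format(acc, "x")


def parse_track(track: str) -> dict:
    """Decode a track; checksum_ok is False for a garbled or edited stripe."""
    m = TRACK_RE.match(track)
    if not m:
        raise ValueError("not a track in the assumed layout")
    ident, issue, check = m.groups()
    return {
        "student_id": int(ident),
        "issue": int(issue),
        "checksum_ok": xor_check(ident + issue) == check,
    }


def forge_track(student_id: int, issue: int) -> str:
    """Build a valid stripe for any ID you know, e.g. one read off the front
    of a card or pulled from the student intranet."""
    body = f"{student_id:08d}{issue:02d}"
    return f";{body}{xor_check(body)}?"


def neighbouring_tracks(track: str, count: int) -> list:
    """Sequential IDs: the adjacent numbers are other people's cards, and the
    very low ones may be the test accounts with 'infinite funds'."""
    own = parse_track(track)
    return [forge_track(own["student_id"] + i, own["issue"]) for i in range(1, count + 1)]


if __name__ == "__main__":
    mine = forge_track(12346, 1)
    print(mine, parse_track(mine))
    print(neighbouring_tracks(mine, 3))
```

The checksum is there for the reader, not for security: it will reject a card that was swiped badly and accept any card whose fields were chosen by the person holding the encoder. What would actually help is something the writer of the card cannot compute: a random card serial that the reader looks up server-side, or a keyed MAC over the fields, and in either case not printing the same data on the card face.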
We ought to recognize that others may not understand how to respond to security vulnerability reports. We can use this knowledge to be a little bit more wise in our own behavior.
The best approach, if you are unsure what the response will be when you feel like you need to disclose a security vulnerability, may be to do so anonymously.
I was once contracting at a company which developed software for the police and other emergency services. The server rooms all had electronic card readers on the doors so that only people with the right security clearance could get in.
One day there was a power cut which meant that all the card readers stopped working and we couldn't open the server room doors. After ten minutes of scratching our heads and worrying about the UPS batteries running out, someone had the bright idea of dragging a desk next to the door, moving a couple of ceiling tiles and climbing over the partition wall.
The guy didn't get fired but I'm not sure if that particular vulnerability was ever fixed.
This seemingly makes no sense and yet it is far from the only case I have come across.
If ever you find yourself discovering a security flaw then just pretend you never discovered it and tell no one. If you really want to be a concerned citizen - report it anonymously.
This is my position as well. History is replete with examples of people being punished harshly for reporting security problems. In the Randal Schwartz case, discussed in a link above, he was working for Intel and doing routine best practices security testing there that got him arrested and convicted. So even if you are working with complete authorization, if you have political enemies or just clueless people around, they can make the argument that you are the bad guy.
So stay quiet and let the real bad guys figure it out.
There are also many who make reasonable incomes selling exploits on the black market.
This is the same reason why credit card skimming still works in the US (no chip + pin here).
I got a magstripe reader for a project and had some fun swiping various cards and seeing what was contained. My drivers license had the number and my address which was interesting. The only cards I came across that weren't obvious plain text were hotel keys.
I am still surprised there is no chip & pin in the US, plus now they're rolling out "insecure by design" RFID chips so you can steal from someone without having to touch them...
Even their ATMs are defective by design, they spit out the cash before the card so a LOT of people leave their cards behind at the ATM, when this issue was solved like 20 years ago in the UK by spitting out the card first and beeping until you took it.
I would have to say the last one is solved, but don't get me wrong, the rest is a joke in the US. My "fake" bitcoins are more secure than my USD in Wells Fargo.
I didn't get a writer since the project required only a reader (the cards were written elsewhere). Readers are pretty cheap, writers are surprisingly expensive.
The main things you have to look out for are coercivity and tracks. Magnetic stripe cards come in both high-coercivity and low-coercivity (HiCo and LoCo). This is a bigger issue if you're doing writing, I believe most readers are compatible with both. There are typically 3 tracks of data available, so you'll also want a reader (or writer!) that can access all three.
The model I got could be programmed through a Windows-only utility and that seemed pretty standard, so at least make sure you have a virtual machine with Windows on it. You'll need to program it to tell it how to interact (as a keyboard is easiest) and if you want to fiddle with the tracks.
Here's a crazy idea. What would be the legal realities of putting the disclosure details under copyright, with a license (similar to a software license) that prohibits retaliation? Would it be possible? Would it work? I suspect that it would run into the same problems as shrink-wrap licensing, plus conflict with employment contracts which would deny the right to place such information under one's own choice of license, but maybe someone else can think of an angle that at least provides some benefit.
Unfortunately there still are persons that view those that find security flaws in products, and report them, as a threat to the stability of the world, as if the problem were an insult to them. Never got to understand them.
I wonder if they read it as blackmail. Like imagine you received a phone call from a stranger saying 'Your house alarm is insecure. Someone could break in at night if they wanted to. You might want to think about that.'
This, or somebody is making a lot of money selling flawed security infrastructure and doesn't want anyone to find out.
But yeah, Do... Not... Report... security issues unless-
1) The company has a history of being "chill" with that kinda thing: e.g., Facebook, Mozilla, Google, etc.
2) You do it super-anonymously. Like, drive 3+ hrs away to a college campus you've never been at. Go into their computer lab when it's really busy. Create a new yahoo email account with a name that is opposite from any hobbies you have, through a proxy in another country. Send them an email not using your regular grammar style. Stay in the lab for 3 hours, send the email during the 2nd hour. That way, if there are any cameras in the room they won't just see one person walk in and walk out within the 5mins the email was sent. Then leave the lab and never return, never log into that email account again.... ever.
That depends on what internal rules apply to said university. For example the university that I attended forced us to log in on Windows via LDAP, but you could connect on Linux without any problem and without any account.
A much milder version of this happened to me once. I accidentally discovered a rootkit on the server of one of my customers and reported it. Their initial knee-jerk was to ask me why I thought I had the right to put a rootkit on their server.
This is pretty much what working in university IT is like, yeah.
The less work you do, the more you'll keep everyone happy, and the higher your job security. If you try actually getting anything done, you will make people mad and lower your job security.
I suspect this is true in many/most large organizations, not just universities, yeah?
A straw man is typically used to indicate that you think someone has misrepresented your position, and then attacked the misrepresentation rather than the real position you hold.
For example:
A: The world looks flat because you cannot see over the horizon.
B: THE WORLD IS NOT FLAT! THIS HAS BEEN PROVEN TIME AND TIME AGAIN! I mean if the world was flat how would satellites work? Idiot.
A: I never said the world is flat. I said the world LOOKS flat.
B: Are you an idiot? The world is NOT flat. This has been proven time and time again, you can literally sail around the world on a cruise ship...
A: That's a nice straw man you have there. Let me know when you win the argument with yourself about the flatness of the world...
on the other hand there are people who will accuse you of hmm... "straw manning" them even though you are not.
There are situations where instead of facing argument that makes sense your partner in discussion will accuse you of using 'straw man' tactics.
Now if you combine this with your opponent being a woman (I'm a victim of a brute male now!), you are done.
If the straw man accusation is true, it's really simple to prove you were manoeuvred into that using quotes from the thread. It'll just become clear and obvious.
Just hysterically yelling "Straw Man! Straw Man!" doesn't look serious. You take the response apart and show the dirty tactics, not just call names and cry. That's weak.
Of course things like pirating people's software or publicly posting an exploit is going to result in some sort of ban, if not worse! Has human nature and its long history of overreaction just escaped everyone lately?
It's not great, but it's reality. If the only fix available to you is piracy, pirate and go about your business... if they're ignoring the exploit you've reported, making it public isn't nearly as likely to help anyone as it is to turn you into a whipping boy.
Of course, if you don't mind these consequences, go for it. But I don't see how you could possibly fail to foresee the potential backlash.
> Of course things like pirating people's software or publicly posting an exploit is going to result in some sort of ban, if not worse! Has human nature and its long history of overreaction just escaped everyone lately?
Did you read the article? He told his boss that he thinks the security badge system had a big flaw. His boss agreed but then fired him. No software was pirated and nothing was publicly posted.
I dunno, I did interpret: "There was the 16 core workstation that he installed “borrowed” copies of several computer games on" as installing pirated games.
He definitely didn't make the security flaw public though.