Slashdot Mirror


Approaching Lost Clients About Security?

mgkimsal2 asks: "As a development shop, we win some bids and we lose some bids for various reasons. What we've found when following up with some prospects which we didn't win is that the development shop they went with has them on ASP/NT servers, with security holes up the wazoo (visible source code, passwords, etc) exposing these clients to massive risk. Example: I just saw a company with 500+ employee records accessible to anyone who feels like connecting to them with SQL Server Enterprise manager. Hire dates, fire dates, SSNs, the works. Should we show these companies how easy it is to get in, and try to win them over as a client? Or just walk away? I've read some heated debates about this - if you break in, even as a demonstration, you're a criminal. But how do you show people they're in danger? Alert the current webmasters? In this particular case it did no good - we were accused of being sore losers! We can't be the only people going through this sort of dilemma." The key here is approaching the company in a way that lets them know you are serious and not trying to spread lies about your competitors. If anyone here has been in this position, your thoughts would be appreciated.

296 comments

  1. For the love of god be careful! by Anonymous Coward · · Score: 1

    You need to be *absurdly* careful how you handle this, as you can get your ass sued in two seconds flat.
    Do not probe the security of your competitor; if they notice, they can sic the FBI on you. Probably the best you can do is to analyze the PUBLIC information on their solution (eg: View Source, and nothing else), write up a whitepaper that has been *sterilized* and use it as a client-recruitment tool.
    Once you've lost a client, let 'em go. Certainly don't try to chase after them. Just be polite, thank 'em for their time, make sure they've got your business card, and move on.
    When the NEXT client rolls around, start talking about security on day one.
    But do not *ever* name names. Don't speak about your lost client, don't speak about the miserable security at your competition, and don't try to change the world. If they wanna get hacked, let them get hacked -- but you don't want to be anywhere near them when that happens, or they'll go after you out of mere vindictiveness.

  2. Junkies are like electricity... by Anonymous Coward · · Score: 1

    I have been a professional "Security Consultant" for some years... read that "Locksmith."

    One pretty effective tactic we use is the free "Security Audit." This is where we show the importance of deadbolts and window locks... we don't break in, but we list the vulnerable spots.

    This same tactic can work for you. Offer a "Security Evaluation" to the people, free of charge. Sure, some of them will take your list of defects and go back to the people that sold them the defective product before. But if you are professional, and can show restraint at "digging" at the competitors, and simply SHOW the weaknesses in a "content neutral" way... you will impress the heck out of many. These will be your repeat customers.
    The ones that DON'T call you in to fix things--- these people will reap their own reward at the hands of a script kiddie...

  3. take the high road by Anonymous Coward · · Score: 1

    Three principles: take the high road; use the New York Times test; always generate good will. You could call the company who won but that would reveal you were rooting around on their server -- bad idea. Act as if your actions will be printed on the front page of the New York Times -- how would that look? The best you can do is put the lost client on the list for your Security Times newsletter, then be sure to mention in the next issue the particular security holes they should check for, but only in general. Good luck!

  4. Let Them See For Themselves by Anonymous Coward · · Score: 1
    Offer an Online Security Scanner. Have scripts which test for the holes which you know about (you should have similar scripts on laptops for onsite testing anyway). Then invite your potential/past clients to run the scans themselves. Insist that people with proper authorization run the tests (ie, managers/sysadmin/netadmin) to avoid having random employees causing "attacks", particularly if your servers set off alarms. There are several ways to encourage this -- require a unique ID/PW which were mailed in the paper mail to your clients' manager, require mailback authorization codes...

    Try to make the tests show the problems clearly -- such as by showing the first five lines of database tables or any data which looks like social security numbers.

    Incidentally, give the tests generic IDs -- do not label any of the tests with identifiable exploit names. This prevents a random employee from using your test to learn that a certain exploit will work...then using a script kiddie tool to attack independently. It also encourages clients to come to you to have problem "CA114" fixed, and your internal documentation will tell you what exploit is used by script "CA114".

    You may also want to use a secured page to present test results, to prevent intruders from listening in and getting more ideas.

  5. Re:I don't understand how some of this is illegal. by Anonymous Coward · · Score: 1

    The fuzzy line comment is exactly right. On many occasions I have been talking with techie friends and they often get into these debates over extremely nitpicking reductio ad absurdum interpretations of the law.

    Face it: the legal system is quite subjective, quite fuzzy and quite dependent on the "common sense" of the judge and jury. It's the only way it CAN work, but in new unclear areas it can be scary.

  6. Sounds like it's too late by Anonymous Coward · · Score: 1

    But how do you show people they're in danger? Alert the current webmasters? In this particular case it did no good - we were accused of being sore losers!

    There are plenty of ways to approach this issue in a non-confrontational, non-blame placing way.

    Unfortunately, you seem to have already turned it into a pissing match. You may want to assess the mode in which you communicated the information to your former client's webmasters. Depending on the relationship that you have with others at the client, you may want to make an apology to the webmasters in question for starting on the wrong foot and give them a clear path that they can take to see the exploit and correct it themselves. Let them know that if they want to talk to you about the situation further, to give you a ring, but you felt it necessary to make sure that they were informed, because you want them to be successful, regardless of who does the work, etc, etc. Be meek. Be understated. Be humble.

    If I were in your situation, I would have approached it from an oblique angle. I would have told them that I had come across the information while doing work for another client, recalled that they had a system with a similar configuration in place and given them a tool to verify the problem, and instructions on how to correct it. I would have pointed them to a security site with more information about other exploits and told them that if they wanted to talk further about this, to call my office and we could set something up. I would then wish them well and express my interest in working with them in the future, should the opportunity arise.

    Then I would wait a while, and send another note to the manager that I worked for at the client, letting them know that I had come across some security issues at another client with a similar set up and that I wanted to give them a heads up, even though I was sure their system folks would be aware of it and have it taken care of. Again, wish them luck and express my eagerness to work with them again in the future.

    This way, you give the system guys at the client a way to look good without taking any credit for it. Everyone will remember that you were on top of the situation and if they choose not to follow your advice and are burned, they can at least remember that you gave them good advice.

  7. Re:Give them instructions by Anonymous Coward · · Score: 1

    Instead of giving them instructions/specifics, you can do something totally ruthless. Hire your competitor to do a meaningless setup for you, and give them a trash database. Specify in the contract with your competitor that you want their best quality work and will be probing it for security, and that there is no NDA, implied or otherwise. Set up a meeting with the company whose job you're bidding for. Tell them: "Our competitor is offering you a highly insecure non-solution. We'll show you why." Proceed to h4xx0r the crap out of your own site through one of their own tech guys on one of their computers (with permission, of course). Show them the contract specifying that you wanted your competitor's "best quality" work. You better damn well be the best if you want to employ that tactic, however, and you should never do that to a deservedly reputable company, only one that uses the client's ignorance to overcharge for crap. Stuff like leaving SQL servers with confidential data open to queries from anyone on the net is just plain ridiculous. Somebody should start a corporate Darwin Awards for companies like that.

  8. Savage Strategy(tm) by Anonymous Coward · · Score: 1

    Instead of giving them instructions/specifics, you can do something totally ruthless. Hire your competitor to do a setup for you, and give them a trash database to work with. Specify in the contract with your competitor that you want quality work and will be probing it for security, and that there is no NDA, implied or otherwise. Set up a meeting with the company whose job you're bidding for. Tell them: "Our competitor is offering you a highly insecure non-solution. We'll show you why." Proceed to h4xx0r the crap out of your own site through one of their own tech guys on one of their computers (with permission, of course). Show them the contract specifying that you wanted your competitor's "best quality" work.

    It should cost you approx $2,000, $5,000 max to do this (around $800 to form a sub-corporation to hire your competitor, the rest for the job, which would be a one-time set up, of course). It may also be well worth it to use this tactic as a "preemptive strike" (hire your competitor before the bidding process starts) for a big upcoming contract. If your competitor refuses such a deal, just point out to the prospective client that they refuse to have their setup undergo a security audit. The implications of that are obvious.

    You better damn well be the best if you want to employ that tactic, however, and you should never do that to a deservedly reputable company, only one that uses the client's ignorance to overcharge for crap. Stuff like leaving SQL servers with confidential data open to queries from anyone on the net is just plain ridiculous. Somebody should start a corporate Darwin Awards for companies like that.

  9. How to do it without looking like a criminal. by Anonymous Coward · · Score: 1

    1) Put out an information packet and present it as a list of common security problems (be sure to list some of the problems they are having but don't make it personal). Present it in a 'Commonly noticed problems in the industry' format.

    2) List step by step instructions on how they can determine if they have some of the problems mentioned above.

    3) Discuss why this is/could be a problem for them.

    4) Suggest some solutions to these problems (if they have them).

    It is important to make this a simple "I care" information packet and not a sales pitch (or it will fall on deaf ears).

  10. ASPINT Servers? by anewsome · · Score: 1

    What exactly is an aspint server? I have never heard of this.

  11. Dont' touch this without a lawyer by bluGill · · Score: 5

    I can't believe /. responses have ignored this important point: There are many things that can be done, some of which are right, and some of which are legal. A few are both.

    Don't touch this situation without a lawyer who knows this area of law. Most likely you will be told to keep your mouth shut as even if you can win the law suits, the cost isn't worth it.

    There is also a possibility that you could find a lawyer willing to do a class action law suit against your competitor if you can prove several customers have been left open like that. This is again dangerous ground, but you can potentially pull it off. Don't bad mouth any competition who doesn't misconfigure things like that.

    Whatever you do, make sure your lawyer is informed. Their job is to save your rear end, but they can't do that if you don't tell them what is going on.

  12. Re:offer a free security review as a "teaser" by Ian+Bicking · · Score: 2

    That's like a free brake inspection -- places that give those are usually dishonest, and the results of the inspection are always suspect. I'd assume the same with a computer consultant. And just like with cars, most of the people paying the money don't actually understand what they are really paying for. So it requires a lot of trust. Being sneaky isn't the way to get people to trust you.

  13. Re:A *really* bad idea! by demon · · Score: 1

    No, more like him leaning up against your car, and having a panel fall off or collapse as he does so. Even though I think the person who submitted the Ask /. was earnest, I agree with what others have said - if they're really vulnerable, someone will break into it eventually, and the lost client will find out about it on their own. Just be as far away from the scene of said crime as possible, and don't do anything that's going to tie you (or appear to tie you) to said crime.
    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  14. Don't take this lightly. by defile · · Score: 5

    I'm assuming you live in the USA...

    If you haven't already done so, burn the machines you performed the exploits from, change your name, move to another state, stop looking at slashdot, and tell no one anything. The United States is absolutely insane about computer intrusion.

    If you are caught, you will be charged with computer intrusion which carries a maximum sentence of 15 years per count. Plus you will have to pay for all of the security consultants the insulted company brought in to examine everything. They can count virtually anything as damages. If the media gets ahold of it and it, say, lowers their stock price, they will claim this as damage!! This is scary stuff. How many of you tried the IIS5 exploit on a random site? That little 'dir' you did before logging out could easily cost you 15 years of freedom and $50,000 in damages.

    I have a friend sitting in jail right now (he got a 1 year sentence off of a plea bargain) for doing something like this. If the FBI hasn't knocked down your door yet, be thankful and don't say another damned thing on the subject.

    Your intentions may be completely pro bono, but when dollars are concerned, that just doesn't matter.

    1. Re:Don't take this lightly. by Assistant+Madman · · Score: 1

      For fsck sakes - a *year* for trespass? Why not just shoot the bastard on sight, it's much less cruel.

      Some people only open their mouths to change feet ....

  15. Could be dangerous by jCaT · · Score: 1

    You run the risk of hitting people in their IT department that don't know better and think they do, at which point they'll be even more pissed at you. Granted they probably would not have had you as a client at that point anyways.

    This approach will definitely be hit and miss- it's sort of like the vacuum cleaner salesman that dumps dirt on your floor and then shows you how he can clean it up- or tells you that your house looks like shit. :) The key will be to find people at the company who will be accepting of your position- usually middle to upper management types, where some soft scare tactics can really make a big difference.

    Here's how I would go about it:

    -Work out a standard set of procedures for testing their servers. Probe but don't modify.
    -Work out a standard report you can deliver to them. If you put lots of PHB-compliant pie charts and stuff like that in there, you're almost guaranteed to get in.
    -Keep on top of bad vulnerabilities, and perhaps deliver reports on that as well. It would be tough to keep this from being spammy, but you never know.

    The biggest thing is to make sure you present yourself REALLY well. To most of your target audience the presentation you give is very important.

  16. How about consulting for the clueless developer? by Kaz+Kylheku · · Score: 4

    Okay, the problem here is you didn't get the contract, but some security-clueless developers (let's call them SCD, Ltd.) got it. Let's assume that their solution works, and that the security holes can be fixed. Is the answer to drop the entire solution? SCD probably got the contract because they were able to demonstrate that they can meet the functional requirements, but security somehow got left out of the picture. This is not necessarily reason for the client to break it off with SCD and go with you. Just because you have a clue about security doesn't mean that you are the best developer for their application.

    However, you may be able to form a partnership with SCD as a security consultant. Find a way to communicate to SCD that their solution is full of security holes and that you know how to fix them. SCD is likely to be discreet about the whole thing because it looks very bad for them! If they are honest, they will want to contact the client themselves to explain the security issues. They will also want to be able to tell the client, in the same breath, that they already have a solution in the wings provided by an independent security consultant (i.e. hopefully you). So this way there is still some piece of the action for you.

    If SCD instead decide to get a clue of their own and fix the problems themselves, at least the security holes are made known to the client and something is done about them (hopefully).

    In the remaining possible scenario, SCD just keep quiet about the security holes. You have done the best you can; the entire moral obligation rests with SCD once they know about the holes. You should forget about the whole thing and not enter into any further communication with anyone at SCD---why get mixed up in a situation in which at least one of the parties is completely unethical? SCD, being capable of anything, is dangerous to any organization who comes in contact with them.

  17. Re:Give them instructions - hacking banks by Derek · · Score: 1

    I suggest not using your approach of "showing the problem in a report."

    But imagine how much worse off you would be right now if you had shown the problem by actually breaking in (rather than just reporting it)! Besides, threatening to publish their security holes was NOT the smartest way to apply pressure. In fact, I'll bet that it was that part that got you investigated. There is a very thin line in some people's minds between what you did and blackmail/extortion. Remember that you may be working with a "business", but it really just boils down to using some people skills.

    -Derek

  18. Re:I don't understand how some of this is illegal. by tzanger · · Score: 1

    1) I walked into this store one day. They were clearly open for business. As I walked around I passed through an open door. Not long after it occurred to me that this place looked like a back room, not a display room.

    2) I walked up to my friends house the other day. The front gate was open, which is normal, so I could walk up to his door and knock. I looked to my left, and lo and behold his garage door was open. Even without going inside I could see all sorts of stuff, including the bodies hanging from the rafters.

    I do believe that in both of these cases you would not be arrested or, if you were, you would be let off quickly because there were no grounds. Want to try some better examples?

  19. If they didn't want to listen before... by jd · · Score: 3
    ...They're not going to want to listen AFTER they've paid a vast sum of money for junk.

    Ego, image and the ineffability of the Boss are absolute, in corporations. Challenge these at your own risk.

    On the other hand, you can use these as examples (anonymized, though!) in future bids. Especially if these companies -do- have their security breached. Companies are like sheep, in that they follow the leader. But they're totally unlike lemmings, in that if one plunges off the cliff, the others will =usually= hesitate.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  20. Re:Well, it does sound like sour grapes by sheldon · · Score: 2

    Amazing thing is, Linux also has a horrible track record with regards to security problems. A new one is released at least once a week.

    Personally I'm just alarmed at how much FUD you are trying to blow.

    You should always keep up to date with the latest security patches and make sure they are applied. Part of developing a web site solution for a client could involve ongoing maintenance to help ensure they are kept up to date.

  21. Re:Well, it does sound like sour grapes by sheldon · · Score: 2

    Was it the competitor's job to configure the server?

    In many companies web applications are developed and deployed to an application server which is configured by the operational staff.

    That is the way our environment works. As developers we do not concern ourselves with the security of the server itself, but rather of the application's architecture.

    We have system administrators who follow up on patches and ensure they are applied.

  22. pretend not to notice and market security like mad by Forge · · Score: 3

    If you ever want to get business from that client again then let the security problems sit. I know it will grate on your conscience but this is like seeing your friend cheat on his wife. If you report it you will be called a liar.

    How you proceed is to keep contact with all your clients ( including those you lost ) in a generic way. Offer them new services. Send them brochures for security audits etc... Let them know this is something you are selling to everyone.

    I.e. Have a special. A demo of some security tool or other along with a discount if they are impressed and a full audit all for one low price. Do it that way and you might make more than you expect and maintain the respect of all involved.

    Remember also to include the VAR you lost to in this mailing because they are a potential customer. If you really care about your lost clients not getting hurt then teaching the guy _they_ chose is not a bad idea.
    --
    Quidquid latine dictum sit, altum viditur.
    Whatever is said in Latin sounds profound.

    --
    --= Isn't it surprising how badly I spell ?
  23. (in)security of non-clients is not your concern. by isaac · · Score: 3

    First, IANAL, this is not legal advice, etc.

    If self-preservation is an instinct you possess, you should not be probing any site that has not contracted you to do so. You are probably opening yourself and your company to liability when you do so. Most computer crime statutes criminalize "unauthorized access", where unauthorized simply means you didn't have permission from the owner to access the computer resources that you did.

    Now, it may certainly be true that a company that has a published link on the front page of their website to a document X (where X is information that the company would prefer remain private) probably would see their case against an entity Y accused of accessing X without authorization dismissed almost immediately. But that doesn't mean that it hasn't cost Y anything, even though the case never went to trial.

    Further, the vulnerabilities you are discussing require you to access your non-client's sites in... unconventional ways. Courts do not understand technology, but by now many judges understand that your average consumer is not going to be firing up SQL Server Enterprise manager to make authorized access to any given internet site that they have no contract or agreement with.

    If you have already come forward to one of your lost clients and merely been called a sore loser, you're either lucky or have no significant assets. From a legal standpoint, you should not be making unauthorized access to any site, for any reason.

    You already made unauthorized access to the site of at least one non-client, that you've mentioned. It sounds like your actions went beyond a simple portscan, which is probably ok, to retrieving database records (the hire dates, fire dates, ssns you mention), which in court would quite possibly be actionable - at the very least, you won't get a summary dismissal.

    Unless you'd *LIKE* to get sued by a lost client with a grudge, you shouldn't be probing their sites.

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
  24. Re:Personally... by Casca · · Score: 1

    How long do you suppose it will be before we see this joker in the news?

    --
    Casca
  25. Re:Been there, done that by ewhac · · Score: 2

    ...we presented our findings to the client. In this meeting no facts were refuted, only one question was asked: "Why do you need primary keys?"

    Though I have had my hands in computers for over a score of years, databases were never my focus. Thus, I must also ask the embarrassing question: What are primary keys, and why are they needed?

    Schwab

  26. Leave it alone... by Psarchasm · · Score: 3

    I, like many here, agree with the "leave it alone" approach. You lost the bid, game over, insert quarter for new game.

    Here is a little anecdote to let you know why I feel this way;

    Federal Agency Dept of ABC runs a mostly Unix shop.

    Federal Agency Dept of TUV and XYZ runs a mostly NT shop.

    RDS hits and Federal Agency NOP and Federal Agency DEF (both mostly NT shops) get hit the very next day.

    A young security engineer in Federal Agency ABC knows Federal Agency TUV and XYZ are both big NT shops and thinks to himself - "Geeze, I bet they are vulnerable - I'll give them a heads up." - Then thinks "Hmmm, I don't want to look like an ass, and be told 'Duh - we patched that the same day it was made public'." So young security engineer runs test code to see if default databases are accessible. They are. Young security engineer writes a paper describing the situation and how to solve the problem both agencies' public web servers suffer from and mails them off to his director and the security directors of Federal Agency TUV and XYZ.

    Federal Agency TUV thanks young security engineer.
    Federal Agency XYZ makes a "federal case" out of the whole thing. And attempts to get young security engineer fired.

    Now. This guy didn't end up getting fired. I'm one of the many who went to bat for him when the two agencies met regarding the issue. However, he very easily could have been - were he not exceedingly bright - and had he not done everything correctly after the huge mistake he made in testing his theory.

    --
    http://windows.scares.us
    1. Re:Leave it alone... by Kaki+Nix+Sain · · Score: 1
      "...had he not done everything correctly after the huge mistake he made in testing his theory." (parent post)

      Remember folks, testing your theories about other people's stuff without permission is naughty.

      Maybe you could offer a free "security assessment package".

      --

      (C) Kaki Sain, 2011. By reading this, you have illegally copied my property to your brain.

  27. Ask Permission by jjr · · Score: 1

    To do a Free Audit of their security of their site. After it is done explain to them you know all about these security risks and would have never put your company at risk like this. I think this is the best approach; do not talk to the webmaster(s), go directly to the top guys.

  28. Use the exposed information by c · · Score: 1

    If all you care about is fixing the problems and aren't really trying to drum up business for yourself, anonymously contact some of the individuals whose information is being exposed. Sure, technically you're breaking the law getting the information, but I imagine that a couple employees getting seriously pissed about their personal information being wide open might solve the real problem pretty quickly.

    c.

    --
    Log in or piss off.
    1. Re:Use the exposed information by geoswan · · Score: 1
      ...anonymously contact some of the individuals whose information is being exposed. Sure, technically you're breaking the law getting the information, but I imagine that a couple employees getting seriously pissed about their personal information being wide open might solve the real problem pretty quickly.

      Tempting, no doubt, but how would you keep it anonymous? You are going to be on the top of the list of suspects.

      What if you contact a couple of employees anonymously, and then you hear nothing? There is no way you can seek followup without tipping your hand.

      The potential exists that those employees had low enough ethical standards that they didn't bring it to management's attention, but instead exploited the security flaw to fuck-up other employees. If they did this I suspect you would be an accomplice.

      OK, you decide to only give the info to employees you know well enough to trust not to do anything unethical with the knowledge that the system is insecure? But if you know them that well, presumably they know you well enough to ruin your idea of keeping it anonymous.

      But lets forget about the anonymous aspect. If you have done work on-site, if they have trusted you to work on-site, your possession of personnel data does not prove their web-site is insecure. If you had physical access to their machines you could have gained that information some other way. You could, for instance, have purloined a backup tape, copied it off-site, returned it the next day, and perused your copy at your leisure.

  29. what we found following up... by trb · · Score: 2
    What we've found when following up with some prospects which we didn't win is that the development shop they went with has them on ASP/NT servers, with security holes up the wazoo...
    They are not your clients until you win a bid. It is hard for me to distinguish "following up" from simply "probing their network for holes."

    This is the same question as: "Should I probe people's networks and then offer to fix their security holes?" The business about lost bids is irrelevant.

    You're asking whether you should let stupid people know that they are leaving their SUV parked with the keys in the ignition and the engine running and the kids sitting in the back. Well, it's probably a righteous idea to try to help them, but if you're not careful, like if it looks like you're jumping in the car and driving off, you could get into some trouble.

    Think of a safe and discreet way of letting them know, and I think it would be ok. For instance, probe for some benign problem and offer to help them out with a simple security audit, telling them that "the sorts of systems they use" are quite prone to problems, etc.

    1. Re:what we found following up... by Zogg · · Score: 1

      I don't know about you, but if I made what I consider to be a reasonable bid and lost, I'd be tempted to see what my competition could do for less. Not following up on lost bids and watching to see what your competition can do is a surefire way to ensure your company falls behind. This sounds to me like a simple case of "We didn't win, but let's see about the guys who did. Is there anything they did that can effectively cut costs? Can I learn from them to make my next bid more lucrative to the potential customer?"

  30. recommend security for future customers by bug · · Score: 1

    Instead of trying to solicit companies that chose against you in the past, concentrate upon future potential customers. When you negotiate with your potential customers, advise them to think about their security requirements and to ask tough questions of you and of your competition. Advise them to lay out those security requirements in writing, in the contract. They are responsible for their own security and their own decision making, not you.

  31. Re:I don't understand how some of this is illegal. by Chuq · · Score: 1

    I'm not sure about stealing garbage, but stealing materials put out for recycling is.

    Hmmm ..... isn't that the definition of recycling? :)

    --
    - Chuq
  32. Wait...how do you know? by ghjm · · Score: 1

    How did you become aware that these compromises existed? Did you audit their site? If so, why? Did you have any business auditing their site? Did you port scan them or take other such action? How do you know SSNs, fire dates etc. are available if you haven't already looked at them or come damn close to it? Bottom line: Unless they retain you, evaluating their security is not your concern and you may already be liable...

  33. It's No Longer Your Problem by Bloodshot · · Score: 1

    I can't believe you would even *think* of telling them that their competitors aren't using the best tools available. If they didn't pick you, anything that happens isn't your fault and you have *no* obligation to tell them what they are getting themselves into.

    People need to find things out for themselves.

  34. Invite them for a demonstration by crovira · · Score: 2

    Only "probe" the site under their supervision while they are present.

    Thank them for coming and tell them they can call your reps if they ever feel the need for security.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  35. Re:A whacky idea -- More Like Bad Idea by Ouroboro · · Score: 1

    Unfortunately by doing this you are essentially admitting to poking around on their site. While this isn't necessarily evil, it could be misconstrued as something malicious. If at all, these things should be handled very delicately, otherwise if something bad does happen it is very easy to point a finger at you because you have information that could be used to damage their site, and a motivation to do so.

    In other words it is probably best to steer clear of anything other than a casual look at your competition's work.

    --
    When I want your opinion I will beat it out of you.
  36. Re:I don't understand how some of this is illegal. by Hygelac · · Score: 1

    Well, let me try to draw a parallel to normal criminal law. Burglary is forceful entry with the *intent* to commit a crime. Larceny is taking something that isn't yours without the owner's permission.

    I would make the argument that using a MSSQL client to connect to the server is considered "forceful entry" just like opening an unlocked door would be. If your *intent*, upon connecting to the server, is to try and "steal" db records (for nothing more than to prove it can be done), then this is effectively burglary since you *intend* to commit larceny (taking someone else's, otherwise private, information), unless of course you have the owner's permission to do so.

    Look at it like someone leaving their front door unlocked. You walk in and see their tax returns on a desk next to a photocopier. You make a copy of their tax returns and leave. I guarantee you that you would be convicted of larceny and burglary, and what you've described is no different.

    --
    -- Grow up and use mutt.
  37. What you could do... by rnturn · · Score: 4

    (in response to:)

    ``Should we show these companies how easy it is to get in, and try to win them over as a client? Or just walk away? I've read some heated debates about this - if you break in, even as a demonstration, you're a criminal. But how do you show people they're in danger? Alert the current webmasters? In this particular case it did no good - we were accused of being sore losers!''

    ... is pretty much what you've done: point out the insecure setup. If they don't tighten things up they'll be the sore losers... when some customers or former employees sue their sorry butts for allowing that information to be divulged. Wouldn't it be fun to be called to testify against them? ``Yes. We informed XYZ, Inc. about the flaws in their security but they just laughed at us and called us sore losers.''

    Wouldn't immediately help your problem in gaining new clients but it would be helpful if you could say that you have testified in court as a security expert.

    The problem with the companies you've encountered is that you have to convince these people who know only Windows as an environment. I refer to this as the ``fly in the vinegar bottle'' syndrome. They like what they know and reject anything else. It's almost as though they'd rather be out of a job than switch from their comfortable little realm.


    --
    CUR ALLOC 20195.....5804M
  38. Forget about it by Detritus · · Score: 2

    You lost the bid. It isn't your problem. Anything you say to the company will be taken the wrong way.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Forget about it by Enoch+Root · · Score: 2
      C'mon... That wasn't a troll, it's the absolute truth. If a company approaches the lost bid by pointing out the shortcomings of the competitor who won it, it will just make it look like the company who made that call is a bunch of morons. When you lose a bid, it's better to simply walk away. The last thing you want is to come across as a sore loser.

      Rather, when a NEW bid is made, this is the time to show off strong by pointing out that your solution is secure, compared to ASP/NT. If they read that and still don't pick you, then *gasp* perhaps security is not that big of a concern for them.

      Whining after you lost is just bad.

    2. Re:Forget about it by 6ULDV8 · · Score: 1

      Absolutely! You have no duty to them; they aren't your client. Pointing out their mistakes will just annoy them. If you waste your time showing them your discovery, they'll likely get the problem fixed by the current vendor and the vendor may make claims against you for criminal trespass or label you as a security threat using your own warning as proof that you snoop. At that point, all you've done is given free consulting time to your competition. Move on. Plenty more customers down the pike.

      --
      Pull my finger for my public key.
  39. Re:Happens every day by josepha48 · · Score: 2
    Too true

    One thing I'd add is that is why you review the site. Maybe a line like "when we lose contracts we review what the winner did to see where we may have weakness so that in future business with the company we can better serve their needs." I.E. It is a learning process for 'our' company.

    Oh and don't spend all the effort on mentioning money; try mentioning it only once (not sure what the exact letter looks like). It may seem like you are making up these holes just to get some of their business. You can even give an example of what you think is a security hole in the letter and what the result of that being exploited could potentially be. This is not to say that you need to hack in, but that you need to show that you are not making it up and that they can check it out on their own and say 'oh my you are right' then call you up.

    I don't want a lot, I just want it all!
    Flame away, I have a hose!

    --

    Only 'flamers' flame!

  40. Anonymous tips by Jethro · · Score: 2

    Well, an anonymous tip is one way, providing you are actually trying to help and NOT trying to make yourself look good by making the competition look bad.

    I'm tempted to say that you really shouldn't do anything. They chose to go with the other guys, it's not really any of your problem or concern anymore.

    Also, be very paranoid and careful. Do not send them "proof", as in lists of employees or any data obtained through hacks. You could quite easily be sued for anything like that, despite the fact that you're trying to be helpful.


    --
    In the land of the blind, the one-eyed man is kinky.
  41. Well, it does sound like sour grapes by Zico · · Score: 1

    If you're seeing all these holes, it sounds like you're snooping around on your competitor. Not saying that there's anything good or bad about this, but why wait until you've already lost the sale? Point this out to the company you're trying to win over while you're making your pitch, not after it's all over. If you've already lost the sale, I'd suggest hunting for new customers instead of badgering old ones. If there are holes you know about, I would (and have) call the client up, ask to speak with their main tech guy, and give him the scoop. Unless you're desperate for customers, I wouldn't try to turn it into a sales pitch. Just leave your email address in case he needs to ask you any questions about how you found the holes, if he needs any help patching it up, etc. He might keep you in mind in the future, and now he knows how to get hold of you.

    As a side note, your mentioning of NT/ASP also seems to point to some sour grapes, since they can be locked down quite nicely — if your own company has any competency, you guys already know this.


    Cheers,

    1. Re:Well, it does sound like sour grapes by Zico · · Score: 1

      If that happened, I'd do what I mentioned. Just give the client's main tech guy a call and let him know that he's exposed right now. Proooobably you should call your competitor, too. I'm not in the same position as you, and I can imagine that it'd be pretty tempting to leave your competitor high and dry, but letting them know would probably be the good samaritan thing to do.


      Cheers,

    2. Re:Well, it does sound like sour grapes by mgkimsal2 · · Score: 4

      Yes we do know this - the NT/ASP issue was that there are some extremely well-known OLD (>1 year old) hacks known against this configuration, which require about 5 seconds of 'hacking' (if you can call it that). The deeper story in this situation is that we weren't directly following up on a lost bid - we were following up on something else, stumbled on this security hole, and found that a lost bid was affected. So we weren't directly probing them right after the fact, it was somewhat incidental to some other stuff that we were doing.

  42. Talk to them about it by fishwaldo · · Score: 2

    I work in the security industry... while it would be illegal for you to take some information from their database and show it to them, if you can set up a 20 minute meeting, demonstrate the hole to them, and tell them how to fix it in the meeting, more than likely, they will come aboard at least for security services. We used to use vulnerability scans, offer customers one free scan, and show them the holes they had, and next thing we know, we got the contract. Shock tactics work the best when it comes to security; as soon as they know they have a hole, they will fall over themselves to get it fixed.
    Unfortunately, I've also seen security vendors with massive holes in their system as well. A well known Managed Security Provider in Korea was vulnerable to at least 5 exploits on their webserver. Their website proclaimed how good they were at security, yet, even after numerous emails from anonymous hotmail accounts, they still didn't fix their own problems. It was only after a script kiddie found it and "owned" the site did they wise up, so sometimes you just can not win, but at least you can put your mind at ease, and know that you at least tried to warn them of the problems.

  43. Re:Been there, done that by Taurine · · Score: 1

    Read "An Introduction to Database Systems" by C J Date. The author is the source of much of the theory of relational databases. He worked in research at IBM when they were producing the very first relational databases, and very much 'wrote the book' on relational databases, and this is that book.

  44. Moral of the Story, Give the Client What They Want by Hangtime · · Score: 1

    So very very often on Slashdot I see these sorts of questions and answers and I just want to take everyone into a room on Slashdot and talk about customer and end-user dilemmas created by all-knowing IT folks. Now that I am working as a Business Analyst my job is to sit between the End-Users and IT personnel. It pains me to hear stories like the one described above about dumb technology and vendors, but it also pains me to see good people get dumped because they were not looking at what the customer wanted but rather the most technically sound solution.

    If the customer wants pretty buttons, give them pretty buttons but make sure you're still sound. While I was in school I saw some of the most interesting things done with Filemaker Pro by some of the most non-techies I had ever seen. Would I trust it in an enterprise setting running mission-critical data, HELL NO, but on the desktop it's the most user-friendly database software there is. My school had an enterprise license for Access, but everyone used Filemaker Pro because it was easier.

    Know when to balance the Yin and the Yang, the technical soundness to the customer wants and needs. You can have the most technically superior product out there but if the client wants something neat to look at, easy to use, and doesn't have to use a 700 page manual to figure out THEN DO IT! If you were bidding out against this other company, those sorts of things should have come out in a JAD or client consultations with end-users. Did y'all do any of that before putting in your bid? Not being critical, just curious.

    I do commend you for going back and taking the right approach because in the end you did add value to the situation for both the client and yourself. Now the client can't feel like they were cheated because they knew what they were getting. Remember my brothers and sisters on the other side of the aisle, (I'm still a Win2K user) if you want to make Linux pervasive you must come off your technical high horse and not make Grandma compile her own code, but give Grandma what she really wants, just to check her email and see pictures of her grandkids.

    To the original poster of the question:
    BTW, I so agree with one of the previous posts about the survey suggestion. After that you can gain a sense for what the client was really looking for and can tailor your response next time accordingly. And if it does turn out they were thinking about security more then you appreciated, then ABSOLUTELY FABULOUS, you can go in next time and create the game. Have benchmarks and rules set up before the bidding process begins. Maybe you could even "consult" the company on putting together a framework for measuring vendor security awareness. NOW you would be sitting in the catbird seat.

    Laters,
    Hangtime

  45. My POV by JoeLinux · · Score: 1

    Out here at Cal Poly Pomona, we have an Electrical Engineering Head who loves RAMBUS and Intel Pentium 4. What I've started to do is simply print out the articles that point out how the Pentium 4 is going to suck, and RAMBUS is going/in the process of going down. Slowly but surely, he is starting to come around. Tell him how his boxes are in danger if you see a security hole on their server that isn't fixed. Email what it would enable someone else to do. Explain to them that you are doing it because you still wish to maintain them as a prospective client, even though you lost the account. Be nice, not forceful. As if it were a friend you were helping out. When they come across enough of these "Anyone with a mouse and 30 seconds worth of time can gain root access to my entire box.", she'll turn around and ask about linux. It may take time. But be cheerful, helpful, and you'll win just about anyone over.

    Then again, this is my perspective, I could be wrong.

    Joe Carnes

  46. Re:Ask Slashdot! by JoeLinux · · Score: 1

    Isn't it "Move every '.sig'" "For Great Justice"?

    Just another /. nitpicker.

    JoeLinux

  47. You can go to jail... by Paul+Lamere · · Score: 5

    Randal Schwartz (co-author of Programming Perl) did just this thing and was taken to court and Convicted of three felony counts, with (deferred) jail time. Read all about it at

    State of Oregon v. Randal Schwartz

  48. Keep your hands clean by Ralph+Wiggam · · Score: 5

    I think the best way to play that is to set up a meeting with the client who turned you down. Get a couple business people and their best tech guy in a room with a computer. You sit at a table with your hands in front of you. Talk their tech guy through the "crack" and make it clear to the business guys that in place of their tech guy it could have been any 15 year old on the planet. If the competing company gets pissed because they lost business over the incident, you didn't actually do anything. The client company merely viewed their own data using a nonconventional access route. If the competing company tries to go after their former client for "circumventing security", threaten to send a copy of the court papers to all of the rest of their clients, showing everyone what crappy security they have.

    That should teach your competitors to bid against you.

    -B

    1. Re:Keep your hands clean by Mr.+McGibby · · Score: 1
      I think the best way to play that is to set up a meeting with the client who turned you down.

      Good idea. While you're at it, you should get them to pay you consulting fees just for giggles. Oh, and you could, like, totally get them to spend their precious time with someone that they already turned down.

      Meetings are expensive and you aren't going to be able to just "set one up". Especially with a client who has decided that he doesn't want your help.

      --
      Mad Software: Rantings on Developing So
    2. Re:Keep your hands clean by NetBoy · · Score: 1

      I disagree with that as a rule, but it would be really good training for the first few. Read, you are giving away your services to learn.

      BRING YOUR BEST SALESPEOPLE TO THIS MEETING.

      It goes something like this: I've got a problem. An ethical problem. This is not my job. You have good people working on it. I'm going to share with you some ideas; promise me that if you think it is worth it, someday you will pay me back (that's all you get while you are learning). Then just tell them and leave.

      Keep the tech people out of it. Keep anyone out of it that might take it personally.

      Afterwards, discuss with your salesperson how to use this on the next sales call. Here's where you get your payback. Goes something like this:

      We're not going to be the low bidder. Is that the only issue or do you care about {quality|security|what you do well}? If they want to hear more, "Let me share with you a story...."

      eg, You might have lost this one, but don't lose the next for the same reason. :-)

      You will NOT get the client back by showing them they have made a bad choice. Don't call their children ugly, don't argue with their data no matter how questionable it seems to you.

      Try not to do too much real work for free. It should be easy. If you keep the tech people out (to protect their egos) the business heads can herd them on their own. DO make sure that you get a marker. Even if it is only "Yes, I will call you next time, etc..."

      cfm

  49. A Clean Way to Show Them by Therin · · Score: 1
    Set up a box on your domain with phony data, but setup identically to their lame machine. Publish information about "see how easy it is to break into this poorly set up box" to all your current, prospective, and lost customers. Do this as a new regular service, with a new exploit featured each month/two months/whatever. Encourage your customers to break in following instructions, then mention that you know none of your current customers would be vulnerable to this.

    That's a clean way to do it without honking them off. And you might get a lot of business from other lost customers as a bonus.

    --
    John 17:20
  50. What to do.. by Rombuu · · Score: 3

    1) Document their problems
    2) Date the documents and get them notarized by a public notary
    3) Send them a copy and offer to do some work for them for a reasonable price
    4) When they get broken into or h4x0r3d, send them your documents again and offer to do some work for them for a much less reasonable price.

    --

    DrLunch.com The site that tells you what's for lunch!
  51. Re:offer a free security review as a "teaser" by Malach · · Score: 2

    Perhaps an *honest* approach might work?

    What I have in mind, is approaching the client with a line something like "I've had a quick look at the site, and think that there might be some security holes there. I'm not going to look further without your permission, but I think you should get it looked into."

    Be honest, admit that you think you could have done a better job, and say that you hope you'll be considered to either fix the existing one, or any future projects.... then just let it go.

    You're doing the "right thing" and you're being honest with someone who might be a client in the future.... and, believe it or not, doing the right thing *can* be its own reward.


    --
    Chicks suck.
    Guys are ugly.
    Pass the kleenex.
  52. Why are you poking around on their site anyway? by crimoid · · Score: 1

    Why are you poking around on their site(s) looking for security problems? They aren't your client; you have no right (or duty) to attempt to exploit ANY problem that they have. Doing so may violate the company's rights, leaving you open to legal action.

  53. This happened to us once... by srn_test · · Score: 4

    We tendered for a [large recorded music seller]'s web site. In our tender, we pointed out that relying on plaintext, unsigned email for orders to the [large recorded music seller]'s suppliers would lead to people getting free CDs once they worked out all they had to do was send email to the right spot.

    Our tender was rejected as "too complicated" because we designed something that would have been more secure.

    The winners built the system; within a few weeks people were getting free CDs and the system was turned off.

    The only good part was that the idiot who had run the tender evaluation was sacked...

    Stephen

  54. Re:Professionalism by SEWilco · · Score: 2
    Unauthorized access to a machine is often illegal.

    It might be entertaining to include on your company web page: "Clients Who Passed Our Weekly Security Scan: <counter> Potential Clients Who Failed Our Scan: <counter>".

    Unfortunately you can't do that.

  55. easy solution by Rinikusu · · Score: 1

    Get on #l33t or whatever on IRC. or AOL. AOL is probably better.

    List the site in question and the vulnerability.

    I guarantee you that the company will know the error of their ways within a couple days, max.

    --
    If you were me, you'd be good lookin'. - six string samurai
  56. Demonstration... by Fishbulb · · Score: 1

    When you present your bid, set up a system with a configuration that you've seen competitors use, and show them right there how easy it is to access the data (fake stuff that you've setup) and then show them how much more secure yours is. Make security part of your sales pitch, because apparently your competitors aren't. When your competitors can't answer clients' questions about security that you've made them aware of, you'll have a much better chance of winning the bid.

  57. For what it's worth... by Rocketboy · · Score: 2

    If I were you, I'd leave it alone. You can't win: the client won't appreciate knowing that they made the wrong choice and the hosting company won't enjoy having their flaws pointed out to a customer. You'll catch shit from both sides and could well get sued out of the deal.

    Yeah, I know: it'd be great if you could just get them to fix their security holes. But in my opinion, you won't get that done and all you will end up with is a client who thinks you're a sore loser and a competitor who hates you. If the world were only rational... :)

    1. Re:For what it's worth... by Rocketboy · · Score: 2

      In my experience, there's no hell like that of a bureaucrat who's forced to confront a bad decision. Every company has them and you can't just make them go away. One of the reasons that younger (and technical) people get ignored in organizations is because they don't see any good reason to sugar-coat what they see as the truth. They don't have the patience (or tact) to air the dirty laundry quietly, out of public scrutiny. Learning how to deal with other people can be as necessary to getting something done as knowing the latest technical trivia, but university tends to ignore that part of the educational mission (possibly because uni profs are some of the most intensely bureaucratic individuals on the face of the planet.)

    2. Re:For what it's worth... by Alien54 · · Score: 2
      You can't win: the client won't appreciate knowing that they made the wrong choice and the hosting company won't enjoy having their flaws pointed out to a customer. You'll catch shit from both sides and could well get sued out of the deal.

      Heh - I know of one company that has two computer shops - one side that has run the business on some multidimensional DBMS since the dawn of time, and the other newer MS shop. The MS shop has several dozen people, and the old shop has a small handful.

      The MS shop is terribly mad at the old small shop, because the MS shop is producing substantially less than the old shop. - Of course the old shop is run with just a handful of gurus, where the MS shop has lots of (fill in the blank)

      Bottom line - sometimes it pays to know what you are doing. And when You don't it costs you money.

      Check out the Vinny the Vampire comic strip

      --
      "It is a greater offense to steal men's labor, than their clothes"
  58. Re:I don't understand how some of this is illegal. by chill · · Score: 1

    Just because it is on the Internet, doesn't give you permission to browse through it. If I leave my doors unlocked (and even standing wide open), it does not give you the right to wander through my house -- that's trespassing.

    Computer Trespass is similar. In Florida, unauthorized access to computer systems you don't have explicit permission to access is punishable by up to 20 years in prison.

    You wouldn't get away with this in non-cyberspace, I don't know why you think you can *in* cyberspace.

    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  59. Re:I don't understand how some of this is illegal. by chill · · Score: 1

    You are confusing "publically available" with "available to the public".

    If a business (say a bank) does business "available to the public", that means you can do business with them. It doesn't mean if there is an open terminal you can browse other people's account information. They provide a PRIVATE service that is available to the public in general.

    Unlike, say, a public water fountain in the park -- where anyone and everyone can use it.

    Just because a company does business with the public doesn't mean that all the business itself is public.
    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  60. Re:I don't understand how some of this is illegal. by chill · · Score: 1

    Read it again. He was describing "common law burglary".

    B & E has nothing to do with "intent to remove property"; nor is it restricted to "night" or "private dwellings". It does require some form of force -- pushing a door open; breaking a window; etc. Simply walking in an open door doesn't cut it.

    There is a similar law in many jurisdictions called "unlawful entry" that is a bit looser (and not as severe as B&E). This can be applied in the "walk in the open door" case.

    On the other hand, there are some interesting peculiarities with computer sites (FTP/WWW/SQL/Whatever) that start with "Welcome!".

    When I was a SysAdmin at a big company, we had "greeting" messages that were written by the legal dept just for this purpose. They were warnings about unauthorized access.

    Come to think of it, my laptop boots with one on the login screen -- as does the FTP "welcome" message when I am running a server off of the laptop (company property). I've seen it so often I tune it out.

    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  61. Next Time! by chill · · Score: 1

    Don't worry about the last one. In the FUTURE, make a solid point about your proactive security and examples of how you deal with everything.

    Make it so THEY will approach the other company about security concerns.

    Point out the increased awareness in security in general; more hacks and vulnerabilities reported daily; and have a list of potential weak points of competitors systems.

    Offer to let the customer probe your setup.

    Be proactive.
    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  62. Re:I don't understand how some of this is illegal. by chill · · Score: 1

    My point is the service isn't offered until you have an agreement with the bank.

    Yes they DO have terminals that can browse everyone's account. They are for INTERNAL use, even though they may be sitting on someone's desk in the middle of a wall-less cube.

    Just because I have an SQL server that is net accessible for convenience, doesn't mean everyone is allowed to browse all the data. (Yes, it is a dumb idea, but that isn't the point.)

    If I take a $20 bill and put it on the dash of my car, windows open and parked on a public street -- no one has the right to reach in and take it.

    Okay, change that $20 to proprietary customer list (no cash value, but business data with business value). The list is upside down -- you can't read it without turning it over. Legally, you don't have the right to reach in and turn it over. If it was right-side up, you could read it to your heart's content.

    Connecting an SQL client to a server doesn't spew data at you (like a web server does). You have to enter a query and ask for data (reach in and turn the paper over). That is ILLEGAL.

    A web site is not the same thing, as its intent is public information (unless it is on a private network) and it presents data simply by connecting -- you don't have to "ask".

    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  63. Re:I don't understand how some of this is illegal. by chill · · Score: 1

    Logs == Cameras in this case -- they just aren't visible to the "naked eye".

    Okay, I'll concede the bank analogy.

    The simple fact remains that having an SQL server accessible by the Internet *doesn't* mean it is intended for the public. I can lease space in a strip mall and run a business by appointment only or only for my established clientele -- not for the browsing public even though my door is "open".


    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
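The point in the post above, that an SQL port listening on the Internet is not an invitation, is easiest to act on from the owner's side rather than a competitor's. The script below is an added example, not code from the thread or from any poster: it reads `netstat -tln`-style output (a constructed sample is embedded, not real data) and flags database and remote-administration services bound to addresses other than loopback. The port-to-service table is an assumed list chosen for illustration; extend it to whatever your own hosts run.

```python
"""Audit listening TCP sockets for services exposed beyond loopback.

Added example. Input is in the layout of `netstat -tln` (Linux); the
sample below is constructed for illustration and is not real data.
"""
import ipaddress
import re

# Ports whose services are rarely meant for the browsing public.
# Assumed list for illustration; adjust for your environment.
SENSITIVE_PORTS = {
    21: "FTP",
    23: "Telnet",
    445: "SMB",
    1433: "MS SQL Server",
    3306: "MySQL",
    3389: "RDP",
    5432: "PostgreSQL",
}

# Constructed sample in `netstat -tln` layout (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:21         0.0.0.0:*               LISTEN
tcp6       0      0 :::3389                 :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
"""

# proto, recv-q, send-q, local address, foreign address, state
_LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")


def split_endpoint(endpoint: str):
    """Split 'addr:port' on the LAST colon so IPv6 forms like ':::3389'
    (wildcard '::' on 3389) and '::1:5432' (loopback on 5432) parse."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def is_public_bind(addr: str) -> bool:
    """True if a socket bound to `addr` accepts connections from off-host."""
    if addr in ("", "*", "0.0.0.0", "::"):
        return True  # wildcard bind: reachable on every interface
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable address: fail closed and report it


def find_exposed_listeners(netstat_output: str):
    """Return sorted [(port, service, bind_addr)] for sensitive ports that
    are reachable from outside the host. Non-LISTEN lines and the header
    are ignored."""
    findings = []
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = split_endpoint(m.group(2))
        if port in SENSITIVE_PORTS and is_public_bind(addr):
            findings.append((port, SENSITIVE_PORTS[port], addr))
    return sorted(findings)


if __name__ == "__main__":
    for port, service, addr in find_exposed_listeners(SAMPLE_NETSTAT):
        print(f"EXPOSED: {service} on port {port} bound to {addr}")
```

On the sample, port 80 is skipped as public by design, the MySQL and PostgreSQL listeners are skipped because they sit on loopback, and MS SQL on 0.0.0.0, FTP on a routable address and RDP on the IPv6 wildcard are reported. A listener that is bound to all interfaces but blocked by a host or perimeter firewall will still be reported; that is intentional, since the script only tells you what the host offers, and the firewall rule is a second control to verify separately.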
  64. Re:I don't understand how some of this is illegal. by chill · · Score: 1

    I'm familiar with a GET request.

    It is not possible with a web client (other than maybe 'telnet') to connect to a web server and not get the "default" data. The default setting of a web server is to not require/request/respond to user authentication information. You have to enter it explicitly for the server.

    Connecting to an SQL server with a client only establishes a connection -- no data is requested. The default actions of the server are to require a user and database name -- and unless explicitly turned off, a password. No records are sent across -- you have to ask for them (and know what you are asking for).
    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  65. Re:I don't understand how some of this is illegal. by chill · · Score: 1

    Progressing any further then is prosecutable. They were explicitly warned (like in trespassing) and logged.

    The main defense of people (legitimate, and one that works) is "hey, I didn't know. I thought it was so-and-so's site."

    With the warning, this doesn't fly.

    Here, verbatim:

    Background

    The Warning Message is a notice to all users of a computer system that the use of the system is subject to certain restrictions:

    The system is for authorized users for business purposes only
    Unauthorized use will be punished
    Use of the system may be monitored
    Users must protect information
    The wording of the message is actually dictated by the U.S. Department of Justice in cooperation with the Law Department. The warning has been carefully worded to help Lucent and the Government prosecute unauthorized users. If an intruder breaks into a computer system which does not display the warning message the case against the intruder is substantially weakened and may, in fact, be dismissed.

    Message Formats

    The Warning Message comes in two forms: the standard message and the short message. The standard message should be used in all cases except where physical limitations prevent its display. The standard message is as follows:

    Warning Notice
    This system is restricted solely to authorized users for legitimate business purposes only. The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited by . Unauthorized users are subject to Company disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system may be monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, may provide the evidence of such activity to law enforcement officials. All users must comply with Corporate Instructions regarding the protection of information assets.

    The short message is as follows:

    Warning: This system is restricted to authorized users for business purposes. Unauthorized access is a violation of the law. This service may be monitored for administrative and security reasons. By proceeding, you consent to this monitoring.

    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  66. Re:I don't understand how some of this is illegal. by chill · · Score: 1

    Oops, the "Plain Old Text" setting stripped out all of my [company] tags where I replaced the real name. [Lucent -- it seems I also missed one. :-)

    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  67. Or alternatively, by ??? · · Score: 1

    You put your very personal information in an envelope marked "Very Personal Information, Don't Open Unless Your Name is XXX," and pinned it to a bulletin board in a public location....

  68. Get consultant fees... by Gen-GNU · · Score: 5
    If you have already lost these people as a client, let them go. Hanging around and nitpicking is a sure way to get them to think less of your company.

    What you should do is wait for the site to be up a while, (6 months to a year), and approach them as a "security consultant." Get permission to poke around, before you do it. Get paid consulting fees to do it.

    In the end, they may be impressed and switch over to you. Don't suggest yourself as the company to switch to, though. This will come off as sour grapes. Suggest that they either revamp the site, or choose a different server type altogether.

    Bottom line, if you impress them with the small amount of work you do for them, they will think of you as a 'good' company, and speak of you that way. If you upset them, they will never do business with you, and you risk losing other business as well.

  69. walk away. by Zurk · · Score: 1

    trust me on this one -- it's better to walk away. I've seen this situation numerous times and I've seen that the companies usually - [1] don't want to know and [2] management usually takes the blame so even if you *do* win them back the management guys will try and sabotage you.
    wait for 'em to figure it out and contact you after they get hacked or let 'em go bankrupt. I've seen companies do both.

    1. Re:walk away. by pturley · · Score: 1

      You sound like you've had a lot of experience with this, which makes your opinion especially valuable. Can you give a brief outline of your experience (not a resume, just a quick look).

  70. Re:Ask the client by MadAhab · · Score: 2
    Unless you see a certain long-term future with this company, despite the loss of business, this is the way to go. By doing it on their premises, with their permission, and while they are watching, you do a lot to protect yourself from any accusations of "hacking." Of course, do not tease them with any illegally obtained data, and have a ready explanation how you learned about their vulnerability without exploiting it (and if it involves default passwords to a database, don't do anything more than prove access, and show transcripts of your "exploratory" session when you are there, and don't detail the exploit in advance).

    If you do see doing other business with them in the future, then "discover" their vulnerabilities on premises, with an offer of a fix.

    If you are really afraid of them having a bad reaction, fuck'em, they'll get victimized eventually. Just make sure to express doubts about the other group's security.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

    --
    Expanding a vast wasteland since 1996.
  71. Emphasize early and often by Flounder · · Score: 3
    Why wait until after you lose the bid before pointing out something that could sway the bid your way? In the contract bid, point out your design and server structure and how it's more secure than the SQL/NT structure.

    If you don't bring up important items like security until after you lose the contract, you'll be viewed as the sore loser, not as somebody concerned for their well being.

    If they still go with the competing company with the poor security, they have only themselves to blame.

    --

    No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova

    1. Re:Emphasize early and often by fpepin · · Score: 2

      Well, probably because a SQL/NT can be reasonably secure if you have someone who knows that they're doing. Yeah it means that there are a bunch of patches, but if you're on top of your things, it's not that bad.

      Those guys would've made that mistake with any implementation I'm guessing. This is a blatant and gaping security hole that can be easily fixed.

      You can't really know in advance that the competition is going to be that stupid. At least not the first time around.

  72. Re:offer a free security review as a "teaser" by p3d0 · · Score: 2

    Oh please.

    How much credibility would these guys give a free security review? Free == ulterior motive. If they can't figure out your motive, they won't let you in the door (especially for a security review).
    --

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  73. Re:I don't understand how some of this is illegal. by p3d0 · · Score: 2
    If somebody wants it to be private, they will not allow connections to the port or use access control.
    People make mistakes.
    Is the company liable for being this stupid? I say yes.
    So do I. Does that give people the right to take advantage of this stupidity in any way they want? I don't think so.
    --
    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
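    Added example, not from any poster in this thread: the point made above, that a database meant to be private should not accept connections from the Internet at all, is something you can verify on servers you administer without probing anyone else's. The script below parses saved `ss -ltn` (or `netstat -ltn`) output, never the network, and flags database ports bound beyond loopback. The embedded sample is constructed, and the port-to-service map is an assumption to confirm against `ss -ltnp` on the host.

```python
"""
Added example: audit a host's own listening sockets for database services
reachable from beyond loopback. Feed it the text of `ss -ltn` (or
`netstat -ltn`) captured on the server; it parses that text only and never
touches the network, so it is a check you run on machines you administer.
"""
import ipaddress

# Assumption: the service behind each port is the usual one for that number.
# Confirm with `ss -ltnp` (shows the owning process) on the host itself.
DB_PORTS = {
    1433: "Microsoft SQL Server",
    1521: "Oracle listener",
    3306: "MySQL / MariaDB",
    5432: "PostgreSQL",
    6379: "Redis",
    27017: "MongoDB",
}

# Constructed sample in `ss -ltn` layout (not captured from any real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     *:1433               *:*
LISTEN  0       128     [::]:3306            [::]:*
LISTEN  0       128     [::1]:6379           [::]:*
LISTEN  0       128     10.0.0.5:27017       0.0.0.0:*
"""


def bind_scope(addr):
    """Classify where a listening socket's local address is reachable from:
    'loopback' (same host only), 'wildcard' (every interface) or
    'interface' (one specific address, reachable from its network)."""
    bare = addr.strip("[]")
    if bare in ("*", "", "0.0.0.0", "::"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:
        return "unknown"
    return "loopback" if ip.is_loopback else "interface"


def parse_listeners(text):
    """Yield (local_addr, port) for each LISTEN row of `ss -ltn` or
    `netstat -ltn` output. In both layouts the local address:port is the
    fourth whitespace-separated field."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "LISTEN" not in fields:
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        yield addr, int(port)


def exposed_db_listeners(text):
    """Return database listeners bound beyond loopback, sorted by port.
    Each finding: {'port', 'service', 'bind', 'scope'}."""
    findings = []
    for addr, port in parse_listeners(text):
        if port not in DB_PORTS:
            continue
        scope = bind_scope(addr)
        if scope == "loopback":
            continue  # only the host itself can connect; nothing to report
        findings.append({"port": port, "service": DB_PORTS[port],
                         "bind": addr, "scope": scope})
    return sorted(findings, key=lambda f: f["port"])


def report(findings):
    """Human-readable summary with the fix for each finding."""
    if not findings:
        return "No database listeners reachable beyond loopback."
    lines = []
    for f in findings:
        lines.append(
            f"{f['service']} on {f['bind']}:{f['port']} ({f['scope']}): "
            "bind to 127.0.0.1 or the application server's address, "
            "firewall the port from the Internet, and require authentication.")
    return "\n".join(lines)


if __name__ == "__main__":
    import subprocess
    try:  # real host output if `ss` is available, otherwise the sample above
        text = subprocess.run(["ss", "-ltn"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS_OUTPUT
    print(report(exposed_db_listeners(text)))
```

    Run as-is on a server to see its own listeners, or pipe saved `ss -ltn` text in through the sample constant. A listener on a specific interface address is reported too, since whether that network is "the Internet" is a question for the host's firewall rules, not the bind address alone.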
  74. Re:I don't understand how some of this is illegal. by p3d0 · · Score: 2
    what about a Telnet session that has a free BBS type style to it? How am I supposed to know if that system WANTS guest accounts?
    If they can't prove you should have known, it's unlikely you could be convicted of anything. I don't know about US law, but from what I remember of Canadian law, they would have to prove intent.
    --
    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  75. Re:I don't understand how some of this is illegal. by p3d0 · · Score: 3
    I think leaving a DB wide open on the internet is akin to putting some very personal information in the garbage can outside your house, rather than in a locked safe as you meant.
    Interesting opinion, but what matters is the law. Many states consider leaving a DB wide open on the internet as akin to leaving your front door wide open: people don't have the right to walk in and look around without your permission.

    Here are the laws of Texas, Massachusetts, and California for starters.
    --

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  76. Re:I don't understand how some of this is illegal. by p3d0 · · Score: 5
    It is ok to use http over tcp-ip to hit the machine, noone has a problem with that... But suddenly it isn't ok to use sql over tcp to hit that same machine?
    Stop trying to be naive for a minute, and admit there's a big difference based on whether or not the owner of the computer wants you to access the information.

    Go ahead and argue what should be legal, but don't pretend that you can't tell the difference between a website and an unintentional security hole. Tons of existing laws (like first- vs. second-degree murder) already use criteria as fuzzy as this.
    --

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  77. Re:I don't understand how some of this is illegal. by funcan · · Score: 1

    http://www.someserver.com/I/Guessed/This/Filename. html

    Is that illegal?

  78. What would a trading standards officer say? by Alien+Conspiracy · · Score: 1

    I don't know what legal jurisdiction you are in, but here in the UK I would consider reporting them to the office of fair trading.

  79. The Free Market At Work by jazman_777 · · Score: 2

    Those who choose inferior solutions will pay the price, and lose to competitors. Shouldn't try to prop them up with unsolicited help. Though the chance to make some money off them sure is tempting. Got any spare bridges you could throw into the deal?
    --

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  80. A whacky idea by Monte · · Score: 5

    This just popped into my head, perhaps it's nonsense, perhaps it's workable (given somebody with a legal background to pull it off):

    What if you asked them to sign a document that certified (1) your company did not do any work on the system(s) identified and (2) they have reviewed the list of security vulnerabilities attached and agree and certify that they are not the fault of your company and (3) that your company has provided due diligence in notifying them of the gaping holes.

    The idea is that you're approaching from a CYA angle instead of a "look at what those twits have done to you" angle.

  81. Re:I don't understand how some of this is illegal. by RallyDriver · · Score: 1

    Win98 appears to do this by default in some cases when you install ethernet drivers, hence the issue with a cable modem.

  82. Your upside here is what exactly? by Steve+G+Swine · · Score: 1

    Let's say you pitch them, they're impressed, you fix it as best it can be fixed, they give you a wad of dough, and victory is achieved all around. Sounds good, eh?

    Unfortunately, if anything goes wrong at that place ever again, it will now be Your Fault. Someone on your team will have to spend their precious time on this earth persuading them that you are not liable for fixing it free - after all, you took their money to make them secure, why shouldn't it be Your Fault if they're no longer secure because of next week's vulnerability?

    Run. Flee. Screen out their incoming calls with caller ID. Be thankful. Move on.

    If they valued what you were selling, they'd have bought it already.

    (I'm having something of a cynical day here, obviously, but this could still be actual useful advice...)

    --
    "Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
  83. Re:Give them instructions - hacking banks by QuantumG · · Score: 1

    This is what Mitnick used to say.. "I could transfer money out of any bank in the world into any account I want, but I dont, why are they after me?"

    --
    How we know is more important than what we know.
  84. Errr.. Narq them in! by QuantumG · · Score: 5

    Surely they are breaking the law by publicizing these employee details (I know nothing about this part of law). Write a short letter containing all the details and send it anonymously to your local police. Or are you more interested in making money fixing their security bugs than just having a secure internet? Frankly I think there should be people who go around doing exactly this. Perhaps they should be police but if not, they would at least be taken seriously by the police and hopefully would not be accused of being "evil hackers".

    --
    How we know is more important than what we know.
    1. Re:Errr.. Narq them in! by electric_penguin · · Score: 1

      Excellent suggestion. Have a friend call a local TV station and report the incident. Then have him suggest they interview you to discuss how common this is among people who use your competition. Who cares if you get the original client... the calls will come pouring in.

  85. let it go, but prepare for next time by laslo2 · · Score: 1

    once the contract is rejected, there's nothing you can do but plan for the next one. I'd suggest that you include security as part of your product pitch, emphasizing that you use such-and-such technology over asp/iis/sql server because [insert standard reasons here], or that your people are highly skilled, etc. you'll also need to present that you can develop in whatever you're using as fast as the visual bozos down the street .

    whatever you do, *do not* probe their servers, databases, or anything else. you have no legitimate business reason for doing so (no matter how much the bastages deserve being called out for being dumbasses and going with someone else). also, be nice to them, they may need your services in the future.

    --
    Karma only matters to me now and zen.
  86. Re:Professionalism by stroppy · · Score: 1

    Always maintain your professionalism.

    People who've never worked in a 'real world' situation might tell you to 'hack their boxen' and show the client what a mistake they made not hiring you.

    Forget about that.

    I have always liked the 'Company Newsletter' idea.
    Depending on how much time and $ you can put into it etc., consider a written bulletin that lauds your company under the guise of keeping clients informed about the horrible choices they made.

    Pitch it at your best contact point (IT manager?) and keep it simple and direct. Reference news web sites, bugzilla, or security pages.

    Make sure the bulletin sticks it to M$ products while using words and phrases like 'TCO' and 'compromised security'.

    Then gouge them until they squeal...

  87. Re:Treading on very dangerous ground by Tackhead · · Score: 2
    > I would not go near there with a 10-foot pole. There is really no way you can pull that off without generating a lot of ill will for your company from at least one of the parties involved. I also don't see how that will convince them to switch to your company immediately, no matter how right you are.

    I agree.

    The poster had better have a goddamn good answer to the following question:

    "Suppose I show up, give them the demo of the exploit, impress the hell out of them, walk out the door at 5:30 with their CTO for a beer to talk about how to fix it. How am I gonna explain it to them if some skr1pt k1dd13 wanders by and hax0rz the living shit out of them tonight?"

    Of course, the client might not call you back at all, in which case you'll only have to explain it to the cops.

  88. Re:Do you lack all people and professional skills? by ErikZ · · Score: 1

    "Use of any computing resources is restricted to authorized personnel only. Are you authorized? If not, it's a crime."

    I have pinged their machine. Dealing with the ping has used up some computing resources. I am not authorized. I am a criminal.

    Life is not boolean.

    --
    Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
  89. BS by gregm · · Score: 1

    WTF are you talking about?
    "maxed out the SQL zoom editor" WTF is a zoom editor in Filemaker? Yes I know filemaker inside and out and it's a different animal from anything else going. There are no "tables" per se, no variables, they're called "global fields" and primary keys are referred to as indexing on/off. WTF are modules in Filemaker? They don't exist and this is not a bad thing. You're either clueless or blowing smoke about Filemaker. Filemaker is a wonderful environment to create database-like software. I've written a number of large Filemaker Solutions (yes they call them solutions) and use Filemaker extensively to prototype and then recreate the finished product with php and mysql to get more reliability and work around some of the limitations of Filemaker and to avoid their ungodly expensive fees. 18 months of Filemaker will buy you a helluva thing if the developer knows something. To port a filemaker db to crashcess is just ludicrous but you already knew that.

    You obviously had no business auditing anything to do with your competition's Filemaker thingy. I've never tried to piss anyone off here before but just couldn't help myself this time.

    G

    1. Re:BS by gregm · · Score: 1

      sorry

    2. Re:BS by rjamestaylor · · Score: 1
      I've written a number of large Filemaker Solutions (yes they call them solutions) and use Filemaker extensively to prototype and then recreate the finished product with php and mysql to get more reliability and work around some of the limitations of Filemaker and to avoid their ungodly expensive fees.
      Another point I should clarify - my tale took place in 1993-1994. Perhaps FMP has matured since then?
      --
      --
      -- @rjamestaylor on Ello
    3. Re:BS by rjamestaylor · · Score: 2
      "maxed out the SQL zoom editor" WTF is a zoom editor in Filemaker?

      I obviously wasn't clear - I didn't touch FileMaker Pro (I've never even run the program). I audited their Access port of their FileMaker Pro prototype.

      I've never tried to piss anyone off here before but just couldn't help myself this time.
      I'm not pissed off; I realized you didn't understand what I was doing - and that's my fault for not being clear.
      --
      --
      -- @rjamestaylor on Ello
  90. win lose win situation by joq · · Score: 2


    If security isn't your main line of work then it's sometimes better to contact a security company and have them speak to the other company after working out some sort of deal with the security company, for the following reasons.

    If you were doing some other work for the company, then was cut off they could think you were illegally looking for holes in their systems, or were pissed off at them, and helped yourself to take some form of actions by auditing them (think about what the company would see in this situation) to find ways of screwing them.

    Contacting a security company could benefit you in other ways because if they know of something your company does, they'd likely turn to you for passing on business to them so you create a network for yourself. Now the security company on the other hand could present it in the following fashion to the primary place.

    salesman of sec. co: "A previous vendor of yours contacted us out of concern for your company as they suspected you may have some vulnerabilities but they were unsure of this so they turned to us since we focus in security...."

    As stated, if security isn't your main field of work you're better off (IMHO) going this route since it also saves face and doesn't seem like you're fetching for bones. It may also help win back "brownie points" should the company have to reconsider vendors, and they're likely to remember your actions if they went ahead and had the security company audit them and fix their holes.

    my two cents...

    FreeBSD spoof

  91. Re:I don't understand how some of this is illegal. by iceT · · Score: 2

    Breaking and Entering, Trespassing, unauthorized use of other people's computer systems (a/k/a Kevin Mitnick), it doesn't matter. They're all still illegal, and it's up to the company to decide if they want to press charges...

    --
    -- You can't idiot-proof anything, because they're always coming out with better idiots.
  92. Argue the merits of your platform beforehand by jonathansen · · Score: 1

    This won't help you with customers you've already lost, but it seems to me that you should argue the merits of your platform vs. the security risks of others while you're bidding for the contract, rather than arguing them after you've already lost it.
    --

    --
    "A dessert without cheese is like a beautiful woman who has lost an eye." -- Jean Anthelme Brillat-Savarin
  93. Treading on very dangerous ground by phutureboy · · Score: 5

    I would not go near there with a 10-foot pole. There is really no way you can pull that off without generating a lot of ill will for your company from at least one of the parties involved. I also don't see how that will convince them to switch to your company immediately, no matter how right you are.

    Let them reap the consequences of choosing a lame dev shop, and perhaps next time they will choose you instead, having learned their lesson. Think long term!

    --

    1. Re:Treading on very dangerous ground by 4of12 · · Score: 4

      Dead right on center bull's eye.

      This is a lose-lose proposition for your shop if you go anywhere near the fool that did not choose to become your client.

      Most of these erstwhile would-have-been clients will think any or all of the below:

      • [Broken in zero times.] You are a damned suspicious looking "hacker", especially if you know how to break into my crown jewels.
      • [Broken in once.] You were probably responsible!
      • [Broken in once.] Your sour grapes probably made you post the vulnerability to a bunch of script kiddies who are making my life a living hell.
      • [Broken in several times.] I'm tired and spent too damn much money down this sinkhole and I don't want to hear about my bad choices in the past. Go away.

      I think the best you can hope for here is to simply provide good brochures about how you're ready to do a good job, backed up with general references to all kinds of material on your web site about how careful you are to protect your clients' interests, testimonials from other clients about how rock-solid, high-performing etc. the work is that you've done for them. You can throw in examples of unnamed slapdash site builders who have exposed unnamed customers to all kinds of costs and liabilities in various ways using well known loopholes. Be sure to link to external references on those vulnerabilities, and keep your description stiff, formal and technical, giving your shop an air of authority and respectability (eg, using tiny red gothic script on black pages to describe security vulnerabilities is not recommended).

      I think that there are a lot of computer security firms that must walk this tightrope all the time, of having to balance business interests with

      "what I know I could do to prove my point to these bozos..."

      The moral highground is always where you want to be seen.

      --
      "Provided by the management for your protection."
    2. Re:Treading on very dangerous ground by shpoffo · · Score: 1

      Let them reap the consequences of choosing a lame dev shop, and perhaps next time they will choose you instead, having learned their lesson

      there is no next time, really, though. companies often go with their current solutions developer regardless of how bad they are screwing up and the reason is predictability. it often doesn't matter how good the hired company is, so long as their ETAs are accurate and predictable. It's only in the face of gross incompetence that developers are nixed, and that's not too often (we'd like to think =)


      -shpoffo

    3. Re:Treading on very dangerous ground by coolgeek · · Score: 5
      This is really about what kind of relationship you have with the client. Lunches, gifts, etc. will get you the open ear when needed. Continued lunches and contact, even though they are not buying anything today might put you in front of their face when they begin to realize the error of their ways. This is the opportunity for you to become a problem solving resource.

      Many a time my clients have come up with some Great Idea[tm]. My initial response is to agree with it, no matter how bad I know it is. Later I ask questions and present information, each of these really being another slice with the X-acto knife, until their Great Idea dies the death of a thousand cuts. I try to shy away from the "X is bad, so don't use X". Instead my focus is on affirming what I know the right solution to be. Most of the people I work for are smart enough to know that if all I can do is slam the other guy's solution it is because I don't know how good my own solutions are. So, if you've already burned all your launch fuel telling these people how bad NT is, instead of how great Linux is, take your lessons and move along.

      In any case, you will just look like a poor loser if you take a proactive stance here. This contacting their "webmaster"...What is that? Don't TELL THEM HOW TO FIX IT! When and if they come back to you, THEN you pull out all the Bugtraq messages the other guys should have known about.

      --

      cat /dev/null >sig
    4. Re:Treading on very dangerous ground by Andrewkov · · Score: 2
      Send them an anonymous email from a hotmail account, that will really scare the bejesus out of them since they'll think it's coming from a real hacker (cracker).

      Then maybe they'll want to hire a different development firm.

      ---

    5. Re:Treading on very dangerous ground by BitchAss · · Score: 1

      Let them reap the consequences of choosing a lame dev shop, and perhaps next time they will choose you instead, having learned their lesson. Think long term!

      I agree with this for past bids. What you should do is add to your bid package. You don't mention your presentation strategy here but what you should do is learn from your mistakes and strengthen your weaknesses. If you're concerned that you lost a bid because of something, then point to some reasons why the prospective client couldn't pass you over. Show them the level of security behind a properly built linux box. Show them the number of security holes in NT. Do this ahead of time, then if/when these sites are hacked, the clients will think twice about security and hopefully choose you.

      I don't think you can say anything about bids you've lost. I agree that it sounds like sour grapes.

      --
      Like sex? Read and write about it! Indecent Blogging
    6. Re:Treading on very dangerous ground by morie · · Score: 1

      There is a way: Ask them if they want to be shown the vulnerability, no charge.

      If they say no: go away

      If they say yes, show them. Find the hole (hey, you already have done that), invite them to come over to watch and show how badly protected the stuff is. Reassure them that they were present and that you have no interest in keeping the data or exploiting the vulnerability again. Explain others might have such an interest.

      Ask them whether they are going to fix it.

      If they say no, let them go away

      If they are going to fix it, offer to take the job on.

      If they say no, let them go away.

      Otherwise take the job

      --
      Sig (appended to the end of comments I post, 54 chars)
    7. Re:Treading on very dangerous ground by raju1kabir · · Score: 1
      "Suppose I show up, give them the demo of the exploit, impress the hell out of them, walk out the door at 5:30 with their CTO for a beer to talk about how to fix it. How am I gonna explain it to them if some skr1pt k1dd13 wanders by and hax0rz the living shit out of them tonight?"

      Well, since you were out having a beer with their CTO, you probably have a pretty good alibi.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    8. Re:Treading on very dangerous ground by rfsayre · · Score: 1
      I would not go near there with a 10-foot pole. There is really no way you can pull that off without generating a lot of ill will for your company from at least one of the parties involved. I also don't see how that will convince them to switch to your company immediately, no matter how right you are.

      This is the right way to go about it. It would probably be better to work on your sales pitch. You need to mention the hidden costs of running ASP/NT as well as the security holes. If you're losing bids to people pitching this stuff, think about what they're saying: regurgitated M$ P.R.

      Think pre-emptive strike.
      Don't be afraid to whip up a PowerPoint presentation that refutes these claims. And give them lots of literature to keep. Preferably this would be in a form that lends itself to re-use. What I mean is give them a list of "hard" questions about ASP/NT solutions that they can use against your competitors. How open about your intent you want to be is up to you. The very least you can do is structure your pitch in a way that encourages potential clients to ask your questions to all bidders. This will go a long way towards eliminating competitors with less expertise. It's possible, but not probable, that an ASP/NT type could set this stuff up better if they were good. After all, there are lucrative support contracts for M$ products :)

      Art At Home

  94. Ounce of prevention... by rkent · · Score: 2
    If you have already lost these people as a client, let them go.

    That's true. But on the flip side, why let it get to that point in the first place? You say these people choose companies who are using ASP/NT servers, which leads me to believe you're using something different (probably unix/php, eh? this is /. after all:).

    So, why don't you tell them why your solution is better?! There should *definitely* be a section in your bid that describes the technology you use and why it's better than ASP on NT. Maybe you can even include a section about how "other firms using ASP solutions will tell you how easy they are to use, but in fact these solutions are highly insecure and risky to your business, which is why WE use..." and then go into your spiel.

    It's called "vaccinating" your potential client against the competitors' reasoning. Politicians use this technique all the time, when they say stuff like "my opponent is going to tell you..." Except they lie, and you'll be telling the truth :).

    ---

  95. Re:I don't understand how some of this is illegal. by AugstWest · · Score: 2

    The analogy doesn't fit. It's being debated left and right here, but it doesn't fit at all.

    It is ok to use http over tcp-ip to hit the machine, no one has a problem with that... But suddenly it isn't ok to use sql over tcp to hit that same machine?

    As much as I hate the "breaking and entering" analogy (if the digital age has brought us anything, it's the persistent and accepted use of HORRIBLE analogies), this would be like saying that it's ok to take your friend's milk out of the fridge, but *don't* touch the fruit.

    It's a fuzzy line. It's undefined.

  96. Re:I don't understand how some of this is illegal. by AugstWest · · Score: 2

    I don't have explicit permission to access their web sites, either. I fire up a very similar client to view their website, and no one has invited me or forced me to sign agreements, or even presented me with notice that *this* access is ok but *that* access isn't.

    Don't get me wrong, I'm not a hacker, I'm not interested in data stored in anyone's databases, I'm just playing devil's advocate here and pointing out that there are some serious holes in the law, as well as generic DB security.

  97. I don't understand how some of this is illegal. by AugstWest · · Score: 5

    If I fire up an MSSQL client and connect to someone's database which is sitting wide open on the internet, how am I breaking the law?

    I'm using a client to access information which is publicly available on the internet. How is it any different to use a DB client instead of an HTTP client?

    1. Re:I don't understand how some of this is illegal. by FireWhenRady · · Score: 1

      Yes and if they said in a welcome message:
      "This is a private web site. Unauthorised access is forbidden",
      you would have legal obligation to leave immediately and never visit again.
      You are only really authorised to go to web sites because of the intent of the owner. "Common Sense" says you are authorised. "Common Sense" says that you are not authorised to go to a SQL server database. The law is based on common sense rather than logic.

    2. Re:I don't understand how some of this is illegal. by Amokscience · · Score: 1

      You leave your car unlocked - door hanging wide open - and running while checking your mail... I walk up and jump in and start driving off.

      Wheeeeeeeee. I come back and leave it where it was before you're done checking your mail. No harm done... Right? Or have you changed your mind.

      --
      Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
    3. Re:I don't understand how some of this is illegal. by GreyyGuy · · Score: 2

      I didn't break in! I walked through the guy's back door which he forgot to close.

      I understand the analogy, but is it accurate? If the resource is not password protected, or uses a publicly published password, can it claim "I didn't MEAN to make that available" as a legal defense when other internet resources use the same process for publicly available info?

    4. Re:I don't understand how some of this is illegal. by Fjord · · Score: 2
      I'm guessing the relevant lines in the California law would be:

      502 (c)(1) Access, Alter, Damage, Delete, destroy any data, computer, computer system or network.
      502 (c)(2) Knowingly without permission access and copy or make use of any data.
      502 (c)(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system or network.

      which brings us back to the case of the web site. By this law, accessing a web site is illegal, so what is the difference? Does the fact that it's on port 80 give implicit permission to access?? The law doesn't address this. Why doesn't a db on the public internet also give this implicit permission? What other services give implicit permission (port 21 (FTP)? 6660-6670(IRC)?)

      Of course, as with all U.S. laws, the letter of the law doesn't really matter: it's the decisions of the case law that define how a law is used. Even then, a judge may feel like overturning a prior decision.

      --
      -no broken link
    5. Re:I don't understand how some of this is illegal. by BradleyUffner · · Score: 1

      But this is about security holes. The file may well have been password protected, but because of holes someone would be able to access it.
      =\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\= \=\=\

    6. Re:I don't understand how some of this is illegal. by BradleyUffner · · Score: 1

      I was actually mocking the parent of my post. Most people who replied to me believe that I think it's ok to go into a house with an open door. I most definitely do NOT think it's ok.
      =\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\= \=\=\

    7. Re:I don't understand how some of this is illegal. by BradleyUffner · · Score: 5

      I didn't break in! I walked through the guy's back door which he forgot to close.
      =\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\ =\=\=\=\

    8. Re:I don't understand how some of this is illegal. by nlaporte · · Score: 1

      Connecting an SQL client to a server doesn't spew data at you (like a web server does). You have to enter a query and ask for data (reach in and turn the paper over). That is ILLEGAL.

      A web site is not the same thing, as its intent is public information (unless it is on a private network) and it presents data simply by connecting -- you don't have to "ask".

      Ummm...
      You do have to request data from a webserver. It doesn't just sit there and "spew out data". When you connect, you (or your browser) issues a request that looks something like this:
      GET /path/to/file.html HTTP/1.1
      Host: www.example.com
      <CR><LF>

      That is most definitely a request for information, not a passive reading of stuff being "spewed out".

    9. Re:I don't understand how some of this is illegal. by COAngler · · Score: 1
      Hmm .. existing laws may already protect physical property from trespassing, but I don't know of any laws that prevent virtual trespassing, not in that sense.

      In Colorado, the heading on the top of the indictment or information won't say "Criminal Trespass," but rather "Computer Crime." However, it is a crime here to gain access to a computer or network without the authorization of the owner or his agent.

      Article 5.5 of Title 18. I don't have the exact section number handy.

      We don't file it very often, mostly because we have very few DDAs who consider themselves competent to prosecute these statutes. Convincing them to handle it the same as Criminal Trespass/Burglary/Criminal Mischief is tricky. Computer Crime is basically just those three crimes committed by other means, and is prosecuted in the same manner, but our DDAs are just not comfortable filing on them yet.

    10. Re:I don't understand how some of this is illegal. by blackdefiance · · Score: 1
      IANAL, but my understanding of US law from a little googling (see this chat with a lawyer) is this: breaking & entering in the real world is "1) entering, 2) a private dwelling, 3) at night, 4) with intent to remove property"

      US Internet law is based on that. The two key ideas are authorization and intent. Authorization is obviously really murky, but the burden is on you. I doubt that any lawyer, judge, or cop would consider connecting to someone's wide open database to be authorized, regardless of what would seem to be common sense. And intent? You know what your intent is, but everyone else is going to assume the worst.

    11. Re:I don't understand how some of this is illegal. by clare-ents · · Score: 2

      "
      I didn't break in! I walked through the guys back door which he forgot to close.
      "

      If you come and park a tractor on my front lawn - which is not locked - is it tresspass?

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
    12. Re:I don't understand how some of this is illegal. by MrBogus · · Score: 1

      I've seen cases where barely capable users that don't even know what the right mouse button is for have had file sharing on and enabled without a password. There's no way that the user turned this on. So my only theory is that some OEMs must ship Windows in this configuration. (Last time I installed Win98 retail some years ago, File Sharing was not enabled by default.)

      --

      When I hear the word 'innovation', I reach for my pistol.
    13. Re:I don't understand how some of this is illegal. by Telastyn · · Score: 1

      Yes, but it is not illegal to look through the door that is standing wide open facing public areas.

      Are Florida web sites that are not linked to illegal to view?

    14. Re:I don't understand how some of this is illegal. by smartfart · · Score: 1

      That reminds me of the time I furnished an apartment one semester at college. I cruised the complexes during finals week and found enough stuff out by the dumpsters to fill a one-bedroom apartment. I guess some people would rather throw out stuff than haul it back home for break.

    15. Re:I don't understand how some of this is illegal. by Auckerman · · Score: 1
      "Stealing garbage is against the law. I kid you not."

      Actually it's not, if it was put out for the garbage man, or thrown into a publicly accessible dumpster. It's common practice for police to look through the garbage of a suspect when they don't have enough evidence to get a warrant to search their premises, and has been deemed constitutional by the Supreme Court (private investigators do this also).

      --

      Burn Hollywood Burn
    16. Re:I don't understand how some of this is illegal. by Auckerman · · Score: 2
      "I didn't break in! I walked through the guys back door which he forgot to close."

      Although funny, its not relevent. I think leaving a DB wide open on the internet is akin to putting some very personal information in the garbage can outside your house, rather than in a locked safe as you meant. Then one day, you put that garbage on the side of the road (which is akin to turning on the computer and hooking it up to a very unprivate internet), and someone comes along and takes it. Well that information is no longer private and that person has broken no laws taking your garbage (there is no expectation of privacy when you put out your garbage).

      --

      Burn Hollywood Burn
    17. Re:I don't understand how some of this is illegal. by techno-at-nni.com · · Score: 1
      I replied to someone who said the same thing up above... I wouldn't compare this to a home.. this is a commercial establishment and they are responsible for protecting their clients. I don't condone breaking in and messing up stuff, just as I wouldn't condone breaking into a bank.

      However... If the commercial establishment is offering a service similar to a bank or grocery store then why is it not legal to use it? Nowhere is it stated against its usage nor for it. But a commercial store usually says nothing as well.. Stores are open to general public unless noted (by a security guard, sign or a large electric fence with a high pitched buzzing sound). This could be comparable to a firewall or something similar. My point being is, let's not compare this to say someone's home dsl connection, but an actual company providing content for people to use.. (home being open window on someone's house versus a commercial store with open access). There are a lot of databases open to public as we speak.. example might be the database with all the albums made.. (winamp, windows media player use it).

      Just a thought, but I think the open house window example is kinda weak when comparing it to technology.. it's a different realm...

    18. Re:I don't understand how some of this is illegal. by techno-at-nni.com · · Score: 1

      However, if they had a terminal available in bank that would reference everyone's account, you would use it no? (I'm not asking about the moral question here, but just the sake of usage). But you see banks DON'T OFFER that PRIVATE service.. It's one thing to offer it to a select group as well, but in this case, sql is open to everyone.. no "bank" clients are refused access. So your argument had no point because banks don't offer that service or if they do, it's highly restricted, (ie: firewalls in this comparison of bank and server access). So my original point stands its ground.. if the service is offered (in this case sql) publicly, then why is it considered "breaking in"? It's just another service offered. But your point is that the service isn't even offered? Then it's not a public service..

    19. Re:I don't understand how some of this is illegal. by techno-at-nni.com · · Score: 1
      What? I'm not trying to be mean here, but what DON'T you get? The car example is very weak? Since when is putting 20 bucks on the dash of your car a public/commercial service? Then trying to relate it to a commercial example of a bank or sql service??

      Fine, if we make the relationship, if they didn't want PUBLIC access on a service (SIMILAR TO HTTP, as we can see from the other posters) then they should make note that no users are allowed in the area. There isn't an invitation on the desk, but also there is a "closed off" area that strictly is against customer eyes, unless a clerk is with you. If you don't believe me, then I would go check your bank.. if they let customers roam freely I think I'll make a withdrawal from your account (or cancel my account if it's at the same bank).. Second of all, banks are LOADED with cameras.. Just try to walk away with it. This camera idea could be compared to LOGGING on the system as well. The bank can see who comes and goes.. just as any other PUBLIC service at a commercial store.

      Next time you're standing outside a store, please don't enter unless you get the official "ok".. heaven forbid you enter a store without checking first.

      But if you think stealing money from cars and also snooping at banks is YET another public service comparison, you sir live in another world...

    20. Re:I don't understand how some of this is illegal. by techno-at-nni.com · · Score: 1

      > When I was a SysAdmin at a big company, we had "greeting" messages that were written by the legal dept just for this purpose. They were warnings about unauthorized access.

      well, how the hell can you get a greeting message unless you already connected? If you connect and get the message you are already violating the warning... please explain the legality of that? It's doing something you thought would be perfectly legal elsewhere (like a telnet connection) then finding out after the fact.. almost seems like entrapment...

    21. Re:I don't understand how some of this is illegal. by techno-at-nni.com · · Score: 1
      yeah and there is usually a sign that says "by appointment only"... otherwise you'll have a lot of people being annoying most of the day if you don't want to be interrupted.

      point still being that why is port 80 WWW acceptable to just browse in on? What about MUDs on different ports? what about telnet BBS type systems.. those hosts WANT telnet connections to come in.. I actually ran a telnet style bbs where you could login as guest and post messages and such... I think this taboo about other services is stupid.. SQL should be up with NFS, telnet and WWW in my opinion.. ALL of these protocols/RFCs ARE the internet..

      BUT again I stress my main point, I'm against hacking attempts, like busting firewalls and such..

      if you don't want to provide a service for all, then I think it's up to you to limit it? After all, honestly, how am I supposed to know whether or not to connect? (before I get a Welcome message).

    22. Re:I don't understand how some of this is illegal. by techno-at-nni.com · · Score: 1
      Ok, so basically a TCP/IP port is open on both ends and they sit idle until client makes request..

      good point.. or is it? Now the client doesn't even know what service he or she is connected to and there is no formal notification.. but lets get away just from SQL specific problems..

      The main concern is using/abusing services here.. none of us want to get hacked, right? Security is key here.. but why should this be left up to the client to decide.. People actually do share wingates (however, this has to be one of the most abused instances around)... the fact remains, just because SOME people do not want to share their services, but don't want to have to monitor them doesn't make it right, nor does hacking these services. But /etc/services is just that.. they provide connections for clients and it's up to server to monitor who connects. And if the company decides to have them open, then fine.. but how can we know before connecting? Like I said in previous post, they may want guests to connect to a BBS type telnet system and or SQL connection via a VB application on a ssh session...

    23. Re:I don't understand how some of this is illegal. by techno-at-nni.com · · Score: 1
      Fine, let's get away from the hacking problems (Yes, we can all agree hacking and trying to bust through firewalls SHOULD be illegal).. what about a Telnet session that has a free BBS type style to it? How am I supposed to know if that system WANTS guest accounts.. (And yes, I used to run one a little while for fun).

      Second of all, why wouldn't a company want maybe a VB app that runs via ssh tunnel that connects to a public sql database?? DO we know that the records are public knowledge?

      I just wish WWW wasn't the only acceptable "Click and forget" internet service.. After all, the internet isn't just WWW, it's comprised of many DIFFERENT services that are provided by colleges, universities and businesses... I remember when a shell account and slirp and you could go anywhere any NOT have to worry about being logged and turned into feds..

      SO bottom line, NO I can't read the minds of the server admins and see if they allow guest accounts to a BBS style telnet session.. And I have to make an initial connection to even see if they allow that...

    24. Re:I don't understand how some of this is illegal. by pogen · · Score: 1
      I understand the analogy, but is it accurate? If the resource is not password protected, or uses a publicly published password, can it claim "I didn't MEAN to make that available" as a legal defense when other internet resources use the same process for publicly available info?

      IANAL, and this is not legal advice. But I had a computer law class when I was in college, and the general impression I walked away with was this: Many laws define cracking as the act of circumventing security measures. In other words, if there's no security, there's no law being broken. I don't know of any cases where this interpretation was upheld, so don't take it as gospel.

      I see similar things happening with people who inadvertently share their entire c: drive over their cable modem. My personal interpretation would be that they have no recourse against someone who takes a look around, since to an outsider, the situation is indistinguishable from *intentional* file sharing. So it is with the scenario given in the article.

      Again, IANAL.

    25. Re:I don't understand how some of this is illegal. by SpeelingChekka · · Score: 1

      Hmm .. existing laws may already protect physical property from trespassing, but I don't know of any laws that prevent virtual trespassing, not in that sense.

    26. Re:I don't understand how some of this is illegal. by SpeelingChekka · · Score: 1

      I see similar things happening with people who inadvertently share their entire c: drive over their cable modem

      Accidentally sharing one's C: drive (sometimes even with full rights) seems to be strangely common. Our company's accountants plugged into the LAN recently, and most of them had open shares, some of them entire C: drive. I find it quite bizarre. How do you accidentally share your entire hard disk? It's not exactly a one-click operation.

    27. Re:I don't understand how some of this is illegal. by CKW · · Score: 1

      1) I walked into this store one day. They were clearly open for business. As I walked around I passed through an open door. Not long after it occurred to me that this place looked like a back room, not a display room. It even had an open safe in it. I thought that they should have kept that door closed with a sign saying 'employees only', and locked the safe. I approached the manager and pointed this out, at which point he had me arrested.

      2) I walked up to my friend's house the other day. The front gate was open, which is normal, so I could walk up to his door and knock. I looked to my left, and lo and behold his garage door was open. Even without going inside I could see all sorts of stuff, including the bodies hanging from the rafters. I immediately went to the police, but they said they couldn't do anything, as I was 'trespassing'. Then they arrested me.

    28. Re:I don't understand how some of this is illegal. by CKW · · Score: 1

      Exactly my point, however I thought it was so clear that I wouldn't have to add sarcasm. I guess this place is so used to trolls and strange sensibilities that it was taken at face value.

      Oh well.

    29. Re:I don't understand how some of this is illegal. by GearheadX · · Score: 1
      Sort of like the old argument about how Entering isn't as bad as Breaking & Entering?

      Berk Watkins
    30. Re:I don't understand how some of this is illegal. by kalashnikov556 · · Score: 1

      I'm not sure about stealing garbage, but stealing materials put out for recycling is. They belong to the recycling company.

    31. Re:I don't understand how some of this is illegal. by haruharaharu · · Score: 1

      The main thing i can think of is that nobody's started a SQL client war.

      yet...

      --
      Reboot macht Frei.
    32. Re:I don't understand how some of this is illegal. by haruharaharu · · Score: 1

      If somebody wants it to be private, they will not allow connections to the port or use access control. Otherwise, what value is the information?

      Is the company liable for being this stupid? I say yes.

      --
      Reboot macht Frei.
    33. Re:I don't understand how some of this is illegal. by 0dB · · Score: 2

      Simply because you can't do it by accident - or at least you are extremely unlikely to do so. Focusing on the technology involved would be a mistake. Simple analogy: if you walk up to someone's house, try the door and it happens to be unlocked, it is not an innocent act to then go inside and rifle through their drawers for confidential information.

      Now, at least in Europe, were you able to do this then the company may be held liable for not adequately securing their data. But that just makes you both breaking the law (although I would have thought that for an individual, the consequences would likely be minor for a first offense).

      Bear in mind, too, that there is a profit motive for a development house poking about another company's site for holes, so it would probably not be viewed in a favourable light either by the law or the (self-righteously offended) company concerned. You are acting as a corporate entity, not a concerned citizen, in this scenario.

      But really, apart from the legal side, it's the business aspect that's important. If you find less secure competitors winning contracts when you're going head to head, make security part of your pitch. If you still lose, that's their choice, and any consequences are for them to deal with. In asking the question, it's clear that you want to handle the situation properly, but at the end of the day you get a better reputation by not criticising or hacking your competition (damning by faint praise can be rather effective). Actually, scratch that last, that can vary from culture to culture. But once a deal is signed, be wary of trying to overturn that decision at all. It smacks of desperation.

  98. You Can Lead A Horse to Water... by gyges · · Score: 1

    But he will probably kick you. No one, especially after telling their management they just went with the "best" contractor, is going to risk getting fired over what you are telling them.

    You have obviously invested some time in getting up to speed on security analysis. Wait a few months and then notify the company (CIO, or someone higher up the food-chain) of your "new" security practice/business, and that you will give them a two hour consultative session free.

    In other words, take your talents, build a business and NEVER attack the winner in a bid process unless it is something that you can go to a court with (i.e. violation of process, etc.), otherwise you will be turning the client off. Do request a de-brief where you ask them how you could have met their needs better and they can explain deficiencies in your proposal. (This is often done on government contracts but is only worth it if you want them as a client).

  99. Re:Do you lack all people and professional skills? by KenSeymour · · Score: 1

    So what do you do if, while you are making them aware of this, someone else discovers this and destroys their data?

    You had the motive (you lost the contract).
    You had the opportunity (you know how to break in).
    Do you think the police will spend any time looking for the real culprits or just arrest you instead?

    --
    "We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
  100. as an employee by kootch · · Score: 1

    as an employee at a company that recommends that all of our clients use NT and M$ products, I resent the fact that you would actually approach MY clients and talk trash to them about the security holes which I didn't patch up because they didn't feel like paying me money to patch them.

    Okay, so maybe we didn't code it the best way possible... and yea, you can see database records with an anonymous account, but do you think the client knows this? HELL NO! You know why? Because we know they're morons, because we know they'll never look at the code or pay $5 more towards development, and because if a hack happens and nobody is there to know about it, did the hack ever happen?

    Yea, it's bad business. Yea, it happens all the time. But it's all about getting paid now, isn't it?

    1. Re:as an employee by FroMan · · Score: 1
      Your company got paid? Did you have to take the bid in the first place?

      Whether this is just being funny or what, it is just plain irresponsible.

      --
      Norris/Palin 2012
      Fact: We deserve leaders who can kick your ass and field dress your carcass.
    2. Re:as an employee by notenchi · · Score: 1

      Well, so much for ethics and professional attitude! But then, who needs these when doing nothing but pursuing the almighty buck...

  101. You lost the bid, ... by Speare · · Score: 5

    I agree with the sentiments here that "You lost the bid, so just move on."

    If you want to find out WHY you've lost the bid, a questionnaire is a good idea. Give them some meaningful but neutral questions, and give them a chance to respond in their own words. Assume that you will get no results, but if you DO get feedback, consider it carefully in future bids.

    With regards to security, why did you find a competing product more valuable?

    • CompetitorCo's track record for security seemed stronger.
    • OurCo has not demonstrated sufficient regard for security.
    • Cost outweighed security concerns.

    With regards to interoperability, why did you find a competing product more valuable?

    • CompetitorCo's products have a higher degree of interoperability with your other systems.
    • OurCo's products have not demonstrated interoperability with established standards.
    • Cost outweighed interoperability concerns.

    And so on. If your questionnaire smacks of propaganda, and not of honest "how can we serve you better" fact-finding, then it will land in the recycle bin.
    --
    [ .sig file not found ]
  102. fuhgetaboutit by Dalroth · · Score: 1

    Seriously man, just forget about it. If they want to leave themselves with such risk, so be it. They're the ones who will suffer in the end. Meanwhile, you guys have time to put towards more worthwhile customers and projects. Find the customers who do care. Make a better product, and show them by example.

  103. Don't consult for free. by dave-fu · · Score: 1

    Why are you wasting your time crying over spilled milk? This isn't a playground dick-measuring contest: telling everyone just how bad the other guy is won't win you any friends or business. Showing everyone just how good you are will at least win you the latter.
    Furthermore, mind your own goddamned business. Show a little class. There's only so much money you can make from behind bars. If you pull an end-route on a competitor and hack their system "just to show their clients how much danger they're in" and the guy whose system you just busted into gets wind of it, you'd better hope he doesn't have a good lawyer, because it sounds like a pretty open-and-shut case of corporate espionage.
    Concentrate on locking down your own systems and building good faith and solid products with your own clients and don't do anything but have yourself a chuckle when they show up on attrition.org.

    --
    Easy does it!
  104. Do you lack all people and professional skills? by Amokscience · · Score: 3

    Just use common sense. It's against the LAW to break into another site.

    Send them a professional letter detailing how you're sorry that they didn't choose you but am glad to see that their business is progressing. Politely point out that they have a security flaw that's easily exploited. Tell them up front what data they have exposed and the basic steps to exploit the problem. Let them know that you felt it was important enough to tell them this even though they chose X company over you.

    yadda yadda yadda... These problems are all alike: "I want to do the right thing but it's awkward because of XYZ". If you're a grown up it's something you should have learned to deal with politely and courteously. If they reject you then it's their fault not yours. Certainly don't try to turn it into a flame.

    One option that occurs to me is to report them to the Better Business Bureau or some other consumer agency. This approach should only be used when serious problems are ignored (exposing a million credit card numbers, etc). Just remember, unless you feel like it it's pretty hard to help everyone all the time.

    --
    Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
    1. Re:Do you lack all people and professional skills? by GreyyGuy · · Score: 2

      The difference that I see is that on the internet authorization is much more implied rather than explicitly stated. Looking around on Slashdot, I don't see anything that says I am allowed to read the site. I have a signin (obviously) but before that, nothing said I was allowed to use the service, and even if it did, I would have to read the page to find it. So internet authorization gets to be a grey area, in my mind.

    2. Re:Do you lack all people and professional skills? by COAngler · · Score: 1
      Is it all right for you to enter someone's house and take what you want 'cause he left the door unlocked?

      In my state, that's burglary. Burglary only requires a person to be unlawfully present in a building or dwelling with the intent to commit a crime therein. Whether the entry was forced or the intended crime was actually committed are both irrelevant.

      Some time back, when I was junior enough to be stuck on swing shift, I got a call to an apartment complex. Some guy was wandering through and just trying doorknobs, and some of the residents were very concerned.

      My partner and I contacted him and asked him what he was doing. He said he was making sure the doors were locked, so nobody would have their stuff stolen. I'm standing there thinking "Yeah, right, and I'm Jack Nicklaus and late for a tee time." Anyway, his story was working less and less with each passing minute. My partner patted him down for weapons. Turns out the guy was carrying a big-assed bowie knife, about ten feet of parachute cord, and was a parolee with two prior convictions for sexual assault.

      We ended up arresting him for CCW and for failing to register as a sex offender. You and I both can guess what he was doing, or hoping to be doing anyway. I never got subpoenaed, so I don't know what the DA did with him. I know his parole was revoked, but not whether he actually went to trial on the other stuff.

      Moral of the story: Don't rattle strange doorknobs unless you actually have business on the other side of that door. You may have a legitimate explanation, and in the greater context of the parent article you probably do. However, that tends to make the residents nervous and the cops very distrusting. You may know you had no intent to take or use the owner's information or property, but the owner doesn't necessarily know it, and that means a bunch of guys in blue poly-blend suits need to investigate. It's generally less painful to not be investigated in the first place, than to be investigated and eventually cleared.

    3. Re:Do you lack all people and professional skills? by Alatar · · Score: 1

      Use of any computing resources is restricted to authorized personnel only. Are you authorized? If not, it's a crime.

    4. Re:Do you lack all people and professional skills? by Alatar · · Score: 1

      Yup, you're entirely correct. In a few years, the use of network diagnostic tools will be restricted to a few licensed individuals, due to the abuse of those tools by criminals. Curious individuals will find their internet access cut off again and again, as complaints are made to their service providers by automated intrusion detection systems. The only reason this does not exist today is the lack of infrastructure necessary to implement it.

    5. Re:Do you lack all people and professional skills? by dvNull · · Score: 1

      Is it all right for you to enter someone's house and take what you want 'cause he left the door unlocked?



      Just a reminder to all :

    6. Re:Do you lack all people and professional skills? by dvNull · · Score: 1

      Agreed, but it still isn't right.

      Companies *do* need to ensure that there are safeguards installed to protect against intruders, but just 'cause someone has an open system which is accessible, I don't try and use its services without permission.

      How about someone keeps a machine which you can telnet in as root, without a password.
      The moment you logged into it, the MOTD says 'Authorized users only'. Then what? Is it ok to get in cause the account had no password, or not ?


      Just a reminder to all :

    7. Re:Do you lack all people and professional skills? by techno-at-nni.com · · Score: 1
      Just a quick thought, is it illegal to make simple sql queries to a site openly on the internet? It would be similar to a telnet connection.. I've telnetted to places for the simple fact that I was first telnetted to from them..

      I've heard of comparisons of this with ppl snooping around a house with unlocked doors.. Well, I wouldn't make that comparison.. I'd say it's closer to a service being offered like a bank or supermarket.. Their doors are open and they are providing a service that doesn't even need to be manipulated/hacked.. And when they don't want to provide the service they lock up shop.. My long stupid point being that if they offer sql services like a couple of ppl (even the music database sites offer stuff like this) then it's a service that you should be able to access legally.. Now circumventing firewalls and spoofing should be illegal.

      and I believe the original poster said that the site had easy access to database info (without hacking or being malicious). Food for thought anyways, otherwise I think that yes, he should just walk away from these guys...

    8. Re:Do you lack all people and professional skills? by techno-at-nni.com · · Score: 1
      Well, is this 'law' you speak of valid for every country? Just because this is a US based law (is it even one? which law is it?) doesn't mean it applies to servers in Iraq.

      Second of all, I've used many services I was never officially authorized to use. I'm not claiming negligence here either, but when do I need to have authorization to enter a store? No forms to sign, no initial agreement.. Second of all, to check if I need authorization I have to make an initial connection to begin with...

      last of all, any more DNS queries coming from your domain will be considered trespassing and you'll be fined... so stop all the 'nslookups'.. this is just another service you're illegally using.

    9. Re:Do you lack all people and professional skills? by techno-at-nni.com · · Score: 1
      If you search down below I made a comment on this same argument... while I don't believe it's a good comparison I'll try to argue my point.

      I believe that if it's a commercial company they are responsible for their clients' protection.. And like a bank they need to put in the necessary guards and limits on what can be done on their system.. Since they are a company that's on the internet, they are offering services that are available for the public. If no issue is made on connection attempts then why is it "breaking" in? If you want to make a comparison to the house example, it would be like me walking into a store.. If the store is closed (ie: firewall) the door will be locked and I won't be allowed in... However, there is no reason I can't walk in normally and use their services (if payment is necessary as well).

      I believe that home dsl connections are a slightly different case.. We honestly don't know the who, what, where and how.. But commercial sites offering services should be allowed.. It's like my commercial site hosting dns.. other places use my dns service... it would be like saying "You can use my dns which is openly available without any protection, but heavens stay away from my other openly available services". And how is making use of one service "ok" and another not? (don't make a weak comparison that it's going in and taking money out of the register, it's comparing it to using the weights and the pool at a gym, where the weights are dns and the pool is sql).

    10. Re:Do you lack all people and professional skills? by techno-at-nni.com · · Score: 1
      Good point.. what about this one tho...

      Would you trust your bank to keep your MAC card without a pin? Same deal.. If it's supposed to be secure then it should be, otherwise all bets are off.. My point is, if it has a warning message not to use it, you still need to make the initial connection to test (which you pointed out), but if the machine has open services why not use them? Sure get permission sometimes, but if WWW is open, why not use other services.. I mean, legit as well, I'm not referring to hacking attempts (random port scans on an entire subnet, just plain abuse and not "common sense use").. For instance an SQL database with album titles for instance... why not use it if it's a legit service. If I were to login to an account without any prior notification and had root, of course I'd logoff, IF it had the message.. but I would be upset if I got in trouble after the fact, because I didn't see the message until After I logged in.

      Basically, I don't trust anyone with my services if I don't want them to have access.. however, if I want a service available, I open it up.. I don't see how this is different than the real world (regarding businesses).. They want the service open then they provide it, otherwise you get nothing for free =)

      We follow hyper-links without question to port 80 on machines, what is different about other services? Just because WWW is slightly more common people are lax with it, but I wish other services were regarded the same way (either off or on with security). You could configure a browser for telnet:// but that would still be taboo I guess... I mean, don't get me wrong, I'm against hacking attempts here.. but legit use of open services should be acceptable, no? Whether sql or telnet.. and if the original company had sql open and I wasn't hacking around, what's the problem? Just like opening port 80 and viewing... just my thoughts tho...

    11. Re:Do you lack all people and professional skills? by papskier · · Score: 1
      It's not that simple though. You could do something that is for absolutely no gain of your own, but merely to only help the client. Consider the following possible scenario:

      You : "Mr. X, you happen to have a possible security problem on your website. It just so happens that you have the SQL Server port listening and awaiting a request."

      Client : "What do you mean that SQL Server is Listening"

      You : "Well, the SP that developed your site and is now hosting it left the SQL Server port open and listening. This means that anyone with a common piece of software can grab every byte of data from your database."

      Client : "Everything?"

      You : "Everything"

      Client : "And how do you know this?"

      Your Possible responses:
      1) "Um... err... well.. " - Boom, ass in jail.

      2) "I ran a port scan on it.." - he answers "Does that mean that you can break into my database? What's a port scan?" To which you reply that no, just because the port is listening doesn't mean that you necessarily CAN break into the machine, just a good possibility.. now you look like you really are a sore loser.

      Either way, you're gonna look bad. You'll find that a surprisingly small number of people will actually pay you to watch while you break into their machines.

      Put their ip on alt.2600, and check their site for defacements/intrusions/etc. When something happens, send them a follow up "Thanks for the opportunity to bid on your project..... " note.

      --
      Crowded elevator smell different to midget. -Chinese Proverb
  105. Duh. by TheBishop · · Score: 1
    Simple. Hack into their systems. Publish all their stuff for everyone to see. OpenSource(tm) all their software. Then drive them out of business and buy up their assets at the liquidation. That way you win, and the Slashdot crowd holds you up as an RMS.

    How dare they try to keep their databases closed. Information wants to be free!

  106. waste of time? by geoff+lane · · Score: 2
    I regularly report problems with corporate web sites, but recently less and less of them seem to care. Many high profile sites no longer have "webmaster" email aliases and no other online maintenance contact information.

    Currently I know of problems with three UK media companies' web sites but there's no useful contact info on any of them so I've started sending the info to The Register and similar sites in the hope that being publicly humiliated may have some effect :-)

  107. Golden Rule by Tayknight · · Score: 1

    I think the Golden Rule applies here. You would want someone to discreetly tell you if you had a problem. If the other shop won't tell their client about the problem, tell them yourself. Don't try to make the other company look bad. You are doing your business a favor, you look like a helping, kind company. You are also helping the internet by alerting poor admins to problems like this. Take the high ground, be the good samaritan, then pat yourself on the back.

    --
    Pair up in threes. - Yogi Berra
  108. Tell - don't pressure by debaere · · Score: 1

    My advice, let them know of the security risk, but I would NOT use it as a vehicle for getting them as customers unless they make the first move.

    If you say "hey, your security sucks, why not be my customer?" they might take it as a sales pitch, and not as friendly advice.

    At the very least, I would send a sales guy over a couple weeks after you inform them of the problem. This will distance the "problem" from the "sales pitch" but still maintain the "These guys care, and can be trusted with my data" image.



    --
    DOS is dead, and no one cares...
    If there's a Bourne Shell, I'll see you there
  109. Post ip addresses to alt.2600? by MattW · · Score: 2

    I'm sure someone will find the time to point out their security vulnerabilities :P

  110. Simple solution by Legion303 · · Score: 1
    1. Root the server.
    2. Deface the company's external web page to say: "W3 0wN j00, b1y4tch." Make sure you mention that you're a sore loser, since if you weren't, you wouldn't have been poking around at their system when you lost the bid in the first place.
    3. Repeat unprofessional conduct with all the other companies you submit losing bids to.

    Problem solved.

    -Legion

  111. Here's how I handle this.... by FooGoo · · Score: 1

    I am a security guru not a developer. Know your competition and know your customer...what you're describing is really a *gasp* sales issue. When bidding on a certain project you can usually figure out who your competitors will be by either the scope/type of project and the skills required or by scanning the lobby sign in sheet that most medium to large companies have looking for competitors' names. Also, most of us at one time or another have been brought into a project to fix someone else's mistakes or have heard about the mistakes of our competitors...use this knowledge in the pre-bid discovery process to hammer the relevant points to the customer as it could relate to their environment. There is no need to mention the names of the competitors, just say something like "I've had other customers where the consultant did (yada yada yada) and it created these security issues (remember always issues never problems)" and be sure it relates directly to their environment. Remember the more information you know about the client's environment before the first meeting, the more you can tailor your presentation to their specific needs. You should be in the business of building lasting relationships with clients...not just knocking out code to handle today's problem. Do this grasshopper and the bid process will just be a formality and not something to worry about. Most battles are won before the armies take the field...

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
  112. Ask the client by skwog · · Score: 2

    for a ten minute meeting in their own office, during which you will demonstrate to them just how vulnerable the site is. Be sure to promise and deliver a brief but resounding follow-up addressing how you would eliminate the problem if you were employed by them. Deliver a sales pitch to illustrate your positives even while demonstrating the competition's negatives right in front of the customer, with their permission.

    --
    You can laugh without eating a sandwich, but you can do both if you bring one.
  113. Why not put it in the Bid in the first place? by Reik · · Score: 1

    Giving you the benefit of the doubt, it seems like security is an honest selfless concern and that anyone's vulnerability is more worrisome to you than losing a bid, as it should be...

    So, why not add this to the bid in the first place:

    Legalized, of course, but put in a clause that states that acknowledged receipt of this bid grants our company the right to do a preliminary external security audit in oh...6 months or something. With a simple report on any findings for free. You can of course attach offers to fix their problems for a nominal fee at that time.

    I would think if you enveloped it in an honest slant of promoting a safer and more secure internet, which is of course good for everyone, then you would have minimal risk of anyone refusing to review your bids.

    Probably not much you could do for the present case, but maybe in the future some kind of clause like that could be leverage to get all kinds of 2nd chance business whilst at the same time heavily tarnishing the reputation of those firms who complete these jobs with such poor attention to security.

    just my 2 cents...

    Eric

  114. Re:Been there, done that (OT) by cperciva · · Score: 2

    Essentially, primary keys are things you index by. Take a dictionary, for example: it is a database containing pairs (word, meaning), and has word as its primary key.

    If you want to look up something in your database and you have a primary key, you can just jump to the correct location in the database and find the data; if you don't use primary keys (eg, looking for a definition in a dictionary in order to find the word) you have to examine every element individually.

    Basically, primary keys are obvious to anyone who has never taken a database course, so you've probably been using them all this time anyway.

  115. Look at reference sites. by jeling · · Score: 1

    I think you should aim to increase your focus on security during the bid process. Ask the customer to look at reference sites. If your customers are happy that will say quite a bit, but if the competitors' old customers aren't happy that will say even more. Point out the holes in the other companies' reference sites. You don't have to break in, just point out the holes that are there. If they are interested in getting the best product, they will think a lot harder about your solution, but in the end, tragically, often these decisions are made because someone has a friend somewhere.

  116. Take the high road... by DESADE · · Score: 2

    Schedule a meeting. Show them the risks. Don't pitch them. Give em the info they need to call the other shop to task. Even if word does not spread, they will remember.

  117. Re:Give them instructions by Stephen+Samuel · · Score: 2
    It's not illegal to do if you have their permission.

    The thing to do is to go in and say "look: they've only done a cursory setup of your system. It looks like it's very insecure. We've tried to warn them about it and they just blew us off. Give me half an hour of your time and I can show you just how easy it is to break into your system as it's currently set up and get an indication of how much of your data is available to the general public".

    Let them know that you're not willing to do anything without their permission. Remember that it's their problem and you're essentially doing them a favour (even if you do see the possibility of getting the contract from them). Remember that they may have a contract with your competition that isn't easy to break, so you may never get the full contract from them. I've seen some really nasty colocation/hosting contracts in my time. I have no idea as to what they've signed.

    If they say 'yeah go for it', then you can show them how bad things are. If they blow you off, then there's not much you can do about it. It would be one of those 'you can lead a horse to water, but you can't make it drink' things. Worst case, you can offer to be an expert witness if they get badly hacked and it ends up going to court.

    At some point, you do have to put your hands in your pockets and walk away. What you consider 'due diligence' on your part is up to you. For me, I would definitely contact them and tell them that things look bad.

    <rant>
    I think we've all come across people who've taken an M$ MCSE and think that they know all that they need to know about setting up a good system. Your competition may be one of those. Whether or not your prospective client can be taught to discern that there's a difference between one of those and someone who understands computer systems (with or without MCSE training) is another question. People can only see what they're willing to see.
    </rant>
    --
    Free Software: Like love, it grows best when given away.
  118. Do it right. by aralin · · Score: 1
    Well, you definitely don't go, hack their site, get the employees' SSNs and then show them how stupid they are. That's a way to face charges, but... you can do it right. What about:
    1. Contact the manager of the site with your concerns about their solution's security.
    2. Ask them for permission to demonstrate the weakness.
    3. Then go to the site and show them all these breaches, preferably with one of their managers always present for ANY access to their site.
    4. Collect consultation fees :)
    --
    If programs would be read like poetry, most programmers would be Vogons.
  119. Re:Give them instructions by ahaning · · Score: 1

    Perhaps, rather than laughing, you could pull an "I told you so." and offer to fix the problem. Assuming the kiddiez were smart and hid themselves well enough, they won't get in trouble, you'll get the job, and the company you're working for will be better off for it.


    kickin' science like no one else can,
    my dick is twice as long as my attention span.

    --
    Withdrawal before climax is very ineffective and those who try this are usually called "parents."
  120. Re:Obligation to those whose privacy is threatened by blue+trane · · Score: 1

    how about letting the other shop know? they are likely to be grateful, the problem will be fixed so the innocent will be protected. and you might generate a little good will for non-ms shops.

  121. Re:Dissing the "Great Idea" (tm) by blue+trane · · Score: 1

    if I had points I would mod this up dude

  122. Lets them crash by y86 · · Score: 1

    It isn't your problem, you're not responsible for their security. Let them crash, it'll show other potential customers that your competitors suck.


    -- MMMM...... Tomacco --

    1. Re:Lets them crash by Tsar+cr0bar · · Score: 1

      Who the fuck is going around moderating all posts like the parent one to "Troll"? This is dead-on! The company made a decision, and no one else is responsible for making sure they considered all the factors (security and otherwise). Sure, you may feel bad for them, but there's no real tactful way to inform them of their mistakes without looking like a sore loser.

  123. Re:Give them instructions by -brazil- · · Score: 1

    Well, D'uh. The question was how to make them understand that there is a serious problem without doing something illegal like that!!

    --

    The illegal we do immediately. The unconstitutional takes a little longer.
    --Henry Kissinger

  124. Professionalism by shpoffo · · Score: 2

    If the client is at massive risk and your business is security then dealing with these problems should be something that you don't ignore just because you lost a contract. You might want to pick one particular example of their lacking security and point it out to them as well as some of the important details. If the problem is fixed in a week and you still haven't heard back from them they're obviously not interested in going with you; let them fend off the sharks themselves. If they're smart they'll realize who's the better pony and get back to you. -shpoffo

  125. you don't -know- do you? by dbrower · · Score: 1
    If we assume you haven't illegally probed the servers of the site, then you don't really know if they have the vulnerabilities you suspect. You have only got suspicions at this point.

    There is probably no way of getting into the management of that site and having them listen to you; this is the "sour grapes" problem. You will be better off, IMO, to contact a "neutral" third party and have them inform the company of the exposures that are maybe being run. If that third party company pitches a security solution, it's not your sour grapes.

    I don't think you can get the business; if your concern is for the security of confidential information on the part of those whose data is likely to be leaked, take the high road in all ways: don't touch the site, and don't be involved in contacting them directly.

    -dB

    --
    "It if was easy to do, we'd find someone cheaper than you to do it."
  126. Don't tell them what's vulnerable by Emnar · · Score: 1

    Say you give them a list of vulnerabilities and recommend that they employ you to fix them, but being fools (or just strapped for cash), they take no action. Six months later, an anonymous email hits every employee in the company with everybody's SSN, salary, performance reviews, etc. Finger-pointing ensues, and the IT managers look for somebody, anybody to pin the blame on besides themselves. "Maybe it was a disgruntled ex-employee," they say -- "or maybe it was that security guy who was trying to get our business! Look, he even gave us a list of what he could do to our machines!" Wham, lawsuit and criminal charges against you! Sure, you would know you didn't hack their site...but you'd have to prove it in court, which is expensive as hell, not to mention very hard on the reputation.

    1. Re:Don't tell them what's vulnerable by smashdot · · Score: 1

      Umm, that's criminal law, not civil law.

      --
      "C" is for cookie, that's good enough for me.
    2. Re:Don't tell them what's vulnerable by ocbwilg · · Score: 2

      Sure, you would know you didn't hack their site...but you'd have to prove it in court, which is expensive as hell, not to mention very hard on the reputation.

      Actually, they'd have to prove in court that you did it. Remember, innocent till proven guilty. Of course, by the time it gets that far you've already suffered a pretty substantial hit to your professional reputation to begin with...

    3. Re:Don't tell them what's vulnerable by ocbwilg · · Score: 2

      Umm, that's criminal law, not civil law.

      Yes, and hacking is a criminal offense.

    4. Re:Don't tell them what's vulnerable by Johnny5000 · · Score: 1

      > Actually, they'd have to prove in court that you did it. Remember, innocent till proven guilty. Of course, by the time it gets that far you've already suffered a pretty substantial hit to your professional reputation to begin with...

      Innocent until proven guilty would only apply in a criminal case, no? IANAL but I believe that the level of proof needed is much lower for civil cases. They could sue for whatever damages "you" caused when "you" hacked their system. Not that it would matter that you didn't do it.

      --
      The libertarian solution to the failures of capitalism is to apply more capitalism til the failures are fixed.
  127. Been there, done that by rjamestaylor · · Score: 5
    I worked for a small company that lost a bid to a client for a database project. We still had other business with the client and this gave us an opportunity to keep in contact with the customer. The winning bid was from a startup that planned to use FileMaker Pro (hey, it's "Pro" - right?) for a multiuser live data-intensive application. The client was won over by the slick buttons. Anyway, their plan was to prototype in FileMaker Pro and port the result to Access. Whee.

    After running 150% past the delivery date with no deliverable in sight we asked the client for a meeting, which was granted, wherein we offered to audit their development up to that point and assess the situation. Permission was granted and we were given access to the development code.

    What we found was a sham - nothing more than a few forms (no reports), basic tables and a couple queries. All the processing logic was contained in a couple queries (maxed out the SQL zoom editor). Oh, no modules. No, this wasn't a backend/frontend separation. 18 months and not much more than pretty buttons.

    The kicker was discovered looking at the table definitions: no primary keys. Unbelievable.

    We asked the other company for a meeting - alone - to discuss our findings, give them time for rebuttal, etc., before we presented our findings to the client. In this meeting no facts were refuted, only one question was asked: "Why do you need primary keys?"

    Then the three parties met and laid it on the line with the client. It was obvious that the other developers were in way over their heads and were going nowhere, yet slowly.

    Resolution? The client stayed with the FileMaker people. Why? Too much time and money invested to change, and prestige. Yep, good old pride. The client would have to admit that he'd screwed up and he couldn't do that.

    Moral: you lost the bid, forget about it. Sure, drop a note, but only out of conscience - then move on.
    --
    -- @rjamestaylor on Ello
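    Comment 114 above explains a primary key as the thing you index by, and comment 127 describes tables built without one. What follows is an added example, not code from any poster and not from the products they mention (FileMaker Pro, Access, SQL Server): it uses Python's standard sqlite3 module and a constructed three-row (word, meaning) dictionary to show the two things a primary key actually buys. The database refuses a second row with the same key, and a lookup by key goes straight to the row (the planner reports SEARCH) instead of examining every row (SCAN). The table names `keyed` and `unkeyed`, the helper names and the sample rows are all my own choices.

```python
import sqlite3

# Constructed sample data (not from the thread): a tiny dictionary of (word, meaning) pairs.
SAMPLE_ENTRIES = [
    ("apple", "a round fruit"),
    ("byte", "eight bits"),
    ("cache", "fast temporary storage"),
]

# Only these two fixed names are ever interpolated into SQL below; they never come from user input.
TABLES = ("keyed", "unkeyed")


def build_db():
    """Create an in-memory database holding the same rows in a keyed and an unkeyed table."""
    conn = sqlite3.connect(":memory:")
    # 'keyed' declares word as the primary key, so SQLite builds a unique index on it.
    conn.execute("CREATE TABLE keyed (word TEXT PRIMARY KEY, meaning TEXT NOT NULL)")
    # 'unkeyed' is the no-primary-key table from the story: no index, no uniqueness guarantee.
    conn.execute("CREATE TABLE unkeyed (word TEXT, meaning TEXT NOT NULL)")
    conn.executemany("INSERT INTO keyed VALUES (?, ?)", SAMPLE_ENTRIES)
    conn.executemany("INSERT INTO unkeyed VALUES (?, ?)", SAMPLE_ENTRIES)
    conn.commit()
    return conn


def duplicate_rejected(conn, table):
    """Insert a second 'apple' row; return True if the database refused it."""
    assert table in TABLES
    try:
        conn.execute(f"INSERT INTO {table} VALUES (?, ?)",
                     ("apple", "a second, conflicting meaning"))
        conn.commit()
        return False          # unkeyed table: silently accepts the duplicate
    except sqlite3.IntegrityError:
        conn.rollback()
        return True           # keyed table: UNIQUE constraint failed


def row_count_for(conn, table, word):
    """How many rows now carry this word (1 if the key held, more if it did not)."""
    assert table in TABLES
    return conn.execute(f"SELECT COUNT(*) FROM {table} WHERE word = ?", (word,)).fetchone()[0]


def lookup_strategy(conn, table):
    """Ask the query planner how it finds one word: 'SEARCH' via the key, or 'SCAN' of every row."""
    assert table in TABLES
    rows = conn.execute(
        f"EXPLAIN QUERY PLAN SELECT meaning FROM {table} WHERE word = ?", ("byte",)
    ).fetchall()
    detail = " ".join(str(row[-1]) for row in rows)   # last column is the plan text
    return "SEARCH" if "SEARCH" in detail else "SCAN"


def compare():
    """Run both tables through the three checks and return the results side by side."""
    conn = build_db()
    return {
        table: {
            "duplicate_rejected": duplicate_rejected(conn, table),
            "apple_rows": row_count_for(conn, table, "apple"),
            "lookup": lookup_strategy(conn, table),
        }
        for table in TABLES
    }


if __name__ == "__main__":
    for table, result in compare().items():
        print(table, result)
```

    Running the file prints one line per table: the keyed table rejects the duplicate, keeps a single apple row and is looked up by SEARCH; the unkeyed table accepts the duplicate, ends up with two apple rows and is looked up by SCAN. The table name is spliced into the SQL text only because it is one of two constants in the script; the values are always bound as parameters.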
  128. Be businesslike, dignified, build confidence. by TheMCP · · Score: 4


    When you're dealing with a company that you bid to and they went with somebody else, anything you say is going to be a little bit suspect to them, because as far as they're concerned you're just trying to wheedle your way into doing business with them by elbowing away your competition.

    The key thing you should remember is, they're right. You are trying to wheedle your way into doing business with them by elbowing away the competition.

    So, if you're going to do this, do it with dignity and class. Be honest and up-front about it, and tell them bluntly "we noticed that the company you hired used X and Y technologies and we have some concerns about those technologies. Here's a list of known problems with those technologies. We think you might have some of these bugs, and we'd like to talk to you about how we can help you fix the problems." Don't go into specifics of their implementation, let them figure that out. If they don't care to look, or to ask you for help, then they just don't care and the argument is futile.

    Of course, if you're really running into this multiple times, you should consider making it part of your sales pitch. "We use technologies X and Q. We believe they're safer and more secure for your business needs. Here are some of the problems we've observed with sites implemented with the other technology, Technology N. A site one of our (unnamed) competitors recently did for the XYZ Company with Technology N seems to have these problems..."

    If the client cares about the security (and stability) issues you can bring up in the sales pitch, great, this could help you make the sale. Also, by bringing concrete recommendations to the client in the sales pitch, you show them that you're serious about helping them and make them feel that you're already on their side, which is important in managing their perceptions of the working relationship. Sometimes the potential client can come away from a meeting like that feeling that you're already working for them, so when you hand them a contract to sign they feel like it's just a formality.

    Again, if they don't care about this stuff when you bring it up, that's their problem, and if in the future they hire one of your competitors and you discover that the competitor did a lousy job... well, you warned them, and it just becomes another case study of what not to do.

  129. Re:Happens every day by tburkhol · · Score: 1

    The only problem I see with this is that you admit to having hacked their web site/network. While White Hats make sense to many people, there are an awful lot of people who prefer the website-is-private-property viewpoint. I suppose the risk of being turned in for electronic trespass is pretty low, but I also imagine there are a lot of contracts to be had with zero risk of fines or jail time.

  130. Re:Give them instructions by SuiteSisterMary · · Score: 2

    Read the anonymous post above; it's good.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  131. Re:Give them instructions by SuiteSisterMary · · Score: 3
    That's why you include in the list the specifics of what can be gotten.
    After logging into the SQL Server using the above methods, credit card information from clients can be extracted, which is in direct contravention of the following laws, which carry the following penalties....
    --
    Vintage computer games and RPG books available. Email me if you're interested.
  132. Give them instructions by SuiteSisterMary · · Score: 4

    Don't break their boxen, but give them step by step instructions of what a sample vulnerability is, how it can be exploited, what it exposes, and what it can be used to get from, or do something nasty to, the box/lan/company.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
    1. Re:Give them instructions by ameoba · · Score: 1

      Everyone seems to be saying how much trouble talking to the clients would be. Maybe a better route would be to approach the ppl who did get the contract, and contract your services to them. I'm sure they'd much rather shell out some extra $$$ than have their good name destroyed when the site gets hit...

      --
      my sig's at the bottom of the page.
    2. Re:Give them instructions by HughsOnFirst · · Score: 3

      About five years ago I hacked into the web site of a subsidiary of a certain international business machines company and was able to see customer info, source code etc. But when I did it I was sitting in their offices with the product manager of a product I was consulting on watching. The ***** folks were surprised to say the least, and were appreciative. You might try hacking into these people's web site with them watching, as an educational exercise.

    3. Re:Give them instructions by Karma+Sink · · Score: 1

      While that sounds like the best, and most responsible choice, it won't work with the average person who can make managerial decisions. They'll think you're just nitpicking, because they can't conceptualize it.

      Personally, I'm all for the 'criminal' behaviour of just showing them... But it can certainly get you into legal trouble. The best plan, overall, is to let it go, and then laugh your ass off when skript kiddiez get into their machines using well known exploits...

      --

      When encryption is outlawed, ?o'AZ-,++o+i++##4AoA+-/-C++bI+/.+~
    4. Re:Give them instructions by The+Tyro · · Score: 1

      Heh... you are in a tough spot, but it's only because you are letting your conscience burden you. That is, you are shouldering the responsibility, because you feel like you could save them the pain.

      Guess what... you can lead a horse to water, but you CANNOT make 'em drink. The two best teachers in life are pain and loss of money... let them learn a life's lesson.

      Once you have made an effort to clue them in (and some would argue that you don't even owe them that courtesy), you are not responsible for their cluelessness. Always remember that power and responsibility must be equal in order to avoid injustice and suffering. You have no power to change their situation, so the responsibility isn't yours.

      Let 'em burn.

      --
      Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
  133. or you couldlearn a lesson from the FBI... by tinyuan · · Score: 2

    and use them as another Invite, Inc. then some poor Russian idiot can hack it for you, thereby revealing the weakness in their database security.

  134. Re:Give them instructions - hacking banks by x-empt · · Score: 2

    More info...
    The bank considered my request for using encryption as a "threat" instead of a precaution against interception of data.

    The bank said I was guilty of extortion, even though I never asked for anything from the bank except to have them make sure they were protected against the vulnerabilities I reported one year prior.

    The bank is trying to squish me from talking. In order to avoid a legal hassle, I must agree not to write about what bank it was and how stupid they were not to fix their problems immediately.

    I detailed to the bank how to fix ONE of their problems, but mentioned there were more. They only fixed the one issue that I reported how to fix (they may have fixed the others months later... but I didn't check... it's not my job).

    The bank's CEO only cares about his bank's reputation... not about my rights to publish what I found. (that's why he has lawyers)

    --
    Ever need an online dictionary?
  135. Re:Give them instructions - hacking banks by x-empt · · Score: 5

    I did this recently and documented steps to show the intrusion technique (only one of many) and how to fix the problem. I submitted this information in a report to a bank...

    Now, one year after the report was sent to the bank, I re-sent the report via PGP-crypted mail and said I wanted to publish the report publicly.

    They turned around and filed a report with the FBI which sparked an investigation into me (still going on).

    Plus they started unleashing their lawyers on me.

    Luckily I am a minor and it would look really bad for a bank to attack a kid who only wanted to exercise his first amendment rights to publish such information (none of which was illegal).

    I suggest not using your approach of "showing the problem in a report." It has only caused troubles for me. Unless you have a ton of lawyers to protect you, this method isn't recommended.

    --
    Ever need an online dictionary?
  136. Whistle blowers are resented by vtweb · · Score: 1

    People (clients) most often have to learn the hard way. No matter how many times you say the stove is hot, the real learning occurs when the finger gets burned.

    I run a small SP shop in Vermont, and we had a sleazy developer roll into town. After encountering him, I did a little background checking, and found that he was buying up the domain names of all the local businesses. I started to put out the word, to warn locals that had been flirting with getting websites, but had not committed yet.

    What happened? I was threatened with harm by the sleazoid, and the locals were not much interested in hearing my warnings. So I shut up, and let others learn on their own. Basically, the warnings were useless, and eventually the sleazoid left town (with the FBI investigating him).

    After that, our qualities were better appreciated, and we gained from the contrast. We gained new clients from those who had been burned by the sleazoid, but NOT from any businesses we had warned!

    For us, it was better to just do our jobs, take effort to point out in our sales/bids what we do better, and wait out any inferior challengers.

    Some clients buy by price, and will always choose the lowest bid, no matter the downside. Others are interested in relations, and choose who they get along with or like. And some will actually evaluate apples with apples, and choose you due to your quality and expertise.

    Over the years, I have later gotten jobs that I had earlier lost to other shops, largely due to how graciously we dealt with them, and having said nothing but positive things to them about their project and choices.

    As covered in other posts, pointing out people's mistakes will never get you their business in the future. The potential for you to be an "I told you so" will keep them away.

  137. Geeks Vs. Bean Counters by cheezit · · Score: 2

    You're asking a bunch of geeks a business account management question.

    Here's the deal. Anytime an intangible value (like security) enters into a dollars-and-cents decision process, you have two sides: the geeks and the bean counters. Your people are the geeks.

    Now wait---who decided that they should go with an insecure cheaper solution? Chances are the geeks bought into the process, or at least were forced to do due diligence and assent.

    When you go to the company and expose the problem, who looks bad? The geeks! The geeks now have a professional investment in the bad solution.

    Your best bet is to contact the technical people directly, create good will with them, and ALLOW THEM to take the issue to the bean-counters.

    --
    Premature optimization is the root of all evil
  138. Tell them beforehand by wfaulk · · Score: 1
    If you're competing with other companies to provide a service, it should be in your best interest to tell them what sorts of security issues they can be open to, in general, when pitching your service. Then demonstrate how your system does not have those holes. This should encourage them to ask the same questions of the other vendors. If it doesn't, then no amount of prodding after the fact will make them change their minds.

    You might even demonstrate a security hole on your own system (open it up for testing) and then show them that you can (and do) close it. Then, perhaps, encourage them to try the same thing on the competing vendor's solution. Don't do it yourself, but get them to do it or get them to request the competing vendor perform the same test.

    If they choose the other vendor, then you cannot feel guilty about not telling them about the security holes of their chosen vendor because you've already prodded them to the point that they should already be aware and concerned, and you can't feel bad about losing their business, either, since the ``additional'' security you provide was obviously not of enough concern to them.

    Definitely don't press anyone in any way after you've lost the bid, though. There's nothing that leaves a worse taste in a customer's mouth than perceived sour grapes or even general pestering. If you don't bother them, then you leave yourself as a possible new vendor when the one they chose falls down on them. You already made it to their short list once.

    --

    Fuck 'im up, Tim! His views are invalid! -Pirate Corp$

  139. You need an unrelated 3rd party as well by idgrad · · Score: 1

    Although I'm not an IT worker, I do have a couple suggestions.

    First off, your primary issue: "SORE LOSERS". While you might want to protect this ill-informed possible client, you don't want to generate a bad name for yourself in doing so. You don't want this label for yourself or your company. So this is my suggestion: accreditation/testing by an unrelated 3rd party. Similar to the (crappy) movie "Sneakers", you're going to pay people to mess with your security to prove that you have a secure implementation; likewise recommend the same to this client. As others have suggested, contact your old client/almost client. Have a short meeting, mention that you notice that they have some serious security vulnerabilities. Next, rather than you show them those vulnerabilities, give them a list of the vulnerabilities and some references for some TRUSTWORTHY security firms that are not related to your company to test them out. That way, they're hearing the same message from somebody that has nothing to gain by pointing out the flaws of their implementation. You'll get around the sore loser issue, and hopefully they'll come back to you for business. Just my 2 cents...

    --
    "If we knew what we were doing, it wouldn't be called research, now would it?" -Albert Einstein-
  140. Have them do it by austinij · · Score: 1
    Offer up your time and visit them. Have management and a techie from their organization present, and have them go break into their system, with your step-by-step instructions, of course.

    When they see what kind of info is available, hopefully their horror will get them listening to you. At this point, offer up your suggestions of how *you* would go about fixing this. Don't put down their system(s) saying ASP/NT sucks or whatever, because they probably put a lot of work into it, and the last thing they want to hear is how they made bad decisions.

    If you play the good guy, hopefully they will drop their current development house in favor of you. If not, at least you have made them aware of the problem, and they should do something to fix it, saving personal data of many many people.

    Be the good guy and take the higher road; even if it doesn't directly benefit you, your actions will speak louder than words.

  141. Re: The CYA approach by Rimbo · · Score: 1

    There are two things about this. On the one hand, I think it's important. Although most companies don't publish lists of bidders, if you've done any other contract work for them and your name is on the site, you might be pegged if the site gets cracked later for doing insecure work.

    On the other hand, if the CYA approach is the ONLY approach you do, you're not going to be able to scare them into becoming your customers.

    dada21's post above is the right answer. If they refuse any work from you, and it's clear that they're not going to hire you to do any other work in the near-term, the CYA approach is probably not only a good idea, but necessary.

  142. More than Prison/Protecting yourself by Frank+T.+Lofaro+Jr. · · Score: 5

    The good news is he likely won't serve any time.

    The bad news is quite bad though. As a felon he is legally barred from many rights full citizens (which he NO LONGER IS in the eyes of the law) have.

    It is illegal for him to own a firearm ever again everywhere, (in some states, not his state of Oregon) to ever vote again, and of special interest to people in the I.T. field:

    It is illegal for him to work in certain technical jobs ever again. Such as working for a certification authority in at least one State.

    Also, a lot of people are under the impression that all felons are intrinsically untrustworthy individuals.

    The above still applies even if the person's motives were pure.

    P.S. Randal Schwartz would likely have not been convicted if he were in Nevada. The laws here provide for implied authorization of an employee to access an employer's systems unless there is "clear and convincing" evidence to the contrary. He still could've been fired though (Nevada is an at-will state).

    The moral: Don't try to do any favors. If you want to break into systems as a good guy, find a way to do it LEGALLY.

    Consult a lawyer for legal advice.

    --
    Just because it CAN be done, doesn't mean it should!
  143. Be careful... by blackdefiance · · Score: 4
    If you're in the US, the risk of your actions being considered criminal is real. The FBI does not have a sense of humor, and doesn't care what your intentions are. Federal judges can't give you a lighter sentence because you mean well.

    Consider this: what if your actions are construed as destructive or intrusive, just through some freak accident because someone's having a bad day, or there's an asshole or an idiot in the client's company or in the consulting firm that's leaving everything wide open?

    Do you have the time or the money to explain yourself to some feds? Multiply some small but non-zero probability factor by several hundred thousand dollars plus whatever value you'd assign to a year in prison. That's how you should do the cost/benefit analysis.

    I'm advocating a grim, "being nice gets you nowhere" sort of position, but the potential downside to the situation is horrible. There's an Assistant US Attorney somewhere itching to make a name for him or herself by prosecuting a "hacker" case. Don't put yourself in a position where you could make it onto their radar screen. The deck is stacked completely in their favor. Read a Register article about the feds' tactics if you want to get scared.

    Watch your ass if you want to be nice.

  144. Help on evaluating the work... by thrillbert · · Score: 2

    The best thing to do would be to write up some sort of a form letter. Pay attention to the problems you have encountered and document them. Do not mention specifics, nor methodologies used, just state the problems such as employee records viewable by the world, etc.

    You may even include some examples on how to check the system. Of course, this letter should include the regular "Thank you for the opportunity", yada yada yada..

    This method will not only show that your company _IS_ aware of security measures, but will also demonstrate gracefulness and genuine concern.

  145. Waste of time? by lanclos · · Score: 1

    Wouldn't you be better off courting new customers rather than spending any more time trying to win over lost customers? I mean, sure, point out the mistake, and leave your card; at that point, if they're willing to stick with a bad decision, let them learn the hard way.

  146. Don't scan lost clients! by evildead · · Score: 1
    1) Poking at systems that you don't own; don't have responsibility for; and aren't doing software work on can cause very serious problems for you and your company.

    At worst, it can lead to a criminal investigation; and somewhere in the middle is damage to the reputation of your company.

    2) It makes your company look like a sore loser, if you complain about the other companies' implementations.

    If you lose a contract, maybe you should follow up with an offer to do independent verification and validation, a security audit, or maintenance -- which would allow you to scan the systems for exploits.

    3) That said, you may be better off sending anonymous email to them, and notifying them of the problems, or otherwise forgetting about it.

  147. A preponderance of the evidence by shepd · · Score: 1

    That is the main item that has to be proven in a civil court.

    At least that's what I learned from taking 1/4 of a law class... Take that however you'd like (I wouldn't trust me in this case...)

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    1. Re:A preponderance of the evidence by ocbwilg · · Score: 2

      Yes, liability (guilt) is determined based upon a "preponderance of the evidence" in a civil case, whereas it must be proved "beyond a reasonable doubt" in a criminal case. That is how OJ Simpson was found innocent in a criminal case and liable in the civil case. They didn't prove it beyond a reasonable doubt, but they did prove it based on a preponderance of the evidence.

      But that is all irrelevant in this case as the burden of proof is still on the plaintiff or prosecution. The defendant (in the US anyways) always gets the benefit of being innocent (or not-liable) until proven (either beyond a reasonable doubt or based on a preponderance of the evidence, depending on the type of case) guilty.

      Beyond that it's even more irrelevant as hacking is a criminal offense.

  148. offer a free security review as a "teaser" by bluebomber · · Score: 5

    Simple: Offer to perform a smallish security review. For free. No strings attached. If there are gaping holes, it will only cost you a few hours worth of work (and maybe a couple of hours of sales pitch), and has the potential for gaining the client as a customer. I'm not suggesting that you do a full security audit, or even that you hold yourselves out as such. Just that you offer to perform a small service for those customers that you've lost in the past, as a gesture of good will and to demonstrate the quality of the service that you can provide.
    -bluebomber

    1. Re:offer a free security review as a "teaser" by mborland · · Score: 1

      Um, how stupid is this? Any organization who wants security is not going to let some unknowns come in and poke around. If they're friends, yeah, but otherwise you're either dealing with incompetents--not a good business move when you are looking for a trusting relationship.

  149. Happens every day by dada21 · · Score: 5

    I've found that a standard 'form letter' has worked for me in the past. I've probably won back some lost clients because of security issues. Generally, my letters have been written to whomever accepted the bids for the original contract, along with a repeated thank you for allowing our company to bid on the project. We hope we can be of use in the future on similar projects, and want to be kept abreast of any upcoming work that will be taking bids. On another note, we would like to mention that we reviewed your website as it currently stands, and have found some serious security issues and risks that go beyond being "potential problems." If you would be interested in hiring our security team to show you the current security breaches and issues, we would be happy to draft up a competitive bid package for the consulting time and documentation time needed to review all the security problems as your system currently stands. Then go on to say how security is as important to your firm as the end product, and that it is quite possible the reason your bid package on the original contract was higher than the winner's was because of differences in opinions about Internet security. Don't be afraid to blast their price, not their service. If you get a follow-up call (I've gotten them more than 75% of the time!) you can explain that many websites on the Internet have security issues, that you are well versed with how to handle them, and many companies haven't taken the time because the chance of getting hacked SEEMS slim, while in reality it is not. I've lost some clients who have returned to the bid winner to clarify security issues and have gotten some of them fixed (without us telling them specifically what the problems are). Even if you don't get the contract, you may end up with more lucrative time and material work pointing out the bugs in the code. I prefer T&M at full rate rather than contract at discount rate anyway. Plus, there's no warranty involved in T&M consulting. Good luck!

  150. alert the people at risk by twistedfuck · · Score: 2

    Screw the client and the competing development shop, alert the people whose information is being exposed. If companies leave security holes, it's the consumer who is at real danger. If the negligence is exposed publicly then the companies will act. Also, if something is viewable without authentication on a website, and you figure out how to see it, I don't think this can be classified as a criminal act. TWF

    1. Re:alert the people at risk by LuserOnFire · · Score: 1

      On my first read, I thought this person was crazy. But after a second or two passed I realized that they are right.

      I work for a marketing company, and we have been bitten several times because of offline security issues. Bringing information online adds another layer to the security issue.

      The absolute first thing to do is to alert the company. Make sure they are aware of their negligence. If they won't do anything about it, you need to go a step above them. Either notifying authorities of the breach or of the clients themselves.

  151. Re:How about consulting for the clueless developer by TobyWong · · Score: 1

    The problem is that while your suggestion seems to make sense, from a different point of view it could be considered extortion; you are trying to thumbscrew SCD into letting you in on the cash. In a way this is true. You really have to look at it from all perspectives. As many others have said, it's probably best just to walk away.

    --
    - Toby
  152. What ever happened to ethics? by zer0tude · · Score: 2
    You stumble across a security hole in your employer's network that could easily leak private employee information to a cracker with mediocre skills. What do you do?

    Pretend it doesn't exist.

    Exploit the security hole to prove the problem.

    Draft a reasonable letter, cosigned by your company attorney, explaining the problem.

    Option 3 is the only one that makes sense. IMHO you have an ethical obligation to inform the company of their security breach. That eliminates option 1. Breaking into their system as a demonstration opens you up to potential anger/hostility from the customer. That eliminates option 2. Sending a letter, drafted by your company attorney, informs the customer of the problem. If they investigate the problem and conclude you were correct, you will win future business. If they ignore the problem and their system gets cracked, you will win future business. If they ignore the problem and never get cracked, that's just fine too. Your conscience will be clear.

    --
    "You've gotta be a spirit...Don't be no ghost."

  153. Already in the Logs by Tobias+Lobster · · Score: 2

    From your article, it appears that you've already been looking round the servers owned by the lost client, which would imply that there is already a fair amount of information in their logs showing where you have been. Sooner or later that information is going to show up (maybe after they get seriously hacked?) and it's not going to look good. However, the following may be a suitable way of getting around the situation:

    Tell the customer that you regularly look at sites of lost clients to identify areas where you are losing to the competition - this is a normal business activity to improve your future performance. However, through this completely innocent investigation, you discovered information that you should not be able to see. As you are aware that this will appear in any logs, you are informing the client to firstly exclude yourself from any investigation of future events, and secondly in the hopes that they will close any gaps before something bad happens.

    This is a very believable situation - if you're giving advice for free then the client will suspect other motives, but giving them information to keep yourself off the hook is quite understandable.

  154. Print and Mail... by Marty200 · · Score: 1
    I'd print out all the information that is available, put it all in an envelope with a note saying "I bet you wish you hadn't taken the lowest bid"

    MG

    --

    Randomly distributing Karma whenever possible.

  155. Throw them a bone by mikelevins · · Score: 1

    You say to them, "We understand that you have your reasons for going with another shop, but we are still interested in your business. To show good faith and demonstrate some of our expertise we are going to give you, for free, the results of this mini-audit of your site's security." The report you give them for free provides step-by-step instructions to reproduce the exploit you noticed, and whatever easy advice you feel like giving away about how they might go about fixing it. That way you did something easy to help them out without making any decision makers lose face, and you demonstrated that you knew something the other guys didn't tell them. They'll remember.

  156. You can lead a suit to... by Ho-Lee-Cow! · · Score: 1
    But in the end, you honestly can't make them think. A lot of these managers don't want things to be done right, which honestly is a process. Security is an area that most people think about in terms of putting a padlock on the toolshed door--it looks nice and shiny, even if the wood is rotted out underneath. Probably one of the biggest challenges in IT is overcoming the quick-fix, instant gratification mindset of the managerial class.

    Remember that most of these people honestly believe that a problem can be fixed if you throw enough money and/or lawyers at it. Sad as it is to say it, you can certainly -try- to make them aware of the problems, but most of the time, that flashy, slick, Microsoft promise of security is all they need. As said before, they still live in a world where they think you buy one thing and it fixes the problem. You can take them through a step by step process and show them the flaws in their purchase, and maybe prevail to become the supplier, but in the end, they may well have to have a breach and a few lawsuits to get the clue. Even then, to cover their asses as fast as possible, they may still choose to go for another quick fix and put a bigger padlock on the rotten shed door.

    --
    In space, no one can hear you moo.
  157. Visible source code is a massive risk? by bk1e · · Score: 1

    the development shop they went with has them on ASP/NT servers, with security holes up the wazoo (visible source code, passwords, etc) exposing these clients to massive risk

    Wow, someone said visible source code is a massive risk on Slashdot. I wonder if the usual gang of trolls here will start promoting IIS because it increases the visibility of your source code (the more eyes the better, you know... right?)

  158. Change your bidding process by fishbonez · · Score: 1

    Just let lost clients go. But in the future, always include a preliminary security audit as part of your bidding process. Make sure you get written permission to conduct the preliminary security audit. Then if you lose the bid, you can call the company and sell them a full security audit. Again make sure you get written permission. Now you will be in a position to make your competitor look bad and yourself look like a hero. Provided you can find some nice big security problems. Preferably employee information, financial information or something involving the decision maker.

    --
    Frylock: That's not a toy!
    Master Shake: You say that about everything you own. You should own toys. They're fun.
  159. Re:Fact is, you do not need primary keys by duffbeer703 · · Score: 1

    Using primary keys is optional in most database implementations. Not using them, however, is generally considered a bad practice.

    I am not familiar with Postgres object IDs, but in DB2, Informix and Sybase they implement rowids to uniquely identify every object in the DBMS.

    This works fine for awhile but results in a number of potentially devastating problems:

    - Primary keys are constraints which guarantee that each row of a table is unique. (They are also indexed, but that is not why they are present) Without guaranteed uniqueness, maintaining the integrity of your data sits with the application, which is not a good idea.

    - Problems will occur when performing non-trivial maintenance tasks. Defragmenting a table, converting to a distributed table model, or initiating a fragmentation plan could destroy your data or not work effectively.

    Remember, the primary concern in anything but the most trivial RDBMS is maintaining data integrity. Performance is useless if the data is junk!

    I suggest reading through "An Introduction to Database Systems" by CJ Date or any commercial DBMS vendor's 'Best Practices', Database Design or SQL guides.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  160. no FreeBSD build by pacodelucia · · Score: 1

    Does anybody know where to get a FreeBSD build?

  161. Re:A whacky idea -- More Like Bad Idea by locofungus · · Score: 1

    How about you list say all the vulnerabilities that M$ has reported and patched over the last 12 months regardless of whether they are vulnerable and maybe some reports of CGI/ASP programmes that don't check and validate user input before sending it off to the database.

    Don't explicitly mention any vulnerability they have but try to cover them indirectly.

    --
    God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
  162. White papers by Alien54 · · Score: 2
    Put up on your website a number of white papers that include security analysis of several "typical" obviously fictional companies, but which have some resemblance to the clients involved. The fictional companies could be in another country (all names, etc have been changed to protect the guilty). Include with this news stories from real agencies and companies that had security failures. Especially if some of these had systems similar to the client in question.

    finally - [START JOKE] post the company name to a hacker newsgroup as vulnerable. do this some months after giving them the warning. Then send a reporter around to them after about a month, "I am doing a story on hackers, and I am interviewing typical companies about their internet security" [END JOKE]

    I do not, and I will never condone the abuse of a personal or corporate computer system for fun and or profit, etc.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
  163. Tell them both by dmmjr · · Score: 1

    You observed that your competitor forgot to put brakes on the car that your would-be client bought from them. They are both in danger. Send a letter to both and move on.

    This is not a sales opportunity -- you have a professional obligation to warn of catastrophe when you see it coming so clearly. You can stress your super brakes in your next bid if you want...

  164. Re:Let us help.(José Esposito?) by tester13 · · Score: 1

    While I certainly do not want to bitch about every Slashdot posting that I find to be insensitive, I have to ask, what is the point of using the name José Esposito to your otherwise humorous post? Was a name really necessary when you were attacking script kiddies? While I'm not Latino, I must say that it makes you sound foolish and ignorant using crypto racist devices such as these. Just something to think about in the future!

  165. Let this one go but next time by RatFink100 · · Score: 1

    Use your expertise upfront, not afterwards. Why not make part of your sales pitch a 'common security mistakes' section? Describe the kind of thing your competitors do and show why it's insecure.

    Then when your competitors make their pitch - hopefully alarm bells will start ringing, and the client will be asking very awkward questions. Meanwhile you look real clever because you've predicted their approach. The client feels clever 'cos they get to make the other guys squirm with awkward questions - to which they have the answers (courtesy of you).

    My only caution would be to make your examples all fictional.

  166. Free is good by scott1853 · · Score: 1

    Send them a follow-up with an offer for some sort of free review of their security. Just be nice and professional. That way there shouldn't be any bad feeling since they would have asked you to look at things. Maybe make some points about 3rd party reviews, point them to some articles or something.

  167. Re:Ask Slashdot! by sulli · · Score: 1

    so what's the tune?

    --

    sulli
    RTFJ.
  168. they deserve it by zoftie · · Score: 1

    Post the IP addresses and exploits to related sites like newsgroups alt.2600.* and other related websites under anonymous users. Make sure it is not traceable. Let them suffer. Really, most companies are about maximisation of profits. If you can convince their shitheads that float atop of salary ranges that they might make a good penny on it, you will have more chance. Pointing out people's failures will do no good; unfortunately people don't like to hear it like it is. The difference between where they have to get and where they are is big, therefore they will get defensive because they will feel intimidated, incapable - whatever. Good salesmen will see the easy way through the bush (no pun intended :)

  169. Re:If you were really serious, you'ld tell competi by mgkimsal2 · · Score: 2

    Actually, we did in fact notify the competition there was a problem. We did not get a reply until we contacted the client directly notifying them that they should contact their vendor.

  170. Careful and Indirect! by Ocelot+Wreak · · Score: 1
    Advice from a security consultant.

    Never attack the site. Never badmouth the winner when you are the loser. Never "demonstrate" the lame security and security breaches to them, because they will know that you had to have tried it already (thus possibly breaking local or federal laws).

    Better you send it to a trusted third party, like the people you currently use to do your company's external audit. Tell them to approach the client on your behalf. They will know who to talk to at the appropriate management level in the food chain, and let them know what a lame choice they made for developers. The lost client can then be gently redirected to look back in your direction after the twerp who hired the dummies is called to account for their bad decision. The external consultant is then doing their job as "the messenger delivering the bad news", and you are seen as the company who can solve their BIG problem and do it properly, as it should have been done in the first place.

    It should all look like a properly managed business decision, not a techno-shoot-out between rivals. Hope this helps...

    --
    "I figure you're here 'cause you need some whacko who's willing to stick his finger in the fan. So who are we helping?
  171. Show them by Rexburg · · Score: 1

    I used to consult (who didn't?). And the occasion did arise from time to time when I would run into similar situations. What I chose to do was just show the company in danger. I'd sit down with the controller/CIO/President and take him through a 15 minute trip to show him how at risk he was. Sometimes I picked up the extra business and sometimes I didn't. The key was that I obtained the company's permission first.

    --

    ---------
    Launch all sig
  172. Easy. Don't make it a sales pitch. by ColdGrits · · Score: 2

    Rather than tell them "You went with one of our competitors and look how easy it is to break their security as opposed to ours", which is guaranteed to make you look like a bad loser (not saying that IS your approach, btw!), you may want to make it more of an advice thing.

    E.g. ask them if they are aware that just by doing x, y, z (feed them detailed instructions they can use themselves to see), any malicious-minded individual could gain access to a, b, c (give them details of what it means to THEM).

    Then, rather than end with, for example, "whereas our system has none of those problems", which is a blatant sales pitch, you might want to consider making it totally non-sales.

    E.g. end by hinting to them that they may wish to take this matter up with their existing SP immediately so as to minimise the risk to their data, or they may wish to look around other suppliers, including yourselves, with this additional concern in mind and see how those various SPs react and how their services seem in light of these new concerns.

    OK, some will still think it is just sour grapes, but at least you are phrasing it more along the lines of "OK, you went elsewhere, that's no problem. Just make sure your SP fixes blah blah blah" rather than "Ha! You went with THEM and they are crap, you should come to us." iyswim.

    Hope this helps!

    --
    People should not be afraid of their governments - Governments should be afraid of their people.
  173. Don't give them a headstart by friday2k · · Score: 1

    If you want (and I am _not_ suggesting that) go and look closer. Leaving an SQL Server port open can be just a simple error (and they can blame it on the sec guy at the hosting provider/internal IT dept.) of e.g. leaving a port open on the router. If there is nothing more than that you might look quite funny. But if you would find more, go with the (numerous times suggested) free and later complete security assessment. Get consultant money for it. But make sure there is more open than just one hole!

  174. Lets Get This Straight by bitva · · Score: 1
    They are not security holes. They are features.

    You forget who's making this software.

    sheesh!

    --

    I am currently not obliged to divulge that information as it might compromise the agents in the field

  175. Caution by mborland · · Score: 1
    As a sometime web developer and sysadmin type, I run into this very situation you describe a lot. I will preface the rest of my comments by saying that just using ASP/NT isn't a security threat; the security of a system is relative to the overall security measures of the developers and architects. I am personally interested in this discussion because I'm thinking of focusing more on becoming a computer security professional.

    First, if you are competing with a place you feel is providing insecure solutions, then you should treat the entire matter with kid gloves. That is, don't go out publicly and accuse them of bad practices--that can lead to court battles and the like. And certainly, if there are specific vulnerabilities you know of you are obligated to report them to the developers privately (and don't just say "'cuz you're using NT.")

    Second, clearly the organizations which are hiring these less-secure firms are less security-focused themselves. What can you do about that? Tattle-taling and bad-mouthing the competition doesn't work. If you have any other professional work you do for the organization, maybe promote a seminar or security newsletter. However, if the organization is unresponsive to security issues, and many are, then your concerns will fall on deaf ears. The market for developers, in other words, does not yet have strong support or understanding of 'security.'

    I've been in the same boat as the poster at times, and it can be really disappointing for someone more attuned to security matters to see someone else ignore such problems. On the other hand, your disappointment is not unlike that of the annoying Fire Marshal, who, at your house for a family visit, is abhorred by how many loose wall hangings and covered lamps you have! Yes, they are right, your house is a fire trap, but on the other hand, that's how you like it!

    But we -are- technical people, and the results of bad security are arguably more likely or more disastrous than a fire, and certainly the criteria for safety in computing are less regulated.

    Sadly, like with anything else, I think people, and by that businesses, will eventually learn to pay heed to issues of security, once they hear real stories of damage. Such cases are already in existence, but because no business wants their names associated with such a faux pas as a security breach, these stories rarely make the news.

    Finally, to your questions, from a marketing standpoint, it's hard at this point to claim a better grasp of 'security' than anyone else--and to what degree that qualifies you for the rest of the work you are bidding on. I am even now skeptical of what you, as a developer, bring to the table if your very first concern is security. I absolutely agree that it is a baseline requirement, and that gives you an advantage over others, but it is hardly a trump card. Let's say the 'less-secure' firm gets hired. Were they cheaper? Did they have more resources? Do they deliver more inventive solutions? So in reply: How can your solutions top their solutions? (And don't just whine: 'security!')

    The fact is that organizations that hire developers are often leaving out an important aspect of planning, which is security, and perhaps if that is your interest, you should focus on it and figure out how to market that to organizations. Maybe you run network-security audits for people. Maybe you establish intrusion detection systems. Either way, I agree that the industry should become more aware of actual risk--but that's separate from OS-bashing, or competitor-bashing.

  176. Fact is, you do not need primary keys by RedLaggedTeut · · Score: 1
    In PostgreSQL, for example, if you want you can distinguish every entry by its oid (object id). You can have multiple equal entries, like in a standard CS bag data structure, if you feel you need it.

    Consider the situation where you usually will search a transaction database by date and time and name of the transactand(sp?). While it is highly likely there will be no two transactions at the same time, it is possible. So what do you do? Introduce some id number which is simply counted up in a sequence.

    I can see no theoretical merit at all in this practice. Ok, in practice it works, but in practice you can also work with oids.

    It seems to me that FileMaker is a tool to easily do a quick and dirty database access. As such, it should be used in-house, not by a company you pay to work with databases.

    It seems, sometimes clients just ask for bad code. If you do good code and documentation, make sure your client knows it and is willing to pay for the extra effort.

    --
    I'm still trying to figure out what people mean by 'social skills' here.
  177. Quietly leave by mrs+clear+plastic · · Score: 2

    For your peace of mind, walk away.

    Don't say anything; just very quietly turn around and quickly walk away.

    Don't touch anything; don't even look back over your shoulder.

    You already had a bid in with these folks.

    If something happens and things turn ugly, the only thing they will have linking you is your bid for the work.

    You can be sure that the feds will be looking at logs and correlating with who's recently dealt with the company; especially those whom they perceive would think that the company dissed them.

    They may even question you if things really stink and they can't find the source.

    Suggestion. Better get and keep an alibi for the next X days. A spouse or co-worker or friend who could say that you were playing soccer at 8 PM while the company's computers were tickled.

    Just stay far away from the place. It's a trap waiting to spring shut!

    --
    Cleara
  178. Re:Obligation to those whose privacy is threatened by Twylite · · Score: 2

    I've also had an experience along these lines. Several years back I was trying to get a web development company off the ground, and was in the running for a huge contract with a multinational wanting to share data publically, as well as design information over a VPN. Security was obviously paramount.

    It came down to two proposals in the end, and the competitor figured out who I was, and attacked my proposal by going after me: they cited lack of experience, expertise, backup, and all the rest, basing their argument on the fact that they were a large ISP and I was representing a newly-formed corporation with few employees.

    So six months later rumours were going around in the hacker community that a certain company had suffered a major hacking incident - possibly NOT a leet or script kiddie, meaning industrial espionage considering the data they apparently got hold of. Guess who ...?

    Quite by chance I happened to meet with an IT representative of the company while visiting a client some weeks later. Although unofficially, they admitted that they had made a bad decision, and apologised - for what it was worth. Of course, they also made it clear that politically they couldn't change their minds.

    This is unfortunately the mindset of many companies - live with a mistake and cover it up, rather than admit to a mistake and correct it. Heck - even MS is taking the latter route (bye Clippy!).

    Once you've lost a contract, don't consider going after it anymore. If they come back to you, that's fine - but even that can lead to rumours flying from competitors, which is a Bad Idea (TM). My that's just my 2c worth...

    --
    i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  179. re: approaching lost clients about security by Bruce.Schwalm · · Score: 1

    Consider that perhaps you should offer "white hat" security services to potential clients before the contract is let. "If you do not select us for this task, consider us for a follow-on security audit of the system that is delivered to you". You might even find some existing clients who want you to perform audits as well.

    --
    Lose the die_spammer_die for email
  180. Just let it go. by TheLinuxWarrior · · Score: 2

    It's been my experience that most managers lack the sense to admit that they made a bad decision in selecting a company/service/product. They will always find some way to rationalize it. IMHO, the only way for you to win this is to let them find out the hard way for themselves, and hope they seek you out to fix the problems. If you approach them, they'll be suspicious that you're up to something, or even that it was you that created the holes just to get business.

  181. sore losers? by DankNinja · · Score: 1

    Well, you tried to help them and they were a$$holes about it, let your local script kiddies in on it.

  182. Lots of Reasons Not To! You'll Give 'em a Freebie by iCharles · · Score: 1

    You shouldn't break in for a number of reasons:
    • The Obvious: Breaking in to a System=Hacking=Illegal
    • The Less Obvious: "I can break into your system. Give me $XXX,XXX.xx and I'll show you how to stop it!" Sounds vaguely like some protection scam
    • Demonstrates Sour Grapes
    • Somehow, it comes off as arrogant. I can't quite put my finger on why.
    • On first read, it sounded like anti-MS bigotry. OTOH, like everything, if you don't keep up with your patches, you're screwed no matter what the platform
    • At the end of the day, it is simply not the professional way to do it.
    My advice would be to not do anything. Add "security audit" to your next presentation to your clients and move on.

    One more thing to keep in mind: Just because you show them the flaw doesn't mean that they have to do any business with you. You can run your "tests," and indicate this is where they are weak. They can look at it, thank you for your input, and politely show you the door. Next thing you know, your competitor is performing a full security audit, and tightening down the ship.

    Why would they do this? Any number of reasons. Mostly, I think it would be a lack of trust in a company that would engage in a practice that could, at best, be described as immature and irresponsible.

  183. Management Mistakes. by galluk · · Score: 1

    The issue you have is not with the competitor product but with the client.
    The managers who have decided to go with the competitor product invested their reputation in the competitor's product. So if you do go to the client with this information you are going to make them look like clowns. Hence the "sore loser" comment when you told the webmasters.
    This could harm you getting future business from this firm (which is really what your company's interested in).

    The two choices you have are:

    1. Walk away, review the reasons why you lost the original tender, and when the next tender comes out for an upgrade on the website (and from what you say about the competitor product there will be one) go for it and sell your product.

    2. Invite the head of the company or the department (generally the bosses of the people who made the decision to go with the competitor's product) on a social outing and find out what problems they are having on the web site project. Then have a quiet word with him/her off the record about the project and tell them your concerns, and it will go no further than the two of you.

  184. Two different issues by evil_twin_eric · · Score: 1
    From reading the various posts, it looks like there are really two different issues here:

    1) Can the client relationship be re-established?

    2) Should the ex-client be informed of the security holes that you've discovered?

    If you answer these questions separately it puts the whole thing into a different perspective.
    Example 1: It's not worth the risk to inform them of the vulnerability when they might suspect us of wrongdoing;
    Informing a client of a vulnerability is part of the service.
    Solution: inform them of the problem if they are willing to sign a contract.

    Example 2: Too many employees of the client might be hurt if they got hacked;
    It would be nice to have them as a client again, but not too likely.
    Solution: inform them of the problem and cope with the possible consequences.

    Answering these two questions separately won't resolve the entire question, but will help in looking at it from the perspective of risk assessment. Given the answers, here are the risks involved with the possible courses of action, and risks x, y, and z are worth the risk.

    --
    Just say no. Sigs are bad for your health.
  185. Machiavellian Attitude by Art_XIV · · Score: 1

    Unless you have a vested interest in pointing out the security holes to your almost-a-client, I wouldn't bother alerting them.

    Rather, remember - and document to the extent the laws (yecch!) and ethics allow - then use it as ammo to take down the competitor in future competition.

    Make sure you present the case as the competitor offering a shoddy product, rather than the competitors being a bunch of dorks. This is a diplomatic maneuver.

    This is both cunning and doing future clients a favor.

    --
    The only thing that we learn from history is that nobody learns anything from history.
  186. Aim for the future clients by Crayola · · Score: 2
    There's not much you can do about clients you've already bid for. If you bring up potential security problems with their new vendor, you just look like you're badmouthing the competition after the bid. In any case, you may stir up resentment that may make it hard to do future business.

    The thing to do is prepare an informative document during the bid process explaining the importance of security and what measures your company takes to ensure it. By phrasing your presentation in the form of "whatever vendor you choose..." and recommending outside audits, attention to common security holes, good basic procedures, etc., you educate your customer. Even if they don't go with you, you've given them some things to think about, and you're being constructive and helpful. If they get hacked later at some other place, they may remember you and come back.

  187. Many companies show complete lack of interest. by geordie · · Score: 1

    We've been through this exact same situation a number of times. We miss out on a contract for whatever reason, the client goes to another company and ends up with a website so full of holes it's laughable. We will usually inform the client of the problems, detailing examples, highlighting the potential security problems etc. Their usual response? Disinterest. In one instance the website was a local government site. The site designers had left everything wide open: username and password set as admin and admin, people involved with the development using their first name as login and password, backdoors into areas of the site that should have been protected. You could even send an email out as the Mayor of the town... Their response when we told them the problems? 'Thanks for your suggestions.' Six months later and the whole thing is still wide open..

  188. Wow...that's tough. by ocbwilg · · Score: 2

    First off, don't crack their servers. Don't break them or otherwise doink with them. In fact, my first instinct is to say just let them go gracefully. It doesn't matter what you say now, it's pretty likely that you're going to come off looking as a sore loser. If you point out specific exploits to their sysadmins and later someone uses those exploits then not only do you look like a sore loser, you look like a sore loser who was out for revenge. That could be even worse.

    All in all you're probably best off to just shake hands and part ways with the customer. Keep in contact on a regular basis to see if they might be interested in your services (or switching to your services), but come to terms with the fact that they're someone else's customer.

    If you have a strong business relationship with this company, you might vary your approach. You might take the CIO or whoever is in charge of this deal aside and tell them "as a friend" that there is potentially a problem, but even that's iffy. If you were going to say anything to begin with you would have been better off pointing out how important security is in the stage where you were pitching the product to the company. After you've lost the sale it's too late to worry about it. Even then it can be a double-edged sword though. Badmouthing your competitors, even if it is true, is still going to look like mudslinging. A prospective client should be doing some research on people bidding for the work before they make a decision. If they aren't, then they're just asking for trouble down the road. More than likely they wouldn't end up being that good of a customer anyway if they aren't willing to do due diligence.

    Just use your head. The last thing that you want is for them to go with your competitor's services and then you end up constantly giving them free security consulting.

  189. Anonymous is the best choice. by ImaLamer · · Score: 1

    Just 'crack' into their system - leave some notes like: "all your personnel data belongs to us". Then if you could - back up their data on your computer/CD-Rom/Zip Drive and delete portions of it from their system.

    The tricky thing is don't let them know you did it. If the other dev company is that lame you could always just cause some problems they won't be able to fix - but you will.

    When you call the company a week later and see how their business is going with the other company and whammo! You fly in fix the problems, tell them the (restored from your backup) data wasn't lost, just misplaced and you are the cock of the walk.

    But this is only if you want to play dirty - some people do. On the other hand you could just call and make routine checkups and try to sell other services. Warm calling is your safest bet since it's legal, and you have nothing to lose. If you sold them another service then you are free to suggest the other company is lax in security.

    I wouldn't just let it go if you want the job/customers - it's America, you have the right to pursue clients as much as you want.

  190. Don't do what you're not paid for. by drmastermind · · Score: 1

    Their security is their problem unless they're paying for it to be yours. Don't work for free. Also you probably don't want to get a reputation as a "poor sport" or a hacker (by the media's definition of hacker).

  191. It's Capitalism and Darwinism - Do Nothing :-) by Flabdabb+Hubbard · · Score: 1

    The strongest will survive.

    Has it occurred to you that you are pitching yourselves as a premium solution where the customer wants an 'economy' solution? Are you telling me you never misconfigured anything? Are you telling me that the OS you use has no exploits?

    It really does sound like sour grapes. Think of it as a learning experience about the quality that the marketplace demands. Bill Gates is famous for only delivering the absolute minimum quality that the customer will accept.

    It sounds like you guys should do more quantity of work, with less of the quality. After all, in 3 years' time, everyone will be working somewhere else, and no one will care.

  192. Non-Tech Selling... by cavemanf16 · · Score: 2
    A friend uses this strategy for people saying they've already got a stock broker (my friend is a broker):

    My friend: "Mr. Smith, I'm not asking you to fire your current broker, I'm just asking you to invest through my company on this particular stock/bond/etc."

    He tells me it works pretty well, but not all the time. I would think the same would work when telling companies why they have security holes:

    "Company X, we don't want you to abandon your previous contracts and decisions. What we would like is to help you build a more secure system using some of our development talent. Here are security holes that the previous company has not fixed, and we would like to provide you with some solutions for fixing said holes."

    If nothing else, it leaves a good impression with Company X because they know you want to help and get the job, but not at the expense of reworking their entire system of doing things.

  193. Let us help. by iluvpr0n · · Score: 5

    I think you should not try to approach the company. They probably won't believe you, and you're not exactly a neutral voice on the matter. So, sign on AOL and go to my friends and my chat room. It's called private room "l33t" (I'm not sure what that means- my step-sister told me about it though). We'll approach the company from an outside standpoint and using our sophisticated Windows ME programs, can demonstrate the faults in their programs.

    Please allow us to help; we are only in it for the greater security of everyone. Because last year my personal information got stolen from Burger King, where I work. It wasn't a computer problem, but my manager, José Esposito, left the filing cabinet open because he got grease stuck in the closing mechanism. It was so embarrassing having my personal information (including details of my police record and photos of my sister) in the hands of whoever took it. I'm still shaken by the thoughts. Luckily America Online is there to help.

    And we want to also help, so please come to our chat room today.


  194. Re:Funny! Mod up! by Peridriga · · Score: 1

    Moderators cannot post to a topic that they have mod'ed... Read the moderators' guidelines...

    --- My Karma is bigger than your...
    ------ This sentence no verb

  195. Obligation to those whose privacy is threatened? by melquiades · · Score: 5

    I'm tempted, like many of the other posts, to say "screw the bastards; they dissed you, so you can do the same back."

    However, if there is a hack, it's not just the decision-makers who will feel the pain. You said a hacker has access to employee names, SSNs, fire dates...and most of these belong to people who had nothing to do with choosing or implementing this bad system. OK, probably the hack will come from some kid with no malicious plans for the compromised data...but what if this personal information led to identity theft? What if information about a firing were leaked to a potential employer?

    Forget the contract -- you lost it. But you have information about a serious potential threat to several hundred people. Isn't there some ethical obligation to the innocent employees whose privacy is on the line here?

  196. Dissing the "Great Idea" (tm) by geoswan · · Score: 5
    Many a time my clients have come up with some Great Idea[tm]. My initial response is to agree with it, no matter how bad I know it is.

    There is one big advantage to the humble approach that coolgeek didn't mention.

    Later I ask questions and present information, each of these really being another slice with the X-acto knife, until their Great Idea dies the death of a thousand cuts.

    Not only is the humble approach, where you merely ask questions, potentially more tactful for the other party, it really pays off when it turns out that you are the one who is mistaken.

    If your questions help them discover flaws in the "great idea" you can both think of yourselves as smart members of a team. If it turns out that the confidence you felt that their idea is all wrong is misplaced and your response was tactful questioning you don't look like an idiot. They may appreciate the opportunity to show off how smart they were to have thought it all through. They may think of you as a brain, almost as smart as them, to have found the same question to which they figured out an answer.

    And hey, you ended up learning something useful.

    Being mistaken when you have shot off your big mouth and acted like a know-it-all (been there, done that) is a lot more embarrassing than merely asking questions.

  197. Re:Give them instructions - hacking banks by dswan69 · · Score: 1

    You should release the details via someone else anyway. The public should know to avoid this bank and remove their funds if they currently use the bank.

    On the other hand if business executives insist on displaying their general stupidity with the backing of the FBI moron-scum perhaps you should just leave these idiots to get hacked and pay the consequences.

  198. 4 Easy Steps by GreenJeepMan · · Score: 1

    1. Hack, take over, and copy their entire database

    2. Tell them you have their passwords, their usernames, and full access to their servers.

    3. Tell them, if they tell anyone, or ever use another vendor you'll destroy their business.

    4. Retire

  199. Common Sense by glenkim · · Score: 1

    I think this should be fairly common sense. If somebody has a vulnerability on their system, notify them of it. You don't have to break into the box, obviously. Just tell them that you were following up on them as potential clients, and you found that no-brainer vulnerabilities were left unfixed on their machines. You don't have to do it as a sales pitch saying how much better you are, but rather that as former potential clients, you were looking at how they were doing. If they decide going with you would be a better idea, that's great, but if they merely get on their web masters' asses for being lazy, then oh well.

  200. Post all the details to 3733t hacker boards by tyrannical666 · · Score: 1

    Once the hackers get done with that site, call up the company. "Oh, I read about your security problems on (popular IT news site). Perhaps you would benefit from our services?"

  201. You are sore losers! by Hall0ween · · Score: 1

    If you really care about a company whether they are a client or not you should have submitted them a list of reasons to choose your product over the competition's. If as an answer to their RFP you chose to highlight the various inconsistencies with Microsoft products you could have already made your case to them instead of waiting until their judgement to cry foul. More times than not products are chosen because of what a support staff feels comfortable with rather than the best solution. If you made your case to them initially and they chose to ignore MS's lack of end-to-end security then there's nothing you can do.

  202. Re:Obligation to those whose privacy is threatened by haruharaharu · · Score: 1

    I agree, there is some obligation. However, the threat is potential and they aren't your client.

    If you know of an impending action based on this threat, then yes, drop them a line along with all the other people you are going to be notifying. Even that may be unwelcome, and they are big boys, able to look after themselves, at least nominally.

    --
    Reboot macht Frei.
  203. Re:(in)security of non-clients is not your concern by haruharaharu · · Score: 1

    How is using a SQL client to connect to a net connected box (with no passwords or defaults) any less authorized than using a http browser? I browse websites all the time, and the only authorization I have is an open port 80.

    --
    Reboot macht Frei.
  204. A *really* bad idea! by cobol4me · · Score: 1

    Hmmm....to follow your logic, that's like a car salesman plowing into a lost prospect's new car with a cement truck then putting a flier about *his* vehicle's 5-star safety rating on whatever's left of the smoldering wreck.

  205. Walk Away, Walk Away, Walk Away FAST by gk+underhill · · Score: 1

    Look you lost the bid. Nothing you do will get it back. The only thing you can do now is make yourself look like a fool. Besides even if they agree with you that there are security holes, they ain't gonna give the job back to you - they already turned you down and they have to save face. Let it go.

    More important would be to look at your proposal strategy and come up with ideas that will help you get those jobs. If you are a security guru - emphasize that aspect in your bid. Remember, it is your proposal that will ultimately make or break you. How it looks and reads is the key - especially in a competitive bid situation.

    Good luck - but for god's sake don't go back to those companies. You'll hate yourself in the morning.


    support independent content producers - dammit

  206. Personally... by RALE007 · · Score: 1

    I have opinions, the thing is my opinions get my @ss in a sling frequently so take them with a pinch of salt. What I would try is speaking with an executive, someone above the current webmaster of these insecure sites, and you'll be surely told "we already have someone who does that for us". Now comes my idea, challenge them, tell them you have seen *obvious* security holes, and get their permission to exploit them and show them exactly what is available to anybody with a little bit of know-how. Not only would you gain contracts but you would put one more dumbass out of a job who jumped into this industry just for the cash anyways (c'mon, he called you sore loser for not getting the contract as opposed to actually listening to what his boxes are doing). Anywho, just my 2 cents, I would approach it in a manner to challenge the company and get their permission to exploit away. Almost everybody has a hard time backing down from a challenge and it'd be the easiest way to get their consent and also show them exactly what you're talking about.

    --
    Beware blue cats moving at .99c
    1. Re:Personally... by RALE007 · · Score: 1

      me or the article poster? If it's me, who's to say you haven't already? Like I said, my ideas get my @ss in a sling... frequently. I have very convincing stories though, like "people on slashdot said it was *OK* to do it! I swear! I didn't know thermite could burn through *that*!".

      --
      Beware blue cats moving at .99c
  207. Hit it up front by darthtuttle · · Score: 1

    This is an issue that needs to be addressed up front. Sell the security of your solutions up front and get the customer interested in it. If you can get interest from the customer in having a secure solution then they can make it an issue in taking bids. If you're the only bidder who addresses this need you should win.

    Now the fun part. How do you address it? I think you should be specific. In this case I would have sold the fact that the solution you were selling would protect the customer data from unintended exposure. On the other hand, what if you win the bid and fail in doing this? I don't think anyone intended to write bad code, but things happen. You need to work with a lawyer to understand the liability you might expose yourself to and limit that as well.


    --
    Darthtuttle
    Thought Architect
  208. Were they breaking the law? by blang · · Score: 1
    In some countries, such sloppy keeping of sensitive personal data is illegal and a serious offense. I know US law is much weaker than EU laws on this, but how weak is it?

    Could you have reported these customers to some government or state agency? That would definitely be the thing to do if the deal was already lost and you took the customer on their word, and acted as a sore loser. At least revenge is sweeter than nothing.

    --
    -- Another senseless waste of fine bytes.
  209. Use the information to gain future customers by ryanwright · · Score: 3

    Trying to lure the customer back after you've lost the bid sounds like bad business advice to me. If I were the ignorant customer, I would figure you were throwing a tantrum and would think much less of your company.

    The solution? Emphasize security in all of your future bids. Provide some sort of security guarantee, something that your competitors can't or won't do. You might even go so far as to list known vulnerabilities of competitors' systems (without going into too much detail). Make sure the customer knows exactly why your services cost more than everyone else's. In other words, position yourself as the Ferrari vs. the Pinto with a "you get what you pay for" attitude. Sure, you'll lose bids to cheap customers but are those the customers you want to keep? Would you like to be known as the Wal-Mart of your profession?

    You may also consider sending a "Thank you for allowing us to bid" type of a notice to the lost client, along with a brochure that positions itself as "looking out for your (the client's) best interests." Fill it with difficult questions the client should ask of his new provider. Hand the same brochure out to future prospective clients. Eventually, smart clients will see the light. As for those who do not - just let them go.

    --
    -Ryan, with the unoriginal sig
  210. Keep them on file. by rawlogic · · Score: 2
    We believe that it is possible for the average innocent person to have information about a security hole or breach in a computer system.

    The biggest reason why the average person doesn't pass this valuable information along to the administrator of the system is fear of persecution.

    It is a valid fear.

    As far as the account, I would thank them for allowing you to bid, and make sure that they know how to get in touch with the person who was assigned as their contact should they require your services at a later date.

    As far as the vulnerabilities, I would let them know anonymously if the problem remains for more than a few days after the other company has finished.

    Mark A.

  211. Re:pretend not to notice and market security like by jsanglier · · Score: 1

    This is the sensible approach, in the end. An old rule is if the client did not ask to be taught how to suck eggs, don't tell them. However careful you are, it will inevitably sound patronising or sour.

    But, keep the client in mind, see if you can supply them with another service, and make sure they know where your expertise lies. Then, if trouble does occur, you could be in a position to advise without shoving it down their throat.

    In the end, the client pays the piper. If their decisions are bewildering, so be it - it is their choice and their risk. Either way, respecting their balmy decisions, and respecting them generally will earn more points than pointing out they are foolish.

    --
    Wurm Online - the independent MMO - http://www.wurmonline.com