Slashdot Mirror
Approaching Lost Clients About Security?
mgkimsal2 asks: "As a development shop, we win some bids and we lose some bids for
various reasons. What we've found when following up with some prospects which we didn't win is that the development shop they went with has them on ASP/NT servers, with security holes up the wazoo (visible source code, passwords, etc) exposing these clients to massive risk. Example: I just saw a company with 500+ employee records accessible to anyone who feels like connecting to them with SQL Server Enterprise manager. Hire dates, fire dates, SSNs, the works. Should we show these companies how easy it is to get in, and try to win them over as a client? Or just walk away? I've read some heated debates about this - if you break in, even as a demonstration, you're a criminal. But how do you show people they're in danger? Alert the current webmasters? In this particular case it did no good - we were accused of being sore losers! We can't be the only people going through this sort of dilemma." The key here is approaching the company in a way that lets them know you are serious and not trying to spread lies about your competitors. If anyone here has been in this position, your thoughts would be appreciated.
I can't belive /. responses have ignored this important point: There are many things that can be done, some of which are right, and some of which are legal. A few are both.
Don't touch this situation without a lawyer who knows this area of law. Most likely you will be told to keep your mouth shut as even if you can win the law suits, the cost isn't worth it.
There is also a possibility that you could find a lawyer willing to do a class action law suit against your compititor if you can prove several customers have been left open like that. This is again dangerious gorund, but you can potentially pull it off. Don't bad mouth any compitition who doesn't misconfigure things like that.
Whatever you do, make sure your lawyer is informed. their job is to save your rear end, but they can't do that if you don't tell them what is going on.
I'm assuming you live in the USA...
If you haven't already done so, burn the machines you performed the exploits from, change your name, move to another state, stop looking at slashdot, and tell no one anything. The United States is absolutely insane about computer intrusion.
If you are caught, you will be charged with computer intrusion which carries a maximum sentence of 15 years per count. Plus you will have to pay for all of the security consultants the insulted company brought in to examine everything. They can count virtually anything as damages. If the media gets ahold of it and it say, lowers their stock price, they will claim this as damage!! This is scary stuff. How many of you tried the IIS5 exploit on a random site? That little 'dir' you did before logging out could easily cost you 15 years of freedom and $50,000 in damages.
I have a friend sitting in jail right now (he got a 1 year sentence off of a plea bargain) for doing something like this. If the FBI hasn't knocked down your door yet, be thankful and don't say another damned thing on the subject.
Your intentions may be completely pro bono, but when dollars are concerned, that just doesn't matter.
Okay, the problem here is you didn't get the contract, but some security-clueless developers (let's call them SCD, Ltd.) got it. Let's assume that their solution works, and that the security holes can be fixed. Is the answer to drop the entire solution? SCD probably got the contract because they were able to demonstrate that they can meet the functional requirements, but security somehow got left out of the picture. This is not necessarily reason for the client to break it off with SCD and go with you. Just because you have a clue about security doesn't mean that you are the best developer for their application.
However, you may be able to form a partnership with SCD as a security consultant. Find a way to communicate to SCD that their solution is full of security holes and that you know how to fix them. SCD is likely to be discreet about the whole thing because it looks very bad for them! If they are honest, they will want to contact the client themselves to explain the security issues. They will also want to be able to tell the client, in the same breath, that they already have a solution in the wings provided by an independent security consultant (i.e. hopefully you). So this way there is still some piece of the action for you.
If SCD instead decide to get a clue of their own and fix the problems themselves, at least the security are made known to the client and something is done about them (hopefully).
In the remaining possible scenario, SCD just keep quiet about the security holes. You have done the best you can; the entire moral obligation rests with SCD once they know about the holes. You should forget about the whole thing and not enter into any further communication with anyone at SCD---why get mixed up in a situation in which at least one of the parties is completely unethical? SCD, being capable of anything, is dangerous to any organization who comes in contact with them.
Ego, image and the ineffability of the Boss are absolute, in corporations. Challange these at your own risk.
On the other hand, you can use these as examples (anomymized, though!) in future bids. Especially if these companies -do- have their security breached. Companies are like sheep, in that they follow the leader. But they're totally unlike lemmings, in that if one plunges off the cliff, the others will =usually= hesitate.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you really want to keep ever get business from that client again then let the security problems sit. I know it will grate on your conscience but this is like seeing your friend cheat on his wife. If you report it you will be called a lier.
How you proceed is to keep contact with all your clients ( including those you lost ) in a generic way. Offer them new services. Send them brochures for security audits etc... Let them know this is something you are selling to everyone.
I.e. Have a special. A demo of some security tool or other along with a discount if they are impressed and a full audit all for one low price. Do it that way and you might make more than you expect and maintain the respect of all involved.
Remember also to include the VAR you lost to in this mailing because they are a potential customer. If you really care about your lost clients not getting hurt then teaching the goy _they_ chose is not a bad idea.
--
Quidquid latine dictum sit, altum viditur.
Whatever is said in Latin sounds profound.
--= Isn't it surprising how badly I spell ?
First, IANAL, this is not legal advice, etc.
If self-preservation is an instinct you possess, you should not be probing any site that has not contracted you to do so. You are probably opening yourself and your company to liability when you do so. Most computer crime statutes criminalize "unauthorized access", where unauthorized simply means you didn't have permission from the owner to access the computer resources that you did.
Now, it may certainly be true that a company that has a published link on the front page of their website to a document X (where X is information that the company would prefer remain private) probably would see their case against an entity Y accused of accessing X without authorization dismissed almost immediately. But that doesn't mean that it hasn't cost Y anything, even though the case never went to trial.
Further, the vulnerabilities you are discussing require you to access your non-client's sites in... unconventional ways. Courts do not understand technology, but by now many judges understand that your average consumer is not going to be firing up SQL Server Enterprise manager to make authorized access to any given internet site that they have no contract or agreement with.
If you have already come forward to one of your lost clients and merely been called a sore loser, you're either lucky or have no significant assets. From a legal standpoint, you should not be making unauthorized access to any site, for any reason.
You already made unauthorized access to the site of at least one non-client, that you've mentioned. It sounds like your actions went beyond a simple portscan, which is probably ok, to retrieving database records (the hire dates, fire dates, ssns you mention), which in court would quite possibly be actionable - at the very least, you won't get a summary dismissal.
Unless you'd *LIKE* to get sued by a lost client with a grudge, you shouldn't be probing their sites.
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
I, like many here, agree with the "leave it alone" approach. You lost the bid, game over, insert quarter for new game.
Here is a little anecdote to let you know why I feel this way;
Federal Agency Dept of ABC runs a mostly Unix shop.
Federal Agency Dept of TUV and XYZ runs a mostly NT shop.
RDS hits and Federal Agency NOP and Federal Agency DEF (both mostly NT shops) get hit the very next day.
A young security engineer in Federal Agency ABC knows Federal Agency TUV and XYZ are both big NT shops and thinks to himself - "Geeze, I bet they are vulnerable - I'll give them a heads up." - Then thinks "Hmmm, I don't want to look like an ass, and be told 'Duh - we patched that the same day it was made public'." So young security engineer runs test code to see if default databases are accessable. They are. Young security engineer writes a paper describing the situation and how to solve the problem both agencies public web servers suffer from and mails them off to his director and the security directors of Federal Agency TUV and XYZ.
Federal Agency TUV thanks young security engineer.
Federal Agency XYZ makes a "federal case" out of the whole thing. And attempts to get young security engineer fired.
Now. This guy didn't end up getting fired. I'm one of the many who went to bat for him when the two agencies met regarding the issue. However, he very easily could have been - were he not exceedingly bright - and had he not done everything correctly after the huge mistake he made in testing his theory.
http://windows.scares.us
(in response to:)
... is pretty much what you've done: point out the insecure setup. If they don't tighten things up they'll be the sore losers... when some customers or former employees sue their sorry butts for allowing that information to be divulged. Wouldn't it be fun to be called to testify against them? ``Yes. We informed XYZ, Inc. about the flaws in their security but they just laughed at us and called us sore losers.''
Wouldn't immediately help your problem in gaining new clients but it would be helpful if you could say that you have testified in court as a security expert.
The problem with the companies you've encountered is that you have to convince these people who know only Windows as an environment. I refer to this as the ``fly in the vinegar bottle'' syndrome. They like what they know and reject anything else. It's almost as though they'd rather be out of a job than switch from their comfortable little realm.
--
CUR ALLOC 20195.....5804M
Randal Schwartz (co-author of Programming Perl) did just this thing and was taken to court and Convicted of three felony counts, with (deferred) jail time. Read all about it at
State of Oregon v. Randal Schwartz
I think the best way to play that is to set up a meeting with the client who turned you down. Get a couple business people and their best tech guy in a room with a computer. You sit at a table with your hands in front of you. Talk their tech guy through the "crack" and make it clear to the business guys that in place of their tech guy it could have been any 15 year old on the planet. If the competing company gets pissed because they lost business over the incident, you didn't actually do anything. The client company merely viewed their own data using a nonconventional access route. If the competing company tries to go after thier former client for "circumventing security", threaten to send a copy of the court papers to all of the rest of their clients, showing everyone what crappy security they have.
That should teach your competitors to bid against you.
-B
1) Document their problems
2) Date the documents and get them notarized by a public notary
3) Send them a copy and offer to do some work for them for a reasonable price
4) When they get broken into or h4x0r3d, send them your documents again and offer to do some work for them for a much less reasonable price.
DrLunch.com The site that tells you what's for lunch!
We tendered for a [large recorded music seller]'s web site. In our tender, we pointed out that relying on plaintext, unsigned email for orders to the [large recorded music seller]'s suppliers would lead to people getting free CDs once they worked out all they had to do was send email to the right spot.
Our tender was rejected as "too complicated" because we designed something that would have been more secure.
The winners built the system; within a few weeks people were getting free CDs and the system was turned off.
The only good part was that the idiot who had run the tender evaluation was sacked...
Stephen
What you should do is wait for the site to be up a while, (6 months to a year), and approach them as a "security consultant." Get permission to poke around, before you do it. Get paid consulting fees to do it.
In the end, they may be impressed and switch over to you. Don't suggest yourself as the company to switch to, though. This will come off as sour grapes. Suggest that they either revamp the site, or choose a different server type altogether.
Bottom line, if you impress them with the small amount of work you do for them, they will think of you as a 'good' company, and speak of you that way. If you upset them, they will never do business with you, and you risk losing other business as well.
If you don't bring up important items like security until after you lose the contract, you'll be viewed as the sore loser, not as somebody concerned for their well being.
If they still go with the competing company with the poor security, they have only themselves to blame.
No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova
Here are the laws of Texas, Massachusetts, and California for starters.
--
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
Go ahead and argue what should be legal, but don't pretend that you can't tell the difference between a website and an unintentional security hole. Tons of existing laws (like first- vs. second-degree murder) already use criteria as fuzzy as this.
--
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
This just popped into my head, perhaps it's nonsense, perhaps it's workable (given somebody with a legal background to pull it off):
What if you asked them to sign a document that certified (1) you company did not do any work on the system(s) identified and (2) they have reviewed the list of security vulnerabilities attached and agree and certify that they are not the fault of your company and (3) that your company has provided due dilligence in notifying them of the gaping holes.
The idea is that you're approaching from a CYA angle instead of a "look at what those twits have done to you" angle.
Surely they are breaking the law by publicizing these employee details (I know nothing about this part of law). Write a short letter containing all the details and send it anonymously to your local police. Or are you more interested in making money fixing their security bugs than just having a secure internet? Frankly I think there should be people who go around doing exactly this. Perhaps they should be police but if not, they would at least be taken seriously by the police and hopefully would not be accused of being "evil hackers".
How we know is more important than what we know.
I would not go near there with a 10-foot pole. There is really no way you can pull that off without generating a lot of ill will for your company from at least one of the parties involved. I also don't see how that will convince them to switch to your company immediately, no matter how right you are.
Let them reap the consequences of choosing a lame dev shop, and perhaps next time they will choose you instead, having learned their lesson. Think long term!
--
If I fire up an MSSQL client and connect to someone's database which is sitting wide open on the internet, how am I breaking the law?
I'm using a client to access information which is publically available on the internet. How is it any different to use a DB client instead of an HTTP client?
I agree with the sentiments here that "You lost the bid, so just move on."
If you want to find out WHY you've lost the bid, a questionnaire is a good idea. Give them some meaningful but neutral questions, and give them a chance to respond in their own words. Assume that you will get no results, but if you DO get feedback, consider it carefully in future bids.
- With regards to security, why did you find a competing product more valuable?
- CompetitorCo's track record for security seemed stronger.
- OurCo has not demonstrated suffient regard for security.
- Cost outweighed security concerns.
- CompetitorCo's products have a higher degree of interoperability with your other systems.
- OurCo's products have not demonstrated interoperability with established standards.
- Cost outweighed interoperability concerns.
And so on. If your questionnaire smacks of propaganda, and not of honest "how can we serve you better" fact-finding, then it will land in the recycle bin.With regards to interoperability, why did you find a competing product more valuable?
[
Just use common sense. It's against the LAW to break into another site.
Send them a professional letter detailing how you're sorry that they didn't choose you but am glad to see that their business is progressing. Politely point out that they have a security flaw that's easily exploited. Tell them up front what data they have exposed and the basic steps to exploit the problem. Let them know that you felt it was important enough to tell them this even though they chose X company over you.
yadda yadda yadda... These problems are all alike: "I want to do the right thing but it's awkwards because of XYZ". If you're a grown up it's something you should have learned to deal with politely and courteously. If they reject you then it's their fault not yours. Certainly don't try to turn it into a flame.
One option that occurs to me is to report them to the Better Business Bureau or some other consumer agency. This approach should only be used when serious problems are ignored (exposing a million credit card numbers, etc). Just remember, unless you feel like it it's pretty hard to help everyone all the time.
Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
After running 150% past the delivery date with no deliverable in sight we asked the client for a meeting, which was granted, wherein we offered to audit their development up to that point and assess the situation. Permission was granted and we were given access to the development code.
What we found was a sham - nothing more than a few forms (no reports), basic tables and a couple queries. All the processing logic was contained in a couple queries (maxed out the SQL zoom editor). Oh, no modules. No, this wasn't a backend/frontend separation. 18 months and not much more than pretty buttons.
The kicker was discovered looking at the table definitions: no primary keys. Unbelievable.
We asked the other company for a meeting - alone - to discuss our findings, give them time for rebutal, etc., before we presented our findings to the client. In this meeting no facts were refuted, only one question was asked: "Why do you need primary keys?"
Then the three parties met and laid it on the line with the client. It was obvious that the other developers were in way over their heads and were going no where, yet slowly.
Resolution? The client stayed with the FileMaker people. Why? Too much time and money invested to change and prestiege. Yep, good old pride. The client would have to admit that he'd screwed up and he couldn't do that.
Moral: you lost the bid, forget about it. Sure, drop a note, but only out of conscience - then move on.
--
-- @rjamestaylor on Ello
When you're dealing with a company that you bid to and they went with somebody else, anything you say is going to be a little bit suspect to them, because as far as they're concerned you're just trying to wheedle your way into doing business with them by elbowing away your competition.
The key thing you should remember is, they're right. You are trying to wheedile your way into doing business with them by elbowing away the competition.
So, if you're going to do this, do it with dignity and class. Be honest and up-front about it, and tell them bluntly "we noticed that the company you hired used X and Y technolgies and we have some concerns about those technologies. Here's a list of known problems with those technologies. We think you might have some of these bugs, and we'd like to talk to you about how we can help you fix the problems." Don't go into specifics of their implementation, let them figure that out. If they don't care to look, or to ask you for help, then they just don't care and the argument is futile.
Of course, if you're really running into this multiple times, you should consider making it part of your sales pitch. "We use technologies X and Q. We believe they're safer and more secure for your business needs. Here are some of the problems we've observed with sites implemented with the other technology, Technology N. A site one of our (unnamed) competitors recently did for the XYZ Company with Technology N seems to have these problems..."
If the client cares about the security (and stability) issues you can bring up in the sales pitch, great, this could help you make the sale. Also, by bringing concrete recommendations to the client in the sales pitch, you show them that you're serious about helping them and make them feel that you're already on their side, which is important in managing their perceptions of the working relationship. Sometimes the potential client can come away from a meeting like that feeling that you're already working for them, so when you hand them a contract to sign they feel like it's just a formality.
Again, if they don't care about this stuff when you bring it up, that's their problem, and if in the future they hire one of your competitors and you discover that the competitor did a lousy job... well, you warned them, and it just becomes another case study of what not to do.
Vintage computer games and RPG books available. Email me if you're interested.
Don't break their boxen, but give them step by step instructions of what a sample vulnerability is, how it can be exploited, what it exposes, and what it can be used to get from, or do something nasty to, the box/lan/company.
Vintage computer games and RPG books available. Email me if you're interested.
I did this recently and documented steps to show the intrusion technique (only one of many) and how to fix the problem. I submitted this information in a report to a bank...
Now, one year after the report was sent to the bank, I re-sent the report via PGP-crypted mail and said I wanted to publish the report publically.
They turned around and filed a report with the FBI which sparked an investigation into me (still going on).
Plus they started unleashing their lawyers on me.
Luckily I am a minor and it would look really bad for a bank to attack a kid who only wanted to exercise his first amendment rights to publish such information (none of which was illegal).
I suggest not using your approach of "showing the problem in a report." It has only caused troubles for me. Unless you have a ton of lawyers to protect you, this method isn't recommended.
Ever need an online dictionary?
The good news is he likely won't serve any time.
The bad news is quite bad though. As a felon he is legally barred from many rights full citizens (which he NO LONGER IS in the eyes of the law) have.
It is illegal for him to own a firearm ever again everywhere, (in some states, not his state of Oregon) to ever vote again, and of special interest to people in the I.T. field:
It is illegal for him to work in certain technical jobs ever again. Such as working for a certification authority in at least one State.
Also, a lot of people are under the impression that all felons are intrinsically untrustworthy individuals.
The above still applies even if the persons motives were pure.
P.S. Randal Schwartz would likely have not been convicted if he were in Nevada. The laws here provide for implied authorization of an employee to access employer's systems unless their is "clear and convincing" evidence to the contrary. He still could've been fired though (Nevada is an at will state).
The moral: Don't try to do any favors. If you want to break into systems as a good guy, find a way to do it LEGALLY.
Consult a lawyer for legal advice.
Just because it CAN be done, doesn't mean it should!
Consider this: what if your actions are construed as destructive or intrusive, just through some freak accident because someone's having a bad day, or there's an asshole or an idiot in the client's company or in the consulting firm that's leaving everything wide open?
Do you have the time or the money to explain yourself to some feds? Multiply some small but non-zero probability factor by several hundred thousand dollars plus whatever value you'd assign to a year in prison. That's how you should do the cost/benefit analysis.
I'm advocating a grim, "being nice gets you nowhere" sort of position, but the potential downside to the situation is horrible. There's an Assistant US Attorney somewhere itching to make a name for him or herself by prosecuting a "hacker" case. Don't put yourself in a position where you could make it onto their radar screen. The deck is stacked completely in their favor. Read a register article about the feds' tactics if you want get scared.
Watch your ass if you want to be nice.
circa75.com
Simple: Offer to perform a smallish security review. For free. No strings attached. If there are gaping holes, it will only cost you a few hours worth of work (and maybe a couple of hours of sales pitch), and has the potential for gaining the client as a customer. I'm not suggesting that you do a full security audit, or even that you hold yourselves out as such. Just that you offer to perform a small service for those customers that you've lost in the past, as a gesture of good will and to demonstrate the quality of the service that you can provide.
-bluebomber
The Daily Build
I've found that a standard 'form letter' has worked for me in the past. I've probably won back some lost clients because of security issues. Generally, my letters have been written to whomever accepted the bids for the original contract, along with a repeated thank you for allowing our company to bid on the project. We hope we can be of use in the future on similiar projects, and want to be kept abreast of any upcoming work that will be taking bids. On another note, we would like to mention that we review the your website as it currently stands, and have found some serious security issues and risks that go beyond being "potential problems." If you would be interested in hiring our security team to show you the current security breaches and issues, we would be happy to draft up a competitive bid package for the consulting time and documentation time needed to review all the security problems as your system currently stands. Then go on to say how security is as important to your firm as the end product, and that it is quite possible the reason your bid package on the original contract was higher than the winner was because of differences in opinions about Internet security. Don't be afraid to blast their price, not their service. If you get a follow call (I've gotten them more than 75% of the time!) you can explain that many websites on the Internet have security issues, that you are well versed with how to handle them, and many companies haven't taken the time because the chance of getting hacked SEEMS slim, while in reality it is not. I've lost some clients who have returned to the bid winner to clarify security issues and have gotten some of them fixed (without us telling them specifically what the problems are). Even if you don't get the contract, you may end up with more lucrative time and material work pointing out the bugs in the code. I prefer T&M at full rate rather than contract at discount rate anyway. Plus, there's no warranty involved in T&M consulting. Good luck!
Yes we do know this - the NT/ASP issue was that there are some extremely well-known OLD (>1 year old) hacks known against this configuration, which require about 5 seconds of 'hacking' (if you can call it that). The deeper story in this situation is that we weren't directly following up on a lost bid - we were following up on something else, stumbled on this security hole, and found that a lost bid was affected. So we weren't directly probing them right after the fact, it was somewhat incidental to some other stuff that we were doing.
creation science book
I think you should not try to approach the company. They probably won't believe you, and you're not exactly a neutral voice on the matter. So, sign on AOL and go to my friends and my chat room. It's called private room "l33t" (I'm not sure what that means- my step-sister told me about it though). We'll approach the company from an outside standpoint and using our sophisticated Windows ME programs, can demonstrate the faults in their programs.
Please allow us to help; we are only in it for the greater security of everyone. Because last year my personal information got stolen from Burger King, where I work. It wasn't a computer problem, but my manager, José Esposito, left the filing cabinet open because he got grease stuck in the closing mechanism. It was so embarassing having my personal information (including details of my police record and photos of my sister) in the hands of whoever took it. I'm still shaken by the thoughts. Luckily America Online is there to help.
And we want to also help, so please come to our chat room today.
.
I'm tempted, like many of the other posts, to say "screw the bastards; they dissed you, so you can do the same back."
However, if there is a hack, it's not just the decision-makers who will feel the pain. You said a hacker has access to employee names, SSNs, fire dates...and most of these belong to people who had nothing to do with choosing or implementing this bad system. OK, probably the hack will come from some kid with no malicious plans for the compromised data...but what if this personal information lead to identity theft? What if information about a firing were leaked to a potential employer?
Forget the contract -- you lost it. But you have information about a serious potential threat to several hundred people. Isn't there some ethical obligation to the innocent employees whose privacy is on the line here?
There is one big advantage to the humble approach that coolgeek didn't mention.
Not only is the humble approach, where you merely ask questions potentially more tactful for the other party, it really pays off when it turns out that you are the one who is mistaken.If your questions help them discover flaws in the "great idea" you can both think of yourselves as smart members of a team. If it turns out that the confidence you felt that their idea is all wrong is misplaced and your response was tactful questioning you don't look like an idiot. They may appreciate the opportunity to show off how smart they were to have thought it all through. They may think of you as a brain, almost as smart as them, to have found the same question to which they figured out an answer.
And hey, you ended up learning something useful.
Being mistaken when you have shot off yout big mouth, and acted like a know-it-all (been there, done that) is a lot more embarrassing than merely asking questions.
Trying to lure the customer back after you've lost the bid sounds like bad business advice to me. If I were the ignorant customer, I would figure you were throwing a tantrum and would think much less of your company.
The solution? Emphasize security in all of your future bids. Provide some sort of security guarantee, something that your competitors can't or won't do. You might even go so far as to list known vulnerabilities of competitor's systems (without going into too much detail). Make sure the customer knows exactly why your services cost more than everyone else's. In other words, position yourself as the Ferrari vs. the Pinto with a "you get what you pay for" attitude. Sure, you'll lose bids to cheap customers but are those the customers you want to keep? Would you like to be known as the Wal-Mart of your profession?
You may also consider sending a "Thank you for allowing us to bid" type of a notice to the lost client, along with a brochure that positions itself as "looking out for your (the client's) best interests." Fill it with difficult questions the client should ask of his new provider. Hand the same brochure out to future prospective clients. Eventually, smart clients will see the light. As for those who do not - just let them go.
-Ryan, with the unoriginal sig