Slashdot Mirror


Disclosure of Major Software Exploits by Students?

school-hacker asks: "I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide. Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code. Naturally, I want to share this information with their software engineers, and would even be nice enough to suggest a means of fixing it. However, with the state of current intellectual property and reverse-engineering laws, I hesitate to do so out of fear of litigation or academic disciplinary action. As an ethical geek, what do -you- do?" While the responses from an earlier story might prove useful here, there is always the possibility of the university making things harder for the person reporting the problem. How can students avoid both legal and academic trouble when trying to notify their university of security problems?

34 of 503 comments

  1. Anon by Rosonowski · · Score: 3, Interesting

    Your best bet is to do something similar to what you have done here. Submit the information to them via an anonymous channel, perhaps mailing a CD (which you handled using gloves, no less) with an explanation and machine-readable exploit code. You don't have to make it known that it was you, just that someone figured it out.

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  2. Give Yourself an A by FreeUser · · Score: 4, Interesting

    ... You've earned it. :-)

    Seriously, I'd take this slow. Perhaps writing something up in printed form and submitting it via snail mail would be smarter than having executable code lying around on a computer you own or have access to.

    --
    The Future of Human Evolution: Autonomy
    1. Re:Give Yourself an A by ShieldW0lf · · Score: 2, Interesting

      How much would ppl pay to change a D to a B? Can you find everyone who got a D?

      --
      -1 Uncomfortable Truth
    2. Re:Give Yourself an A by the_ed_dawg · · Score: 4, Interesting
      Congratulations! You've just committed a major academic honesty offense! Do not pass go. Do not collect $200... and for damn sure, do not collect your diploma.

      Keep in mind that although you may not get caught, you might get even worse than caught. Any reputable college will likely set up an expulsion hearing for academic fraud. Even worse, in my home state (Arkansas), it is a class D felony to modify academic records at a higher institution. Actually, they busted a couple of people working in the transcript office for altering grades last fall at my college. w00t! H4x0r5 uN1T3!

      --
      There are two types of people: those prepared for the zombie apocalypse and those who will be eaten.
    3. Re:Give Yourself an A by rf0 · · Score: 2, Interesting

      I agree here. We know your heart is in the right place but other people might not see it like that. As long as you don't care about the fame and the glory, just make them aware of it, then move on to something else.

      Rus

    4. Re:Give Yourself an A by jbottero · · Score: 1, Interesting

      Ah yes, another Slashdot Lawyer. "I know of a security hole. If you pay me I'll fix it. If not, back to my classes." is extortion??? It's an offer to do work. Extortion is "Pay me or I'll post this shit all over campus".

      Pull your head out.

  3. Not willing to fight your own battles? by GoofyBoy · · Score: 4, Interesting

    Find someone who will, or is better able to: the local student newspaper.

    Grab a reporter, show him it, let him follow up.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  4. What's in it for me? by clovis · · Score: 3, Interesting

    Go to a prof with your suspicions (but you don't know yet, how could you?) and get assigned to find out for one of your papers. You've already done the work, so it should be an easy grade.

  5. Don't Tell Them by Anonymous Coward · · Score: 1, Interesting

    I would advise not bothering,
    since it is not worth your effort to help anyone
    who would be such a "class-act" as to give you trouble for your efforts instead of praise.

    If you wanted to, send them a very carefully worded letter, stating that you may have reason to believe there is an exploit, but you are not certain, and that you would have to know in detail how they would react to:
    1. You having found an exploit
    2. You having found a fix
    3. You submitting the fix

    And if they send a nice reply, get something in writing before helping them.

  6. simple? by jpellino · · Score: 4, Interesting

    print it out 4x, put each in an envelope, no return address, send it to the provost, the IT head and the CEO and chief engineer of the company that makes this thing. demand nothing and tell them it's simply fyi. hard for four people to keep a secret - you'll get action somewhere. keep a copy in case nothing happens. no harm, no foul. it's just doing the right thing for no gain.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  7. Consult your AUP by rainmanjag · · Score: 5, Interesting

    Most universities have a well-published Acceptable Use Policy. Before making any disclosures, become intimately familiar with this document. As long as you've done nothing to compromise this document, you should be on safe ground.

    What would be their concern in punishing you? To dissuade every wanna-be cracker on campus from poking around the innards of the computer network. Though we all know security through obscurity does not work, your school does not want everybody trying to eliminate that obscurity.

    When you compose your statement of disclosure, include a statement which argues for your concern and your compliance with the AUP. Cite it, quote it, and argue for your concern for staying within the published regulations of the University. So long as you have not used this exploit to your advantage and so long as you show concern for the things they are concerned about, you should be fine.

    -jag

    --
    http://starboard.flowtheory.net/
    1. Re:Consult your AUP by Anonymous Coward · · Score: 1, Interesting

      Yeah right, who cares about getting in trouble with your school. It's the feds you have to worry about nowadays.

      Actually you've started what's called a toolbox for computer scientists like us. Keep it to yourself, don't brag, you never know when you need it. If you tell someone they will use it against you to get a leg up.

      I once showed my partner (my partner mind you) of one of my CS courses how to run X remotely (yadda yadda) ...you know trivial stuff. Well basically at the time I couldn't remember off the top of my head (sophomore...linux was new... Yggdrasil...Slackware... It was a wonderful time) and kept forgetting to get my notes at home. He kept asking and asking (over 15 times). Finally, I thought to myself "this guy is clueless, he won't figure it out for himself, it's not that hard, I'll get the info just to get him to quit asking". I was on my Slackware box at home and sent him the information via email. Well, if you remember Slackware, it used to (maybe still does) use a default root finger name of "root of all evil".

      Well the little sucker turned me in with an email to a sysadmin on campus (mind you I've only told him how to "export DISPLAY=... and xhost +..."). He had this to say, "I think the person who sent me this is trying to be malicious". At that point in time he was working for the computer department on campus as a peon.

      You also have to realize I've sent him countless emails from this "root of all evil" account with classwork attached for weeks prior to this, signing every one with my initials (i.e. he knew it was me). I signed all my correspondence.

      Needless to say, my accounts were locked and I had to go see the admin. To him "root of all evil" was just that, evil. I couldn't explain to him it was the default from the install and that I didn't intend to harm anyone, and that I just forgot to change it. He continued to show off his great admin skills by claiming I was "spoofing" my IP by using the 10.x.x.x series of numbers which were not "public" numbers to be used by anyone but companies who had paid for them. No amount of explaining helped here either.

      Actually I didn't know it was my partner trying to get a leg up in the world until the admin showed me the email and asked me if this was the email I sent. Once I read it I knew what was going on but I just shut up at that point, agreed to be on probation for a semester and let it go.

      I promptly went to my instructor, told him what was going on and had him removed from my team. Then I went and found my "partner", motioned for him to "come here", then... told him he was off my team. No mention of what was going on. Honestly, that's the closest I've been to demolishing someone EVER.

      Now I just laugh about it. The moral of the story is, there are too many people out there with power that don't understand technology. They will destroy you because they will never understand that technology which is so simple to us. They will destroy you because they know they are outdated and don't want the world to know it.

  8. Three things by Shoten · · Score: 5, Interesting

    One, don't notify the university directly. If you do, you create a political situation where they still have the ability to shut you up by putting pressure on you. Keep in mind, the university wouldn't make life hard for you because they're run by Darth Vader, they'd make life hard for you to keep you from disclosing.

    Two, do notify the vendor, BUT use the disclosure guidelines provided by Rain Forest Puppy (called RFPolicy). This is the best template for fair and equitable disclosure I've ever seen, and I feel it's even a hair better than the policy put forth by @Stake (although theirs is pretty good too). Set up a hushmail account that cannot be traced back to you for this purpose, and proceed from there.

    Three, do NOT disclose the proof-of-concept exploit code. Disclosing a vulnerability is enough, there is no reason to automate attacks that take advantage of it.

    By the time the university knows anything, they will no longer be able to accomplish anything by making your life hard. Furthermore, you will be in a position of strength, having taken the high road in disclosure and given all parties every opportunity to protect themselves properly.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  9. Had this problem with SUN by burtonator · · Score: 4, Interesting

    I had this problem a while back with java.sun.com.

    They were running a comment system that did server side includes. The URL pattern was

    http://java.sun.com/foo.jsp?url=relative/path.inc

    The obvious hack would be to enter a file: URL and see if it worked and sure enough I could browse through the whole file system as long as I knew the path.

    Stupid Java engineers.

    Anyway... I contacted a few VPs at SUN and just told them that I had discovered a severe security hole in their webserver and that because of the DMCA I couldn't report it.

    They were quick to respond telling me that they WOULDN'T prosecute if I were to give them the security disclosure so they could fix the issue.

    Most people won't care as long as you are white hat. If they freak out then don't reveal the information.

    Kevin
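
    The include-by-URL bug burtonator describes above, as an added example that is not Sun's code and not from the original post: a naive resolver that hands the url= parameter straight to a URL-aware fetcher (so a file: URL is honoured), beside a hardened resolver that only ever maps the parameter to a file under a fixed include directory. INCLUDE_ROOT, ALLOWED_SUFFIXES, the function names and the sample inputs are assumptions made for this example; nothing here touches the filesystem.

```python
# Added example (not Sun's code; names, paths and samples are assumptions)
# showing the include-by-URL bug class from the post above and one way to
# constrain it. Purely lexical: no file is ever opened.
from urllib.parse import urlsplit, unquote
from pathlib import PurePosixPath

# Assumed directory that include fragments live in, and an assumed allowlist
# of fragment types; both are hypothetical values for this example.
INCLUDE_ROOT = PurePosixPath("/srv/www/includes")
ALLOWED_SUFFIXES = {".inc", ".html"}


class IncludeRejected(ValueError):
    """Raised when the url= parameter names something outside the allowlist."""


def naive_resolve(url_param: str) -> str:
    """The vulnerable pattern: the raw parameter is handed straight to a
    URL-aware fetcher, so any scheme that fetcher understands is honoured."""
    return url_param


def hardened_resolve(url_param: str, root: PurePosixPath = INCLUDE_ROOT) -> PurePosixPath:
    """Map url= to a file under `root`, or raise IncludeRejected.

    Checks, in order: no scheme or host (rejects file:, http:, //host/...),
    relative path only, no '..' segments after percent-decoding, an
    allowlisted suffix, and a final lexical containment check against root."""
    decoded = unquote(url_param)          # decode once, then inspect the result
    if "\x00" in decoded:
        raise IncludeRejected("NUL byte in include name")
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        raise IncludeRejected(f"scheme/host not allowed: {url_param!r}")
    if parts.path.startswith(("/", "\\")) or "\\" in parts.path:
        raise IncludeRejected(f"absolute or backslash path not allowed: {url_param!r}")
    rel = PurePosixPath(parts.path)       # drops query/fragment, collapses '.'
    if not rel.parts or ".." in rel.parts:
        raise IncludeRejected(f"empty or traversing path: {url_param!r}")
    if rel.suffix.lower() not in ALLOWED_SUFFIXES:
        raise IncludeRejected(f"suffix not allowlisted: {url_param!r}")
    candidate = root / rel
    # Defence in depth: even after the checks above, confirm the joined path
    # still sits below root (lexically; nothing here touches the filesystem).
    if root not in candidate.parents:
        raise IncludeRejected(f"escapes include root: {url_param!r}")
    return candidate


def is_allowed(url_param: str) -> bool:
    """Convenience wrapper for request filters and tests."""
    try:
        hardened_resolve(url_param)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the legitimate form from the post, then the
    # file: URL it describes, a traversal, an encoded traversal and a host.
    for sample in ("relative/path.inc", "file:///etc/passwd",
                   "../../etc/passwd", "%2e%2e/secret.inc", "//host/x.inc"):
        verdict = "allowed" if is_allowed(sample) else "rejected"
        print(f"{sample:22} naive -> {naive_resolve(sample):22} hardened -> {verdict}")
```

    The hardened resolver rejects by construction rather than by pattern-matching known bad strings: once scheme and host are gone and '..' segments are refused, the only thing the parameter can name is a file of an allowlisted type under the include root, which is the whole of what a server-side include needs.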

  10. The conspiracies on slashdot... by BelugaParty · · Score: 4, Interesting

    Maybe I'm completely naive, but what the hell is going on?! Has everyone on slashdot hacked or cracked some 31337 prog/dbase/bank ... Why is anonymity supposedly the best policy?! As long as you haven't changed your grades or exploited code (your teachers/the school will be able to tell) then you'll be fine. Are you afraid of getting busted for something else? I mean, it seems completely rational to e-mail the company, print a copy, mail it to yourself (if you are as paranoid as everyone else) and then, if problems arise, mail the university.

    Remember: The university cares about a student paying 20k+ a year to be there, the software company is costing the U money, who would they rather attack?

    Anonymity is for spammers. You'll probably get some recognition in the CS department if you say something about it... unless your teachers are all secretly black hat, and hate your guts for exposing yourself .. :P ridiculous

  11. Re:Dude, by dtfinch · · Score: 2, Interesting

    He does have a means to protect himself, the secrecy of the exploit.

    * If they release a patch, the exploit remains a complete secret, he gets a pat on the back, and everyone is happy.

    * If they refuse to release a patch, he can tarnish their reputation by posting of its existence, but without sharing the details of how to exploit it. Demonstrations available upon request to trustworthy security experts.

    * If they threaten legal action, he can threaten the release of the exploit.

    * If they pursue legal action, full details of the exploit plus the proof of concept appear on hundreds of websites, possibly including Slashdot.

  12. Its called Full Disclosure... by JRHelgeson · · Score: 5, Interesting
    This is a debate that has been taking place in the security industry for some time now. Does Full Disclosure hurt or help the industry? I am of the position that full disclosure helps.

    If bugs are kept secret, the secrets get held in the hands of the few. The unethical hacker [cracker] will eventually exploit the code and use it to their advantage.

    If it weren't for FD, we'd have more 0day exploits because companies would not feel the pressure to release timely updates. It chews up development cycles to go back and put an emergency fix in place for insecure code, test it, and release it. Do you think companies would do this voluntarily? I think not. Too expensive. They'll include it with their next major update and charge for the upgrade or some crap like that.

    I say the medicine is bad, but the disease is worse. Full Disclosure is the Medicine, bad coding the disease.

    We are going to continue down this road of FD debate until software vendors (M$ et al.) start writing secure code. I have said it many times; Requiring patches to achieve security is fundamentally flawed. Coders need to write secure code. The onus is on them. Don't blame the hackers/crackers for airing their dirty laundry. If M$ or whoever loses market share because they consistently release insecure code that is repeatedly being compromised then that is their fault.

    It was only after being repeatedly beat over the head with the proverbial lead pipe by the hacker community that good ole Bill Gates sent out a memo stating that Security is becoming Microsoft's #1 priority. Do you really think he would have done that if we didn't have Full Disclosure in place? We should not rely on 'security by obscurity' by keeping the exploits secret, or keeping the information reserved for the security elite.

    Send a confidential email to the network administrators and to the company that created the software. State that you will give them adequate time to respond and to release a patch. State that the exploit will undergo full disclosure in two months, or if they request extra time, ask them what measures are being taken to ensure the integrity of the information being stored on these computers. If you can hack into the system to raise your grades, others could hack in to lower the hard-earned grades of others. Hell, at that point, they should start selling diplomas at the bookstore.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  13. Re:Anonymously email the company by Anonymous Coward · · Score: 1, Interesting

    Whoa, there, tiger! Anonymous from a hotmail account? Haven't you ever tracked anyone through the "X-originating-ip" header that gets into every outgoing hotmail message? You have to be a little more careful than that.

    If you post from behind a NAT firewall or HTTP proxy with tons of users, you're in better shape--the IP picked up by hotmail will be fairly anonymous. But that may or may not be enough, especially if it's at your own university--because the recipient might be able to persuade the firewall operator to check his logs for outbound hotmail access at the time of the initial SMTP transfer in the header. Even with thousands of users on one NAT'd IP address, the list of suspects will suddenly become single-digit. Then how safe are you? Did you tell them that you're a CS student at F.U.? That alone might nail you pretty good. Remember, this is a University, so there ain't no search warrants or subpoenas to worry about. And there isn't any presumption of innocence, either.

    Having recently been assigned to (and failed to) track down an anonymous emailer, your best bet is to post to hotmail from an AOL account, or (better yet) from an anonymizing service that is owned and operated in another country. Either way, finding out who you are would require subpoenas, which means they'd have to find grounds for a lawsuit, first--this is unlikely. With a foreign anonymizer, even if they do get a subpoena, they have to endure a 6+ month process of paperwork to persuade a foreign government to honor a US subpoena--also unlikely.

    But really, the worst part is that if you post anonymously, they'll probably ignore you. They don't give a fuck if one kid can hack their shitty grading software. They WOULD care if this vulnerability became public. You might want to consider a countdown to publicity: they have 30 days to figure out the vulns, patch the software, and get the word out to end users. At the end of 30 days, you'll post it to bugtraq and wherever else is appropriate.

  14. As a university sysadmin.... by WasteOfAmmo · · Score: 5, Interesting

    I can understand wanting to cover your backside with this. Especially since you have 'tested' the exploit. Going to the university may mean the end of your academic career. Going to the company may result in the same in a round about way. The company may feel obligated to report you to the said university.

    If you are serious about getting the exploit fixed then there are a lot of good points already made in the replies:

    • Send it to the company anonymously.
    • Send it to the university IT dept. anonymously.
    Do both and that should get it where you want it to go.

    Now for my take on this (if you were one of my students)...

    You are supplying the source of the proof of concepts, right? I accept no binaries from unknown sources, especially with your story. You have to convince me that you are not only legit but being honest. If you approach me you had better be able to prove that you have not altered your grades. This is not due to my morals but due to my obligations to the university.

    I have dealt with students bringing up exploits to me that they have found work in our system. First I have to verify their claim, second I have to consider the damage they may have done (purposefully or not). If this means a call to security then I am obligated to do that. After that I have to consider fixing my system and damage control.

    Note about security: I need not bring security into it but I must document everything in case the incident becomes a concern in the future... Example, next year you suddenly become an honor student.

    A comment by 'has' bothers me... if this is you then you could be in deeper than you want to be... I would suggest cleaning up your act, taking an ethics course and getting on with your degree. This type of unethical, and probably illegal (fraud?) activity will eventually catch up with you if continued. Enough preaching.

    Take the suggestions regarding anonymous submissions if you're serious about helping.

    Merlin.

  15. Re:What to do by p2sam · · Score: 2, Interesting

    how about publishing the exploit to your local student newspaper. It'd make a great story, and they can protect your identity.

  16. A little late... by JWhitlock · · Score: 3, Interesting
    I am a U.S. university student who has recently come across 2 remote exploits for a homework program used by colleges nationwide.

    Come across? Like you woke up one morning and found them in your mailbox, between credit card offers?

    Both vulnerabilities allow students to give themselves arbitrary scores, and possibly execute arbitrary code. To further emphasize the scope of this vulnerability, I have written and -selftested proof-of-concept exploit code.

    Now I'm thinking - did you have a legal copy of the software you were "testing"? If not, do you know the person/entity who has the legal copy? Did you get their permission to poke around?

    I would expect the litigation or academic discipline, if you pursued your experiment without a legal copy, or at least the permission of the person who owned the licensed copy. Or at least asked a professor to act as advisor for your experiments.

    As an ethical geek, what do -you- do?

    Ask permission from the target company before pursuing exploits.

    I may be reading too much into the poster's brief notes (or maybe the poster's name), but I have a feeling that there are several illegal (and possibly unethical) things that have been done so far. The best way to avoid a situation like this is to plan to be ethical, legal, and open from the beginning. Get the company's permission, the school's permission, etc., and no one will be surprised when you get some results. Otherwise, they may say "Thank you, now please come to court in two weeks", and you have little recourse except to hire a lawyer.

    Which the poster should probably do, anyway. It's a shame - with the proper authorization, this could have been an interesting senior project.

  17. yo, is this blackboard??? by dallask · · Score: 2, Interesting

    Today I ran across 2-3 holes (cross site scripting with remote execution, sql injection with code exposure, and account hijacking) in the blackboard system which I am currently working to exploit... for a proof of concept. if this is the same system you're talking about, I want to talk with you. maybe with enough ammunition they will listen to the both of us more than they would listen to one.

    email me.

    --
    The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
  18. Chaotic Good, my friend! Say nothing. by Fantastic+Lad · · Score: 4, Interesting
    There has been a history of people being punished for doing the right thing.

    Yes, this is insane, but it's also how it is.

    --True, if you take the right approach, have the right kind of charisma, (ie, express honesty and even explain your concerns up front about how other people before you have been punished for having done the right thing in the past,) you might be able to pull it off. I wouldn't count on it though. The sheep behind the glass are getting colder every day, and even a smooth talker like me has been really having to sweat in order to earn my best intentions. It's getting tough out there.

    So in this instance, and others like it, I wouldn't bother.

    And just to be clear, I wouldn't use the exploit either. --Chances are, if you do, you'll really end up in hot water. Indeed, I strongly suspect that some cases of these kinds of exploits are designed to discover those who are not sheep-like enough so that they can be flagged for later. . , uh, disposal. (Same goes for things like performing acts of guerrilla advertising, and ad-defacement of particularly nasty posters and billboards around your town. That sort of thing is monitored.)

    --Which, of course, means that if you try in earnest to bring the hole in the code to the attention of the 'masters of the universe', then somebody, somewhere will be all pissed off with you for ruining their entrapment scheme.

    My advice? Sit tight. --The furthest you might want to go is to discuss it openly to anybody who cares to listen, saying you heard about it on the net from some anonymous coward. Wide open honesty is usually the best way to screw evil plans without bringing down reprisal and brimstone on your head. Works for me.


    -FL

  19. Been the coder by phorm · · Score: 2, Interesting

    I accidentally left a hole like this on a server I was working with once. I'd actually had checks to ensure such a thing didn't happen, but disabled them when I was debugging and forgot to uncomment the code (dumb dumb dumb). Luckily, that particular server didn't have anything overly special, though the ability to view users in the passwd file (which contained full names) was annoying.

    I must say that I greatly appreciated when somebody informed me of the hole, though I felt like an idiot afterwards. Not everybody is an asshole about such things. I'd expect also that there would be some form of sysadmin that you might be able to contact (anonymously or otherwise), and he might appreciate it more than perhaps an exec who has no clue about security.

  20. Serious Suggestion by Zork+the+Almighty · · Score: 2, Interesting

    This is a serious suggestion. Don't report it, just pick classes at random each semester and fail all the students in them. 10 or so should be enough. The administration will freak out, and they will get the company's attention for you. Use an anonymous remailer to tell the company where the problem is, but never release any exploit code.

    The fact is, with this sort of thing, the squeaky wheel gets whacked with a sack of doorknobs.

    --

    In Soviet America the banks rob you!
  21. Two Actual Cases: What worked, what didn't. by da0g · · Score: 2, Interesting

    I ran into a similar situation some years back at Carnegie Mellon University. A friend of mine discovered a means of acquiring AFS authentication tokens belonging to other students. (The tokens were not being destroyed properly. The technique involved editing the boot image (vmunix) with emacs.)

    This was a significant security hole. Every year, a couple of idiots try to cheat. With the ability to become any other user, well, Pandora's box was wide open.

    My friend asked for my advice on how to proceed. Should he contact the administration? I told him, flat out, if he went to the administration, he could expect to have his computer accounts immediately terminated. Without them, he would receive a forced-fail in all his computer science classes. He could also expect to face a "rubber-stamp" academic review board, and either a suspension or outright expulsion from the school.

    This is, unfortunately, not idle speculation. Some years earlier, my best friend at CMU (Jeff) had created a subdirectory. Well, several subdirectories, actually. Nested. The professor (Phil) was a complete loon who couldn't code his way out of a paper bag. He decided Jeff's subdirectories had crashed the system. We accessed the logfiles. Jeff didn't have anything to do with that system going down. That didn't stop the termination of all his computer accounts, the forced-fails, or the academic review board and suspension. My one big regret was that Jeff never filed a lawsuit against CMU.

    So, getting back to the AFS hole: I'm a member of the local Alpha Phi Omega chapter. At that time, one of our advisors was an upper echelon hacker, an absolute wizard, who was responsible for a large chunk of the actual implementation on the systems involved. I arranged for a private meeting between the three of us. The details were discussed openly and frankly, along with possible solutions. A trivial fix was put into place.

    To the best of my knowledge, no one else, and specifically no one in the administration, was ever notified. My friend continued his education uninterrupted, and eventually obtained his degree.

    -D.

  22. This is what I did when it happened to me by micklweiss · · Score: 1, Interesting

    The last University that I attended in West Palm Beach FL (they can trace this back to me... see if I care) has some shitty network admins. Their network is anything but secure.

    I found plenty of problems with their network security... I (as a regular user on their systems) had access to a lot of things that I shouldn't have had. I actually used one of these exploits to my advantage. We had a test that I didn't study for (all tests were handled by a CGI script on an insecure in-house server). I shut down the box, and ... voilà, no test that day.

    I sent an e-mail to the heads of the school,

    I ended up talking to them and asking for a job, they wanted to give me $5 /hr so I told them that they can go f**k themselves (in a nice way). They wanted me to setup servers (SMTP, DNS, Webserver etc...), apply a security policy and write custom code for them.

    I just ended up telling my teacher about the security vulnerabilities (he was real cool about it), he fixed the exploits that I knew off the top of my head. I corrected some of his code... now he sends me job opportunities.

    ....

    In a different situation in high school, I wrote a lot of code for my school, it was supposed to be a system where teachers and parents could view students grades and such securely... the school ended up expelling me for not going to detentions (I was working as a developer after school for a firm down here in FL). Every bit of code was encrypted with GnuPG so they didn't get one bit out of me.

    BTW: if u found an exploit on a school's computer and u write a patch on the school's computer (ITS OWNED BY THE SCHOOL), they will try and screw u over, schools are just like that.

    My advice is - they won't hire you or they will want to pay minimum wage, and just either talk to a teacher that you TRUST. They might appreciate it and send you work that comes their way :o)

    oh ya, first change your grades though... ;o)

    Regards,

    - Mick

    (o> Web developer / designer
    ( ) UNIX Systems Admin
    --- ~ www.mickweiss.com ~

  23. Only in America... by Fizzl · · Score: 2, Interesting

    ...can you make such a trivial thing as bug reporting a complex legal issue.

    I would just contact the local admin, tell him whats wrong, hand out the proof-of-concept and let him sort it out with the developer company.

  24. Do what Captain Kirk did! by corebreech · · Score: 2, Interesting

    Remember the Kobayashi Maru? The no-win scenario?

    Kirk cheated.

    That's what I suggest be done here. If we can re-program the simulation to come out on top, I see no reason why we shouldn't get a commendation for original thinking.

    Kirk didn't like to lose. Neither should we.

  25. Re:Anonymous WHAT ?!?! by acet · · Score: 2, Interesting

    Oh please, who in the hell moderated this post 'Insightful'? It's baseless paranoid raving. The Internet is *awash* in information, far more than it is remotely possible to manage, track, log, or process. If someone doesn't know how to be perfectly anonymous on the Internet, then they just haven't thought about it.

    Think about it. You say every connection is logged.. rediculous. Assuming that were even true, logged for how long? A day? A week? When your ISP has 10Gigabits of information pumping through their routers each and every day, how many logs do you think *they're* able to keep? See many truckloads of archive-grade backup tape leaving your local dial-up ISP every week? Even if someone *is* logging everything, the simple fact is that nobody can afford to keep those sort of logs around for long.

    Take this incredibly simple recipe and see how well *you'd* be able to defeat it.

    1.) You have some random super-dangerous bit of information.. you'd like to get it to someone (say an editor at the NY Times), but don't want to be tracked.

    2.) You take yourself to a coffee shop with free wireless access, or your public library, or school, or somewhere else where a lot of people share the same internet resources and aren't tracked.

    3.) From this point of internet access, write up your killer nugget of informational goodness, and ship it off to any half-decent anonymous remailer, with the instructions to delay delivery for 30 days. Most of the decent ones will let you do this. They'd let you delay it for a year or more if you wanted.

    4.) 30 days later, your email is sent, the sh*t hits the fan, and everybody is looking to see who sent it. So now what?

    If they're *really* omniscient, perhaps they can identify from what ISP the email entered the anonymous remailer network. If the ISP is *really really* paranoid and keeps better logs than any single ISP I've ever known of, they *might* be able to identify the customer's link the email was sent from. But guess what, odds are that the little coffee shop you posted the email from probably didn't keep very good logs on its little Apple Airport WAP and is having a hard time remembering just who was sitting in the coffee shop at 5:43pm 30 days ago.

    You're home free.

    And we haven't even started to get *sophisticated* yet.

    No anonymity on the internet? please.

  26. Re:blackboard? not necessarily.. by WoTG · · Score: 2, Interesting

    FWIW, WebCT started out as an in-house development for one of UBC's faculties (I think it was Chem.). Anyway, it grew quickly and soon most of the University was on it. I think it's been commercialized by now, but I'm not sure.

  27. Re:DO NOT GIVE OUT YOUR NAME by buss_error · · Score: 2, Interesting

    Stay anonymous. Do the COST-BENEFIT analysis (seriously).
    In this climate, you have everything to lose and very VERY LITTLE to gain no matter how cool you think it is.

    I agree with Augustz's post 100%. Use a public library (not the school's library, but the public library) to send an email from a free email service, and make sure the service is not in the US.

    Read about how Blackboard treated two students here and see if you think reporting the problem is safe or not. In view of BlackBoard's past actions, if I were the one with the information, I'd post it to a Usenet group for security. I wouldn't inform them and give them so many days to fix it. I'd release it immediately.

    You choose what you think is right.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.

  28. It happened to me by mcrbids · · Score: 2, Interesting

    Well, mostly.

    I was working on a site for a client, and discovered a vulnerability that was easily exploitable in a Credit Card interface for a large, well-known company.

    I sent details of the exploit, complete with working code samples to the company in a carefully written, detailed, email.

    About 2 weeks later, I got a phone call from a *very* agitated man who kept saying over and over: "it's not really a problem". I simply listened; I had nothing to say since it'd already been said. I didn't say anything, and he eventually hung up on one of the weirdest phone calls I've ever had.

    The vulnerability allows me to buy anything I want from any client site of said large, well-known company.

    So, speak your piece. Send the details to the company/vendor, along with full details, exploit code, everything you know. Make it clear that you are not going to publish it, or at least make clear the conditions that would make you feel it necessary to publish, and put the onus on them.

    I did, and I have a clear conscience.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

  29. Been There, Got Screwed by wbav · · Score: 4, Interesting

    Okay, so two stories, one from Jr. High, one from high school.

    In Jr. High, someone was giving out the admin password pass FoolProof (a mac protection software that was incredibly simple to bypass at the time.) Anyways, I tried to inform the IT guy, and he blew me off, saying that I didn't really know the password. So I put on a little app that made the computer belch.

    Someone snitched, and I ended up in the principal's office. I tried to plead my case, it wasn't like I hadn't tried to do the right thing, and when they wouldn't listen I gave them something they couldn't ignore. Detention 4 weeks.

    I should have learned from my first experience but I didn't. In high school, the network was completely insecure. You could print to any classroom across the whole school district, and everything was named quite nicely. Once again, I was blown off when I tried to say this was a bad thing.

    Not only were all the printers there, but a number of computers were open with read access to everything. So I opened a network connection to every shared disk along the network and started a find for everything. The IT guy in the lab looked over my shoulder and asked what I was doing. Detention again, this time for "Slowing the hard drives down."

    If only more people got into trouble for changing the laws of physics.

    --

    =================
    Unix is very user friendly, it's just picky about who its friends are.