Casino Accused of Withholding Bug Bounty, Then Assaulting 'Ethical Hacker' (arstechnica.com)

An anonymous reader quotes Ars Technica: People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it's less common for such situations to turn into tense trade-show confrontations -- and competing claims of assault and blackmail. Yet that's what happened when executives at Atrient -- a casino technology firm headquartered in West Bloomfield, Michigan -- stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK -- stopped by Atrient's booth at a London conference to confront the company's chief operating officer.

What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.

The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter.

Ars Technica calls the story "practically a case study in the problems that can arise with vulnerability research and disclosure," adding "the vast majority of companies have no clear mechanism for outsiders to share information about security gaps."

A security research director at Rapid7 joked his first reaction was "man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty." But they later warned, "It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs -- especially today, in an era where bug outings are kind of normal now -- to not expect someone to be necessarily grateful when one shows up."

65 comments

  1. what u expect by Anonymous Coward · · Score: 0

    casino is run by all mafia

    1. Re: what u expect by Anonymous Coward · · Score: 0

      Exactly. "The house always wins."

      So frustrating if your kneecaps were to just suddenly be shattered, so frustrating would that be.

    2. Re:what u expect by nitehawk214 · · Score: 1

      Casinos were more civil when they were run by the mob.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  2. Casinos are shitholes. by Anonymous Coward · · Score: 5, Interesting

    Just sell it and let the casino get robbed instead. Casinos are shitholes, addicts are the product as soon as they walk in the door.

    1. Re:Casinos are shitholes. by Anonymous Coward · · Score: 0

      Precactly.

    2. Re:Casinos are shitholes. by Anonymous Coward · · Score: 3, Insightful

      Casino to hackers: If you find a vulnerability then you're better off exploiting it and stealing our money than trying to help us. Noted.

    3. Re:Casinos are shitholes. by Anonymous Coward · · Score: 0

      What do you mean shithole? I don't see how someone intentionally exploiting human emotion process by presenting fake 'reality' to manipulate customer into playing obsessive games and losing all the money would be a lowlife piece of shit. Can someone explain, i just don't get it.

  3. A casino refusing to pay out? by Moryath · · Score: 4, Insightful

    Gee, it's not like we haven't seen casino orders try that one before, even trying to create fake evidence of 'machine malfunctions' or other fraudulent claims trying to get out of paying a jackpot.

    It's a casino. Assume it's corrupt and run by criminals.

    1. Re:A casino refusing to pay out? by sjames · · Score: 5, Interesting

      Funny thing about that. Back when the mob owned the casinos, if someone got carried away and was wiped out, the standard was to give them dinner and a flight home. Now that they're corporate owned, the standard is to have security throw them out, bodily if necessary.

    2. Re:A casino refusing to pay out? by Krishnoid · · Score: 1

      Reminds me of this video of how Las Vegas has changed and keeping focus on what's important to you.

    3. Re:A casino refusing to pay out? by Anonymous Coward · · Score: 0

      Nothing surprising there. I mean it's a 'dog eat dog world', so more vicious and nastier mutt wins, yes?

      Mobsters were just naive muscle idiots with an actual code of behaviour, that can't compete with real criminals who will do anything to get results.

  4. So how does a company know by Anonymous Coward · · Score: 0

    How will they know if you're trying to extort them or not?

    I would suggest a clearinghouse - in which companies who wish to participate fund a bug bounty program to pay legitimate security researchers. Everyone who doesn't wish to register is probably in it for the fraud and can be reported to the authorities.

    1. Re:So how does a company know by Anonymous Coward · · Score: 0

      This. "I know something bad about your software and should you pay me to let you know" can very easily read as extortion, even if that is not the intent. Because a reasonable person might read between the lines: "or I will see to it something bad happens."

      Things would go smoother if a third party of some reasonable repute were involved, one that could hold the payments in escrow while an opportunity to inspect the "goods" can be made, and the clearinghouse could hire a third party technical analyst if there is a big gap between interpretations of the nature/value of the flaw.

    2. Re:So how does a company know by HornWumpus · · Score: 2

      Anytime you want to extort someone legally, you need a fucking lawyer. They know exactly how it's done. It's a legal specialty, some lawyers make careers out of it.

      As always, get a good one. Find someone with ADA experience.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    3. Re:So how does a company know by Comrade+Ogilvy · · Score: 1

      Well, a clearinghouse could have the expertise to formulate boilerplate agreements under the advice of lawyers, that would bear legal scrutiny from both parties. And there could even be clauses about an arbitration process in case of dispute, that could go to a recognized third party expert to analyze.

      I agree that thinking you can make the "sell" your maybe threat for good money is not something for amateurs.

    4. Re:So how does a company know by HornWumpus · · Score: 1

      Q: How is legal extortion like being in the Mafia and eating pussy?

      A: One slip of the tongue and you're in some shit.

      I know...old. The point is there are traps everywhere. One slip and 'shit'.

      Get a mouthpiece and shut-up. It can save you. Let the lawyer split the legal hairs.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  5. If not paid, release the bug or sell it. by Anonymous Coward · · Score: 1

    It is simple common sense. If a company does not adhere to its promise, release the bug and let them suffer the consequences.

    There will always be people who try to screw you. Always make them pay.

  6. This whole "ethical hacker" thing puzzles me. by Anonymous Coward · · Score: 0

    If you're legit, and you offer information, and the company declines, or turns nasty, as in the case described, I'd say fuck it and exploit it myself or sell it.

    I can be a legit stock trader and see an "opportunity," I'm under no obligation to divulge what I know and I'm free to exploit it; i.e. trade in the market to my advantage, and to the disadvantage of others.

    What's the difference?

    Someone's going to jump in here and mod me down and say because it's theft.

    I'd agree, one is theft, and the other is just hacking.

    Caveat Emptor.

    1. Re:This whole "ethical hacker" thing puzzles me. by Moryath · · Score: 1

      "Exploit it myself" = prosecutable criminal activity.

      "Sell it" = accessory to grand larceny.

      Some people actually have consciences.

    2. Re:This whole "ethical hacker" thing puzzles me. by Anonymous Coward · · Score: 0

      Live a while longer while paying attention to how the world around you works, and that conscience problem will clear itself right up.

    3. Re:This whole "ethical hacker" thing puzzles me. by Anonymous Coward · · Score: 0

      If you're legit, and you offer information, and the company declines, or turns nasty, as in the case described, I'd say fuck it and exploit it myself or sell it.

      I can be a legit stock trader and see an "opportunity," I'm under no obligation to divulge what I know and I'm free to exploit it; i.e. trade in the market to my advantage, and to the disadvantage of others.

      What's the difference?

      Part of ethics in this case involves also not breaking the law. Those two things are not the same, but to claim to be ethical you need to do both of them.

      As laws change depending on country there is no one single answer, but very often exploiting a vulnerability is illegal.

      In your stock market example, is taking advantage of that "opportunity" legal or illegal where you are at? I don't know.

      If both are legal, or both are illegal, then there is no difference.
      If one is illegal and the other isn't, then that is the difference.

    4. Re:This whole "ethical hacker" thing puzzles me. by HornWumpus · · Score: 1

      His UID is pretty low. Likely beyond help. He's just going to have to work around his defect.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    5. Re:This whole "ethical hacker" thing puzzles me. by HornWumpus · · Score: 1

      You have broken ethics if they incorporate legality.

      There are many cases where it is unethical to follow the law. e.g. Paying taxes on unreported income. That often requires you to snitch out the source of the income (unethical).

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    6. Re: This whole "ethical hacker" thing puzzles me. by Anonymous Coward · · Score: 0

      What about somewhere in between? Exploit it until you get the equivalent of the bug bounty, then give it away for free to the company. It'd be up to them to sort it - if they decide to sort it.

    7. Re: This whole "ethical hacker" thing puzzles me. by Zero__Kelvin · · Score: 1

      Except selling it constitutes nothing of the sort. If that was the case the publishers of "The Anarchists Cookbook" would be in jail for life.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  7. what are the labor laws on stuff like that? by Joe_Dragon · · Score: 1

    what are the labor laws on stuff like that?

    1. Re:what are the labor laws on stuff like that? by imidan · · Score: 1

      I can't see how labor laws would enter into it, since the person has no employment relationship with the company. On the other hand, 'pay me or I'll make this information public' is almost the definition of blackmail. I feel like in any bug bounty situation, there should be a contract between the person and company before things go too far, to avoid situations like in the article. I'm not sure how to propose or negotiate such a contract while avoiding implications of blackmail.

    2. Re:what are the labor laws on stuff like that? by wierd_w · · Score: 2

      I would say it is in the realm of contract law.

      "Hey, I will give you money if you disclose flaws directly to me, so I can fix them before the word gets out!"

      Is an offer for a contract.

      Creation of a bug bounty program, with rules and verbiage on how to participate, how to submit a bounty, et al-- are all terms and conditions established for the transaction of that contract.

      Creating a bounty program, and telling a researcher that "Hey, I will tots pay you if you tell me first, and then keep it under wraps for awhile!", waiting for some researcher to take you up on that offer, then suddenly shouting "EXTORTION! EXTORTION!" is pretty much straight up barratry and contract violation.

    3. Re:what are the labor laws on stuff like that? by sfcat · · Score: 1

      I can't see how labor laws would enter into it, since the person has no employment relationship with the company. On the other hand, 'pay me or I'll make this information public' is almost the definition of blackmail. I feel like in any bug bounty situation, there should be a contract between the person and company before things go too far, to avoid situations like in the article. I'm not sure how to propose or negotiate such a contract while avoiding implications of blackmail.

      That's not blackmail. Blackmail is I know you did something wrong and I will tell unless you pay me. This is more like a whistle-blower where you need their expertise to fix the problem. The researchers telling the public about the flaw is more akin to warning people that a bridge is defective. Also, there is an easy fix to this problem and somehow I think it will get used quite quickly against this casino. What idiots....

      --
      "Those that start by burning books, will end by burning men."
  8. A classic story, you see.. by wierd_w · · Score: 2

    "Once upon a time, there was a wonderful and profitable company that made perfect products that never failed, and were perfectly secure. They had an iron-clad confidentiality framework to protect the privacy and anonymity of their customers, and data breaches never happened to them. They made lots of money, and the investors lived happily ever after."

    But Grandpa, what about that time when --

    BILLY! WHAT DID I JUST SAY!? -- I said IRON CLAD, PERFECTLY SECURE, and BREACHES NEVER HAPPENED!

    But Grandpa, that's not..

    BILLY, GO TO YOUR ROOM!

    [This is essentially what goes on with security disclosures, except instead of a senile patriarch insisting on an absurd bedtime story's plot, you have corporate leadership refusing to budge even an inch in the face of reality about their companies, their products, and their business practices-- Lest the investors get scared and withdraw their investments. They treat every bit of truth or fact that detracts from their carefully manicured narrative as a direct personal attack, because it is worth more to them than the losses incurred by the problem itself. A researcher asking when their bug bounty payment will be sent, is immediately 'EXTORTION!!', because "disclosing the dirty secret!" that their product actually is not fairytale perfectly secure, is a deadly thing to their corporate image, don't you know! Because lying to investors is an industry staple these days, apparently. They would rather send Billy to his room and keep him there forever, than admit that the fairytale is a fairytale.]

  9. Not a Casino by Anonymous Coward · · Score: 0

    I guess the editors missed the part that this was NOT a casino bug bounty. It was a company that makes casino games.

    1. Re:Not a Casino by wierd_w · · Score: 1

      Indeed; the fear is that their customers would lose confidence in their products, if it became well known that the products in question had a severe vulnerability that changed their payout rates.

      A natural fear, since casinos RELY on those rates, and the magic of statistics, to always be profitable, even when making payouts.

      The games maker, however, only has incentive to smile like a slimy used car salesman, and lie their asses off about how amazing and uncheatable their games are. They might have a token bug bounty program, but that is there for show to help calm their buyers; When an actual bounty is claimed, it's suddenly "EXTORTION!"

    2. Re:Not a Casino by Anonymous Coward · · Score: 0

      In that case, the researcher's next step should be to go over the heads of the developers and go straight to their customers -- the casinos themselves.

    3. Re:Not a Casino by TheRaven64 · · Score: 1

      A natural fear, since casinos RELY on those rates, and the magic of statistics, to always be profitable, even when making payouts.

      It's worse than that. In a lot of jurisdictions, the payout rates are mandated by law and there can be serious legal consequences if the advertised payout rates are not the real ones.

      --
      I am TheRaven on Soylent News
  10. Release it regardless, to avoid extortion/blackmai by raymorris · · Score: 5, Interesting

    Threatening to release it unless they pay you is extortion, a felony. At the federal level it carries a prison sentence of up to three years.

    Colloquially, it's called blackmail, though in federal law blackmail is only if you threaten to tell about a crime they committed.

    To not commit the crime of extortion, one would need to be clear you WILL release a warning to customers so that customers can protect themselves - whether or not the company pays. The company would be paying for details of the problem, not paying to prevent information from being released. Alternatively, don't mention releasing the information at all. You don't want to give the impression that you'll release it unless you're paid, because that's extortion.

    If the company comes back offering payment in exchange for an NDA, that would be an interesting legal situation. Is it extortion if the "victim" proposes it? Probably not at the federal level. At least if the communication accepting the NDA offer is kept short - "I accept your offer". You wouldn't want to restate the offer "if you pay me I won't release it", because that could be considered a threatening communication (extortion).

    I haven't read the text of the law in every state. It could still violate state law if you accept an NDA in exchange for payment after you've already mentioned releasing it.

  11. Short by Ann+Coulter · · Score: 1

    The proper way to profit from vulnerability research is by shorting the stock of the publicly traded company before publishing your results. The capital gains can be used to fund more research. https://arstechnica.com/inform...

    1. Re:Short by Anonymous Coward · · Score: 0

      Indeed. I learned long ago that you never, ever, ever help a stranger without being asked to and paid up front.

      Good samaritan won't save your ass these days.

    2. Re:Short by rtb61 · · Score: 1

      Technically legal, as you are simply conducting open research into a company and its products in order to make investment choices with regard to the company and simply releasing the research, the reason for your investments, after you made your investment. It would be criminal if you got that information from a company employee, any employee; that is insider information.

      --
      Chaos - everything, everywhere, everywhen
  12. Re: Release it regardless, to avoid extortion/blac by Anonymous Coward · · Score: 0

    How about this? I am going to start selling this information in one month, would you like to pay extra it and get it a month early?

  13. WTH did he expect? by Anonymous Coward · · Score: 0

    What was confronting someone in public supposed to accomplish?

    1. Re:WTH did he expect? by wierd_w · · Score: 1

      I get the impression it was more

      "hey man, I understand that you are the top guy in the operations of this company and all that. I am a bounty program participant that has presented findings to claim one of your bounties, and I was in contact with one of your underlings about that process, but they suddenly stopped responding to my inquiries. Can you give me some heads up? Did you cancel the bounty program or what?"

      To which the response was

      "HOW FUCKING DARE YOU DEMEAN MY COMPANY AND OUR PRODUCTS BY IMPLYING YOU FOUND A FLAW! AND THEN YOU HAVE THE GALL TO WANT TO KNOW WHY WE DIDN'T PAY YOU!? RAAAAAWWWWR!!"

      This is very much not the same thing as showing up like a baby momma causing drama.

    2. Re: WTH did he expect? by Type44Q · · Score: 1

      I get the impression it was more

      You sure it wasn't like?

  14. Jerry Springer for nerds by SlaveToTheGrind · · Score: 2

    Seriously, is there nothing of real value to read, think, and talk about anymore?

    1. Re:Jerry Springer for nerds by Anonymous Coward · · Score: 0

      Cultrual marxism and the intentional dumbing down of the masses. Simply overrunning every source of information with obvious bullshit and distractions is simply easier than trying to weave a consistent thread of propaganda. TPTB don't need to answer questions that no one bothers to ask. Get used to it. This is the trend we're on. Oh, and don't forget to turn in your guns!

    2. Re:Jerry Springer for nerds by Anonymous Coward · · Score: 0

      Cultrual hurr durr

    3. Re:Jerry Springer for nerds by Anonymous Coward · · Score: 0

      Exactly. You are a mouth breather.

    4. Re:Jerry Springer for nerds by Anonymous Coward · · Score: 0

      Guilty as charged. Damn genetics.

    5. Re:Jerry Springer for nerds by Anonymous Coward · · Score: 0

      For those not in the loop: reference to "Cultural Marxism" is the new dog-whistle antisemitism (has nothing to do with culture or marxism). Same as the cowardly bracket thing: (((Name of assumed Jewish person))).

      Pro-tip: On slashdot, you can be as openly antisemitic as you like, Nazi ASCII 'art' etc. is all allowed and quite common; you can post 'the protocols of the elders of zion' freely etc.

      Don't be shy, you can be a loud and proud antisemite here!!

  15. Re:Release it regardless, to avoid extortion/black by sfcat · · Score: 1

    Threatening to release it unless they pay you is extortion, a felony. At the federal level it carries a prison sentence of up to three years.

    No, no it fucking isn't. If what you say was true, there would be no way to expose an employer who was putting their workers at risk as then you would be extorting your employer for better treatment. Blackmail is when I know you are fucking your neighbor's dog and unless you pay me I will post pictures of the act. This is more like an engineer knowing a bridge is defective and telling people not to use it. The fact that that same action also makes the casino more likely to be hacked is irrelevant because they could be hacked by someone else anyway and it's unlikely that this researcher is the only one who knows about a specific type of flaw. Also, the bug bounty program is a contract and the casino failed to live up to their own contract. And the real world corrective action will be taken anyway. Now that the black hats know this specific security system is defective, how long till all the casinos that use this specific system get hacked? I'm guessing inside the year.

    --
    "Those that start by burning books, will end by burning men."
  16. Common sense, people! by Ol+Olsoc · · Score: 1

    A bug finder is just like a whistleblower. Report a bug, and it's likely you'll end up in trouble. A casino? Lucky the bug finders are still alive, and now that it is in the open....... And if you do manage to get paid, the reason is that you are supposed to keep your damn mouth shut.

    Don't do it. Let them find out the hard way - which serves them right.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  17. Notify using 3rd party for negotiation by Anonymous Coward · · Score: 0

    90 days to release. This could be delayed for 2 months if a reasonable bug bounty is paid for the efforts in helping your team understand the issue clearly.

  18. Unless they pay up by raymorris · · Score: 1

    > This is more like an engineer knowing a bridge is defective and telling people not to use it.

    If you said "I'll tell people the bridge is defective unless you pay up", that would be extortion.

    That's why I pointed out you'd either a) release the information regardless of whether they pay or b) don't mention anything about releasing the information.

    Here's the federal statute, 18 U.S. Code § 875(d)
    -- ... any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to injure the property or reputation of the addressee
    --

    The "interstate commerce" part is there to give the feds jurisdiction. Email counts as communication via interstate commerce.

    1. Re:Unless they pay up by sfcat · · Score: 2, Interesting

      If you said "I'll tell people the bridge is defective unless you pay up", that would be extortion.

      Which is why I didn't say that. The bug information will get out. It's already in the hands of an independent entity. And that's the nature of information with financial value. The casino is paying for knowing earlier and before potential attackers. They didn't pay up. What do you expect to happen next?

      Here's the federal statute, 18 U.S. Code § 875(d) -- ... any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to injure the property or reputation of the addressee

      First, the researchers had already given the information to the casino, the casino was reneging on payment. The casino was a deadbeat who wasn't paying up. The researchers said, well we know about a bunch of other stuff and won't tell you before we release publicly since you are a deadbeat who doesn't pay their bills. And since you are a deadbeat who has exhausted their credit, we'll tell everyone else and nobody will tell you anything. That's not a threat, that's normal business practices. No pay, no play. A threat would be we'll steal all your money. Releasing publicly is the responsible behavior for security researchers. That this will open up the casino to every hacker on the planet is immaterial. And pointing that out isn't a threat. Pointing out that poking Mike Tyson in the chest while insulting his mother is likely to result in bodily harm isn't a threat. I think you are still confused as to what a threat is. The researchers have to release publicly, that's the responsible thing. If the casino doesn't pay all their security guards how long till they get robbed? Pointing that out isn't a threat. A threat is if you don't pay me, I'll rob you. Anything else is a gross twisting of the meaning of a threat.

      --
      "Those that start by burning books, will end by burning men."
  19. Re:Release it regardless, to avoid extortion/black by bsolar · · Score: 2

    If company comes back offering payment in exchange for an NDA, that would be an interesting legal situation.

    Isn't that exactly the situation described in the article?

    According to the article the original deal between the casino and the researchers did not include any monetary compensation, but neither did it include any NDA: the researchers planned to disclose the vulnerabilities found in a security conference.

    It's the casino which, without being prompted by the researchers, at some point initiated a negotiation to get a NDA from them. The researchers then provided a quote for it and things seemed to proceed toward a deal.

    Now the casino apparently doesn't want to pay anymore for the NDA, but neither wants the researchers to disclose the vulnerabilities they have found, so they went with a C&D legal letter. On the other side the researchers are still not under any NDA and are IMHO pretty justified in stating that if the NDA deal never got finalised they are free to disclose the information as previously planned.

  20. Changed your mind or really unclear? by raymorris · · Score: 1

    Did you get a better understanding after you read the statute I quoted, because it sounds like you're now saying something very different?

    Your original comment:

    >> Threatening to release it unless they pay you is extortion, a felony.
    >> At the federal level it carries a prison sentence of up to three years.

    > No, no it fucking isn't.

    So you said that threatening to release embarrassing information unless someone pays isn't extortion. "No, no it fucking isn't", you said.

    Now we know federal law defining extortion is almost exactly the words I used, the words you said "fucking isn't". Extortion is asking for money with "any threat to injure the property or reputation".

    Do you still think the federal statute isn't law, so threatening to release embarrassing information unless you're paid "fucking isn't" extortion?

    To say "A threat would be we'll steal all your money. Releasing publicly is the responsible behavior for security researchers". We know federal law defines extortion as "a threat to ... damage the reputation". Are you claiming federal law isn't law? Or are you saying "I wish that wasn't law"?

    One more thing about "Releasing publicly is the responsible behavior for security researchers" -
    Are you still unclear about warning customers, by releasing information, versus "I'll release embarrassing information *unless you pay me*"? That "unless you pay me" part is what changes it from a public service to a felony, extortion.

    And yes, putting the public in danger by keeping quiet about a dangerous bridge *because you got paid off by extorting money from the construction company* would also be quite unlawful.

  21. Re:Release it regardless, to avoid extortion/black by raymorris · · Score: 1

    The article says that the vendor asked "we'd really like to own this information ... what will it take to make that happen?" The people who discovered the vulnerabilities then replied with the $60,000 figure.

    It probably would have been better for them to not quote a price or even mention money, especially since the FBI was on the call. Instead they could ask "what do you have in mind?" The vendor brought up "own the information", let THEM make a cash offer if they choose to go that direction.

    Quoting a security professional from the article:

    --
    "When you're performing Coordinating Disclosure -- calling the vendor for the first time -- for me it's super important to really stress, 'Look I'm not trying to sell you anything. I'm not trying to extort you. I'm not trying to set this up as a future sales call for all of my wonderful products,'" said Rapid7's Beardsley. "I am very cognizant of that for a couple reasons. One, I don't want to go to jail. And two, it's an emotional thing for most people, especially people who've never had to deal with [disclosure] before."
    --

    Federal law says extortion is "a communication requesting money or other valuable thing ... threatening to damage ... the reputation of the addressee". Requesting $60,000 was probably a mistake.

    If you want to possibly accept an offer of an NDA for money, maybe the best way to do that would be something like:

    I'm not demanding anything. You mentioned an NDA. I'm sorry, I can't negotiate that with you; if you choose to make a specific offer I can only accept or decline.

    I probably wouldn't do an NDA at all. I would be willing to do some consulting for them to help them understand and fix the problem before information is made public. Obviously, if I know they did a good job of fixing it, I would require that any disclosure I make acknowledge that they fixed it. If they choose not to get the information needed to fix it, full honest disclosure might need to include that fact. Either way I'm going to make an honest disclosure. They can affect what I disclose by changing the facts - either fixing it or not fixing it, and letting me see that it is fixed properly, or not communicating with me. Those are facts that could be part of an honest disclosure.

    I wouldn't want to go to "if you pay me I won't disclose" - any way you do that, whether or not it's a federal crime will be up to the opinion of a judge or jury.

  22. Newsflash by easyTree · · Score: 1

    Company which makes money from exploiting the weakness in others accused of behaving unethically.

    ^_^

    1. Re:Newsflash by Anonymous Coward · · Score: 0

      But but but, we didn't know they are unethical really, I mean all those flashing lights and music, that surely can't be bad. He who sings means no harm, they said.

      So we have full of 'ethical' companies everywhere and nobody says anything and some even help them. What does that make you?
      ^_^

      Hint: it's a tough question and a 'slippery slope' thingy.

  23. Mafia pwns hackers ! by Anonymous Coward · · Score: 0

    Hacker 0
    Mafia 1

    Just sell it and let the casino get robbed instead

    Hackers, by nature, are not street smart.

  24. Re:Release it regardless, to avoid extortion/black by Anonymous Coward · · Score: 0

    Did you also read UK law? Not everybody lives in the US you know, the security researchers are UK based.

  25. Sufficiently for this discussion by raymorris · · Score: 1

    The US inherited English law, then added the Bill of Rights, and that formula means in most areas of long-standing general law, the law will be similar modulo Constitutional rights - meaning if it's unlawful in the US, it's also probably unlawful in England and Wales.

    That matters because by treaty a defendant can be extradited only if it's illegal in BOTH places. Hence, while a US citizen can't be extradited to the UK for exercising their 1st amendment rights, a UK citizen who broke US law in this regard almost certainly also broke UK law and can be extradited.

    Of course it happened partly in Las Vegas.

    Looking at the actual UK statutes, we see they follow the pattern. See section 21 of the Theft Act 1968 and sections 29 and 30 of the Larceny Act 1916. We find that what the US calls extortion is also illegal in the UK. The difference is switching the terms extortion and blackmail. The implied difference is that in the US, courts would have to balance first amendment rights - you're allowed to say mean things to people, so the threat has to be clear in the US.

  26. Re:Release it regardless, to avoid extortion/black by Anonymous Coward · · Score: 0

    Blackmail is when I know you are fucking your neighbor's dog and unless you pay me I will post pictures of the act. This is more like an engineer knowing a bridge is defective and telling people not to use it.

    You demonstrate that you don't understand what blackmail or extortion is. Even worse, you can't even distinguish both of them. The two examples you gave are not comparable to each other. Look at the wording carefully.

    The former may or may not be blackmail because it depends on whether what the person did is illegal. If it is simply an embarrassment and not illegal, it is not blackmail but rather extortion. The latter is neither blackmail nor extortion but rather a disclosure as a warning without money involved. However, if the situation becomes that the engineer goes to the bridge builder and says "you built a defective bridge and must pay me for not disclosing the information", then it is extortion.

    If English is not your native tongue, then I could understand; otherwise, you are just a troll trying to stir things up by misleading people.

  27. Re:Release it regardless, to avoid extortion/black by Anonymous Coward · · Score: 0

    The problem in this case is that the casinos know exactly how to formulate the legal case. They tricked the researcher into saying a number. It is a set-up to create an extortion case. They were the ones who initiated the contact, and then psychologically lured the researcher with greed (human nature) to fall into the trap. Sadly, the researcher fell for it...

  28. Betting by maxiposik · · Score: 0

    Lol, casinos are constantly accused of many things. I don't even know if it is fair. I have learned lately about the UK's new gambling laws: is this the end of High Street betting shops? It makes me think, I suppose these are great changes in this sphere.