Casino Accused of Withholding Bug Bounty, Then Assaulting 'Ethical Hacker' (arstechnica.com)
An anonymous reader quotes Ars Technica:
People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it's less common for such situations to turn into tense trade-show confrontations -- and competing claims of assault and blackmail. Yet that's what happened when executives at Atrient -- a casino technology firm headquartered in West Bloomfield, Michigan -- stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK -- stopped by Atrient's booth at a London conference to confront the company's chief operating officer.
What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.
The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter.
Ars Technica calls the story "practically a case study in the problems that can arise with vulnerability research and disclosure," adding "the vast majority of companies have no clear mechanism for outsiders to share information about security gaps."
A security research director at Rapid7 joked his first reaction was "man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty." But they later warned, "It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs -- especially today, in an era where bug outings are kind of normal now -- to not expect someone to be necessarily grateful when one shows up."
Just sell it and let the casino get robbed instead. Casinos are shitholes, addicts are the product as soon as they walk in the door.
Threatening to release it unless they pay you is extortion, a felony. At the federal level it carries a prison sentence of up to three years.
Colloquially, it's called blackmail, though in federal law blackmail is only if you threaten to tell about a crime they committed.
To not commit the crime of extortion, one would need to be clear you WILL release a warning to customers so that customers can protect themselves - whether or not the company pays. The company would be paying for details of the problem, not paying to prevent information from being released. Alternatively, don't mention releasing the information at all. You don't want to give the impression that you'll release it unless you're paid, because that's extortion.
If the company comes back offering payment in exchange for an NDA, that would be an interesting legal situation. Is it extortion if the "victim" proposes it? Probably not at the federal level. At least if the communication accepting the NDA offer is kept short - "I accept your offer". You wouldn't want to restate the offer "if you pay me I won't release it", because that could be considered a threatening communication (extortion).
I haven't read the text of the law in every state. It could still violate state law if you accept an NDA in exchange for payment after you've already mentioned releasing it.
Funny thing about that. Back when the mob owned the casinos, if someone got carried away and was wiped out, the standard was to give them dinner and a flight home. Now that they're corporate owned, the standard is to have security throw them out, bodily if necessary.
If you said "I'll tell people the bridge is defective unless you pay up", that would be extortion.
Which is why I didn't say that. The bug information will get out. It's already in the hands of an independent entity. And that's the nature of information with financial value. The casino is paying for knowing earlier and before potential attackers. They didn't pay up. What do you expect to happen next?
Here's the federal statute, 18 U.S. Code § 875(d) -- ... any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to injure the property or reputation of the addressee
First, the researchers had already given the information to the casino, the casino was reneging on payment. The casino was a deadbeat who wasn't paying up. The researchers said, well we know about a bunch of other stuff and won't tell you before we release publicly since you are a deadbeat who doesn't pay their bills. And since you are a deadbeat who has exhausted their credit, we'll tell everyone else and nobody will tell you anything. That's not a threat, that's normal business practices. No pay, no play. A threat would be we'll steal all your money. Releasing publicly is the responsible behavior for security researchers. That this will open up the casino to every hacker on the planet is immaterial. And pointing that out isn't a threat. Pointing out that poking Mike Tyson in the chest while insulting his mother is likely to result in bodily harm isn't a threat. I think you are still confused as to what a threat is. The researchers have to release publicly, that's the responsible thing. If the casino doesn't pay all their security guards how long till they get robbed? Pointing that out isn't a threat. A threat is if you don't pay me, I'll rob you. Anything else is a gross twisting of the meaning of a threat.
"Those that start by burning books, will end by burning men."