Moral Dilemma

luckybob83

Junior Member
OK, bear with me on this. I was hired by a customer to install a network and a sales hardware suite. Well, after installing, I found a huge security hole that probably affects over 100 other customers of the sales hardware distributor. The problem is within their software. What do I do? I told them, but they ignore me and just say, "We knew about it, but really do not care".

Do I tell all of their customers?
Do I go to the press?
Is there a law against knowingly distributing insecure software?
If there is, do I get Law Enforcement involved?
 
I would hack it, steal millions of dollars and then live life far away with hordes of beautiful women.

I would probably be in jail too, so don't listen to me.

I would keep it in writing that you found such a thing, and that they claim to know about it, and that if anything happens it's not your fault.
 
You might contact a security reporter at ZDNet / CNet.

You definitely should notify your customer in writing as well as giving them a copy of a letter you send to the vendor. Your letter to the customer should spell out the possible consequences of the bug and that you can't be held responsible for them.
 
find a solution... contact all other customers that may be affected by this problem... inform them of the situation, and charge them a one time nominal fee to get it corrected 🙂 make as much as you can 🙂


hehe j/k I agree with the ZDNet / CNet security reporter. I would also try securityfocus.com
 
There's no law against writing crappy software.

If you really want to make trouble for them, contact the editor of whatever the leading trade magazine is for their business and see if they would be interested in running a story on it.
 
There is nothing wrong with writing bad software. Look around, I'm sure 99% of you have a piece of it on your machine.

Do not go to the press. WTF are they going to do? They don't know an ethernet port from their assholes.

BUGTRAQ will help you, but realize that by releasing information on this vulnerability you will be violating at least one law in the United States. So be careful if this is a major company that has more lawyers than regular human employees.
 
You need to put your professional findings and recommendations in writing immediately, get them notarized and send em to the client via Express mail, signature required.

Protect thy contractor ass dude, nobody else will do it for you.
 
Originally posted by: n0cmonkey
There is nothing wrong with writing bad software. Look around, I'm sure 99% of you have a piece of it on your machine.

I don't think *that* many people run *nix 😉

What "hole" did you find? What constitutes, in your view, a "huge" security hole? Is it exploitable, or is it just information leakage?

A lot of companies have security holes: both physical and otherwise. Just because it's acknowledged as such doesn't mean that it's worth the cost to fix.

Keep that in mind...

[edit]the quote hosed my post... fixed[/edit]
 
Originally posted by: Descartes
Originally posted by: n0cmonkey
There is nothing wrong with writing bad software. Look around, I'm sure 99% of you have a piece of it on your machine.

I don't think *that* many people run *nix 😉

What "hole" did you find? What constitutes, in your view, a "huge" security hole? Is it exploitable, or is it just information leakage?

A lot of companies have security holes: both physical and otherwise. Just because it's acknowledged as such doesn't mean that it's worth the cost to fix.

Keep that in mind...

[edit]the quote hosed my post... fixed[/edit]

This security hole would allow easy outside access to the database which contains the client's customer credit card database. The CC numbers are stored in the account.

 
Originally posted by: Descartes
Originally posted by: n0cmonkey
There is nothing wrong with writing bad software. Look around, I'm sure 99% of you have a piece of it on your machine.

I don't think *that* many people run *nix 😉

I left that comment open enough that each person can interpret it how they want. 🙂
 
Originally posted by: luckybob83
Originally posted by: Descartes
Originally posted by: n0cmonkey
There is nothing wrong with writing bad software. Look around, I'm sure 99% of you have a piece of it on your machine.

I don't think *that* many people run *nix 😉

What "hole" did you find? What constitutes, in your view, a "huge" security hole? Is it exploitable, or is it just information leakage?

A lot of companies have security holes: both physical and otherwise. Just because it's acknowledged as such doesn't mean that it's worth the cost to fix.

Keep that in mind...

[edit]the quote hosed my post... fixed[/edit]

This security hole would allow easy outside access to the database which contains the client's customer credit card database. The CC numbers are stored in the account.

Look at the Security Focus page. They may have a way for you to give the information to them or to another security company to cover your own ass when it comes to the DMCA and releasing this information. But this is something you *definitely* should get out there (to encourage this company to fix their hole).
 
Definitely do what Geekbabe told you. COVER YOUR BUTT first and foremost!

Once you've done that, then you can worry about the customers. I would think this sort of security hole would be something that they'd be more than willing to fix. Dumbfounds me that they aren't listening. Are these the type of ppl that are lucky to know how to turn their own computers on in the morning? Or do they have someone else do that for them, too?

*shakes head*

No matter what you do, be sure to write down times/places of everything you've done. If this caves in, you've got to have all your ducks lined up in a row so that you're not the patsy that gets squeezed.

Good luck (and good job on watching out for the customers!)
 
Originally posted by: FriedToast
Definitely do what Geekbabe told you. COVER YOUR BUTT first and foremost!

Once you've done that, then you can worry about the customers. I would think this sort of security hole would be something that they'd be more than willing to fix. Dumbfounds me that they aren't listening. Are these the type of ppl that are lucky to know how to turn their own computers on in the morning? Or do they have someone else do that for them, too?

*shakes head*

No matter what you do, be sure to write down times/places of everything you've done. If this caves in, you've got to have all your ducks lined up in a row so that you're not the patsy that gets squeezed.

Good luck (and good job on watching out for the customers!)

You would be surprised at how little many companies care about security, and how much others want to make money off of basic security (it is fixed in the new version, upgrade).
 
So the basic consensus is the following:

Tell my customer, have him sign a statement of understanding that says I am not liable for anything. And then find the other customers that have this system installed and make money off of them all
 
Originally posted by: luckybob83
So the basic consensus is the following:

Tell my customer, have him sign a statement of understanding that says I am not liable for anything. And then find the other customers that have this system installed and make money off of them all

Making money off of all of these other customers is probably a bad idea legally. Even if there is nothing wrong with it technically, they could possibly get their lawyers involved, which is typically a bad idea for the little people.

I would personally hesitate informing them, they may try legal crap just because they can or because they do not understand. Look at posting the information to BUGTRAQ or a similar place. I can give you a couple of places to send the information to that will inform the community or possibly persuade the company to fix their stuff if you want the information. Mostly security companies, but any "ethical" hacker group would really do.
 