Security: Closing the Holes While Gagged?

This wisely anonymous Anonymous Coward asks: "I am a paid participant in a survey, and as part of my participation I am not allowed to disclose my role in the survey to anyone. This is stated in the documentation, though I haven't agreed to any NDA or contract that specifically says so. As part of the survey, users install client software, which I have found to contain a rather significant security hole. I have explained the hole in detail to the company doing the survey, though they haven't responded or updated the client software. I would like to expose the fault publicly to put pressure on them to fix it, though I fear that doing so would constitute a breach of confidentiality for which I would be liable, despite the lack of an NDA."
  • by Anonymous Coward
    So post it here, you Anonymous Coward, and let Slashdot take the heat...or is the problem you want credit for finding it first?

    Get on http://www.fastmessage.co.uk/main.htm and send the hole to everyone you can think of and use a handle or something. Then if you ever try to join @Stake or something you can point to the handle and say "see? that's my work"
  • by Anonymous Coward
    It seems this company is rude and will deserve what it gets - it could at least have thanked you for pointing out the problem.

    I had a similar issue. Whilst implementing, I found a rather interesting hole in a major credit card transaction processor's script implementation, and sent proof of the hack to them (in the form of compromised data).

    They didn't reply either.

    I was a bit pissed and wanted to share it with /. (but alas, big boss said no)

    What is the psychology of companies that don't acknowledge people who are actually helping them avoid disaster?

    .02

    e nonny mouse - eek

  • Sounds like an excellent idea. If they see that you are keeping records of your communication, it may alert them that you're up to something - in which case, they'll start paying attention.


  • That sounds like all you can do. You've already told the survey company about the problem. If you're the only one who told them about it, you will be their prime suspect if they see the problem described in public.

    Even if the survey company does nothing, as the above reply points out, a victim of the problem might sue the survey company -- and your name may show up in their records as knowing about the problem. You want to put them on notice that you feel that the problem is their problem, that you believe that their contract requires you to do nothing about the problem, and that as you cannot tell anyone about the problem you are not responsible for any damages.

    Also tell them that you will have to remove the software from your computer before it can be used to damage you (if the problem can cause damage to you). Not only are they responsible for damages, but you have to take reasonable precautions to avoid damage to your property.

    Then file it all away in safe places and shut up. They made the problem, they don't provide tools for fixing it, so they have to deal with it.

  • contacts-and-concious? - ho hum

    contracts-and-concious I meant, talk about proving a point

  • For those of you who are interested, here's a link to the story.

    Robin Hood and Friar Tuck: http://www.eps.mcgill.ca/jargon/html/The-Meaning-of-Hack.html

    Scroll down to the bottom third of the page to see it; I don't know how to set up the URL to do this automatically.
  • Hit the wrong button, and it turns out that the externs-appearing-as-text bug still hasn't been fixed.

    Here's the link again, only this time it's a link:
    Robin Hood and Friar Tuck [mcgill.ca]
  • This would definitely be the way to go. Almost sounds like a shrink wrap, though, doesn't it? "By not responding to this, you implicitly agree to release me from any and all obligations and agreements, explicit or implied, and also to pay me ONE MEEEELION DOLLARS!"
  • If you have never explicitly agreed to keep it secret, you don't have to. Look at everything you've signed: does telling people violate anything there? If it doesn't, you're home free.
  • There is a big problem with trying to post it anonymously though, if you already reported it to them then they have a good chance of guessing who grassed them off, and the chances are that even if you don't think you have signed any NDA or contract then they have some comeback, even if it only consists of a couple of burly blokes with stout sticks.

    A lot would depend on what the client is, i.e. is it already publicly released? How many testers are there? If there is a good chance that other people will have found the hole then you should be OK releasing it anonymously; otherwise . . .

    And of course if it isn't already released then you can wait till it is and then report it, suspect they will learn a much more profound lesson that way.

    contacts-and-concious? (and yeah I know I can't spell either :P)

  • IANAL but this is how I'd handle it...

    First review (preferably with legal assistance) everything you have agreed to, either in writing or verbally. Make sure that you cover in particular the agreement where they say they will pay you for participating; that's where the biggest levers they want to use on you will be hidden :)

    Now document the hole as completely as you can and notify them by registered mail, including the information that a copy of the report is in the hands of a named third party, preferably your lawyer, and also give some indication of your expectation of a response within a suitable timeframe - be specific.

    If they fail to respond within that timeframe, write to them again (again by registered mail so they can't deny receipt) urgently requesting a response to your previous mail and stating that if they do not respond within a given time (again be specific, and get your lawyer's advice on what timeframes are "reasonable") you will have no choice but to discuss the matter in a reputable full-disclosure forum such as Bugtraq, and that you will take their non-response as releasing you from all obligations of confidentiality, whether explicit or implied.

    If they respond and work on a fix, there's no need to worry. If they don't, you can go public with a clear conscience.

    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

  • Read the story of Robin Hood and Friar Tuck in the Jargon File. I don't have it to hand at present, so some details may be incorrect.

    This relates to a system around 25 years ago, which had a severe security problem, which the vendors refused to fix. The security hole affected the monitor process, and made it possible to patch into it, IIRC.

    Some hackers, disgruntled over the laxness of security, decided to exploit the problem on one of the manufacturer's own systems. This installed two processes, called Robin Hood and Friar Tuck, which had a number of nasty payloads, such as jamming the card reader with "lace cards". The other problem was that each process watched for the presence of the other, so that on terminating one process the other would immediately restart it. The monitor being patched meant that these processes also restarted after a reboot.

    Suffice to say that as soon as the manufacturer was hit themselves by a security exploit, the hole got plugged really quick.

    I have also had experience of this mechanism myself. In the past I used to communicate with the manufacturers of a defunct email system using their own product. It was possible to create a message with particular properties which would confuse the server's mail process, causing it to crash. On restart the process would immediately crash again. Sending a faulty message to the manufacturer got them to fix it PDQ!
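
The mutual-restart mechanism described in the post above, as an added illustration that is not code from the original post or from the Jargon File story: a small deterministic Python model of two resident processes that each relaunch the other. The process names come from the story; the `Machine` scheduler, the `WatchdogProcess` class and the tick-based turn-taking are assumptions of this example (no real processes are spawned). It shows why an operator killing them one at a time never wins, and that the pair only stays down when both are stopped before either gets another turn.

```python
"""Deterministic model of a mutual-watchdog process pair (constructed example).

Each process, on its turn, checks whether its partner is still running and
relaunches it if not. Killing the processes one at a time therefore never
works; they must be stopped together, before either gets another turn.
"""
from dataclasses import dataclass, field


@dataclass
class WatchdogProcess:
    name: str
    partner: str       # the process this one keeps alive
    alive: bool = True


@dataclass
class Machine:
    """Round-robin scheduler over resident processes (assumed model, not a real OS)."""
    procs: dict = field(default_factory=dict)
    launch_log: list = field(default_factory=list)   # every launch, incl. relaunches

    def launch(self, name: str, partner: str) -> None:
        self.procs[name] = WatchdogProcess(name, partner)
        self.launch_log.append(name)

    def kill(self, *names: str) -> None:
        # Stops all named processes at once; none of them run again in between.
        for n in names:
            self.procs[n].alive = False

    def tick(self) -> None:
        # One scheduling round: every live process checks its partner and
        # relaunches it if it has gone away. Processes launched during this
        # round only get their first turn in the next round.
        for p in list(self.procs.values()):
            if not p.alive:
                continue
            partner = self.procs.get(p.partner)
            if partner is None or not partner.alive:
                self.launch(p.partner, p.name)

    def running(self) -> set:
        return {p.name for p in self.procs.values() if p.alive}


def install_pair(m: Machine) -> None:
    """Plant the two processes so that each watches the other."""
    m.launch("robin_hood", "friar_tuck")
    m.launch("friar_tuck", "robin_hood")


def kill_one_at_a_time(m: Machine) -> set:
    """Naive cleanup: kill one, let the system run, then kill the other."""
    m.kill("robin_hood")
    m.tick()            # friar_tuck notices and relaunches robin_hood
    m.kill("friar_tuck")
    m.tick()            # the new robin_hood relaunches friar_tuck
    return m.running()  # still both of them


def kill_both_atomically(m: Machine) -> set:
    """Stop both before either gets a turn (freeze both, then kill both)."""
    m.kill("robin_hood", "friar_tuck")
    m.tick()
    return m.running()  # empty


if __name__ == "__main__":
    m = Machine()
    install_pair(m)
    print("one at a time ->", sorted(kill_one_at_a_time(m)), "launches:", m.launch_log)
    m2 = Machine()
    install_pair(m2)
    print("both at once  ->", sorted(kill_both_atomically(m2)))
```

The model also shows why the patched monitor mattered in the story: in this scheduler a fresh `Machine` starts empty, but a boot process that re-runs `install_pair` would bring the pair straight back, so the real fix is closing the hole that lets the pair be installed, not a faster kill.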

  • by Shirotae ( 44882 ) on Monday June 19, 2000 @06:48AM (#993348)

    If the security problem causes someone a real loss, the last thing you want is to be in any way liable for having known about a problem that was not fixed.

    Send the company a written report by means of an independent courier who will get a receipt. In that report, say that there is another copy of the report on deposit with an independent holder who keeps a record of the date of deposit and really do that too.

    Make sure that there is evidence that you made them aware of the fault. If they fail to act, and someone sues them, you will have some evidence that you acted in good faith, and that the company were negligent rather than just incompetent.

    N.B. I Am Not A Lawyer so don't assume that this is good advice.

  • by The-Bus ( 138060 ) on Monday June 19, 2000 @03:38AM (#993349)
    What if you alert 'the Media' (whoever that is), that there's such a security hole? If you give that information to a journalist willing to publish it, and you remain anonymous, it is up to the sites to consider whether they want to risk exposing this security hole or not.

    I remember a while back someone at The Register [theregister.co.uk] saying they would willingly take information of questionable (read: possibly illegal due to NDAs) content. Then they would decide whether or not to publish it, and if any charges came, they would bear the responsibility, and less than 1% of the time would it ever get back to the source. Sorry, I don't have a link, but I remember it was posted around the time of the MacNN and Photoshop [slashdot.org] controversy. Now, I don't know if Slashdot is willing to take such a stance, nor do I know, since IANAL, if NDAs can still bring legal charges against the reporting organization, even if they never signed the NDA.

    The above message is probably muddled. Sorry.

  • by Royster ( 16042 ) on Monday June 19, 2000 @11:31AM (#993350) Homepage
    There may be an implicit contract by virtue of the fact that you are being paid for the survey. For there to be a contract, there needs to be consideration, an agreement and an indication of acceptance. You may already have implicitly agreed to abide by whatever they have put in their documentation by your actions in filling out a survey, say. Ask yourself this: if they were to try to deny paying you, would you feel that they were obligated to based on what you've already done? If so, you are probably obligated not to disclose what you know.

    A truly conscientious stand would be to refuse your pay. Are you willing to do that?
  • by Timothy Dyck ( 16448 ) on Monday June 19, 2000 @01:09PM (#993351)
    We will publish this if we can repro it and it will affect enough people -- and we will keep your identity anonymous. You can even e-mail me anonymously if you want to go through a remailer (e.g. http://anon.xg.nu or https://www.privacyx.com).

    Regards,
    Tim Dyck
    Technical Director, eWEEK Labs
    timothy_dyck@ziffdavis.com
