Approaching Lost Clients About Security?
mgkimsal2 asks: "As a development shop, we win some bids and we lose some bids for various reasons. What we've found when following up with some prospects which we didn't win is that the development shop they went with has them on ASP/NT servers, with security holes up the wazoo (visible source code, passwords, etc) exposing these clients to massive risk. Example: I just saw a company with 500+ employee records accessible to anyone who feels like connecting to them with SQL Server Enterprise manager. Hire dates, fire dates, SSNs, the works. Should we show these companies how easy it is to get in, and try to win them over as a client? Or just walk away? I've read some heated debates about this - if you break in, even as a demonstration, you're a criminal. But how do you show people they're in danger? Alert the current webmasters? In this particular case it did no good - we were accused of being sore losers! We can't be the only people going through this sort of dilemma." The key here is approaching the company in a way that lets them know you are serious and not trying to spread lies about your competitors. If anyone here has been in this position, your thoughts would be appreciated.
Don't touch this without a lawyer (Score:5)
I can't believe /. responses have ignored this important point: There are many things that can be done, some of which are right, and some of which are legal. A few are both.
Don't touch this situation without a lawyer who knows this area of law. Most likely you will be told to keep your mouth shut, as even if you can win the lawsuits, the cost isn't worth it.
There is also a possibility that you could find a lawyer willing to do a class action lawsuit against your competitor if you can prove several customers have been left open like that. This is again dangerous ground, but you can potentially pull it off. Don't bad-mouth any competition who doesn't misconfigure things like that.
Whatever you do, make sure your lawyer is informed. Their job is to save your rear end, but they can't do that if you don't tell them what is going on.
Re:offer a free security review as a "teaser" (Score:2)
Don't take this lightly. (Score:5)
I'm assuming you live in the USA...
If you haven't already done so, burn the machines you performed the exploits from, change your name, move to another state, stop looking at slashdot, and tell no one anything. The United States is absolutely insane about computer intrusion.
If you are caught, you will be charged with computer intrusion, which carries a maximum sentence of 15 years per count. Plus you will have to pay for all of the security consultants the insulted company brought in to examine everything. They can count virtually anything as damages. If the media gets a hold of it and it, say, lowers their stock price, they will claim this as damage!! This is scary stuff. How many of you tried the IIS5 exploit on a random site? That little 'dir' you did before logging out could easily cost you 15 years of freedom and $50,000 in damages.
I have a friend sitting in jail right now (he got a 1 year sentence off of a plea bargain) for doing something like this. If the FBI hasn't knocked down your door yet, be thankful and don't say another damned thing on the subject.
Your intentions may be completely pro bono, but when dollars are concerned, that just doesn't matter.
How about consulting for the clueless developer? (Score:4)
However, you may be able to form a partnership with SCD as a security consultant. Find a way to communicate to SCD that their solution is full of security holes and that you know how to fix them. SCD is likely to be discreet about the whole thing because it looks very bad for them! If they are honest, they will want to contact the client themselves to explain the security issues. They will also want to be able to tell the client, in the same breath, that they already have a solution in the wings provided by an independent security consultant (i.e. hopefully you). So this way there is still some piece of the action for you.
If SCD instead decide to get a clue of their own and fix the problems themselves, at least the security holes are made known to the client and something is done about them (hopefully).
In the remaining possible scenario, SCD just keep quiet about the security holes. You have done the best you can; the entire moral obligation rests with SCD once they know about the holes. You should forget about the whole thing and not enter into any further communication with anyone at SCD---why get mixed up in a situation in which at least one of the parties is completely unethical? SCD, being capable of anything, is dangerous to any organization who comes in contact with them.
If they didn't want to listen before... (Score:3)
Ego, image and the ineffability of the Boss are absolute, in corporations. Challenge these at your own risk.
On the other hand, you can use these as examples (anonymized, though!) in future bids. Especially if these companies -do- have their security breached. Companies are like sheep, in that they follow the leader. But they're totally unlike lemmings, in that if one plunges off the cliff, the others will =usually= hesitate.
Re:Well, it does sound like sour grapes (Score:2)
Personally I'm just alarmed at how much FUD you are trying to blow.
You should always keep up to date with the latest security patches and make sure they are applied. Part of developing a web site solution for a client could involve ongoing maintenance to help ensure they are kept up to date.
Re:Well, it does sound like sour grapes (Score:2)
In many companies web applications are developed and deployed to an application server which is configured by the operational staff.
That is the way our environment works. As developers we do not concern ourselves with the security of the server itself, but rather with the application's architecture.
We have system administrators who follow up on patches and ensure they are applied.
pretend not to notice and market security like mad (Score:3)
How you proceed is to keep contact with all your clients (including those you lost) in a generic way. Offer them new services. Send them brochures for security audits etc... Let them know this is something you are selling to everyone.
I.e. Have a special. A demo of some security tool or other along with a discount if they are impressed and a full audit all for one low price. Do it that way and you might make more than you expect and maintain the respect of all involved.
Remember also to include the VAR you lost to in this mailing because they are a potential customer. If you really care about your lost clients not getting hurt then teaching the guy _they_ chose is not a bad idea.
--
Quidquid latine dictum sit, altum viditur.
Whatever is said in Latin sounds profound.
(in)security of non-clients is not your concern. (Score:3)
If self-preservation is an instinct you possess, you should not be probing any site that has not contracted you to do so. You are probably opening yourself and your company to liability when you do so. Most computer crime statutes criminalize "unauthorized access", where unauthorized simply means you didn't have permission from the owner to access the computer resources that you did.
Now, it may certainly be true that a company that has a published link on the front page of their website to a document X (where X is information that the company would prefer remain private) probably would see their case against an entity Y accused of accessing X without authorization dismissed almost immediately. But that doesn't mean that it hasn't cost Y anything, even though the case never went to trial.
Further, the vulnerabilities you are discussing require you to access your non-client's sites in... unconventional ways. Courts do not understand technology, but by now many judges understand that your average consumer is not going to be firing up SQL Server Enterprise manager to make authorized access to any given internet site that they have no contract or agreement with.
If you have already come forward to one of your lost clients and merely been called a sore loser, you're either lucky or have no significant assets. From a legal standpoint, you should not be making unauthorized access to any site, for any reason.
You already made unauthorized access to the site of at least one non-client, that you've mentioned. It sounds like your actions went beyond a simple portscan, which is probably ok, to retrieving database records (the hire dates, fire dates, SSNs you mention), which in court would quite possibly be actionable - at the very least, you won't get a summary dismissal.
Unless you'd *LIKE* to get sued by a lost client with a grudge, you shouldn't be probing their sites.
-Isaac
Re:Been there, done that (Score:2)
Though I have had my hands in computers for over a score of years, databases were never my focus. Thus, I must also ask the embarrassing question: What are primary keys, and why are they needed?
Schwab
Leave it alone... (Score:3)
Here is a little anecdote to let you know why I feel this way:
Federal Agency Dept of ABC runs a mostly Unix shop.
Federal Agency Dept of TUV and XYZ runs a mostly NT shop.
RDS hits and Federal Agency NOP and Federal Agency DEF (both mostly NT shops) get hit the very next day.
A young security engineer in Federal Agency ABC knows Federal Agency TUV and XYZ are both big NT shops and thinks to himself - "Geeze, I bet they are vulnerable - I'll give them a heads up." - Then thinks "Hmmm, I don't want to look like an ass, and be told 'Duh - we patched that the same day it was made public'." So young security engineer runs test code to see if default databases are accessible. They are. Young security engineer writes a paper describing the situation and how to solve the problem both agencies' public web servers suffer from and mails them off to his director and the security directors of Federal Agency TUV and XYZ.
Federal Agency TUV thanks young security engineer.
Federal Agency XYZ makes a "federal case" out of the whole thing. And attempts to get young security engineer fired.
Now. This guy didn't end up getting fired. I'm one of the many who went to bat for him when the two agencies met regarding the issue. However, he very easily could have been - were he not exceedingly bright - and had he not done everything correctly after the huge mistake he made in testing his theory.
what we found following up... (Score:2)
This is the same question as: "Should I probe people's networks and then offer to fix their security holes?" The business about lost bids is irrelevant.
You're asking whether you should let stupid people know that they are leaving their SUV parked with the keys in the ignition and the engine running and the kids sitting in the back. Well, it's probably a righteous idea to try to help them, but if you're not careful, like if it looks like you're jumping in the car and driving off, you could get into some trouble.
Think of a safe and discreet way of letting them know, and I think it would be ok. For instance, probe for some benign problem and offer to help them out with a simple security audit, telling them that "the sorts of systems they use" are quite prone to problems, etc.
Invite them for a demonstration (Score:2)
Thank them for coming and tell them they can call your reps if they ever feel the need for security.
What you could do... (Score:4)
... is pretty much what you've done: point out the insecure setup. If they don't tighten things up they'll be the sore losers... when some customers or former employees sue their sorry butts for allowing that information to be divulged. Wouldn't it be fun to be called to testify against them? ``Yes. We informed XYZ, Inc. about the flaws in their security but they just laughed at us and called us sore losers.''
Wouldn't immediately help your problem in gaining new clients but it would be helpful if you could say that you have testified in court as a security expert.
The problem with the companies you've encountered is that you have to convince these people who know only Windows as an environment. I refer to this as the ``fly in the vinegar bottle'' syndrome. They like what they know and reject anything else. It's almost as though they'd rather be out of a job than switch from their comfortable little realm.
--
Forget about it (Score:2)
Re:Happens every day (Score:2)
One thing I'd add is the reason why you review the site. Maybe a line like: when we lose contracts we review what the winner did to see where we may have weaknesses, so that in future business with the company we can better serve their needs. I.E. It is a learning process for 'our' company.
Oh, and don't spend all the effort on mentioning money; try mentioning it only once (not sure what the exact letter looks like). It may seem like you are making up these holes just to get some of their business. You can even give an example of what you think is a security hole in the letter and what the result of that being exploited could potentially be. This is not to say that you need to hack in, but that you need to show that you are not making it up and that they can check it out on their own and say 'oh my, you are right' and then call you up.
I don't want a lot, I just want it all!
Flame away, I have a hose!
Anonymous tips (Score:2)
I'm tempted to say that you really shouldn't do anything. They chose to go with the other guys, it's not really any of your problem or concern anymore.
Also, be very paranoid and careful. Do not send them "proof", as in lists of employees or any data obtained through hacks. You could quite easily be sued for anything like that, despite the fact that you're trying to be helpful.
--
Talk to them about it (Score:2)
Unfortunately, I've also seen security vendors with massive holes in their systems as well. A well known Managed Security Provider in Korea was vulnerable to at least 5 exploits on their webserver. Their website proclaimed how good they were at security, yet, even after numerous emails from anonymous hotmail accounts, they still didn't fix their own problems. It was only after a script kiddie found it and "owned" the site that they wised up, so sometimes you just can not win, but at least you can put your mind at ease, and know that you at least tried to warn them of the problems.
You can go to jail... (Score:5)
State of Oregon v. Randal Schwartz [lightlink.com]
Keep your hands clean (Score:5)
That should teach your competitors to bid against you.
-B
What to do.. (Score:3)
2) Date the documents and get them notarized by a public notary
3) Send them a copy and offer to do some work for them for a reasonable price
4) When they get broken into or h4x0r3d, send them your documents again and offer to do some work for them for a much less reasonable price.
Re:offer a free security review as a "teaser" (Score:2)
Perhaps an *honest* approach might work?
What I have in mind, is approaching the client with a line something like "I've had a quick look at the site, and think that there might be some security holes there. I'm not going to look further without your permission, but I think you should get it looked into."
Be honest, admit that you think you could have done a better job, and say that you hope you'll be considered to either fix the existing one, or any future projects.... then just let it go.
You're doing the "right thing" and you're being honest with someone who might be a client in the future.... and, believe it or not, doing the right thing *can* be its own reward.
Chicks suck.
Guys are ugly.
Pass the kleenex.
This happened to us once... (Score:4)
Our tender was rejected as "too complicated" because we designed something that would have been more secure.
The winners built the system; within a few weeks people were getting free CDs and the system was turned off.
The only good part was that the idiot who had run the tender evaluation was sacked...
Stephen
Re:Professionalism (Score:2)
It might be entertaining to include on your company web page: "Clients Who Passed Our Weekly Security Scan: <counter> Potential Clients Who Failed Our Scan: <counter>".
Unfortunately you can't do that.
For what it's worth... (Score:2)
Yeah, I know: it'd be great if you could just get them to fix their security holes. But in my opinion, you won't get that done and all you will end up with is a client who thinks you're a sore loser and a competitor who hates you. If the world were only rational...
Re:For what it's worth... (Score:2)
Get consultant fees... (Score:5)
What you should do is wait for the site to be up a while (6 months to a year), and approach them as a "security consultant." Get permission to poke around, before you do it. Get paid consulting fees to do it.
In the end, they may be impressed and switch over to you. Don't suggest yourself as the company to switch to, though. This will come off as sour grapes. Suggest that they either revamp the site, or choose a different server type altogether.
Bottom line, if you impress them with the small amount of work you do for them, they will think of you as a 'good' company, and speak of you that way. If you upset them, they will never do business with you, and you risk losing other business as well.
Re:Ask the client (Score:2)
If you do see doing other business with them in the future, then "discover" their vulnerabilities on premises, with an offer of a fix.
If you are really afraid of them having a bad reaction, fuck'em, they'll get victimized eventually. Just make sure to express doubts about the other group's security.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Emphasize early and often (Score:3)
If you don't bring up important items like security until after you lose the contract, you'll be viewed as the sore loser, not as somebody concerned for their well being.
If they still go with the competing company with the poor security, they have only themselves to blame.
Re:offer a free security review as a "teaser" (Score:2)
How much credibility would these guys give a free security review? Free == ulterior motive. If they can't figure out your motive, they won't let you in the door (especially for a security review).
--
Re:I don't understand how some of this is illegal. (Score:2)
--
Re:I don't understand how some of this is illegal. (Score:2)
--
Re:I don't understand how some of this is illegal. (Score:3)
Here are the laws of Texas [state.tx.us], Massachusetts [tufts.edu], and California [ucdavis.edu] for starters.
--
Re:I don't understand how some of this is illegal. (Score:5)
Go ahead and argue what should be legal, but don't pretend that you can't tell the difference between a website and an unintentional security hole. Tons of existing laws (like first- vs. second-degree murder) already use criteria as fuzzy as this.
--
The Free Market At Work (Score:2)
--
A whacky idea (Score:5)
What if you asked them to sign a document that certified (1) your company did not do any work on the system(s) identified and (2) they have reviewed the list of security vulnerabilities attached and agree and certify that they are not the fault of your company and (3) that your company has provided due diligence in notifying them of the gaping holes.
The idea is that you're approaching from a CYA angle instead of a "look at what those twits have done to you" angle.
Errr.. Narq them in! (Score:5)
Re:Treading on very dangerous ground (Score:2)
I agree.
The poster had better have a goddamn good answer to the following question:
"Suppose I show up, give them the demo of the exploit, impress the hell out of them, walk out the door at 5:30 with their CTO for a beer to talk about how to fix it. How am I gonna explain it to them if some skr1pt k1dd13 wanders by and hax0rz the living shit out of them tonight?"
Of course, the client might not call you back at all, in which case you'll only have to explain it to the cops.
Re:Forget about it (Score:2)
Rather, when a NEW bid is made, this is the time to show off strong by pointing out that your solution is secure, compared to ASP/NT. If they read that and still don't pick you, then *gasp* perhaps security is not that big of a concern for them.
Whining after you lost is just bad.
Re:Emphasize early and often (Score:2)
Those guys would've made that mistake with any implementation, I'm guessing. This is a blatant and gaping security hole that can be easily fixed.
You can't really know in advance that the competition is going to be that stupid. At least not the first time around.
win lose win situation (Score:2)
If security isn't your main line of work then it's sometimes better if you contact a security company and have them speak to the other company, after working out some sort of deal with the security company, for the following reasons.
If you were doing some other work for the company, then were cut off, they could think you were illegally looking for holes in their systems, or were pissed off at them, and took it upon yourself to take some form of action by auditing them (think about what the company would see in this situation) to find ways of screwing them.
Contacting a security company could benefit you in other ways because if they know of something your company does, they'd likely turn to you for passing on business to them, so you create a network for yourself. Now the security company on the other hand could present it in the following fashion to the primary place.
salesman of sec. co: "A previous vendor of yours contacted us out of concern for your company as they suspected you may have some vulnerabilities but they were unsure of this so they turned to us since we focus in security...."
As stated, if security isn't your main field of work you're better off (IMHO) going this route since it also saves face and doesn't seem like you're fetching for bones. It may also help win back "brownie points" should the company have to reconsider vendors, and they're likely to remember your actions if they went ahead and had the security company audit them and fix their holes.
my two cents...
FreeBSD spoof [antioffline.com]
Re:I don't understand how some of this is illegal. (Score:2)
Treading on very dangerous ground (Score:5)
Let them reap the consequences of choosing a lame dev shop, and perhaps next time they will choose you instead, having learned their lesson. Think long term!
--
Ounce of prevention... (Score:2)
That's true. But on the flip side, why let it get to that point in the first place? You say these people choose companies who are using ASP/NT servers, which leads me to believe you're using something different (probably unix/php, eh? this is /. after all :).
So, why don't you tell them why your solution is better?! There should *definitely* be a section in your bid that describes the technology you use and why it's better than ASP on NT. Maybe you can even include a section about how "other firms using ASP solutions will tell you how easy they are to use, but in fact these solutions are highly insecure and risky to your business, which is why WE use..." and then go into your spiel.
It's called "vaccinating" your potential client against the competitors' reasoning. Politicians use this technique all the time, when they say stuff like "my opponent is going to tell you..." Except they lie, and you'll be telling the truth :).
---
Re:I don't understand how some of this is illegal. (Score:2)
It is ok to use http over tcp-ip to hit the machine, no one has a problem with that... But suddenly it isn't ok to use sql over tcp to hit that same machine?
As much as I hate the "breaking and entering" analogy (if the digital age has brought us anything, it's the persistent and accepted use of HORRIBLE analogies), this would be like saying that it's ok to take your friend's milk out of the fridge, but *don't* touch the fruit.
It's a fuzzy line. It's undefined.
Re:I don't understand how some of this is illegal. (Score:2)
Don't get me wrong, I'm not a hacker, I'm not interested in data stored in anyone's databases, I'm just playing devil's advocate here and pointing out that there are some serious holes in the law, as well as generic DB security.
I don't understand how some of this is illegal. (Score:5)
I'm using a client to access information which is publicly available on the internet. How is it any different to use a DB client instead of an HTTP client?
You lost the bid, ... (Score:5)
I agree with the sentiments here that "You lost the bid, so just move on."
If you want to find out WHY you've lost the bid, a questionnaire is a good idea. Give them some meaningful but neutral questions, and give them a chance to respond in their own words. Assume that you will get no results, but if you DO get feedback, consider it carefully in future bids.
- With regards to security, why did you find a competing product more valuable?
- CompetitorCo's track record for security seemed stronger.
- OurCo has not demonstrated sufficient regard for security.
- Cost outweighed security concerns.
- With regards to interoperability, why did you find a competing product more valuable?
- CompetitorCo's products have a higher degree of interoperability with your other systems.
- OurCo's products have not demonstrated interoperability with established standards.
- Cost outweighed interoperability concerns.
And so on. If your questionnaire smacks of propaganda, and not of honest "how can we serve you better" fact-finding, then it will land in the recycle bin.
Do you lack all people and professional skills? (Score:3)
Send them a professional letter detailing how you're sorry that they didn't choose you but are glad to see that their business is progressing. Politely point out that they have a security flaw that's easily exploited. Tell them up front what data they have exposed and the basic steps to exploit the problem. Let them know that you felt it was important enough to tell them this even though they chose X company over you.
yadda yadda yadda... These problems are all alike: "I want to do the right thing but it's awkward because of XYZ". If you're a grown up it's something you should have learned to deal with politely and courteously. If they reject you then it's their fault, not yours. Certainly don't try to turn it into a flame.
One option that occurs to me is to report them to the Better Business Bureau or some other consumer agency. This approach should only be used when serious problems are ignored (exposing a million credit card numbers, etc). Just remember, unless you feel like it it's pretty hard to help everyone all the time.
Re:I don't understand how some of this is illegal. (Score:2)
I understand the analogy, but is it accurate? If the resource is not password protected, or uses a publicly published password, can it claim "I didn't MEAN to make that available" as a legal defense when other internet resources use the same process for publicly available info?
Re:Do you lack all people and professional skills? (Score:2)
waste of time? (Score:2)
Currently I know of problems with three UK media companies' web sites but there's no useful contact info on any of them so I've started sending the info to The Register [theregister.co.uk] and similar sites in the hope that being publicly humiliated may have some effect :-)
Post ip addresses to alt.2600? (Score:2)
Re:Treading on very dangerous ground (Score:4)
Dead right on center bull's eye.
This is a lose-lose proposition for your shop if you go anywhere near the fool that did not choose to become your client.
Most of these erstwhile would-have-been clients will think any or all of the below:
I think the best you can hope for here is to simply provide good brochures about how you're ready to do a good job, backed up with general references to all kinds of material on your web site about how careful you are to protect your clients' interests, testimonials from other clients about how rock-solid, high-performing etc. the work is that you've done for them. You can throw in examples of unnamed slapdash site builders who have exposed unnamed customers to all kinds of costs and liabilities in various ways using well known loopholes. Be sure to link to external references on those vulnerabilities, and keep your description stiff, formal and technical, giving your shop an air of authority and respectability (e.g., using tiny red gothic script on black pages to describe security vulnerabilities is not recommended).
I think that there are a lot of computer security firms that must walk this tightrope all the time, of having to balance business interests with
The moral highground is always where you want to be seen.
Re:I don't understand how some of this is illegal. (Score:2)
502 (c)(1) Access, Alter, Damage, Delete, destroy any data, computer, computer system or network.
502 (c)(2) Knowingly without permission access and copy or make use of any data.
502 (c)(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system or network.
which brings us back to the case of the web site. By this law, accessing a web site is illegal, so what is the difference? Does the fact that it's on port 80 give implicit permission to access?? The law doesn't address this. Why doesn't a db on the public internet also give this implicit permission? What other services give implicit permission (port 21 (FTP)? 6660-6670(IRC)?)
Of course, as with all U.S. laws, the letter of the law doesn't really matter: it's the decisions of the case law that define how a law is used. Even then, a judge may feel like overturning a prior decision.
Ask the client (Score:2)
Re:Been there, done that (OT) (Score:2)
If you want to look up something in your database and you have a primary key, you can just jump to the correct location in the database and find the data; if you don't use primary keys (e.g., looking for a definition in a dictionary in order to find the word) you have to examine every element individually.
Basically, primary keys are obvious to anyone who has never taken a database course, so you've probably been using them all this time anyway.
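As an added illustration, not from the original thread, of the two points raised in this reply and in the "Why do you need primary keys?" anecdote below: a primary key rejects duplicate identities at insert time, and it lets the engine look a row up directly instead of scanning the whole table. It uses Python's built-in sqlite3 in place of Access or SQL Server; the employee table, column names and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: two employees plus a duplicate emp_id entered later.
CONSTRUCTED_ROWS = [
    (1001, "A. Lovelace", "1999-03-01"),
    (1002, "B. Liskov", "2000-06-15"),
    (1001, "A. Lovelace (re-entered)", "2001-01-01"),
]

# Hypothetical table names; they are fixed constants, never user input.
TABLE_NOPK = "employees_nopk"
TABLE_PK = "employees_pk"


def create_tables(conn):
    """One table with no key at all, one with emp_id as the primary key."""
    conn.execute(f"CREATE TABLE {TABLE_NOPK} (emp_id INTEGER, name TEXT, hire_date TEXT)")
    conn.execute(f"CREATE TABLE {TABLE_PK} (emp_id INTEGER PRIMARY KEY, name TEXT, hire_date TEXT)")


def load(conn, table, rows):
    """Insert rows one at a time; return (inserted, rejected) counts."""
    inserted, rejected = 0, 0
    for row in rows:
        try:
            conn.execute(f"INSERT INTO {table} VALUES (?, ?, ?)", row)
            inserted += 1
        except sqlite3.IntegrityError:
            # Only the keyed table can raise this: the duplicate emp_id is refused.
            rejected += 1
    return inserted, rejected


def rows_for(conn, table, emp_id):
    """How many rows answer to one emp_id (should be exactly one)."""
    return conn.execute(f"SELECT COUNT(*) FROM {table} WHERE emp_id = ?", (emp_id,)).fetchone()[0]


def uses_direct_lookup(conn, table, emp_id):
    """Ask the planner: SEARCH (key lookup) versus SCAN (examine every row)."""
    plan = conn.execute(f"EXPLAIN QUERY PLAN SELECT * FROM {table} WHERE emp_id = ?", (emp_id,)).fetchall()
    # Row layout is (id, parent, notused, detail); detail starts with SEARCH or SCAN.
    return any(str(step[3]).startswith("SEARCH") for step in plan)


def demo():
    """Run both tables through the same data and summarise the difference."""
    conn = sqlite3.connect(":memory:")
    create_tables(conn)
    summary = {}
    for table in (TABLE_NOPK, TABLE_PK):
        inserted, rejected = load(conn, table, CONSTRUCTED_ROWS)
        summary[table] = {
            "inserted": inserted,
            "rejected": rejected,
            "rows_for_1001": rows_for(conn, table, 1001),
            "direct_lookup": uses_direct_lookup(conn, table, 1001),
        }
    conn.close()
    return summary


if __name__ == "__main__":
    for table, facts in demo().items():
        print(table, facts)
```

Without the key the duplicate is silently accepted, so emp_id 1001 now names two people and every lookup is a full-table scan; with the key the duplicate is refused and the planner reports a direct search.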
Re:I don't understand how some of this is illegal. (Score:5)
Take the high road... (Score:2)
Re:Give them instructions (Score:2)
The thing to do is to go in and say "look: they've only done a cursory setup of your system. It looks like it's very insecure. We've tried to warn them about it and they just blew us off. Give me half an hour of your time and I can show you just how easy it is to break into your system as it's currently set up and get an indication of how much of your data is available to the general public".
Let them know that you're not willing to do anything without their permission. Remember that it's their problem and you're essentially doing them a favour (even if you do see the possibility of getting the contract from them). Remember that they may have a contract with your competition that isn't easy to break, so you may never get the full contract from them. I've seen some really nasty colocation/hosting contracts in my time. I have no idea as to what they've signed.
If they say 'yeah go for it', then you can show them how bad things are. If they blow you off, then there's not much you can do about it. It would be one of those 'you can lead a horse to water, but you can't make it drink' things. Worst case, you can offer to be an expert witness if they get badly hacked and it ends up going to court.
At some point, you do have to put your hands in your pockets and walk away. What you consider 'due diligence' on your part is up to you. For me, I would definitely contact them and tell them that things look bad.
<rant>
I think we've all come across people who've taken an M$ MCSE and think that they know all that they need to know about setting up a good system. Your competition may be one of those. Whether or not your prospective client can be taught to discern that there's a difference between one of those and someone who understands computer systems (with or without MCSE training) is another question. People can only see what they're willing to see.
</rant>
Professionalism (Score:2)
Re:BS (Score:2)
I obviously wasn't clear - I didn't touch FileMaker Pro (I've never even run the program). I audited their Access port of their FileMaker Pro prototype.
I'm not pissed off; I realized you didn't understand what I was doing - and that's my fault for not being clear.
Been there, done that (Score:5)
After running 150% past the delivery date with no deliverable in sight we asked the client for a meeting, which was granted, wherein we offered to audit their development up to that point and assess the situation. Permission was granted and we were given access to the development code.
What we found was a sham - nothing more than a few forms (no reports), basic tables and a couple queries. All the processing logic was contained in a couple queries (maxed out the SQL zoom editor). Oh, no modules. No, this wasn't a backend/frontend separation. 18 months and not much more than pretty buttons.
The kicker was discovered looking at the table definitions: no primary keys. Unbelievable.
We asked the other company for a meeting - alone - to discuss our findings, give them time for rebuttal, etc., before we presented our findings to the client. In this meeting no facts were refuted, only one question was asked: "Why do you need primary keys?"
Then the three parties met and laid it on the line with the client. It was obvious that the other developers were in way over their heads and were going nowhere, yet slowly.
Resolution? The client stayed with the FileMaker people. Why? Too much time and money invested to change, and prestige. Yep, good old pride. The client would have to admit that he'd screwed up and he couldn't do that.
Moral: you lost the bid, forget about it. Sure, drop a note, but only out of conscience - then move on.
Be businesslike, dignified, build confidence. (Score:4)
When you're dealing with a company that you bid to and they went with somebody else, anything you say is going to be a little bit suspect to them, because as far as they're concerned you're just trying to wheedle your way into doing business with them by elbowing away your competition.
The key thing you should remember is, they're right. You are trying to wheedle your way into doing business with them by elbowing away the competition.
So, if you're going to do this, do it with dignity and class. Be honest and up-front about it, and tell them bluntly "we noticed that the company you hired used X and Y technologies and we have some concerns about those technologies. Here's a list of known problems with those technologies. We think you might have some of these bugs, and we'd like to talk to you about how we can help you fix the problems." Don't go into specifics of their implementation, let them figure that out. If they don't care to look, or to ask you for help, then they just don't care and the argument is futile.
Of course, if you're really running into this multiple times, you should consider making it part of your sales pitch. "We use technologies X and Q. We believe they're safer and more secure for your business needs. Here are some of the problems we've observed with sites implemented with the other technology, Technology N. A site one of our (unnamed) competitors recently did for the XYZ Company with Technology N seems to have these problems..."
If the client cares about the security (and stability) issues you can bring up in the sales pitch, great, this could help you make the sale. Also, by bringing concrete recommendations to the client in the sales pitch, you show them that you're serious about helping them and make them feel that you're already on their side, which is important in managing their perceptions of the working relationship. Sometimes the potential client can come away from a meeting like that feeling that you're already working for them, so when you hand them a contract to sign they feel like it's just a formality.
Again, if they don't care about this stuff when you bring it up, that's their problem, and if in the future they hire one of your competitors and you discover that the competitor did a lousy job... well, you warned them, and it just becomes another case study of what not to do.
Re:Give them instructions (Score:2)
Re:Give them instructions (Score:3)
Give them instructions (Score:4)
or you couldlearn a lesson from the FBI... (Score:2)
Re:Give them instructions - hacking banks (Score:2)
The bank considered my request for using encryption as a "threat" instead of a precaution against interception of data.
The bank said I was guilty of extortion, even though I never asked for anything from the bank except to have them make sure they were protected against the vulnerabilities I reported one year prior.
The bank is trying to squish me from talking. In order to avoid a legal hassle, I must agree not to write about what bank it was and how stupid they were not to fix their problems immediately.
I detailed to the bank how to fix ONE of their problems, but mentioned there were more. They only fixed the one issue that I reported how to fix (they may have fixed the others months later... but I didn't check... it's not my job).
The bank's CEO only cares about his bank's reputation... not about my rights to publish what I found. (That's why he has lawyers.)
Re:Give them instructions - hacking banks (Score:5)
Now, one year after the report was sent to the bank, I re-sent the report via PGP-encrypted mail and said I wanted to publish the report publicly.
They turned around and filed a report with the FBI which sparked an investigation into me (still going on).
Plus they started unleashing their lawyers on me.
Luckily I am a minor and it would look really bad for a bank to attack a kid who only wanted to exercise his first amendment rights to publish such information (none of which was illegal).
I suggest not using your approach of "showing the problem in a report." It has only caused troubles for me. Unless you have a ton of lawyers to protect you, this method isn't recommended.
Geeks Vs. Bean Counters (Score:2)
Here's the deal. Anytime an intangible value (like security) enters into a dollars-and-cents decision process, you have two sides: the geeks and the bean counters. Your people are the geeks.
Now wait---who decided that they should go with an insecure cheaper solution? Chances are the geeks bought into the process, or at least were forced to do due diligence and assent.
When you go to the company and expose the problem, who looks bad? The geeks! The geeks now have a professional investment in the bad solution.
Your best bet is to contact the technical people directly, create good will with them, and ALLOW THEM to take the issue to the bean-counters.
Re:Treading on very dangerous ground (Score:5)
Many a time my clients have come up with some Great Idea[tm]. My initial response is to agree with it, no matter how bad I know it is. Later I ask questions and present information, each of these really being another slice with the X-acto knife, until their Great Idea dies the death of a thousand cuts. I try to shy away from the "X is bad, so don't use X". Instead my focus is on affirming what I know the right solution to be. Most of the people I work for are smart enough to know that if all I can do is slam the other guy's solution it is because I don't know how good my own solutions are. So, if you've already burned all your launch fuel telling these people how bad NT is, instead of how great Linux is, take your lessons and move along.
In any case, you will just look like a poor loser if you take a proactive stance here. This contacting their "webmaster"...What is that? Don't TELL THEM HOW TO FIX IT! When and if they come back to you, THEN you pull out all the Bugtraq messages the other guys should have known about.
Re:Treading on very dangerous ground (Score:2)
Then maybe they'll want to hire a different development firm.
More than Prison/Protecting yourself (Score:5)
The bad news is quite bad though. As a felon he is legally barred from many rights full citizens (which he NO LONGER IS in the eyes of the law) have.
It is illegal for him to own a firearm [cornell.edu] ever again everywhere, (in some states, not his state of Oregon) to ever vote [hrw.org] again, and of special interest to people in the I.T. field:
It is illegal for him to work in certain technical jobs ever again. Such as working for a certification authority in at least one State [jmls.edu].
Also, a lot of people are under the impression that all felons are intrinsically untrustworthy individuals.
The above still applies even if the person's motives were pure.
P.S. Randal Schwartz would likely have not been convicted if he were in Nevada [lightlink.com]. The laws here provide for implied authorization of an employee to access an employer's systems unless there is "clear and convincing" evidence to the contrary. He still could've been fired though (Nevada is an at-will state [attorneyguide.com]).
The moral: Don't try to do any favors. If you want to break into systems as a good guy, find a way to do it LEGALLY.
Consult a lawyer for legal advice.
Be careful... (Score:4)
Consider this: what if your actions are construed as destructive or intrusive, just through some freak accident because someone's having a bad day, or there's an asshole or an idiot in the client's company or in the consulting firm that's leaving everything wide open?
Do you have the time or the money to explain yourself to some feds? Multiply some small but non-zero probability factor by several hundred thousand dollars plus whatever value you'd assign to a year in prison. That's how you should do the cost/benefit analysis.
I'm advocating a grim, "being nice gets you nowhere" sort of position, but the potential downside to the situation is horrible. There's an Assistant US Attorney somewhere itching to make a name for him or herself by prosecuting a "hacker" case. Don't put yourself in a position where you could make it onto their radar screen. The deck is stacked completely in their favor. Read a Register article about the feds' tactics [theregister.co.uk] if you want to get scared.
Watch your ass if you want to be nice.
Help on evaluating the work... (Score:2)
You may even include some examples on how to check the system. Of course, this letter should include the regular "Thank you for the opportunity", yada yada yada..
This method will not only show that your company _IS_ aware of security measures, but will also demonstrate gracefulness and genuine concern.
Re:I don't understand how some of this is illegal. (Score:2)
"I didn't break in! I walked through the guy's back door which he forgot to close."
If you come and park a tractor on my front lawn - which is not locked - is it trespass?
offer a free security review as a "teaser" (Score:5)
-bluebomber
Happens every day (Score:5)
alert the people at risk (Score:2)
What ever happened to ethics? (Score:2)
1. Pretend it doesn't exist.
2. Exploit the security hole to prove the problem.
3. Draft a reasonable letter, cosigned by your company attorney, explaining the problem.
Option 3 is the only one that makes sense. IMHO you have an ethical obligation to inform the company of their security breach. That eliminates option 1. Breaking into their system as a demonstration opens you up to potential anger/hostility from the customer. That eliminates option 2. Sending a letter, drafted by your company attorney, informs the customer of the problem. If they investigate the problem and conclude you were correct, you will win future business. If they ignore the problem and their system gets cracked, you will win future business. If they ignore the problem and never get cracked, that's just fine too. Your conscience will be clear.
"You've gotta be a spirit...Don't be no ghost."
Already in the Logs (Score:2)
Tell the customer that you regularly look at sites of lost clients to identify areas where you are losing to the competition - this is a normal business activity to improve your future performance. However, through this completely innocent investigation, you discovered information that you should not be able to see. As you are aware that this will appear in any logs, you are informing the client to firstly exclude yourself from any investigation of future events, and secondly in the hopes that they will close any gaps before something bad happens.
This is a very believable situation - if you're giving advice for free then the client will suspect other motives, but giving them information to keep yourself off the hook is quite understandable.
Re:Give them instructions (Score:3)
White papers (Score:2)
finally - [START JOKE] post the company name to a hacker newsgroup as vulnerable. do this some months after giving them the warning. Then send a reporter around to them after about a month, "I am doing a story on hackers, and I am interviewing typical companies about their internet security" [END JOKE]
I do not, and I will never condone the abuse of a personal or corporate computer system for fun and or profit, etc.
Check out the Vinny the Vampire [eplugz.com] comic strip
Re:For what it's worth... (Score:2)
Heh - I know of one company that has two computer shops - one side that has been running the business on some multidimensional DBMS since the dawn of time, and the other newer MS shop. The MS shop has several dozen people, and the old shop has a small handful.
The MS shop is terribly mad at the old small shop, because the MS shop is producing substantially less than the old shop. - Of course the old shop is run with just a handful of gurus, where the MS shop has lots of (fill in the blank)
Bottom line - sometimes it pays to know what you are doing. And when you don't, it costs you money.
Re:If you were really serious, you'ld tell competi (Score:2)
Re:Well, it does sound like sour grapes (Score:4)
Easy. Don't make it a sales pitch. (Score:2)
easy it is to break their security as opposed to ours" which is guaranteed to make you look like a bad loser (not saying that IS your approach, btw!), you may want to make it more of an advice thing.
E.g. ask them if they are aware that just by doing x, y, z (feed them detailed instructions they can use themselves to see), any malicious-minded individual could gain access to a, b, c (give them details of what it means to THEM).
Then, rather than end with, for example, "whereas our system has none of those problems" which is a blatant sales pitch, you might want to consider making it totally non-sales.
E.g. end by hinting to them that they may wish to take this matter up with their existing SP immediately so as to minimise the risk to their data, or they may wish to look around other suppliers, including yourselves, with this additional concern in mind and see how those various SPs react and how their services seem in light of these new concerns.
OK, some will still think it is just sour grapes, but at least you are phrasing it more along the lines of "OK, you went elsewhere, that's no problem. Just make sure your SP fixes blah blah blah" rather than "Ha! You went with THEM and they are crap, you should come to us." iyswim.
Hope this helps!
Re:I don't understand how some of this is illegal. (Score:2)
Although funny, it's not relevant. I think leaving a DB wide open on the internet is akin to putting some very personal information in the garbage can outside your house, rather than in a locked safe as you meant. Then one day, you put that garbage on the side of the road (which is akin to turning on the computer and hooking it up to a very unprivate internet), and someone comes along and takes it. Well, that information is no longer private and that person has broken no laws taking your garbage (there is no expectation of privacy when you put out your garbage).
Quietly leave (Score:2)
Don't say anything; just very quietly turn around and quickly away. Don't touch anything; don't even look back over your shoulder.
You already had a bid in with these folks. If something happens and things turn ugly, the only thing they will have linking you is your bid for the work.
You can be sure that the feds will be looking at logs and correlating with who's recently dealt with the company; especially those whom they perceive would think that the company dissed them. They may even question you if things really stink and they can't find the source.
Suggestion. Better get and keep an alibi for the next X days. A spouse or co-worker or friend who could say that you were playing soccer at 8 PM while the company's computers were tickled.
Just stay far away from the place. It's a trap waiting to spring shut!
Re:Obligation to those whose privacy is threatened (Score:2)
I've also had an experience along these lines. Several years back I was trying to get a web development company off the ground, and was in the running for a huge contract with a multinational wanting to share data publicly, as well as design information over a VPN. Security was obviously paramount.
It came down to two proposals in the end, and the competitor figured out who I was, and attacked my proposal by going after me: they cited lack of experience, expertise, backup, and all the rest, basing their argument on the fact that they were a large ISP and I was representing a newly-formed corporation with few employees.
So six months later rumours were going around in the hacker community that a certain company had suffered a major hacking incident - possibly NOT a leet or script kiddie, meaning industrial espionage considering the data they apparently got hold of. Guess who ...?
Quite by chance I happened to meet with an IT representative of the company while visiting a client some weeks later. Although unofficially, they admitted that they had made a bad decision, and apologised - for what it was worth. Of course, they also made it clear that politically they couldn't change their minds.
This is unfortunately the mindset of many companies - live with a mistake and cover it up, rather than admit to a mistake and correct it. Heck - even MS is taking the latter route (bye Clippy!).
Once you've lost a contract, don't consider going after it anymore. If they come back to you, that's fine - but even that can lead to rumours flying from competitors, which is a Bad Idea (TM). My that's just my 2c worth...
Just let it go. (Score:2)
Aim for the future clients (Score:2)
The thing to do is prepare an informative document during the bid process explaining the importance of security and what measures your company takes to ensure it. By phrasing your presentation in the form of "whatever vendor you choose..." and recommending outside audits, attention to common security holes, good basic procedures, etc., you educate your customer. Even if they don't go with you, you've given them some things to think about, and you're being constructive and helpful. If they get hacked later at some other place, they may remember you and come back.
Wow...that's tough. (Score:2)
All in all you're probably best off to just shake hands and part ways with the customer. Keep in contact on a regular basis to see if they might be interested in your services (or switching to your services), but come to terms with the fact that they're someone else's customer.
If you have a strong business relationship with this company, you might vary your approach. You might take the CIO or whoever is in charge of this deal aside and tell them "as a friend" that there is potentially a problem, but even that's iffy. If you were going to say anything to begin with you would have been better off pointing out how important security is in the stage where you were pitching the product to the company. After you've lost the sale it's too late to worry about it. Even then it can be a double-edged sword though. Badmouthing your competitors, even if it is true, is still going to look like mudslinging. A prospective client should be doing some research on people bidding for the work before they make a decision. If they aren't, then they're just asking for trouble down the road. More than likely they wouldn't end up being that good of a customer anyway if they aren't willing to do due diligence.
Just use your head. The last thing that you want is for them to go with your competitor's services and then you end up constantly giving them free security consulting.
Re:Don't tell them what's vulnerable (Score:2)
Actually, they'd have to prove in court that you did it. Remember, innocent till proven guilty. Of course, by the time it gets that far you've already suffered a pretty substantial hit to your professional reputation to begin with...
Re:Don't tell them what's vulnerable (Score:2)
Yes, and hacking is a criminal offense.
Let us help. (Score:5)
Please allow us to help; we are only in it for the greater security of everyone. Because last year my personal information got stolen from Burger King, where I work. It wasn't a computer problem, but my manager, José Esposito, left the filing cabinet open because he got grease stuck in the closing mechanism. It was so embarrassing having my personal information (including details of my police record and photos of my sister) in the hands of whoever took it. I'm still shaken by the thoughts. Luckily America Online is there to help.
And we want to also help, so please come to our chat room today.
Obligation to those whose privacy is threatened? (Score:5)
However, if there is a hack, it's not just the decision-makers who will feel the pain. You said a hacker has access to employee names, SSNs, fire dates...and most of these belong to people who had nothing to do with choosing or implementing this bad system. OK, probably the hack will come from some kid with no malicious plans for the compromised data...but what if this personal information led to identity theft? What if information about a firing were leaked to a potential employer?
Forget the contract -- you lost it. But you have information about a serious potential threat to several hundred people. Isn't there some ethical obligation to the innocent employees whose privacy is on the line here?
Dissing the "Great Idea" (tm) (Score:5)
There is one big advantage to the humble approach that coolgeek didn't mention.
Not only is the humble approach, where you merely ask questions, potentially more tactful for the other party, it really pays off when it turns out that you are the one who is mistaken. If your questions help them discover flaws in the "great idea" you can both think of yourselves as smart members of a team. If it turns out that the confidence you felt that their idea is all wrong is misplaced and your response was tactful questioning, you don't look like an idiot. They may appreciate the opportunity to show off how smart they were to have thought it all through. They may think of you as a brain, almost as smart as them, to have found the same question to which they figured out an answer.
And hey, you ended up learning something useful.
Being mistaken when you have shot off your big mouth, and acted like a know-it-all (been there, done that) is a lot more embarrassing than merely asking questions.
Use the information to gain future customers (Score:3)
The solution? Emphasize security in all of your future bids. Provide some sort of security guarantee, something that your competitors can't or won't do. You might even go so far as to list known vulnerabilities of competitors' systems (without going into too much detail). Make sure the customer knows exactly why your services cost more than everyone else's. In other words, position yourself as the Ferrari vs. the Pinto with a "you get what you pay for" attitude. Sure, you'll lose bids to cheap customers but are those the customers you want to keep? Would you like to be known as the Wal-Mart of your profession?
You may also consider sending a "Thank you for allowing us to bid" type of a notice to the lost client, along with a brochure that positions itself as "looking out for your (the client's) best interests." Fill it with difficult questions the client should ask of his new provider. Hand the same brochure out to future prospective clients. Eventually, smart clients will see the light. As for those who do not - just let them go.