Security-Closing The Holes While Gagged?
This, wisely anonymous, Anonymous Coward asks: "I am a paid participant of a survey, and as part of my participation I am not allowed to disclose my role in the survey to anyone. This is stated in the documentation though I haven't agreed to any NDA or contract that specifically says so. As part of the survey, users install client software, which I have found to contain a rather significant security hole. I have explained the hole in detail to the company doing the survey, though they haven't responded or updated the client software. I would like to expose the fault publicly to put pressure on them to fix it, though I fear that doing such would constitute a breach of confidentiality for which I would be liable, despite the lack of an NDA."
What's the problem? (Score:1)
Get on http://www.fastmessage.co.uk/main.htm and send the hole to everyone you can think of and use a handle or something. Then if you ever try to join @Stake or something you can point to the handle and say "see? that's my work"
you're not alone (Score:1)
I had a similar issue. Whilst implementing, I found a rather interesting hole in a major credit card transaction processor's script implementation, and sent proof of the hack to them (in the form of compromised data).
They didn't reply either.
I was a bit pissed and wanted to share it with /. (but alas, big boss said no)
What is the psychology of companies that don't acknowledge people who are actually helping them avoid disaster?
e nonny mouse - eek
Re:Protect yourself first (Score:1)
Even if the survey company does nothing, as the above reply points out, a victim of the problem might sue the survey company -- and your name may show in their records as knowing about the problem. You want to put them on notice that you feel that the problem is their problem, that you believe that their contract requires you to do nothing about the problem, and as you cannot tell anyone about the problem then you are not responsible for any damages.
Also tell them that you will have to remove the software from your computer before it can be used to damage you (if the problem can cause damage to you). Not only are they responsible for damages, but you have to take reasonable precautions to avoid damage to your property.
Then file it all away in safe places and shut up. They made the problem, they don't provide tools for fixing it, so they have to deal with it.
Re:Use the Media (Score:1)
contracts-and-concious I meant, talk about proving a point
Re:Robin Hood and Friar Tuck.-Link (Score:1)
<A href=http://www.eps.mcgill.ca/jargon/html/The-Mea
Scroll down to the bottom third of the page to see it, I don't know how to set up the URL to do this automatically.
Woops (Score:1)
Here's the link again, only this time it's a link:
Robin Hood and Friar Tuck [mcgill.ca]
Re:Use the Media (Score:2)
A lot would depend on what the client is, i.e. is it already publicly released? How many testers are there? If there is a good chance that other people will have found the hole then you should be ok releasing it anonymously, otherwise . . .
And of course if it isn't already released then you can wait till it is and then report it, suspect they will learn a much more profound lesson that way.
contacts-and-concious? (and yeah I know I can't spell either :P)
One possible response... (Score:2)
IANAL but this is how I'd handle it...
First review (preferably with legal assistance) everything you have agreed to either in writing or verbally - make sure that you cover in particular the agreement where they say they will pay you for participating, that's where the biggest levers they want to use on you will be hidden :)
Now document the hole as completely as you can and notify them by registered mail, including the information that a copy of the report is in the hands of a named third party, preferably your lawyer, and also give some indication of your expectation of a response within a suitable timeframe - be specific.
If they fail to respond within that timeframe write to them again (again by registered mail so they can't deny receipt) urgently requesting a response to your previous mail and stating that if they do not respond within a given time (again be specific, and get your lawyer's advice on what timeframes are "reasonable") you will have no choice but to discuss the matter in a reputable full-disclosure forum such as Bugtraq, and that you will take their non-response as releasing you from all obligations of confidentiality whether explicit or implied.
If they respond and work on a fix, there's no need to worry. If they don't you can go public with a clear conscience.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Robin Hood and Friar Tuck. (Score:2)
This relates to a system around 25 years ago, which had a severe security problem, which the vendors refused to fix. The security hole affected the monitor process, and made it possible to patch into it, IIRC.
Some hackers, disgruntled over the laxness of security, decided to exploit the problem on one of the manufacturer's own systems. This installed two processes, called Robin Hood and Friar Tuck, which had a number of nasty payloads, such as jamming the card reader with "lace cards". The other problem was that each process watched for the presence of the other, so that on terminating a process the other would immediately restart it. The monitor being patched meant that these processes also restarted after a reboot.
Suffice to say that as soon as the manufacturer was hit themselves by a security exploit, the hole got plugged really quick.
I have also had experience of this mechanism myself. In the past I used to communicate with the manufacturers of a defunct email system using their own product. It was possible to create a message with particular properties which would confuse the server's mail process, causing it to crash. On restart the process would immediately crash. Sending a faulty message to the manufacturer got them to fix it PDQ!
Protect yourself first (Score:3)
If the security problem causes someone a real loss, the last thing you want is to be in any way liable for having known about a problem that was not fixed.
Send the company a written report by means of an independent courier who will get a receipt. In that report, say that there is another copy of the report on deposit with an independent holder who keeps a record of the date of deposit and really do that too.
Make sure that there is evidence that you made them aware of the fault. If they fail to act, and someone sues them, you will have some evidence that you acted in good faith, and that the company were negligent rather than just incompetent.
N.B. I Am Not A Lawyer so don't assume that this is good advice.
Use the Media (Score:3)
I remember a while back someone at The Register [theregister.co.uk] saying they would willingly take information of questionable (read: possibly illegal due to NDAs) content. Then, they would decide whether or not to publish it, and if any charges came, they would bear the responsibility and less than 1% of the time would it ever get back to the source. Sorry, I don't have a link, but I remember it was posted around the time of the MacNN and Photoshop [slashdot.org] controversy. Now, I don't know if Slashdot is willing to take such a stance, nor do I know, since IANAL, if NDAs can still bring legal charges against the reporting organization, even if they never signed the NDA.
The above message is probably muddled. Sorry.
Be Careful (Score:4)
A truly conscientious stand would be to refuse your pay. Are you willing to do that?
send it to me at eWEEK (Score:4)
Regards,
Tim Dyck
Technical Director, eWEEK Labs
timothy_dyck@ziffdavis.com