'Impossible-to-hack' security turns out to be no security (jltee.substack.com)
DataBreaches also invited Sean Banayan to provide a statement for publication. He replied promptly to this site’s email: "We will further investigate this matter internally and do not wish to entertain this matter with your website."
He really missed all the lessons in manners, common sense and media training.
Leaving the passwords in clear text is double plus ungood. But my employer recently bought another outfit that does just that, and fixing it is not a near term option. So I'm stuck managing that and three of my fingers are pointing back to me.
Reporter: "Hey, you dropped your wallet" Governor: "Thief!"
Could you expand on why not? I can't think of a good reason why this isn't a relatively quick fix. What's the blocker?
Imagine software that has been in production since the 80's, was written by a very inexperienced dev and has since been continually "organically" upgraded to handle any new promise that a nontechnical product manager feels is necessary to solve the immediate problem of an angry customer. It's a Jenga tower with a reset button.
> I can't think of a good reason why this isn't a quick fix.
What if there's some IoT product with no update mechanism and the access password to function is stored on all of them in plain text?
1. He discovers an unprotected database.
2. He mails the CEO of the company.
3. The database is fixed.
4. He mails the CEO again to say he's publishing.
5. The CEO replies and says there was no security breach.
6. He goes spelunking in the database tables to write a rebuttal?
How does step 6 happen? What has this person exfiltrated from the database, in advance of losing access to it in step 3?
So say the dumped data contained the URL of a file and you couldn't get the URL now (due to step 3) but you can still download the actual file.
Additionally, had the CEO responded appropriately and followed the standard methodology of all reasonable bug bounty programs, it would have included a request for the researcher to verify the fix and that there are no additional related bugs or defects with the current patch.
You noticed that the email implies the security has been perfected. Did you also note that it would be unethical for a professional to blindly convey that false belief?
Also I feel like I took the wrong path, trying to be a serious and responsible software developer - seems like all the money is in throwing shit together and making wild claims about it.
The CEO is surely coming off as a crazy guy but the author isn’t a white knight or good Samaritan either.
The company closed the database access and the guy says “now I will disclose it or you can do X”. Would he have not disclosed it if they offered hush money? We won’t know; for his case I hope not. In any case - what was he expecting?
I’d imagine there is a 50%+ chance that any smaller company without a dedicated security team will take this disclosure as a threat and blackmail. Especially since on first, second and third thought it seems the disclosure would be a way for the author to boost their blog and content marketing for their consulting.
If there was a bug bounty or something on their site it would have been different.
A bog-standard responsible disclosure that any tech CEO should either be familiar with or have someone at hand that is, as is clearly communicated in that e-mail.
Both e-mails are OP reaching out to help this company out, the first fixing the vulnerability, the second giving them a chance for compliance / potential regulatory aspects they might want to follow. It's not on random people reporting security vulnerabilities to tutor random companies on this and both behaviors (non-responsiveness, then hostility) of this CEO, despite being sadly common, are actively harmful if you want to get productive security reports in the future. (And the company unilaterally signing up for bug bounty programs is rather irrelevant for independent researchers as well if they have no interest in participating in those.)
And I didn't say "I will disclose it or you can do X". I asked follow-up questions as I always do, related to intent on notifications to regulators or clients, so I can delay my report until the company does their notifications if that is their intent. I've done this multiple times for multiple companies; for some I delayed the post for 3-4 months.
I was actually trying to be nice to the company by not doing a disclosure before them, up until this point this was just like every other interaction I have. I sent the information, the server got closed and no one got back to me. None of my communications warranted the reply I got back from this.
In situations like this, it feels to me like the reaction is “how dare you think that I would need your help?!”
If I serve a file with info I didn't intend for the world to see at example.com/secret and you access it, did you commit a crime? Clearly no.
Given that, you have no way to even know if the data which was available publicly contained any private information. This guy is doing a fine public service, and any company he helps should pay him for saving their asses.
"he concocted the fiction that he was trying to make the Internet more secure, and that all he did was walk in through an unlocked door. The jury didn’t buy it, and neither did the Court in imposing sentence upon him today."
[1]: https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-...
Wants to be helpful but comes across as aggressive, names and shames them, insults and ridicules them... come on, you can do better.
Not sure if you read my 2 emails to the company but I would say I was polite to them and was met with accusations of harassment and straight up lies.
Don't expect me to pat you on the back if you come at me with such claims when I simply alerted you of a security issue.
It wasn't necessary to match tones with the person who wanted to be uncharitable, but it definitely feels more human to me, which is who the writing is for: humans. I would have been fine with an info dump, but I enjoy turnabout as much as any other fan of fair play.
Professionalism minimizes the risk of derailing or devaluing your argument by you being rude, inappropriate, etc. and avoids aggravating your counterparty. If - as in this case - the goal is NOT Internet drama but rather an improvement in security - the best way to do that would be to remain professional.
It is a question for the author of the piece which angle they prefer - consider that keeping it cool, calm and collected is the slow way to build an audience, even if the audience it builds is more engaged.
He, in his own time, discovered a pretty serious exposure of information and politely informed them. They decided to not be polite in return. He responded in the same tone as them.
There was never any professional obligation, nor any obligation for the author to inform them of their breach at all, nor was there any obligation to give them time to notify clients before publication. Those are all courtesies.
This man didn't choose team troll, he responded to team troll in kind.
If someone who in theory is a professional (the company that left all of this in the open) responds in an unprofessional way from the start - you are done using professional tone. That tool isn't producing results. Stop using that tool.
The goal is not to model perfect manners - it is to bring attention to a breach so it can be remedied. The author understands this and has acted so to achieve this result.
A+ - And thanks for trying to keep folks like this honest!
I found the tone highly entertaining; don't let the haters wear you down
Imagine an alternate universe where "Sean" wasn't so aggressively stupid, and instead replied: "Thanks, JayeLTee, we took the database down while we do an audit. We don't think there was any access, and we would rather you not go public about the findings, but it will take us time to check. Please hold off on your publication until [DATE] and we will be in touch."
There. That didn't take much effort! But, no, "Sean" chose belligerence and threats rather than professionalism. I don't know what is wrong with people who just seem to default to "bad attitude" in their communications.
The company did reach out and said something similar. I held my publication for months waiting for a reply which they said they would send, and ended up finding out they were filing breach notifications to multiple states and never said anything back to me.
The point of the essay was to be disrespectful of the CEO. Slightly less disrespectful than the CEO was, so IMO he still holds onto the high ground of ethics.
Please do choose team troll. The correct response to someone being a shitter is not always to kill them with kindness. A lot of the time it is, but this time I'm clearly on the author's side. He tried twice to be kind, was ignored and then insulted. When really he was owed a thank you, not to be disrespected.
You only get the benefit of professionalism if you act like one.
https://missouriindependent.com/2022/02/11/prosecutor-isnt-p...
"This server contains over 3,8GB of data exposed including the logins for 16,500 of your users and a lot of PII and credentials, you need to secure access to the server as soon as possible."
After all that transpired, I believe it's possible someone downplayed the severity of this to the CEO and he took that as an opportunity to ignore everything I wrote in the emails and reply that way to me, assuming I was some cybersecurity vendor working for "Proton" trying to push something for the company to buy.
Chill. I think you are the one overescalating, here.
Professional norms exist to support people in taking responsibility for the power they have. The CEO is manifestly failing in his responsibilities.
Need I respond to that?
I couldn't act ethically because I had to make money.
Well, the author wrote:
> Teammate App CEO, Sean Banayan, who has the reading comprehension and IT knowledge of a toddler
So it wasn't very nice, but deserved imo.
I hope maybe we can agree, though, that with a few simple modifications to his approach, he is likely to reduce the probability of negative responses to the initial email. For example, he seems to already understand that people will take this email as a scam or sales attempt. But much is left to the imagination of the (uninformed) recipient about what the author truly _does_ want. By filling in those blanks, the imagination need not be active.
Someone tried to help him, he responded by making threats, and being rude. This is bully behavior. Why do you think responding to either email with a direct threat is reasonable?
> The researcher clearly has "power" in this situation over the CEO
You don't work in or around information security, do you? You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power. Without the context, if I told any of my security friends about researchers having power, I'd get a laugh about how absurd that idea is.
> he pretty much has caught him with his pants down, so in this case the CEO is lashing out at a perceived threat. You are entitled to the opinion that the researcher responded proportionately in this situation, I happen to disagree. I would not want my friends or coworkers responding this way in their daily dealings,
Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat. Because when you piss off a researcher, it's just like the cyclist and the car: we can *both* lose https://gr.ht/i/both-lose.png
> I would want to give someone a chance to make amends instead of escalating, because this is not a playground and the stakes for the CEO are very real and potentially very damaging.
yeah, couldn't agree more... maybe you should raise your expectations for the CEO who's paid not to be a POS, and actually has a duty to protect users, instead of the random trying to stop bad things happening to people he doesn't know?
> I hope maybe we can agree, though, that with a few simple modifications to his approach, he is likely to reduce the probability of negative responses to the initial email. For example, he seems to already understand that people will take this email as a scam or sales attempt. But much is left to the imagination of the (uninformed) recipient about what the author truly _does_ want. By filling in those blanks, the imagination need not be active.
It's not his responsibility to do any of that, that's the CEO's. Across all your replies, you defend the CEO like he's your brother. Hold *THEM* to the higher standard.
My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.
> You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power.
Having the entirety of their application database including customer PII, possibly the capability to encrypt the database and extort the company with it, not to mention the possibility of other potentially undisclosed vulnerabilities, decidedly IS significant power over a company. That's how bad actors are able to use any combination of these things to make money.
> Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat.
I agree whole-heartedly. As for the rest, we more or less agree, you just are putting the onus on the CEO. I also expect more out of a CEO. I just don't think that feedback is actually particularly constructive to the audience here at HN.
There is a huge issue regarding publicly exposed data that no one seems to want to acknowledge or talk about, what you see online? It's 100 times worse.
I'm someone who is trying to raise awareness through my finds, nothing else.
Also I was initially polite to the company, not once but twice, as I am to anyone I reach out to. Why wouldn't I be? I want them to fix the issues, not ignore me.
Don't expect the politeness to be infinite though, especially when you start accusing me of harassment and lying about the severity of the exposure that affects thousands of people, the ones I DO care about, not the companies.
Airing their shit out is a disclosure of a vulnerability, and it's important to do. Typically you reach out to say, "how would you prefer I do this?" And work through a common understanding. The company flipped the bird, so it got aired very publicly.
Their behavior when things don't go their way belies their initial "politeness". When the transaction didn't go how they wanted, they pulled the trigger on being a dick, publicly. That is a much worse offense than an impolite email. If this were a coworker or a contractor, it would color all of my interactions with them going forward.
brain dead take; the article was impolite, the email was an overt threat by an impotent exec *in response to someone trying to help*!
Dang it Bobby, it's not worse to respond to asshattery (the email) with irreverent sunlight (the article).
I also wouldn't call you a bicycle because you're not going anywhere with this attitude. The CEO got a gift, and the author got a middle finger. No matter what happens after, the CEO without a doubt shot first. And shot someone just trying to help. He can get fucked, and anyone defending him can join in too.
The information I had was from when the database was publicly exposed.
I don't want to be too specific about the links for the files, as I don't know if others accessed this information and could exploit it, but they had the website path to download the files exposed in the database; you just needed to know what to add to it. I tried a few things from the information I had and found out they worked.
I would have probably skipped over this, but after their response I wondered if there was more to it.
The files were not stored in the database, they were in cloud storage, but that link made it so no authentication was required to access them (not an expert, but I would say some hard-coded access keys or something similar).
That's a very common linguistic pattern.
I'm not telling you stealing bread so your family doesn't starve is unethical, I'm pointing out it's stealing.
No idea if you're the bad guy, but you're not the ~~good guy~~ hero, no.
Nah, it's clear to me that you're defending the CEO and blaming the researcher. In a manner that, as you state, is just my opinion, is the inverse of what justice would be.
But seriously, it's not possible for me to frame how the researcher could improve future probability of success without framing it from the CEO's perspective. To do that I must recognize he is a human person with his own internal motivations for his behaviors, which likely are not so much monstrous as childish.
Your attempts to put any onus on the researcher are actively harmful. No one should point fingers at the researchers trying to help. We should all point fingers at the primary person who's able to prevent bad things happening. You haven't once attempted to put any responsibility on the CEO. This is the first time. You asked in another reply if everyone else is being dense; but you're the one blaming the researcher. Did you stop to consider, if everyone disagrees with you, that maybe you're the problem?
edit:
> My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.
Yeah, and doing that was gross negligence. There's a reason you're not allowed to waive harms arising from gross negligence.
I would sleep ok too, until something bad happened and people I had a responsibility to protect got hurt. Then I wouldn't sleep so well... Turns out humans are really bad at risk calculations.
I read his email as a polite gesture, giving them a chance to request more time. I'm still confused as to what parts you're missing. Are you trying to imply something, or do you really not understand that people can lie and withhold information?
> The email was read by someone, I assume the CEO, and less than an hour after it was sent, I could not connect to the exposed server anymore.
This was after the author’s first email, and before the CEO's reply.
What tptacek was getting at is that the article is a bit unclear on when the review of DB contents occurred, since the author no longer had access. (But I think it’s just because the author reviewed the contents already before they reported the issue.)
People operating in bad faith give up or hide when they notice their position is weakening, people working in good faith respond, and acknowledge the weaknesses in their ideas. Like you are doing.