I remember coming across a serious bug in a site that belonged to a top multi-billion company. My brother also found what was essentially an unrestricted privacy leak (and possibly editing access) in a top university (the leaked data is sensitive personal information, not academic). Neither of us reported (or exploited) what we found.
Protection from this kind of blame-shifting and misdirected retaliation should be guaranteed by law. Until it is, bugs in critical and important infrastructure will go on unreported, and remain available for malicious actors to exploit.
I'm having trouble understanding what exactly an org's thought process is when they elect to prosecute someone for reporting a security issue.
Would they also prosecute a person who told them one of their doors was left unlocked after-hours?
A normal person's reaction upon being told "You left your keys in the lock" is usually gratitude, not calling the cops.
EDIT: Is it suspicion? "Hmm...this person found an unlocked door, which means they were clearly trying all the doors. Don't like that. Who knows what else they found but didn't report." Which is understandable, but clearly counter-productive. If the person was a malicious actor, they obviously wouldn't go to the trouble of reporting in the first place.
I was more naive, but it worked out. Reported a vulnerability and how to fix it to a regional bank when applying for a student loan. They asked me to come in person to explain it and dropped a point off my interest rate.
In hindsight it was a huge risk and I was dangerously trusting.
Had a similar issue with Wolfram Alpha some years ago. I reported a dozen different XSS vulnerabilities to them and their answer was: "We forwarded this email to our legal department.".
So even technical companies can react in really silly ways.
I get where you're coming from, but I would still encourage people to report. Most companies will want to fix it and hush it up.
I have previously found a way to access very personal information in a large corporate billing system. When I contacted them I specifically used careful language: that what I'd done was unintentional, an easy mistake that could lead others to this, that I kept zero data and exited the system as soon as I realised 'my mistake', and that I was very surprised. Basically enough that 1) if it should go to court the situation would be in my favour as much as it can be, and 2) given they were a well-known public retailer, I figured this would hit social media and make an uproar about the company should they act badly.
Initially I contacted several people in IT and heard nothing. Six months later, when I noticed this was still open, I contacted the CEO. Expecting nothing or a canned 'thanks', they were thankful and I had some follow-up contact about the issue.
I won't say there is no risk, but I think it's the right thing to do and the risk seems minimal. And you can always do it anonymously.
Maybe they could use some threats instead of a proper report. Go to a public spot, open up a Tor browser, then report the vulnerability. Something like this:
"I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention."
Maybe they will panic strongly enough to actually do something about the issue.
I have read some advice in the past that one should report vulnerabilities via an officially known independent security-related group (white hat) or via a journalist. The point is to get some legal backing just in case.
Does anybody have experience with such an approach?
I understand that it's good to have cover for this sort of thing.
I think the line is pretty grey though.
One analogy is telling a company that their front door is unlocked.
Another analogy is going into an unlocked front door, and going deeper into the building, and then reporting to the company that you could, in fact, get to classified information from this door.
IRL pentesters get permission before trying to sneak into buildings, so there's some argument for it being the same for these sorts of things.
EDIT: I 100% think that users that are acting in good faith shouldn't be thrown in prison. This case is a pretty good example of this.
That's how the DMCA works. Remember the guy who gave a talk about Adobe's PDF creator which purported to produce "secure" documents (required a password) but the feature was easily bypassed.
Adobe had him arrested the day after he gave his talk.
A few years ago I also found a serious bug in a debt collection agency's web software. I ordered a phone and neglected to pay import tax and was chased by the agency. I found their website and saw that they developed their management software in-house and made it available for purchase for other agencies.
They offered a demo which I used to navigate around; in the demo was a reporting tool which essentially allowed you to send raw SQL queries to an AJAX endpoint. Something along the lines of:
http://demosoftware.com/reports/ajax.php?sql=SELECT * FROM debts
I switched out the demo software domain name for the live version and it worked: not only could I query the database, there was no authentication preventing me from hitting this endpoint.
At this point I was left with a dilemma: do I "erase" my debt, do I disclose the bug and pay the debt, or do I simply pay the debt and move on? I chose to pay the debt and move on due to fear of any recriminations. However, it has left me uneasy ever since, knowing that this company has such bad security and any debtors they are chasing for payments potentially will have all of their personal data leaked.
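Added example (not the agency's code) of what a reporting endpoint like the one above should look like from the server side: the client names a report and supplies typed parameters, the server holds the only SQL, binds the values, and checks a session before running anything. The table layout, sample rows and session tokens are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the live debts table (assumption).
SCHEMA = """
CREATE TABLE debts (id INTEGER PRIMARY KEY, debtor TEXT, amount REAL, status TEXT);
INSERT INTO debts VALUES (1, 'A. Debtor', 120.50, 'open');
INSERT INTO debts VALUES (2, 'B. Debtor', 0.00, 'paid');
INSERT INTO debts VALUES (3, 'C. Debtor', 75.00, 'open');
"""

# The complete set of queries the endpoint can run. Each entry is fixed SQL
# plus the parameters it accepts and the type each value must parse as.
# The browser picks a name from this table; it never supplies SQL text.
REPORTS = {
    "open_by_min_amount": (
        "SELECT id, debtor, amount FROM debts WHERE status = 'open' AND amount >= ? ORDER BY id",
        (("min_amount", float),),
    ),
    "count_by_status": (
        "SELECT status, COUNT(*) FROM debts GROUP BY status ORDER BY status",
        (),
    ),
}

# Constructed session store; a real deployment keeps this server-side.
SESSIONS = {"tok-agent-1": "agent"}
ROLES_ALLOWED_TO_REPORT = {"agent", "admin"}


class ReportError(Exception):
    """Raised for any request the endpoint refuses; the message is safe to log."""


def open_demo_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_report(conn, token, name, params):
    """Run one named report for an authenticated caller and return its rows."""
    if SESSIONS.get(token) not in ROLES_ALLOWED_TO_REPORT:
        raise ReportError("unauthenticated")          # the demo had no check at all
    if name not in REPORTS:
        raise ReportError("unknown report")           # no path for caller-supplied SQL
    sql, spec = REPORTS[name]
    bound = []
    for key, cast in spec:
        if key not in params:
            raise ReportError(f"missing parameter {key}")
        try:
            bound.append(cast(params[key]))           # '0; DROP TABLE debts' fails here
        except (TypeError, ValueError):
            raise ReportError(f"bad parameter {key}") from None
    return conn.execute(sql, tuple(bound)).fetchall()  # values are bound, never spliced


def report_outcome(conn, token, name, params):
    """Helper for callers that want an error string instead of an exception."""
    try:
        return "ok", run_report(conn, token, name, params)
    except ReportError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = open_demo_db()
    print(report_outcome(db, "tok-agent-1", "open_by_min_amount", {"min_amount": 100}))
    print(report_outcome(db, "", "count_by_status", {}))
    print(report_outcome(db, "tok-agent-1", "SELECT * FROM debts", {}))
```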
Such companies are usually extremely shady and unethical, I would not consider it evil at all to delete all of their recorded debts via tor or something.
I personally would have said to them "Would you like a fair trade? I've discovered a huge problem in your software that could allow anyone to remotely wipe their debt without you really knowing about it. I'll give that information in exchange for elimination of my debt. The money you'd lose from me is utterly dwarfed by the money you'd save by locking down this security issue, an issue which many bad actors would pay millions for. It makes financial sense and you'd be covering yourself security-wise. Win-win for all involved!"
In my country, the laws are draconian and totally against this kind of responsible disclosure. But being a good guy, whenever I find something I write a strongly worded email explaining why the company's IT department messed up, how to test said mess-up, and how they can hire my company to ensure these kinds of stupid things don't happen again.
I've reported several of these issues; sometimes all I get is a single reply months later saying "fixed". Mostly, nothing.
Once I found a SQL injection in a courier service's (very broken) web portal. This was very serious because any idiot could drop all the tables, so I sent an email to the most important-sounding member of their tiny, yet already bureaucratically structured team. I followed up several times because I knew someone saw my email (I embed beacons in my emails) but gave up after the sixth time. Three months later someone else replied saying "thanks Amin, we've fixed it".
On a separate occasion, a large government agency's emails routinely ended up in my spam folder. It was a huge problem, and they acknowledged it and said they couldn't figure out what was wrong. I took five minutes and found the problem to be a misconfigured server on the domain. The server sending the email thought it was `server-a.governmentdomain.com` but there were no DNS entries pointing the subdomain to the server.
I reported this problem with clear instructions to test and fix the issue, but despite the instructions I was called, multiple times, to explain the issue in my own words over the phone. This was 2 years ago; last I checked, the issue was still present.
Two takeaways, one from this and one from my other past experience.
First, when testing whether you can change a price and have a transaction go through successfully, RAISE THE PRICE. If you lower the price the affected entity may come back and say "See??? He's STEALING from us! Lock him up!" If you've overpaid for something through their web interface that complaint and issue goes completely away.
Second, if you're going to suggest that they contact you for assistance in fixing it also suggest other options. My typical handling for this is with hacked websites, so I'll basically say "Your website has problems X, Y and Z. You should work with whoever you have working on your site to resolve these. If you don't have anyone I may be able to assist you, or I recommend talking with a firm like Sucuri.net which has dealing with and preventing issues like this as their primary business. (My only link with Sucuri is having seen some of their folks do presentations at trade shows.)"
> If you've overpaid for something through their web interface that complaint and issue goes completely away.
Or it doesn't, because you have still "hacked them". Doing it in a seemingly bizarre way may only raise more suspicions; obviously you must have maliciously cheated them, since who would give them money?
Please don't put people at risk by giving such "advice".
Using Firefox too, I cannot replicate the behaviour. Could it be something from your side of things causing this? Have you tried turning it off and on again?
We've seen two[1] cases[2] of this in Denmark in the last couple of years surrounding systems that kindergartens are using. The second one is currently (still) being investigated, but the first one was rightfully concluded earlier this year with the "hacker" being acquitted.
In both cases, it was dads of children in the institution that noticed the bugs when they were rightfully using the system and were ignored when notifying the responsible party about it until they "shouted it so loudly" that they couldn't be ignored anymore, in which case they were reported to the police for hacking.
Links below are in Danish, but they can probably be translated if needed.
1: https://www.version2.dk/artikel/boernehavehackeren-frifundet...
2: https://www.version2.dk/artikel/interview-hacker-tiltalt-jeg...
"this outrageous move from the police brought about fierce reaction resulting in tens of thousands of 1-star reviews on the facebook pages of the companies involved"
In the old days, protesters used to physically go and picket in front of company offices. These days, protesters leave one-star reviews. I wonder which is more effective.
Although deeply unfair, this is not unusual, there have been many reported cases of companies shooting the messenger.
Unless the company concerned has a well documented and trusted bug bounty procedure, it can be very risky to report a bug in a system, if it involves any kind of hacking.
What happens is, once the "bug" is reported, someone inside the company asks "How did this happen?". Now the person responsible has 2 options: admit it was their fault and the vulnerability exists and risk being accused of incompetence, or say that the system was hacked.
Human nature being what it is, one tends to complain of being hacked, thus snow-balling effects, which lead to the arrest of an 18 year old just trying to help.
My advice: Don't report these types of bugs at all, or if you really feel you must, report anonymously.
Also, if such behaviour is systemic, how should we bring about the paradigm shift in handling such events? Such incidents will happen more often across the world as e-governance becomes more predominant.
> We knew that they have been working on an NFC/smart card based system for around 4 years, without any visible result despite having spent over 4 million EURs.
The public procurement process for the current system, called RIGO, was indeed in 2013, but the whole process is much, much older than that. A more-than-300-page feasibility study was published in 2011: https://www.bkk.hu/apps/docs/megvalosithatosagi_vizsgalat.pd... And a completely different system, called Elektra, was announced in 2004 with a 2006 deadline.
This whole clusterfuck with RIGO starting in less than a year was absolutely unnecessary since the 2011 study already suggested supporting contactless credit cards so once RIGO starts the only ones using this online ticket purchasing system will be those who have a credit card but not a contactless one. This is a (very) rapidly shrinking audience.
The list of bullet points of the egregious flaws in the software just gets worse and worse. It's crazy how I thought the first one or two would be the worst, but it just got worse.
It's 20 freaking 17. How can people release software with these totally elementary mistakes? Just one is bad enough, but... admin/admin?? This is easily worthy of a Daily WTF article to itself.
And this software was written by a professional contractor - pretty sure you'd get better quality from a kid fresh out of university, because on my course, it was drilled into me - NEVER TRUST THE CLIENT BROWSER!
Companies need to understand, if they want an internet presence, no matter how strong the laws are in their own country, laws don't stop a crime in progress, especially when all they need to do is send a fairly simple message to the website. Computers are dumb, they do what they're told. Giving anyone the loophole to tell them to do something you didn't intend is asking to have it exploited.
Going after the messenger will solve nothing. The guy who discovered the payment flaw could easily have kept quiet, letting others discover it, or quietly told his friends, who tell their friends, ad infinitum, and suddenly the whole country is buying valid passes for a penny, costing the company a hideous amount of money. Prosecuting the whistleblower will actually hurt their bottom line.
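The client-trust failure the two comments above describe (a price that the browser is allowed to set), as an added example that is neither BKK's nor the contractor's code: the first handler charges whatever the form post says, the second recomputes the total from a server-side price list and records any disagreement, lower or higher, so the tampering attempt itself becomes a log line. Product names and prices are constructed.

```python
from dataclasses import dataclass

# Constructed price list in HUF (assumption): the only source of truth for prices.
PRICE_LIST = {"single_ticket": 350, "monthly_pass": 9500}


class OrderError(Exception):
    """Raised for any order the server refuses; the message is safe to return."""


@dataclass
class Receipt:
    product: str
    quantity: int
    total: int
    tamper_flag: bool = False   # set when the client-sent price disagrees with ours


def checkout_trusting_client(form):
    """What the vulnerable flow effectively did: bill the price the browser sent."""
    quantity = int(form["quantity"])
    return Receipt(form["product"], quantity, int(form["price"]) * quantity)


def checkout(form, audit_log):
    """Hardened flow: the browser says what it wants, the server decides the price."""
    product = form.get("product")
    if product not in PRICE_LIST:
        raise OrderError("unknown product")
    try:
        quantity = int(form.get("quantity", "1"))
    except ValueError:
        raise OrderError("bad quantity") from None
    if not 1 <= quantity <= 10:                      # rejects 0, negatives and bulk abuse
        raise OrderError("quantity out of range")
    unit_price = PRICE_LIST[product]
    receipt = Receipt(product, quantity, unit_price * quantity)
    # A price field in the post is ignored for billing but kept for detection:
    # any mismatch means a hidden field was edited, whichever direction it went.
    if "price" in form:
        try:
            claimed = int(form["price"])
        except ValueError:
            claimed = None
        if claimed != unit_price:
            receipt.tamper_flag = True
            audit_log.append(
                f"price tamper: {product} claimed={form['price']} actual={unit_price}")
    return receipt


def order_outcome(form, audit_log):
    """Helper returning ('ok', receipt) or ('error', message) instead of raising."""
    try:
        return "ok", checkout(form, audit_log)
    except OrderError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    log = []
    tampered = {"product": "monthly_pass", "quantity": "1", "price": "50"}
    print(checkout_trusting_client(tampered))   # bills 50
    print(checkout(tampered, log))              # bills 9500 and flags the attempt
    print(log)
```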
The software industry had better start investing more in educating the general public/government officials about how web applications work, or this is only going to get worse with technologies like WebAssembly in the hands of similar companies. If anything, people need to understand that these endpoints can be accessed without a browser, and we can't be arresting people/hauling them in for questioning for sending bad data to such an endpoint. After all, what does "bad data" even mean in such a context?
Also, a question: does the EU have the legal concept of "fair use"? I would have thought that messing around with a web application would fall under fair use, given that the web application can, and probably will, be stored on a person's computer. A computer that they (also probably) personally own, I might add...
This sort of thing teaches people to exploit or ignore rather than report. Anyone who reports should be commended, even if they did real hacking (which using dev tools on a web browser is not.)
Someone's going to probe your system; you should be glad to hear about it in email rather than in the news or your accountants or from angry customers.
Someone pointed out to me the other day that just connecting to a poorly configured system is illegal in some places (Finland in his case). A form of trespass, he said. This was a ship in international waters registered in the Russian Federation, so not sure whose law applies lol. Perhaps if there were more cases where full advantage was taken of such incompetence with spectacular newsworthy results, then people would be more appreciative of the work we do and the laws changed to protect whistle-blowers and activists generally.
"if you just typed in the url (shop.bkk.hu), the site just wouldn't appear. At first I thought they've taken it offline, but it turns out that they just didn't set up the http -> https redirection. And it was left like that for days. If you just heard about it, you couldn't use it. You had to click a link (normal users won't figure out to put an https in front of the host name, even I didn't think of it)."
I'd really like to know which of these is the better solution.
It seems to me that if people go to the http address, they could be redirected to an attacker's address with a simple MITM attack. So there's an argument to be made for not using http at all, even for a legitimate redirect, because it can be so easily MITM'ed.
On the other hand, if the http address is left unused, then people who try it anyway and it fails will be confused. For this solution to work, it seems the users have to be educated to always and only use the https address.
For these reasons, the whole separate http/https scheme seems broken by design.
What's the consensus from the security community as to the right setup here? Am I missing something, or is there a better way?
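As an added example (not from the thread), the setup most operators settle on for the question above: keep port 80 answering, but only with a redirect to the same host over https, and send HSTS from the https side so browsers pin themselves to https after the first visit (the preload list closes the first-visit gap). The checker below classifies an observed http/https pair into the cases pmoriarty weighs; the host name and responses it scores are constructed.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # max-age in seconds that the HSTS preload list requires


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains, preload)."""
    if value is None:
        return None
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None            # a malformed header protects nobody
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, subdomains, preload


def assess(host, http_response, https_headers):
    """Classify the http -> https setup of one host.

    http_response: None if port 80 refused or timed out (the case in the quote),
                   else (status, headers dict) as returned by the plain-http request.
    https_headers: response headers of the https site (assumed already case-normalised).
    Returns (verdict, notes); notes are meant for a report, not for the user."""
    notes = []
    hsts = parse_hsts(https_headers.get("Strict-Transport-Security"))
    if hsts is None:
        notes.append("no HSTS: every http request, including the redirect, is interceptable")
    else:
        max_age, subdomains, preload = hsts
        if max_age < ONE_YEAR:
            notes.append(f"HSTS max-age {max_age}s is below the one year preload requires")
        if not subdomains:
            notes.append("HSTS lacks includeSubDomains")
        if preload and max_age >= ONE_YEAR and subdomains:
            notes.append("preload-eligible: once listed, even the first visit skips http")
        else:
            notes.append("first visit still starts over http; later visits are pinned to https")
    if http_response is None:
        notes.insert(0, "port 80 answers nothing: a typed hostname shows no page at all")
        return "http_closed", notes
    status, headers = http_response
    if status in (301, 302, 307, 308):
        location = headers.get("Location", "")
        target = urlsplit(location)
        if target.scheme == "https" and target.hostname == host:
            return ("redirect_with_hsts" if hsts else "redirect_no_hsts"), notes
        notes.insert(0, f"redirect leaves https://{host}: {location!r}")
        return "redirect_off_host", notes
    if 200 <= status < 300:
        notes.insert(0, "content served over plain http; nothing moves users to https")
        return "plaintext_served", notes
    notes.insert(0, f"unexpected http status {status}")
    return "http_error", notes


if __name__ == "__main__":
    # Constructed observations for a fictional host.
    print(assess("shop.example.hu", None, {}))
    print(assess("shop.example.hu", (301, {"Location": "https://shop.example.hu/"}),
                 {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}))
```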
When I was in Budapest a few weeks ago, I heard from multiple locals that the metro system was owned by some sort of mafia. I wonder if that explains the subpar security and overreaction to the bug report.
edit: a few weeks ago, not this past summer that is still occurring
I'm not aware of any actual mafia. They were almost certainly being metaphorical and must have been just bashing the local government, because what they do is really a shame. One of the lines is de facto in a life-threatening condition. Trains caught fire multiple times. Instead of being replaced, the 40-year-old cars are being refurbished/modernized. This has something to do with the EU (they gave money for this, but not for that). There was a tender, but miraculously it was the Russians who won it, despite their offer being quite a lot more expensive than that of the Estonians. And of course, as it happens with corruption, they failed to deliver a properly working version, so after a few weeks of testing, the first few trains were sent back.
About the security (or rather the extremely low quality) of the eTicket system: that was developed by a 3rd party that belongs to the Deutsche Telekom group, and that company is indeed quite a high-profile system integrator working with a lot of large companies, banks, etc. So it's a bit surprising (even if corruption is involved) that they released it in this form. Actually, I'm surprised by these bugs even for a prototype that was forcefully pushed out of the door, because you just never do these things in the first place.
warrenm|8 years ago
Seems somewhat negligent - at the very least from a Good Samaritan™ point of view
whatnotests|8 years ago
Link to a Wired article here: https://www.google.com/amp/s/www.wired.com/2001/07/russian-a...
EDIT: I have a terrible memory-- thanks to the folks who replied to my comment with corrections.
satyanash|8 years ago
- Firefox 54.0.1 (64-bit)
- Arch Linux 4.11.5-1-ARCH
andai|8 years ago
1: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...
2: https://translate.google.com/translate?hl=en&sl=da&tl=en&u=h...
abecedarius|8 years ago
s/stupid/trusting/. There's no reason to think this guy isn't bright, and he's faced enough trouble without piling on.
minusSeven|8 years ago
Wtf, I thought I was bad at my job.
ikeboy|8 years ago
Or, the managers knew full well the system was shit and they had no time to fix it, but 80k/month is 80k/month.