DataBreaches also invited Sean Banayan to provide a statement for publication. He replied promptly to this site’s email: "We will further investigate this matter internally and do not wish to entertain this matter with your website."
He really missed all the lessons in manners, common sense and media training.
To be fair, security through denial, lies and intimidation is the industry standard.
Leaving the passwords in clear text is double plus ungood. But my employer recently bought another outfit that does just that, and fixing it is not a near term option. So I'm stuck managing that and three of my fingers are pointing back to me.
Technically speaking, if there's nothing to break, it is unbreakable, right? Also if you change the law about some crime, you don't have a crime anymore...
The tone of the article is unprofessional to say the least. You could remove the argumentative tone, vitriol, and insults and have a more impactful article that reflected well on the author while appropriately warning people against this company. Please, don't choose team troll.
Personally, I find the tone of the article appropriate for the response received. The first email clearly set the tone as cordial and friendly while still being urgent. The response was in a clearly adversarial tone. So the prompter adjusted their tone accordingly.
It wasn't necessary to match tones with the person who wanted to be uncharitable, but it definitely feels more human to me, which is who the writing is for: humans. I would have been fine with an info dump, but I enjoy turnabout as much as any other fan of fair play.
The author is not acting in a professional role here.
He, in his own time, discovered a pretty serious exposure of information and politely informed them. They decided to not be polite in return. He responded in the same tone as them.
There was never any professional obligation, nor any obligation for the author to inform them of their breach at all, nor was there any obligation to give them time to notify clients before publication. Those are all courtesies.
This man didn't choose team troll, he responded to team troll in kind.
Not a journalist or a reporter, posts aren't meant to be professional. The only reason I even write any of my posts is because companies DO NOT disclose incidents at all, so I have to do it for them.
I was also ready to chalk this up to "Yet another security researcher needs to learn how to play well with others..." but the moronic and indignant response from "Sean" makes it clear who's wrong here.
Imagine an alternate universe where "Sean" wasn't so aggressively stupid, and instead replied: "Thanks, JayeLTee, we took the database down while we do an audit. We don't think there was any access, and we would rather you not go public about the findings, but it will take us time to check. Please hold off on your publication until [DATE] and we will be in touch."
There. That didn't take much effort! But, no, "Sean" chose belligerence and threats rather than professionalism. I don't know what is wrong with people who just seem to default to "bad attitude" in their communications.
Concur. Tone comes off as "toxic manboy". Not sure why the author chose that tone. I would not hire them for their security services just yet, no matter how big a genius they are. Maybe once they understand the world is made of people, not rational actors.
Even in a professional setting, you are not obligated to coddle aggressive stupidity. That's how we end up in a world where nobody says what they mean, everything is just BS on top of BS, and nothing improves. Being direct, being honest, and being accurate are critically important in professional technical work, and while it's not necessary to be antagonistic, it is completely reasonable and socially acceptable to respond in kind to the energy you get. People who are aggressively stupid do not get a pass.
The author is more professional than Sean was, and conveys the correct amount of disgust we should all hold for this company and its leadership.
The point of the essay was to be disrespectful of the CEO. Slightly less disrespectful than the CEO was, so IMO he still holds onto the high ground of ethics.
Please do choose team troll. The correct response to someone being a shitter is not always to kill them with kindness. A lot of the time it is, but this time, I'm clearly on the author's side. He tried twice to be kind, was ignored and then insulted. When really he was owed a thank you, not to be disrespected.
The tone doesn't have to be professional. Not everybody owes you professional courtesy, especially when you're giving away personal information on your customers.
Step 6 happened because the CEO, in his hubris, decided it would be in his best interests to threaten someone instead of being grateful.
Additionally, had the CEO responded appropriately and followed the standard methodology of all reasonable bug bounty programs, it would have included a request for the researcher to verify the fix and that there are no additional related bugs or defects with the current patch.
You noticed that the email implies the security has been perfected. Did you also note that it would be unethical for a professional to blindly convey that false belief?
Oh dear, that really is a poor response by the CEO. Can't wait to see the grovelling apology he comes up with when NZ media/regulator comes asking questions
It looks like the CEO is both clueless and his reports are also probably misleading him. Whoever looked into the security problem probably saw the extent of it. This possibly got downplayed when reported back to the CEO. However rude, the CEO had little reason to lie about the extent of the problem towards the security researcher.
I imagine the conversation between the CEO and his reports included something about "it's no biggie, the passwords were hashed using bcrypt, that's like irreversible encryption" without contextualizing that and mentioning that plaintext auth tokens were also exposed.
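To make the point above concrete, here is an added example (mine, not code from the post, the thread, or the company involved): a toy user and session store showing why a dump holding bcrypt-hashed passwords next to plaintext session tokens is still a usable credential leak, and the fix of storing only a hash of each token. Assumptions of mine: rows live in Python dicts, hashlib.scrypt stands in for bcrypt (same role, but in the standard library), and every name below is illustrative.

```python
"""Added example: slow salted hashes for passwords do nothing for a sessions
table that stores tokens as issued. Store SHA-256(token) instead and a copy
of the table no longer logs anyone in. hashlib.scrypt stands in for bcrypt.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted hash: each dumped row costs the attacker a guessing run."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class SessionStore:
    """Session table. hash_tokens=False is the exposed design (token stored
    exactly as issued); hash_tokens=True stores only SHA-256(token)."""

    def __init__(self, hash_tokens: bool) -> None:
        self.hash_tokens = hash_tokens
        self.rows: Dict[str, str] = {}  # what lands in the database: key -> user id

    def _key(self, token: str) -> str:
        # A 256-bit random token is as strong as a key, so an unsalted fast
        # hash is enough here; the slow salted hash is for passwords only.
        return hashlib.sha256(token.encode()).hexdigest() if self.hash_tokens else token

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self.rows[self._key(token)] = user_id
        return token  # only the client ever holds this value

    def lookup(self, presented: str) -> Optional[str]:
        return self.rows.get(self._key(presented))


def hijack_with_dump(store: SessionStore) -> List[str]:
    """What someone holding a copy of the sessions table can do: replay every
    stored value as a bearer token and collect the accounts it opens."""
    hijacked = []
    for stored_value in list(store.rows):
        user_id = store.lookup(stored_value)
        if user_id is not None:
            hijacked.append(user_id)
    return hijacked


def demo() -> Dict[str, object]:
    """Constructed scenario: one user with one live session in each design."""
    users = {"alice": hash_password("correct horse battery staple")}
    leaky, hardened = SessionStore(hash_tokens=False), SessionStore(hash_tokens=True)
    leaky.issue("alice")
    hardened.issue("alice")
    return {
        "wrong_password_rejected": not verify_password("password", users["alice"]),
        "leaky_sessions_hijacked": hijack_with_dump(leaky),        # ['alice']
        "hardened_sessions_hijacked": hijack_with_dump(hardened),  # []
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole point: a bcrypt (or scrypt) column buys time against offline guessing, but a plaintext token column is a list of ready-to-use credentials, and "the passwords were hashed" says nothing about it. Hashing tokens with a fast unsalted hash is fine because the token already carries key-sized entropy; it is the low-entropy user password that needs the slow salted construction.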
CEO felt a threat to his company and responded accordingly. He is clearly green and impolite. Sending a vulnerability disclosure to someone without knowing their experience, and given the amount of spam on the web, one should not be surprised at the response. Trying to do a good thing and getting scolded for it feels terrible, though. One might understand why the researcher would put up database details for the world to see and fail to realize it is petty to do so. I hope both gentlemen learned their lesson.
New Zealander here, really thrilled to see our national medical testing service (primarily blood tests) in here. I've sent a note to them to make sure they're aware of this.
Also I feel like I took the wrong path, trying to be a serious and responsible software developer - seems like all the money is in throwing shit together and making wild claims about it.
Usually like reading such posts but the author’s approach did seem very blackmail-like.
The CEO is surely coming off as a crazy guy but the author isn’t a white knight or good Samaritan either.
The company closed the database access and the guy says “now I will disclose it or you can do X”
Would he have not disclosed it if they offered hush money? We won’t know, for his case I hope not. In any case - what was he expecting?
I’d imagine there is a 50%+ chance that any smaller company without a dedicated security team will take this disclosure as a threat and blackmail. Especially since on first, second and third thought it seems the disclosure would be a way for the author to boost their blog and content marketing for their consulting.
If there was a bug bounty or something on their site it would have been different.
> Would he have not disclosed it if they offered hush money? We won’t know, for his case I hope not. In any case - what was he expecting?
A bog-standard responsible disclosure that any tech CEO should either be familiar with or have someone at hand that is, as is clearly communicated in that e-mail.
Both e-mails are OP reaching out to help this company out, the first fixing the vulnerability, the second giving them a chance for compliance / potential regulatory aspects they might want to follow. It's not on random people reporting security vulnerabilities to tutor random companies on this and both behaviors (non-responsiveness, then hostility) of this CEO, despite being sadly common, are actively harmful if you want to get productive security reports in the future. (And the company unilaterally signing up for bug bounty programs is rather irrelevant for independent researchers as well if they have no interest in participating in those.)
I just got offered to discuss a "token of appreciation" by another company that included deleting public posts and signing NDAs. I replied saying I don't accept bribes. If that's clear enough for you.
And I didn't say "I will disclose it or you can do X". I asked follow up questions as I always do. Related to intent on notifications to regulators or clients so I can delay my report until the company does their notifications if that is their intent. I've done this multiple times for multiple companies, some I delayed the post for 3-4 months.
I was actually trying to be nice to the company by not doing a disclosure before them, up until this point this was just like every other interaction I have. I sent the information, the server got closed and no one got back to me. None of my communications warranted the reply I got back from this.
Unfortunately, there are people out there (with a seemingly large overlap with CEOs) that have incredibly fragile egos, and any perceived criticism (such as pointing out a dreadful security failure) can result in lies, excessive reactions, defensiveness, denial, insults, scapegoating or even retaliation. Or all of the above.
In situations like this, it feels to me like the reaction is “how dare you think that I would need your help?!”
Once again, one of my rules of thumb holds true: if someone is claiming that their security is "impossible to hack", they're either massively incompetent or they're trying to sell you some BS.
Even if a guy is an easily hackable asshole, usually accessing the stuff directly and downloading his database is still a crime (at least in the US). Stay safe, buddy.
If I serve a file with info I didn't intend for the world to see at example.com/secret and you access it, did you commit a crime? Clearly no.
Given that, you have no way to even know if the data which was available publicly contained any private information. This guy is doing a fine public service, and any company he helps should pay him for saving their asses.
Agree. "You're not wrong, Walter, you're just an asshole!" Best case scenario, CEO just got an annoying distraction that was a credible enough threat they had to waste time investigating. Worst case they had a breach and someone is extorting or hacking them. Some grace on the part of the researcher is warranted IMO, despite the amateur handling by the CEO. No one looks good here.
I told him everything he needed to know to fix the exposure on my initial contact on the exact same email I tell him I'm not asking for anything. I even told him some information about the exposed tables.
Backed by the fact that 1 hour after my email, the exposure was closed and the company never replied back to me, it was only after I followed up they emailed all those claims.
Again, I never asked for anything, I even offered to delay my publication so they could notify people if that was their intent, where is the blackmail here?
Blackmail is when someone says "do $thing or else". That didn't happen here, implicitly or explicitly.
If you're saying the implicit blackmail was "don't be an asshole, or else I'll be unkind when I talk about you later to others", then all of us are always blackmailing one another with every conversation.
scoot|1 year ago
Could you expand on why not? I can't think of a good reason why this isn't a relatively quick fix. What's the blocker?
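For anyone weighing the "why isn't this quick" question, here is what the fix itself looks like as code, as an added example (mine, not from the thread or anyone's employer): a one-pass migration that rewrites a cleartext password column into salted hashes, with a verify() that accepts both row formats so the cutover can happen while the app keeps serving logins. Assumptions of mine: the table is a list of dicts standing in for rows, PBKDF2-HMAC-SHA256 from the standard library is the hash (bcrypt or argon2 fill the same role), and every reader of that column is under your control.

```python
"""Added example: migrating a cleartext password column in place. The user
never has to log in for this to work; the hash is computed from the value
you already hold, so the whole table converts in one pass.
"""
import hashlib
import hmac
import os
from typing import Dict, List

ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
PREFIX = "pbkdf2_sha256$"


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def is_hashed(stored: str) -> bool:
    return stored.startswith(PREFIX)


def verify(password: str, stored: str) -> bool:
    """Handles both row formats. The cleartext branch exists only so logins
    keep working between deploy and migration; delete it afterwards."""
    if not is_hashed(stored):
        return hmac.compare_digest(password.encode(), stored.encode())
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate(users: List[Dict[str, str]]) -> int:
    """Rewrite every cleartext row in place. Idempotent; returns rows changed."""
    changed = 0
    for row in users:
        if not is_hashed(row["password"]):
            row["password"] = hash_password(row["password"])
            changed += 1
    return changed


def remaining_cleartext(users: List[Dict[str, str]]) -> int:
    return sum(1 for row in users if not is_hashed(row["password"]))


def demo() -> Dict[str, object]:
    # Constructed rows; the passwords are placeholders, not real data.
    table = [
        {"user": "ann", "password": "hunter2"},
        {"user": "bob", "password": "Tr0ub4dor&3"},
    ]
    before = remaining_cleartext(table)
    changed = migrate(table)
    return {
        "cleartext_before": before,
        "rows_rewritten": changed,
        "cleartext_after": remaining_cleartext(table),
        "ann_still_logs_in": verify("hunter2", table[0]["password"]),
        "bob_wrong_pw_rejected": not verify("hunter2", table[1]["password"]),
        "second_run_is_noop": migrate(table),
    }


if __name__ == "__main__":
    print(demo())
```

The hashing is the easy part. What usually makes this slow in practice is the assumption in the lead-in: every reader of the column has to change at the same time, and with an acquired system those readers (other services that compare the cleartext, reports, sync jobs) may not all be known or owned by the team doing the fix.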
overstay8930|1 year ago
You only get the benefit of professionalism if you act like one.
tptacek|1 year ago
1. He discovers an unprotected database.
2. He mails the CEO of the company.
3. The database is fixed.
4. He mails the CEO again to say he's publishing.
5. The CEO replies and says there was no security breach.
6. He goes spelunking in the database tables to write a rebuttal?
How does step 6 happen? What has this person exfiltrated from the database, in advance of losing access to it in step 3?
kruffalon|1 year ago
So say the dumped data contained the URL of a file and you couldn't get the URL now (due to step 3) but you can still download the actual file.
dtgm92|1 year ago
Wants to be helpful but comes across as aggressive, names and shames them, insults and ridicules them... come on, you can do better.
JayeLTee|1 year ago
Not sure if you read my 2 emails to the company but I would say I was polite to them and was met with accusations of harassment and straight up lies.
Don't expect me to pat you on the back if you come at me with such claims when I simply alerted you of a security issue.