
FTP Server at LSUHealth New Orleans

342 points | nwalfield | 11 years ago | samsclass.info

95 comments

[+] SeanDav|11 years ago|reply
This is a symptom of an unfortunately very common reaction to system security. Unless businesses are actively encouraging bug hunting, almost unbelievably they will act with a lot of hostility to exposure of weaknesses in their systems and will often shoot the messenger with extreme prejudice, even if they receive the information privately.

There are countless examples of people getting burned rather than rewarded or even thanked for bringing to attention some sort of flaw. My advice is do not bother. There is almost no upside for you and likely very significant downsides.

[+] nikcub|11 years ago|reply
> My advice is do not bother.

Second this motion. The number of vendors or administrators who respond well to security or privacy reports is tiny.

Some approximate data from my own emails. I've reported just over 120 security or privacy bugs over the past 4-5 years that this email address goes back (using my real name). I tag the emails, but searching "from:me vulnerability" brings them up. It is like a scoreboard of horrible vendors and site administrators.

From the most recent 100, there are around 25 with no reply at all. I know that some of those, such as government sites were followed up on the phone. Of those with a "(1)" in the thread meaning an additional message, most are me sending a reminder or trying to work out who to contact.

There are then a group of replies where they confirm receipt of the email, but then never confirm the actual contents of what I've reported. Scanning the threads, this looks like another 30 or so emails.

Then there is the group who confirm or deny the bug or parts but get into prolonged technical arguments, with around a dozen threads stretching beyond 10+ emails into arguments about if it is a bug or not.

Last group is those who get the bugs fixed and respond well. In these cases there are only a very small number where the threads are short - most involve long conversations. Some of these are still open - I just reminded myself that I have an open privacy issue with a large web company that still hasn't been fixed. That thread is 30+ emails long.

Overall more than half either didn't reply or didn't confirm the bug (silently fixed or not). There is a messy middle full of long threads and replies that are full of frustration and then only a tiny number of reports where they just get fixed with minimal effort (and you know who these companies are).

There is not a single instance of a non-software company responding well to a bug report (usually from a custom web app), and that includes some well known brands (banks, etc.). The number of good experiences I could count on one hand.

In terms of vendors, recent examples are a 20+ email thread over 3 weeks debating a vendor about severity of a group of bugs (still ongoing), two reasonably well-known vendors with no reply and a well-known vendor who only fixed after more than a month.

You can work out before reporting an issue who the good vendors are. They have a page dedicated to security with contact info, a key and a proper reporting program (preferably with a bounty). With everyone else, you are working for free, wasting your time, not making the internet any more secure and run the risk of getting into trouble - in some countries that could involve legal trouble (there have been a number of raids as a result of security reports in Australia, and the government head of privacy here said there is no such thing as a white hat report).

[+] skywhopper|11 years ago|reply
Nowhere in the original article[1] is the professor accused of hacking and certainly not of having any malicious intent. The headline of the subsequent summary in scmagazine.com[2] is where the word "hacked" came in, and to be fair to the reporters, what the professor did would be considered "hacking" in some legal interpretations of existing laws whether that's right or wrong.

To be clear, we have absolutely zero evidence that the IT staff at the hospital ever accused him of anything or claimed he did anything wrong. Apparently they didn't respond and tell him thanks, but given that they knew who it was, if the hospital thought it was a crime, surely they would have contacted the authorities.

In any case, neither article named the professor until he came forward, so I'm not sure how even the extremely mild misinterpretations of the case could be called libel, exactly.

All in all, this isn't exactly a cut-and-dried case of curious white-hat smeared by the government and media. There are plenty of those to go around. We needn't invent more.

[1] http://www.thenewsstar.com/story/news/local/2014/08/19/conwa...

[2] http://www.scmagazine.com/professor-hacks-university-health-...

[+] plitfabi|11 years ago|reply
I work as a contingent faculty member at a private liberal arts college. When searching for someone's email address recently, I discovered published on the web a list of names, email addresses, and ID numbers for all staff and faculty. I notified the responsible department through a trusted tenured faculty member. The response was "oh, that's just test data," which turned out to be false, and then "oh, it's not a big deal anyway." This was also false, for any number of reasons. Among them is the institution's use of swipe cards to control access to buildings and labs, and a ridiculously simple swipe payload (essentially just the unencrypted ID number).

They removed that information from the site and probably no one with ill intent accessed it. However, the security situation at that institution would be in better shape today if there had been an open discussion about this leak and its implications. Because I didn't feel comfortable approaching decision makers about this without risking retaliation against me, that discussion never happened.

[+] kermorvan|11 years ago|reply
Reading your post makes me wonder why bug-hunters aren't more cautious about this. Sure the sentiment is good, it is a moral obligation to expose a bug that could be harmful to users.

But if you suspect you could get burned for pointing it out, you can take steps to mitigate it. Anonymity for example. Then again if you are in it for the fame and recognition, getting burned is a risk you are taking out of vanity.

[+] droopybuns|11 years ago|reply
I see this as a symptom of something different. Security researchers have treated press coverage as a desirable commodity for a while now. Journalism has changed though, and so now we are seeing people like zdarski calling out journalists for reporting failures.

The fact is that journalists today are too busy writing linkbait headlines and getting page clicks to bother with details like accuracy or ethics. Researchers need to look at stories like this one and realize that journalists are not your friends, even if they write nice things about you or hang out with you at parties.

This journalist probably thought he was doing this guy a favor by writing about him.

[+] RexRollman|11 years ago|reply
You would think they would have been grateful for the heads-up. I guess some people would rather shift blame than accept they made a configuration or security mistake.
[+] rasur|11 years ago|reply
There should be some kind of anonymizing escrow-type service that allows people/info.sec researchers to help companies with security issues (or am I being woefully slow, and there already exists such a thing? This was just an OTTOMH/knee-jerk thought, FFTTMTFO..).
[+] _b8r0|11 years ago|reply
> My advice is do not bother. There is almost no upside for you and likely very significant downsides.

Years ago I realised that security bug reporting is a painful experience at best; from about 2006 I decided I'd stop tracking and reporting software security bugs that I find, which while not the optimal solution has made my life a lot less stressful.

[+] jnbiche|11 years ago|reply
Sam, if you're reading this, you need to find the newspapers' ombudsman. You'll probably get better results from him/her than the CEO, since their job is specifically to address these issues and in a decent organization will be given the autonomy to do so (no guarantees here!).

It's not clear to me that LSU is responsible for anything more than shitty security. It's possible that they told the newspaper lies, but it's also possible that they told them the truth and that the newspaper misreported. I think reporting them for a HIPAA retaliation may have been premature, unless you know more about this situation than you wrote on your site (as opposed to reporting a HIPAA violation, which this clearly is).

But best of luck going after the newspapers. I'm getting sick of these "journalists" making up lies about the central figures in their stories without bothering to even check with them first to get their side of the story.

EDIT: Aaand, apparently, neither publication has an ombudsman, which tells you a lot already. Not a big surprise with SCMagazine, which is some kind of trade magazine, but it's too bad that even a small-circulation newspaper like the News Star wouldn't have one.

[+] coldcode|11 years ago|reply
I spent time as a HIPAA architect so I know exposing patient information to the public is a violation and should be reported even if accidental. However reporting it and having someone actually investigate it and prosecute is unlikely. It was pretty rare that anything was ever done (been a few years), especially to a large organization. I also know that people inside companies that handle HIPAA covered information rarely care as long as they pass their audits.
[+] ck2|11 years ago|reply
This is a case of some idiot who is responsible for the server having to tell management something so they say "oh this guy hacked it".

Management tells the lawyers and PR which forwards it to the "news" who just go for the most sensationalist story possible.

Hope he wins any lawsuit and more importantly his reputation back somehow.

I'm not even sure what would have been the better course here other than to have CC'ed other people on the email.

ps. No way in heck I am going to click on them but those filenames seem to appear in google cache elsewhere.

[+] rational-future|11 years ago|reply
And that's one of the reasons if you're not a security expert and stumble upon someone's security problems, you do nothing (at least in US).
[+] UnoriginalGuy|11 years ago|reply
Let's assume that is all true; the "journalist" not contacting the professor before publishing that article seems quite unprofessional.

I mean aren't real journalists meant to check sources and get both sides of a story (or outside of America anyway)?

[+] tptacek|11 years ago|reply
Falsely accusing someone of a crime often isn't just libel, it's per se libel, meaning that there's liability even if the aggrieved party can't prove damages. Running a newspaper article that turned out to be false without even attempting to contact you might clear the negligence hurdle here.
[+] metaobject|11 years ago|reply
I like the fact that the article stated that no patient information had been accessed. How many times have you heard that line when news of a breach is made public? It makes me think that these folks would rather cover up a breach than actually take responsibility for it.
[+] fnordfnordfnord|11 years ago|reply
Yeah. Having been caught storing private information on an open ftp server disqualifies your authority to claim that you know/knew who else may have accessed the data.
[+] ninkendo|11 years ago|reply
Technically they said "no patient information was lost", which is one of those weasel phrases they can "clarify" if anyone calls them on it.

"Oh we meant it wasn't lost, as in it wasn't deleted off our servers!"

[+] Mandatum|11 years ago|reply
I can give some personal experience on this - I started bug/vuln reporting mid-last year. I've reported a bunch of web-application bugs that ranged from simple XSS and CSRF to RCE and directory traversal in a range of applications (Enterprise software is rampant with holes).

I've only encountered two non-respondents. Everyone else has thanked and patched within a month and I even gained employment from one encounter! Yet to get a reward, however I do this for a hobby, rather than money.

Although one day I hope to do this professionally! There isn't much work in New Zealand for it though.

EDIT: To clarify, my process is: report to vendor with suggested patches, follow-up 1 week later if no response, follow-up two weeks after response to see if it's patched, ask permission to use my bug report publicly. In some cases there'll be a phone call from the respondent to ask about my background and see what my intentions are. Occasionally they schedule a coffee/meeting.

[+] rdxm|11 years ago|reply
One can only hope our friends at UHC are undergoing a proper procto-scoping by the regulators at this point.

As for the reporting side of this (note I did not use the word 'Journalism'...)..this is the quality level that has become the standard in the world of junk news. One must have the sensationalism in the title to get the click...that's it. The actual quality of the content is pretty much irrelevant..

[+] lutusp|11 years ago|reply
If the linked recitation in any way corresponds to reality, and it seems to, the professor has a legitimate complaint, but he should have consulted an attorney before publishing his responses to the various parties involved. The reason I say this is because, even though he appears to be in the right and has a reason to be outraged, he could be sued for libel himself.

As one example, if he describes a named or identifiable person as a "liar" online, the subject could sue for defamation of character if it turns out that they didn't know what they said was false (which fails the definition of "lying"). That's a simple case where an extreme, emotional term places someone in a false light.

http://en.wikipedia.org/wiki/False_light

Remember, in this litigious society, no one is immune from legal actions, even those clearly wronged, as the facts seem to indicate in this case.

[+] Soyuz|11 years ago|reply
I'm not sure why people inform organizations about vulnerabilities. All they will get from informing them is a shock when they slap you in the face and call the police for the alleged hack!

It is better to sell the vulnerability in the underground forums

[+] XorNot|11 years ago|reply
No it is better to do absolutely nothing, and quietly divest yourself from them because that's not illegal.

But what we really need are some damn whistleblower protections for cybersecurity - buzz-wordy enough for government funding and command centers, but no actual help for the people who want to help because it feels like the right thing to do.

[+] cnlwsu|11 years ago|reply
Consider it an ethics thing. Willing to take the risk to protect those innocent people's data or sell a grandma's SSN to the highest bidder. I think identity theft takes a certain amount of self centeredness and lack of empathy that I could never deal with. The option to do nothing is a strong one as well. I would say it's best to report it but do it anonymously.
[+] akerl_|11 years ago|reply
Reading through this, it seemed like a pretty clear-cut case where Bowne had done things right from start to finish. And then I got to this:

"Apparently, committing libel is a common thing for them, and they are comfortable completely ignoring the protests of their victims."

I understand that he's likely under tremendous stress as a result of the allegations that LSU has made, but I'm a bit concerned that in his expression of shock and outrage he has turned to making what appear to be potentially libelous statements of his own.

I hope that his goal of having the accusations withdrawn is not hindered by this momentary slip into hyperbole.

[+] atmosx|11 years ago|reply
Hm, not really. That's just you being pedantic. When you've been a victim of someone else's incompetence you assume that he is an incompetent because the only reason you know of his existence is because of his incompetence.

Given the fact that many of us believe that the two magazines do not really care about what happened, as much as they prefer getting clicks - a view which is supported by the course of action this story took - it's not a far-fetched claim at all. Especially for a man in his position.

NOTE: They didn't take any action even when notified. The only way for them to remove the article would be a letter from a lawyer (or at least that's what I'm getting).

[+] lnanek2|11 years ago|reply
> This is a very strange way to run a news blog.

He doesn't seem to realize all that matters to the blog is getting page views...

[+] cientifico|11 years ago|reply
I think the first article is just a sponsored article by University Health Conway. By trying to convince public opinion that it was hacking, University Health Conway probably want to skip charges for negligence, revealing and distributing personal data publicly...
[+] plg|11 years ago|reply
I think the thing to be careful of here is the method(s) one uses to reveal a vulnerability.

Think of a brick-and-mortar analogy. You queue up at airport security, you go through, and you notice that their procedures are such that one COULD bring a banned item through and potentially not get spotted. You inform the appropriate authorities that you think there might be a weakness, and you say how and why.

This is probably not going to get you in trouble.

Another scenario: You go through security and make a mental note (as above) of a potential vulnerability. You (as above) report it to the appropriate authorities. Now some time in the future you are going through airport security and you wonder to yourself "I wonder if they fixed it". So you decide to test it out. You bring a banned item through. You get caught. You are in trouble but you say in response "but I was the guy who informed you of the vulnerability and I was just checking to see if it was fixed".

Good luck with that.

My feeling is that if you notice a potential (or actual) vulnerability as part of an everyday, normal use case of a website, or a web service, or network, then fine, you can report it, and you likely won't get into trouble.

On the other hand if you additionally decide to test the system in such a way that could be misconstrued as an attack, then you will probably get into trouble.

Another analogy: you walk into Macy's and on your way in you notice that the security system they are using is outdated, and you know it is vulnerable --- (made up silly example) you know that if you break in while holding a tuna sandwich, the alarm will not go off. So that night after the store is closed and locked, you break in, while holding a tuna sandwich, and you take a pair of $300 shoes. The next day you go to the store and you say "look guys, I was able to break into your store and steal these $300 shoes." You think they will thank you? or will they call the police?

[+] pitnips|11 years ago|reply
I like your first analogy. Your second analogy, on the other hand, seems to me to justify the action. I think Macy's would thank you rather than call the police, but that's just my opinion.
[+] cjschroed|11 years ago|reply
This is why I never ever "report" security vulnerabilities without first having a contract with the afflicted party. It sucks, but I am not willing to be burned as a witch just because I understand security.
[+] mariuolo|11 years ago|reply
Next time send the newspaper an anonymous tip.

The guys with the open FTP server clearly don't give 2 fucks about your privacy, but in a sue-happy atmosphere they're trying to place the blame on someone else.

[+] volume|11 years ago|reply
At a minimum the reporter could have googled Sam to find out he teaches security and the range of classes: http://samsclass.info/

... or applied some logic. Instead of contacting them directly he could have:

* broadcasted it to the world (maybe a reporter!) that the FTP server was insecure
* done/said nothing

[+] gravypod|11 years ago|reply
I have always loved Sam's work at Defcon. It is sad to see the world "turn" on a good security researcher.
[+] jigglepanda|11 years ago|reply
It's sad that institutions act this way. I also stumbled upon a rather nasty vulnerability in the website of a largish company. I left it as is, without notifying anyone, precisely because I didn't want any trouble.

If I found it by accident, I'm sure malicious actors can find it as well.

[+] chid|11 years ago|reply
If you read the article, it was already exploited.