The organization from my previous post confronted me shortly after a misfired tweet on my part exposed who the organization was. I admit my fault there, but the head of their IT was quick to ask me to retract my article. For a few hours, it was retracted, but I was not in a submissive mood. They made the security error, they left it there for years, and I found it. I made a few changes and put it back up, as you can tell. I'm not going to let them think they can control what I post, so I'll tell you the story without their permission or editing. I'll still preserve their anonymity, but I feel they were less than understanding about the ordeal.
Think of this as my public rant about the IT department of this particular organization. Like I said, I plan to keep them anonymous to spare them the shame they are due.
Shortly after my tweet revealing the organization, I received this email:
Corey,
I am very disappointed in your recent tweets and posts on your blog related to [the website's] security. I appreciate your willingness to identify potential security issues and bring those to my attention; however, I thought we were in agreement that you would not share these vulnerabilities with anyone other than IT staff. I would request that you pull these posts immediately. I would also like to meet with you when I return to [the facility] a week from today.
[Jay]
First problem: I NEVER agreed that I wouldn't share the vulnerabilities. While trying to break the hash, thoughts like "I can't wait to blog about this" went through my head. Neither in email nor over the phone did I ever agree to keep their problem a secret. Also, his request came with no authority behind it. I was not stepping on any toes by discussing it, and without authority it doesn't matter what he's requesting. I should have turned down his request from the beginning, yet here we are. My response, although perhaps over-heated, was as follows:
It was my understanding that you did not appreciate the release of security information WHILE THE EXPLOIT ALLOWING ALL INFORMATION TO BE AVAILABLE TO ANYBODY was still a problem. Upon your solution (solved twice over with today's SharePoint release) of this MAJOR EXPLOIT, I felt that releasing this information would make no more difference than a fictional story. In my article, I made no reference to the [organization] by name. The offending tweet, which I admit related the article to the [organization] by the @reply, has since been removed.
I'm a computer scientist, and more specifically I'm studying computer security outside of class. As Mr. Bruce Schneier himself told me, if I want to make a name for myself in the cyber security world, I not only need to propose new security ideas, but I need to identify, analyze, break and report existing errors in erroneous systems. Nothing I have done has compromised the [organization]'s security without the intention of fixing it (which by all accounts has been done), and by no means has the article or tweet enabled existing [members of the site] or outside malicious users any access to a [member]'s or [admin]'s personal information entrusted to the [organization]. I'm not teaching how to hack; I'm providing an example of how to discover and repair MASSIVE security holes. Also, considering the many weeks of work I put into fixing an error that has existed for 7 or 8 years (noted by [James] of the [alternate division of IT]), I feel the least I deserve is an anonymous write-up of my research, findings, and recommendations for a security hole I found that revealed 100% of my personal information to anybody who knows what a cookie is.
The tweet is gone for good and the article will be removed from the view of non-admin visitors (of which I am the only admin visitor). Pending our talk, I expect this article to be reinstated with little to no censorship. I shall see you next week Mr. [Jay].
Corey Ogburn
I mulled it over for several days in anticipation. The only reason I could figure Jay would want it down was pride. The problem was solved; eventually all of that base code was replaced, but it had been fixed for at least three weeks before my post. When we finally met, Jay was dodgy. He tried to tell me that if I'm going to do these kinds of security services for people, I should "protect" them by not exposing their problems. I didn't tell him this, although I wish I had: I did not do this FOR the organization. I did this in spite of their incompetence with thousands of users' information. I was responding to their irresponsibility. I didn't tell them how to fix the problem because it was the right thing to do; I did it because it's research in a field I'm interested in and they were fooling around with my personal data. He never brought up the fabled agreement about not telling anybody outside of IT. He did ask that I tell him about other security issues I found. I spilled the beans about the SMTP server both relaying emails and not having any sort of authentication, but he claimed it was fixed two years ago. I mentioned a variety of other smaller security problems, such as customer-facing sites with semi-sensitive information. I would go into more detail on the other problems here, except I'd have to give away the organization's identity to do so.
He kept a very "holier than thou" attitude the entire time. He referred to the cookie as a "small problem." Every security issue I raised with him, he claimed was either fixed or not a problem. I told him I was very concerned that the guy in charge of the website who wrote the cookie bug was still working there, but Jay responded as if he had no clue why I would be concerned. I'm concerned about how they execute everything they do. Everybody who has gone to them already knows they format first and ask questions later. They are a shame to the organization and to IT services. Ok, I got that out. You may realize I didn't cover many technical bases here. Think of this post more as a public response to Jay and the meeting we had. Moral of the story? Stand your ground when it comes to receiving recognition. If you worked hard, don't let some guy's pride issues slow you down.