
Thank you for posting this. As a community of entrepreneurs and hackers it helps all of us know what happens behind the scenes. Some people may view it as airing their dirty laundry but I see it as a way to keep people honest.

The fact that you dropped the production database sucks. However you stayed around and fixed it. I can't really say anything more. My bet is we all handle lots of sensitive data around here. Our worst nightmare is to drop that data by accident. Stuff happens...fix it and move on.

I understand we are a litigious society but if your knee-jerk reaction is to bring in lawyers something is wrong. My hope is this post will make it around to Somrat and Tim (I've never met either of them) and you two will resolve it amicably. Maybe I am delusional but good character still counts for something.




I am definitely not the person to be giving you feedback on this, I'm not a lawyer or anything myself. Just consider me a pair of outside eyes looking in that loves when hackers tackle problems in other industries.

If a neighbour comes by to let me know that I left the garage open, I close the door and thank them profusely.

Why does someone at this organization think that filing a police report is the appropriate action? It fairly well guarantees that no one else will let them know the door is open in the future, and it highlights to adversaries that there is a good chance this is an easy company to find a weakness in.

As an aside, I see this as a side effect of increasing layers of abstraction between law/society and technology. A tech manager goes to legal to let them know that a former employee has just let them know that there was a security breach. Without understanding git, GitHub, responsible disclosure or programming, all the lawyer hears is that a former employee has written to tell us that he has found copies of sensitive information and has encrypted them on his hard drive.

If you are the legal representative for a technology company, at what point do you have a responsibility to understand the technology?


It's sad that everyone is being so harsh to you just because you decided to post about a vulnerability that who knows thousands of other people are quietly exploiting for their own benefit. If anything I am happy that instead of trying to misuse it or keeping it a secret you made it public knowledge so that there can be something done about it.

Yes you could have handled it more appropriately and you probably will in the future too. I just don't understand the harsh attitude and all this legal nonsense and insults being hurled at you for no big reason.


Responsible disclosure to the vendor is one thing. Taking the fruits of your exploits and publishing it for glory and a "I leaked all that information because you wouldn't fix it" attitude is quite another.

I would hope that if you discovered a vulnerability in one of my web applications you would contact me first and allow it to be resolved. Might even be lucrative for you.

If you used that vulnerability to steal my database and publish it to the public domain -- when it has no place in the public domain -- I would expect the DoJ to hunt you down.

I never said anything about not being friendly. But if you are playing with people's identities, their lives, this is not friendly at all.


I'm pretty torn.

On the one side, this was a realllly stupid mistake that should have been caught earlier, not by some external party who was kind enough to report it to them. I feel like the stakes should be raised a bit for companies who are keeping my data.

On the other side, fear of lawsuits leads toward less disclosure and meaningless PR announcements.


I would like to highlight the parent post's comment about attempting to contact the people whose work you are exposing vulnerabilities in.

I have to say that if this is "showing your work" then the most important thing you've shown is poor judgement in publishing their secrets in a submission to a very popular website. The fact that they have followed such shockingly bad security practices themselves is absolutely no excuse.

The work I wish we saw was the valiant effort you made to contact the company and help them see their mistakes. That is an area where we can all use more good examples, even if only to show how difficult it is to get something so obviously problematic taken seriously.

I'm certain you mean no ill will, but the lack of consideration here is concerning.


Wait, what?

A security researcher listed data they'd stolen through a security exploit on the dark web so they could bring it to your attention?

Am I the only one thinking this seems incredibly questionable on an ethical level?

What would he have done if you hadn't seen the data was for sale? Sold it to blackhats to exploit? Or spammers to take advantage of?

That seems like the 'researcher' was being a real sleazebag here. Forget ethical disclosure, this person is clearly going to be sued at one point or another with those sorts of practices.

Either way, sorry you went through this. Hope you learnt how to improve your security for the future after this debacle too.


What if the maintainer IS the hacker? Where's the evidence they're two different people? I don't think these things are true but calling into question motivations and asking more questions isn't slander (plus it's written which would make it libel, but it's not that either). We are all affected by this, so these are valid concerns.

Unfortunately, that cyclone may not be as easy to get past. Yes, people won't forever care about phpfog. However, if phpFog (which was at least PARTIALLY at fault here) presses charges, that's a criminal record and will come up on every background check for the rest of his life. This affects job opportunities, visa opportunities, loans (not to mention lawyer debt from fighting it), hell, even insurance prices.

What the kids did was bad, but I think pressing charges and seriously hindering two smart sixteen year-olds is a knee-jerk, over-zealous application of law and retaliation/punishment. Especially (I know I'm going to draw a lot of heat for this) when they found THEIR irresponsible storage of sensitive data.

I am a dev. I have also worked in the computer security field for a reputable firm. What phpfog did was irresponsible (actually, stupid!) and it was relatively easily avoidable. I know this because I (along with pretty much every dev) have used the exact stopgaps and quick-fixes that phpFog did. BUT (big lesson) cleaning up after yourself is as much a part of programming as putting those quick-fixes in place. Unfortunately, it's not the "fun" part and it's not the most obvious money maker.

Like they (pretty much) said, phpFog put off the fixes because they wanted to deliver quickly. That's THEIR decision and THEIR risk/reward assessment. I've made the same assessments in my work. They should suck it up and learn the lesson. Not hurt little kids. They're lucky it was found by these kids and not someone that knows how to conceal their identities and/or wants to do more serious damage (for example, hurting a phpFog client).

If I knew some dev at my hosting company was keeping system passwords on a web server, they wouldn't be my hosting company. What about the trust/confidence of the clients that phpFog was knowingly betraying?

Edit: Yes, there is a proper way to disclose information. They're kids. I'm surprised they handled it as well as they did to be honest. I was a much dumber 16 year old.


Blame for a leak isn't the problem if a leak never happened, since the goal is to _prevent_ a leak through disclosure. Your snark makes it clear that you have little to no interest in trying to see the issue from the side of the person disclosing the issue, who at the end of the day is just trying to prevent lives from being ruined through simple negligence. Yes, people obsessed with bug bounties is a thing, but in contrast to the risk of ignoring a legitimate disclosure email, who cares?

The issue here isn't that someone would be blamed for a data leak - not even a bit. The issue is that there's a good chance that panicked management won't consider the disclosure as helpful, but instead as a genuine attack on their infrastructure and will get non-technical lawyers involved. Tons and tons of people have been sued for doing this.

Giving as little information as possible is _necessary_ to reduce the risk of being sued. That you, and people like you, think that little information is a waste of time is just sad, man. Think about it from the shoes of those who try to disclose, and the lives of people whose information is in the systems that you maintain. Get off your lazy high horse, spend the hour to review their email, do your fucking job, or get out.


I think, if anything, it's a lesson to entrepreneurs to be open when such things happen. Be honest. Be up front. Be frank. Be proactive.

The temptation will often be to hide this kind of thing, claiming it's irrelevant (which typically just means it's embarrassing).

Also, I'm glad to see this isn't another incident where a vulnerability reveals a site is storing passwords in plaintext (like Gizmodo). Seriously, why do people do this?


I never claimed it was acceptable. Only that it was irrelevant. Why should anyone besides PHPFog's lawyer and the kids' parents care? It's because PHPFog chose to play PR guru and throw the drama into their postmortem as a distraction.

Does it matter to you if some kid in Australia is brought up on charges? No?

Does it matter to you if a hosting company is competent in securing their servers? Yes?

Any discussion of who did the hack serves no purpose other than to distract from the only issue that matters to anyone, which is PHPFog's security.


I don't get all of the animosity toward the OP. He has taken all the risk by documenting everything -- essentially saying "I'm doing what I believe is right, and you can prosecute me if you want." Making him "aware" of what he's done (and the possible consequences) seems redundant.

We can go back and forth on the white hat/black hat issues, but I think we need more people who are willing to raise awareness on this.

The animosity should be reserved for those who use Firesheep/Wireshark for completely malicious purposes.


Is there not some level of basic accountability? I mean, shouldn't AT&T face penalties for hosting consumer data in such an egregiously unsafe fashion?

While I think the responsible disclosure could've happened in a better way, I don't think this is akin to walking into an unlocked house. This is a web server whose only protection was prayer. There was no authentication, no verification and no accountability.

What makes me so mad is that AT&T can be so goddamn careless with my information and skate away free while the gentleman who exposed this lack of attention is sent to a jail for a very long time. It just doesn't sit well with me and I don't think the boundaries are obvious.

I'm not a hacker if I increment a URL by 1. I wouldn't even call you a hacker if you used DNS reflection attacks. To identify cheap parlor tricks as hacking is offensive to the professional breakers and ludicrous in the larger scheme of things.


If you've been infiltrated and your systems have been compromised, it has always been the case that your data may also have leaked. A responsible organization in this situation would take that possibility seriously, including the potential disclosures and legal ramifications that may come along with it.

Attempting to sweep such an incident under the rug should never have been a serious option, but of course organizations in this situation are usually looking to do as little as possible. So here we are. This is just taking that latent possibility and making it real and explicit.


Wow, making a claim about who broke the license is rubbing noses? If voicing the wrongdoing makes a company untrusted, I have no idea what your view of trust is. Maybe someone who can keep wrongdoing a secret is more trustable.

Who said anything about exploit? You made the API and it has open access. If it is private don't make it public. Absolutely no analogies are needed for that.

Slap on some authentication before calling the lawyers. Lawyers are needed for when such systems have been subverted.

Seems the reality distortion of blaming anyone that touches something a corporation doesn't want touched is catching on. Persons behind corporations that dispatch lawyers with great zeal are responsible for conflating their own mistakes with exploitation.

For those having a hard time, just think like the NSA: Public unencrypted data will be used, but not always in the way the persons who made it public contemplated.


I think legal's involvement is perfectly normal. Part of damage control consists of figuring out the legal ramifications of the product/service having technical vulnerabilities. Especially if those vulnerabilities leak customer data.

What isn't cool is legal deciding to go after the party disclosing the vulnerability.


Actual customer data leaking is generally a legal problem. Your source code leaking is not.