What do you say to the boss who has been robbed blind by the outsourcers?

Kuro

Naxxramas 1.0 Raider
8,379
21,336
Change it to show anyone trying to access that back door Goatse.
 

Kreugen

Vyemm Raider
6,599
793
Just make sure you get the decimal point right or you might have to burn the building down.
 

Sutekh

Blackwing Lair Raider
7,489
106
So I'm at a new contract job to write a mobile app for this large corporation. They have a preexisting API that was written for an in-house app. The developer that wrote the API is no longer with the company and has gone home to India. So I'm digging through the API to figure out what is going on and if it is even suitable for what I need. I find a section of the code that looks strange, almost deliberately obfuscated, or less carefully written than other parts of the code. I dig further into it and find that it is accessible without going through any login process and allows total access to the database without any auditing.

What should I do? Brave members of Rerolled screenshots, help me decide how I should handle this dilemma.

I'm tempted to go tell the idiot boss what an idiot he is for blindly trusting outsourcers.
But who knows, for this company, it could be placed there for the NSA.

What do you boys think?

Just ignore it, collect phat paychek?
You should do what any self-respecting person does, create an anonymous email and mail the security team about it. Then of course disclose the details of the backdoor the next day when they don't respond instantly.
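Before escalating, it helps to be able to show exactly what the inherited API does wrong rather than describe it. The block below is an added illustration, not code from the thread or from the company's API: a tiny in-process route table in Python with the two defects the original post describes (an endpoint reachable with no login, and database access that leaves no audit trail) beside the hardened form, plus the one check a reviewer would run over the whole route table before trusting it. Every name, token and record in it is constructed for the example.

```python
"""Added example (not from the thread): unguarded API route beside the
hardened form, and a route-table check that flags such routes.
All session tokens, table data and paths below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Route:
    handler: Callable[[Request], object]
    requires_auth: bool   # must a valid session be presented?
    audited: bool         # is each call written to the audit log?


VALID_SESSIONS = {"tok-alice": "alice"}                    # constructed session store
DB = {"customers": [{"id": 1, "name": "A. Customer"}]}      # constructed sample data
AUDIT_LOG: List[str] = []                                   # in-memory audit trail


def authenticate(req: Request) -> Optional[str]:
    """Map a session token to a user name, or None for anonymous callers."""
    return VALID_SESSIONS.get(req.session_token)


class Api:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def route(self, path: str, *, requires_auth: bool = True, audited: bool = True):
        """Register a handler. Secure defaults: auth and auditing are on unless
        a route explicitly opts out, which makes opt-outs easy to grep for."""
        def deco(fn):
            self.routes[path] = Route(fn, requires_auth, audited)
            return fn
        return deco

    def dispatch(self, req: Request) -> dict:
        route = self.routes[req.path]
        user = authenticate(req)
        if route.requires_auth and user is None:
            return {"status": 401}
        if route.audited:
            # Record who called what with which parameters before running it.
            AUDIT_LOG.append(f"{user or 'anonymous'} {req.path} {sorted(req.params.items())}")
        return {"status": 200, "body": route.handler(req)}


def find_unguarded_routes(api: Api) -> List[str]:
    """The reviewer's check: every path that skips login or auditing."""
    return sorted(p for p, r in api.routes.items() if not r.requires_auth or not r.audited)


api = Api()


# The "strange" endpoint from the post: no login, no audit trail, and it hands
# back whichever table the caller names.
@api.route("/internal/query", requires_auth=False, audited=False)
def raw_query(req: Request):
    return DB[req.params["table"]]


# Hardened equivalent: defaults enforce login and auditing, and the handler
# exposes a specific, limited view instead of arbitrary tables.
@api.route("/customers")
def list_customers(req: Request):
    return [{"id": c["id"]} for c in DB["customers"]]


if __name__ == "__main__":
    print("routes without auth or auditing:", find_unguarded_routes(api))
    print(api.dispatch(Request("/internal/query", params={"table": "customers"})))
    print("audit log after anonymous raw query:", AUDIT_LOG)
    print(api.dispatch(Request("/customers", session_token="tok-alice")))
    print("audit log after authenticated call:", AUDIT_LOG)
```

The route-table check is the part worth keeping: an inherited API is only as trustworthy as the list of routes that opt out of the default guards, and that list is what to attach to the ticket or e-mail.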
 

Nester

Vyemm Raider
4,930
3,130
Why is standing up and doing the right thing (which really requires no effort beyond an email or conversation) even a question?
 

Jorren

Maximum Derek
<Bronze Donator>
1,429
1,337
Send an e-mail or better yet, file a ticket or bug report and have it triaged/discussed with the team. This is basic 101 type shit.
 

PatrickStar

Trakanon Raider
1,529
558
Scorched earth and cover yo ass. In the game of life Paper always beats words so fire off emails like you're giving a porn star a facial.
 

gremlinz273

<Bronze Donator>
684
785
I'm sorry I'm an NYC consultant. Shitty human and shit-eating grin kind of go hand in parcel with the job.

You are pretty much obligated to report this to the company and maybe even the FBI considering this most likely goes across state and country lines. By not reporting it you could easily be nailed for accessory.
I've been trying to determine a reason to bring the FBI in. Some sort of nightmarish auditing scenario would be my ideal endgame here. I can't think of any actual crime that has been committed. Other than the crime of extremely bad and insecure code, which to my experienced eyes was flawed by design.
 

Stosh

Bronze Knight of the Realm
201
12
I'm sorry I'm an NYC consultant. Shitty human and shit-eating grin kind of go hand in parcel with the job.



I've been trying to determine a reason to bring the FBI in. Some sort of nightmarish auditing scenario would be my ideal endgame here. I can't think of any actual crime that has been committed. Other than the crime of extremely bad and insecure code, which to my experienced eyes was flawed by design.
So if that's the case, why not say something? You might even get additional work out of it to fix the issue.
 

Palum

what Suineg set it to
23,498
33,837
Is the data PII or supposed to be PCI DSS compliant (ie card numbers)? If so and you don't report it you could burn in hell with that ship down the road.
 

gremlinz273

<Bronze Donator>
684
785
'Burn in hell', I'm not sure what you mean by that. I have trouble coming up with a response to these guys that don't care about security. When one of these high profile hacks occurs and does make the press, no one so much as loses their job. It doesn't make a blip on their stock valuation, so the board of directors won't give a damn. Why should they care, even if it is highly sensitive PII?
 

chaos

Buzzfeed Editor
17,324
4,839
Because there are millions upon millions in costs associated with each of these high profile hacks. The Target one alone is going to end up costing like half a billion dollars.

And just wait until the CC companies lobby Congress enough to get the laws changed and make the attack victim foot some of the bill for that based on negligence. Woe, I say woe.
 

Rais

Trakanon Raider
1,281
637
You are somewhat correct. Some stocks don't take a huge hit at the moment the hacks happen, some do over time. To say no one gets fired for not protecting the company's assets and information is crazy talk. Someone gets fired, not the guys making millions tho. Prolly some chump making 40k a year in charge of 3 monkeys.

Target first acknowledged the hack December 19, and its stock prices obviously suffered in the months to come. At the end of November, the retail chain was sitting at $64. By February 5, it had dropped all the way down to $55. It only just recently started to gain ground back into the $60+ territory.
46 - The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.
Wasn't that much of a drop for these guys.
Home Depot saw a slight dip in its stock prices, which sat at $93 prior to the announcement of the breach and dropped to $89 by the following day.
Google
Around the time the hack was revealed to the public, Google sat at $300, but it quickly dropped. By the end of February, it had dropped to $263, and by July it dipped all the way down to $218 - the stock's lowest price in the past five years.
It doesn't make a blip on their stock valuation, so the board of directors won't give a damn.
 

gremlinz273

<Bronze Donator>
684
785
Now, if it isn't payment card data or health insurance or some other regulated industry such as financial, would they even have to divulge if they were hacked?
 

Palum

what Suineg set it to
23,498
33,837
So as an independent contractor who 'discovers' this security flaw, if this blows up who do you think is a good scapegoat? Keeping in mind the truth is largely irrelevant if they have deeper pockets to fight a PR battle to hang you in the court of public opinion.
 

gremlinz273

<Bronze Donator>
684
785
So for someone in this particular situation, a preemptive strike might be one of the better options available. And a smart little hobbit doesn't simply walk into Mordor without a full nuclear arsenal scorched earth policy backup plan.

Still, if there was no audit trail and no logs, was there ever actually a crime?
 

Chukzombi

Millie's Staff Member
71,729
213,049
christ, just do your job and tell them and make sure you have it well documented. it's none of your concern what the company does about it. if your job says you are supposed to fix the issue, then fix it. what the hell are we discussing here?
 

gremlinz273

<Bronze Donator>
684
785
It became a known issue - not going to fix. So now as a contractor, am I liable in some way if this thing gets used for an unlawful purpose simply because I was aware of it?
 

moonarchia

The Scientific Shitlord
21,562
39,252
It became a known issue - not going to fix. So now as a contractor, am I liable in some way if this thing gets used for an unlawful purpose simply because I was aware of it?
Not if you got your telling them, and them saying they don't care, in writing. In writing is the biggest thing when doing basic CYA.