I'm also kinda curious why the author didn't run through a simple spell checker before posting. I'm grateful for the article, it was an interesting read, but really why not just paste into google docs real quick or something?
Native English speaker. Very jet-lagged. Posted from Doha airport and blogspot.com kept redirecting to that other domain. Thank you, I have made many corrections now.
var i = document.createElement('img');
i.src= "https://news.ycombinator.com/y18.gif";
document.body.insertBefore(i, document.body.firstChild);
The image appeared in the upper left of the Google home page.
So, I clicked over to the Network tab and viewed the headers. The request headers do not include any cookies. If Hacker News were a broker using GET requests to buy shares, and the image URL was such a request, HN would not have known whose account to buy the shares for, even though I'm logged in in another tab.
So, presumably, the hack does not work in Chrome 57.
Edit: Never mind. It's because I have third-party cookies blocked. If I unblock third-party cookies, my HN cookie does get sent.
Cookies are still sent for requests in which the response is opaque to the current document/window (e.g. <img>, <video>, <audio>, <script>, etc). There's no way for the document/window containing these elements to ever access the actual bytes returned by them.
Because most people don't have 3rd party cookies disabled. It's one of the first things you should do when you install a browser. It doesn't break anything worthwhile and protects your privacy (and security).
Wow. Going on with your life as a C-level executive with this knowledge, as if it's just all good, is just insane. I'm sure they're in the clear personally now, but I can certainly see why they would wanna sell their company fast after gaining this knowledge in 2010.
Don't be so sure. If they didn't disclose this to their buyers they are guilty of fraud. The statute of limitations has probably run out (I don't know which state has jurisdiction here), but delayed discovery rules may apply.
I'm not so sure it's fraud for 2 reasons: 1) how easy it would/should be for the buyer to discover the issue; 2) these transactions generally have very detailed disclaimers / disclosure -- basically making them 'as-is' transactions.
If I were a betting man, I'd bet the buyer knew about the issue and basically didn't care.
Yet security researchers go to prison for iterating the ID numbers in a URL to access private profile pages :/
This is negligent. If they are running banking ecommerce infrastructure and are unable to deal with 101 security risks then it is absolutely negligent. The "it is too complex for the average person" isn't an adequate defense.
The only thing is that there has to be someone who lost something of real value for it to go to court as negligence does it not?
This is good thinking. But you need iron tight wording when spelling this stuff out.
In your contact with companies you should say "Failing to fix this issue would be a violation of reasonably assumed security practices as required in LAW..."
Given my experiences with C-level executives it's unlikely the leadership thought this was a "real" security issue - and it is entirely possible that there haven't been any attacks made using this vulnerability - Zecco isn't Fidelity or MorganStanley.
Wouldn't the FTC want to know about this though, as this would be a great way to execute a pump-and-dump scam...
The NDA is not a valid contract because there is no consideration. For a contract to be valid each party has to gain something. This is why many contracts include a token consideration of $1. This one didn't, so it's invalid.
This is actually pretty close to how I personally define a "professional": A professional is someone whose work can only be judged by other professionals of the same domain.
Obvious failure modes are exempted. Anyone can tell you about a bad bridge after it has failed. But it would take a bridge engineer to tell you that before it fails.
Your definition would include tradesmen and craftworkers, then, who are not strictly professionals. Anyone can work in wood long enough to say "That wooden bridge looks like it'll hold X people," and not have any way of conveying how they came to that conclusion, because they didn't learn via a means of studying a specific body of work that can be measured and accredited. Without this distinction, many professions would not exist.
> Your definition would include tradesmen and craftworkers, then, who are not strictly professionals.
According to what definition?
> Anyone can work in wood long enough to say "That wooden bridge looks like it'll hold X people,"...
I severely doubt that, given the complexity of trussed bridge designs [0]. There's a lot more to it than how much weight a 4-by-4 can support.
> ... and not have any way of conveying how they came to that conclusion...
If you can't transfer knowledge in a way that other people can independently verify, you're working in magic. If such a transfer is possible, but simply not possible for a particular person because they lack the tools, then that's a professional failing. For some reason, this state seems acceptable to you when we're talking about physics and complex loads. But could you imagine a doctor describing the appendix as "that thing sticking out where the long thin squiggly bit meets the short thick squiggly bit"?
> Also, your definition includes itself as part of its own definition, which is a circular definition fallacy.
You can't just throw out "circular definition is fallacy" and dismiss the idea. That itself is a fallacy -- "argument from fallacy". [1]
Yes, I use the word "professional" twice, but that's not necessarily a circular definition and especially not necessarily a fallacy. First, the two "professionals" are not the same person. The first mention of "professional" is an individual, while the second mention is a group. What I did is tie membership of a group to a conditional ability which is dependent on the group itself.
However, I did cheat a little bit. Because what I did not define is the individual ability necessary to meet that conditional. Because, of course, that changes depending on what group of professionals we are discussing.
For backup, let's look at a definition of malpractice [2]:
> a dereliction of professional duty or a failure to exercise an ordinary degree of professional skill or learning by one (as a physician) rendering professional services which results in injury, loss, or damage
In other words, malpractice is a professional doing something which such a professional should not do... Because the mere fact of a person being a professional implies that they should know better.
It's this same logic that I am using: A professional is someone who acts in a professional capacity, and understands the practices of such profession, and thereby is capable of judging whether another person understands and acts in a professional capacity.
Lawyers tend not to tell they are on internet because of potential liability. Thus when you read IANAL odds are goods that the writer known about the subject but don't want to be liable in any way so he just protect itself.
PS: and if you want an advice by a lawyer that accept liabilities for its counsel just pay for it, because that is the only way you get it.
I wouldn't be so sure - for example, out of court settlements pretty much amount to "We'll pay you $x without admitting that we ever did something wrong, and you agree not to sue us over that thing that we totally did not do.", and these definitely are valid contracts.
Not suing in that case is the terms of the contract. The consideration is $x for party A and for party B it's not having to admit wrongdoing. Had the NDA in question given William $x to not disclose the security hole then he would certainly would be in breach of contract. But the NDA gave him nothing.
When they were drafting the "contract", the concept of consideration was very interesting. I had considered that if I would receive cash for agreeing to not disclose then this would be blackmail which apparently is bad.
Obtaining an opposing party's waiver of their right to pursue legal remedies is not the same thing as obtaining non-binding indication that they may not pursue you legally.
In the first case you have extinguished a right that could be used against you. In the second case you have obtained nothing more than the illusion of safety.
It is, especially (but not necessarily) if the person promising not to sue has a valid claim. This is covered in any contract law textbook, but it's an old common law principle so there are plenty of free online sources, too. For example, in the US, see Bennett, 'Forbearance to Sue' (1898) 10(2) Harvard Law Review 113–118 [1]; in the UK, see Kelly, 'Forbearance to Sue and Forbearance to Defend' (1964) 27(5) Modern Law Review 540–545 [2].
I thought continued employment was the textbook example of not being consideration which is why a company can't say they fired you with cause for not signing an NDA that was presented to you after you had already been working there
Edit:googled some more and it appears that continued employment as sufficient consideration is different on a state by state basis and isn't firmly set in stone yet
It's not about the dollar value, it's about having a contract. In a contract, the parties usually agree to do something in return for something else. This NDA is completely one-sided. The author gains nothing. So basically it is a gift, and not a contract. And in many legal systems, it is easier to take back a gift than to undo a contract.
Consideration is a common law concept as far as I can tell. As someone unfamiliar with how it came to be: Why was consideration introduced? What's the rationale, the goal behind it?
I believe the idea is nobody would willingly sign a contract that does nothing to benefit themselves so they must have been mislead into the agreement thus it is invalid. Sort of a rational actor theory of law.
Possibly. But the contract doesn't say so. This is exactly why the consideration has to be explicit, so the judge adjudicating disputes doesn't have to guess about such things.
Typically yes, access to the information is the proper consideration for agreeing not to further disclose the information. But as lisper says [0], that will also typically be spelled out in the contract.
If a contract doesn't outline consideration, and the jurisdiction requires consideration, then the lawyer writing the contract was not very good at their job...
This was a test for understanding that a person not familiar with a particular field (e.g. GP and common law) will not be easily able to find a source on a particular aspect of that field and at the same time verify the information are more-less complete. Therefore, it's much easier for someone familiar with the field to provide a link to appropriate source.
I thought it was significant that they were able to distinguish it as a common-law concept. Are you implying this was something like a lucky guess on their part?
A contract is what lets you sue someone over a private transaction. That's what it does, that's all it does. If for whatever reason you're not willing to bring a contract dispute to court, then your contract doesn't do anything and you wasted your time writing it. Contract = right to sue for breach of contract.
In order to sue someone, you need to be able to describe what damages have been done to you. The goal of a lawsuit is for the responsible party to 'make you whole,' i.e. pay you back an amount equal to the damages done to you.
In a contract dispute, the 'damages' of breaking the contract is equal to the 'consideration' of fulfilling the contract. In other words, the promised consideration is the actual thing that you can sue over.
If there is no consideration, then there are no potential damages, and there is no potential lawsuit. And since the only point of a contract is to enable a lawsuit, a contract that doesn't do that isn't a contract.
"the 'damages' of breaking the contract is equal to the 'consideration' of fulfilling the contract"
This is categorically incorrect.
Damages for breach of contract are supposed to put you back in the position you'd have been in had the contract been performed. It's not related to the value of the consideration.
Consideration is one of the things needed to make a contract binding in English law (along with offer & acceptance, and "intention to create legal relations").
Jurists still debate the rationale for consideration, but the best answer I've found is that contract in English law is seen as an exchange or a “bargain”. There is no gratuitous contract, donations are not contractual right.
By comparison, a contract under French law is based on "consent of the parties" and the theory of individual autonomy. There's no requirement for consideration.
In a "mutual NDA", consideration is easy to find; each party agrees not to disclose confidential information disclosed by the counterparty.
Another way to make an agreement binding without consideration is to sign it as a deed.
> In a "mutual NDA", consideration is easy to find; each party agrees not to disclose confidential information disclosed by the counterparty.
I don't think mutual NDAs are typical. Typically, you sign an NDA prior to receiving information. So the consideration for signing the NDA is receiving the information that you agreed to not disclose. If you already have that information, then that's no longer valid consideration.
In this case, the reporter already knew the security vulnerability, so that knowledge could not be considered consideration. The bank would have needed to offer something else.
It's what distinguishes a contract from a promise.
If I say, "I'm going to give you some apples in six months, after the harvest" and then there's a blight and I don't actually end up with any apples, society (at least in America) decided that I should be able to just say, "Oops, sorry, I'm not going to be able to give you those apples after all" and be done with it.
On the other hand, if I say, "I am going to sell you some apples in six months, in return for $100", American society collectively decided that I'm on the hook to get you those apples, regardless of whatever difficulties should ensue.
Because it’s much easier for the court to reach a judgement about a contract if both parties are clear about what they were expecting to gain from it.
Also, you have to ask why someone chose to sign a one-sided contract. Was it signed under duress? The court shouldn’t enforce that. Was it a gift? The court would rather not get involved with enforcing every casual promise!
Consideration is a necessary but not sufficient condition to have a valid contract. There are a lot of other requirements as well. This is why it is best to have a lawyer review any contract you sign, especially when the stakes are high.
My reading is that he signed it because he was falsely made to believe he may have done something illegal and this would protect him from the FBI. I.e. he was coerced.
I agree. There's plenty of "Tester agrees"/"Tester shall (not)", but the document provides nothing of value/benefit in return.
Worth noting that just because it doesn't stand up as a contract doesn't necessarily mean a claim can't be made under breach of confidence (I doubt it would be applicable here, but just pointing out that contracts aren't the only form of legal protection provided to confidential information).
I definitely think you're correct. In the future you could probably save yourself the hassle of the "Are you a lawyer?" questions by dropping the phrase "almost certainly" right before "not a valid contract". Most attorneys I know are super reluctant to call a contract invalid without some sort of qualifying language.
This contract might actually be egregious enough to warrant an unqualified declaration of invalidity, in which case you should go the other direction and overstate your case with conclusory statement and some word like "clearly" or "patently". "This contract is patently invalid!" and then explain why.
Despite the fact that I'm not a lawyer, I happen to know quite a lot about contract law because I was once involved in a contract dispute. That provided quite a good education on this particular topic.
P.S. It might be of limited correctness, only in some states, in the USA. I'd suggest you don't talk people into signing perfectly valid contracts hoping for an unlikely loophole.
Assume the expertise. A whole semester of university dedicated to contract law: Consumer contracts and B2B contracts in the national law, then the specifics when dealing with a party in another European country and internationally.
You'll see what a contract needs to be valid during these courses. There is simply nothing about both parties requiring to gain something.
"the best schools are free where I come from" generally implies living in one of civil law jurisdictions, where many legal principles are quite opposite from USA.
A good bunch of things taught in a contract law class are subtly wrong even for a very similar neighbouring country (in EU it's now getting a bit better because of harmonization efforts) but common vs civil law changes pretty much everything.
And a semester in contract law is not really much expertise - any MBA with a semester in USA contract law would have much more relevant expertise than us Europeans talking.
We certainly don't have all the facts surrounding this case, but we definitely have enough to move forward under the assumption that this would be resolved with American and probably Californian law. I'll leave you to research whether California requires consideration for valid contract.
You think you are qualified to determine ANYTHING about US contract law when you've taken a single semester in contract law related to an entirely different country?
By your logic I am basically a Astronomer. Except mine is more relevant since astronomy is the same regardless of where you take a "whole semester" of it.
I have no idea since I haven't reviewed the contract. But consideration can be more than just cash money. In some areas and circumstance continued employment can be enough consideration. Or getting access to more information might be enough.
We definitely don't have all the facts and learning new facts could definitely change the direction of the conversation. I hope that we all understand that this arm-chair lawyering is, at its core, a hypothetical exercise.
But even if we are allowed to infer consideration, and I agree with you that we are, this contract isn't simply lacking the terms of consideration. It doesn't appear to contemplate consideration at all, which in my experience, is unheard of for these types of agreements.
Well, the contract has been published, we could get more facts. (except it's midnight now and I'm not gonna read it carefully now)
Without going into the extreme details of this case. Being "considerate" in legal jargon is much more subtle than "both parties have to gain something" in engineering talk. Determining the consideration can be as hard as a NP problem, to speak in engineer :D
Back to my original point: Let's not talk people into signing perfectly valid contracts, hoping for a loophole because it didn't look nice enough to them!
Normally, you'd be allowed to look at the entire circumstance to determine consideration if it was unstated. however, this contract contains some pretty strong clauses about the document being the entire terms of the contract. So maybe that would be enough to invalid it.
But that would depend on the specific jurisdictions case law on contracts and then how the judges reading the contract.
If this were my client and he got some kind of consideration, I'd tell him to treat it like a valid contract. Though I'd trying to poke holes in it during litigation. But litigation is losing 9 out of 10 times, even if you win.
Couldn't anyone who lost money on a stock be able to claim damages? How would the bank prove the purchase order was legitimate seeing as there's basically no security around the endpoint and the bank knew it?
The bank may be able to demonstrate that the vulnerability was not exploited by, e.g., showing that the order preview page was first loaded with the same parameters, or showing a same domain referer.
Maybe the bank should've used this method to prevent the problem in the first place by just checking that the referer request header was from their domain.
The article mentions that unauthorized transactions were indistinguishable from legit ones:
>Also their engineers made it clear that unauthorized transactions like this and later shown below would not be distinguishable from other legitemate transactions.
You can spoof referrers, you just need some browser extension (or, if using python and requests, doing requests.get(url, headers={'referer': my_referer}) )
>Also their engineers made it clear that unauthorized transactions like this and later shown below would not be distinguishable from other legitemate transactions.
That doesn't really matter that much. The customer would have to show they were harmed. So if you were playing around with certain stocks, decided you didn't like the outcome and are now going to sue, you'll need to provide some proof that you didn't make that transaction.
If you kept buying and selling on that account, including with the supposedly-hacked-purchased shares, you'd need to explain why you didn't bring it up until now.
Would he not have a case of gross negligence against Zecco if he were a customer? Is there something preventing a lawsuit, outside of the possibly non-binding NDA?
Couldn't he simply claim unauthorized trades were executed?
How would the bank be able to prove otherwise? Especially considering the bank knew about this huge security hole.
Yeah, but presumably he'd claim it on an asset in the red, and for a large enough amount of money to be worth risking lying about under oath. Zecco could have the court subpoena the ISP to prove the IP was in use at the time by the defendant.
Of course it was from his IP, the only way the transaction works is if your browser has the proper cookies. The whole vulerability is that all someone has to do is put that <img> into ANY webpage you visit and so long as your browser still had the cookies, the transaction would go though without you needing to do anything.
Good point. IANAL, but I would think burden of proof is still on the claimant that the transaction was fraudulent. If it had happened to multiple users around the same time frame who provably visited a similar set of potentially malicious websites, it might work, but then the company could respond that it's strange he conveniently didn't notice anything on the statements or confirmation of purchase e-mails until the exploit was publicized.
In order to do so, he would have to actually declare a claim that a particular trade was unauthorised. Assuming that he actually did execute all his trades himself (which, frankly, is quite likely), making that claim in court would be a crime (perjury + fraud), a much serious issue than the security vulnerability.
With sufficient preparation it's likely, that the bank (and prosecutors) wouldn't be able to prove that crime beyond all reasonable doubt, and he wouldn't be convicted for it, but it still carries a risk that they could prove that (e.g. by forensic analysis of his computer) and he'd go to jail.
Furthermore, even if he manages to prevail in the criminal case, in the civil case (where the criteria is less strict) it is quite likely that after reviewing all possible evidence they'll manage to get to the correct judgement that the "unauthorised trades" claim was false, thus not getting him anything anyway.
How is the bank able to get to get the correct judgement in the civil case? There's proof the bank knew about the security hole, there is proof that at least one person outside of the employment of the bank had discovered this vulnerability (meaning there were likely more), and there is no way for the bank to prove that the transactions were legitimate. The article mentions that unauthorized transactions were indistinguishable from legit ones:
> Also their engineers made it clear that unauthorized transactions like this and later shown below would not be distinguishable from other legitimate transactions.
For starters, all the details on how that particular transaction was performed, timestamps, IP addresses, all the browser fingerprints visible in the logs of that request (they tend to be quite identifying), subpoenaed logs from the claimant's ISP.
They don't have to prove that it couldn't have been someone else, they have to convince the court that it's more likely than not. Motive matters a lot - if there's some way how that transaction would have been useful for a fraudster (i.e. if it was a money transfer to them), then it's one thing; but if there's no indication of why someone else would want to make the fraudulent trade (which is the case for most stock purchases/sells) and a clear motive why the claimant would want the trade to be reversed (i.e. the stock buy seemed good on that day but turned out to be bad afterwards) then if there's any technical evidence whatsoever pointing towards the claimant, it's hard to be convinced.
If data shows that the transaction is e.g. done from some Starbucks and local security cameras show the claimant near that Starbucks at that time, it's probably not enough to get a conviction but likely enough to make them lose the civil claim.
The criminal case would be expected to get much more evidence than an ordinary civil claim, so they'd likely wait for its results and use everything that the police/prosecutors gathered to dismiss their civil claim.
> For starters, all the details on how that particular transaction was performed, timestamps, IP addresses, all the browser fingerprints visible in the logs of that request (they tend to be quite identifying), subpoenaed logs from the claimant's ISP.
Again, the IP address would obviously be associated with him and the browser because that's how the vulnerability works. The attacker just has to get the victim to visit any website with a browser which has the cookies for the bank. So proving that the user's browser/machine/IP made the request does nothing to show that the user did so intentionally.
> Motive matters a lot - if there's some way how that transaction would have been useful for a fraudster (i.e. if it was a money transfer to them), then it's one thing; but if there's no indication of why someone else would want to make the fraudulent trade (which is the case for most stock purchases/sells) and a clear motive why the claimant would want the trade to be reversed (i.e. the stock buy seemed good on that day but turned out to be bad afterwards) then if there's any technical evidence whatsoever pointing towards the claimant, it's hard to be convinced.
It doesn't have to be done by a fraudster. The motive for the attacker could simply be to fuck with people. They don't gain anything but satisfaction from the fact that they were able to successfully exploit this vulnerability.
The attack would leave traces. Timestamps would show when exactly the request was made, ISP logs or data from the claimants computer would show other requests in the same seconds (i.e. wherever the victim got served the malicious link); Sending the img link by email would be visible in that email; getting the user to view a malicious post on some webpage/forum/etc is likely to leave evidence there.
In general, you make good points, they are believable and likely would be made if such a court case happened. In the absence of hard evidence, if they seem slightly more believable than whatever story the company presents, the claimant would win; if they seem slightly less believable, the claimant would lose. In a civil claim, the company needs to prove that it was authorised only just as much as the claimant needs to prove that it was not, it's a somewhat symmetric contest - simply claiming "I didn't authorise it" is effectively countered by claiming "Yes you did", and simply moves the discussion on to further investigation.
The motive could be just a prankster messing with people, but it's a lot less convincing motive than an obvious benefit. If the transaction is one where you clearly lose money and someone (possibly anonymous) gains it, it's easy to make the case that you were hacked. But, for example, if the claimant had previously unsuccessfully complained to the company about the theoretical possibility of such vulnerability, and then complained that a seemingly random transaction is unauthorized, I'm fairly sure that any decent lawyer would successfully convince the court that "a prankster did it" is comparable to "the dog ate my homework" and it's a bit more likely that they orchestrated the claim themselves to mess with the company. Getting 51% of belief is preponderance of evidence, and sufficient in a civil trial.
And in any case, all this wouldn't be "simply claim" - seriously making such a claim would require a significant investment of time and money from the claimant. It's not something most people would do for fun. Some would do it to make a point, but that's quite a niche hobby.
Nope, but if you reported that you just noticed a fake stock deal made 12 years ago on an account that you actively use, you'd have an uphill battle proving that it really was unauthorised, and the lack of logs would only make it harder for you.
> if somebody sent you an email with that code (even if you never open the email)
What is he trying to say here? How on earth would it be possible to execute the url in the context of your zecco cookies unless it's openend in a (browser) in which you've logged into zecco?
I know that MS Messenger used to "pre-fetch" URLs in your system's IE session even if you don't open the conversation. I presume there was some similar issue with 2008-era email clients (it's a "useful feature" after all).
Some webmail clients (and potentially other web communicators like online chats - FB messenger, etc) might pre-fetch all URLs send in the email or chat.
The pre-fetching will use the user's context (and cookies) because it's executed by the user's web browser.
Kudos to the author, and hopefully they don't get sued as a result. This bullshit with corporations trying to cover up security vulnerabilities (rather than fix them) needs to stop.
"Sign this NDA or we will send the FBI to arrest you because you found that our banking website's security was completely fucking broken and told us about it." Jesus fucking christ.
No one should independently contact a company about this type of issue without first obtaining competent legal advice. And I do mean competent advice; most lawyers are very technically illiterate and will not be sympathetic, let alone familiar with the relevant areas of law.
The researcher is lucky that TradeKing believed their NDA trick was sufficient. Even if the case here is weak, and I wouldn't necessarily assume it is, it would still seriously damage the researcher's life.
Here's how it goes when you get sued by a big company. Their lawyers essentially have a heyday doing everything possible to obstruct and delay the process so that they can maximize their time on the corporate teat. It will go on for years; they won't mind because it's business as usual for them, and they're getting paid big bucks to torment you. Your life will be ruined: assets seized pre-emptively, reputation and credit destroyed, inordinate quantities of time consumed by legal research and tedious paperwork, struggling (if not immediately blatantly failing) to keep your incompetent counsel paid at $250/hr and meet the retainer, and eventually failing to file some document or pay some fee that will cause the court to enter a default judgment against you and permanently confiscate everything you own, leaving you with the albatross of a massive outstanding judgment waiting to be enforced, bank accounts garnished any time you get any money, etc. And that's the short version!
And then guess what -- if, by some miracle, you don't lose in the first round, this whole process will repeat as they file appeal after appeal. Hunker down because the proceedings will last at least 5 years.
The corporate lawyers will be able to justify all of it to their clients without blinking an eye, who probably forgot that they even asked them to sue you. Everyone at the company and the law firm will go home and sleep soundly on their piles of money, and you'll have learnt your lesson that trying to stop the subterfuge of an online trading platform is a terrible offense.
How much should one spend to report this? Even the first consultation with that type of lawyer would be a few hundred $. If the threat is that real, why not just close the account and go somewhere else.
My father is a (technically literate, he used to be a database architect) lawyer, and the general advice he gave me was that if you are in a situation where you have a critical vulnerability you should disclose it through a lawyer anonymously -- your identity is then protected under attorney-client privilege (assuming you haven't just asked your lawyer to commit a crime by disclosing it).
Interesting idea. Thank you for sharing. Is the goal just anonymity? Technically we already have solutions for anonymous disclosure of documents. Are there other benefits?
A technical solution to the anonymity problem would probably work just as well (assuming it wasn't backdoored), though the protections against a lawyer disclosing their client is legal rather than technical (so the "splatter" from a company's over-reaction are more likely to be smaller). You also get the additional benefit of the company probably taking a disclosure more seriously if it comes with a law firm's letterhead (unfortunately).
Yeah, the incentives are perverse. This is more of a symptom of the function of our legal apparatus than the law itself, because in theory, going through the legal process should be quick and if not affordable, at least reasonably doable for the individual or small business.
Companies that run formal bug bounty programs (either directly or through a third party like HackerOne) show some recognition of this and some goodwill, especially those that include payouts of five figures or more, but those companies have to be careful that they don't accidentally create an environment where bidding wars between exploiters and companies are legitimized.
Why not? Yes prices can become high, but isn't that the work of the researcher? If the company doesn't want to have to purchase expensive bounties, they can either reduce the exposure (less legacy code, fewer APIs, more firewalls) or use more strict security rules.
I'd feel safer if LastPass' bounty was higher than the value of the assets I put in that vault. If the value of a single vault (mine, actually) is $10,000 and the bug bounty is $2500 (which it is), how can we persuade discoverers to sell to LastPass?
Here's what really happened. I talked with my doctors and realized that I only have so much time left to live. Writing this article was of the items about putting my affairs in order. So short term this was a good decision.
Otherwise, in court I'll be happy to defend myself. If it is necessary to spend time to defend yourself then that is a blessing. I have successfully sued the government (the US Army and Veterans affairs, no less) http://www.gao.gov/docket/B-413723.2 when they do things wrong. Just be persistent and be right. Then we came out with a nice settlement. Sorry GAO used to publish fulltext docket outcomes but I don't see it here.
Fuck Nissan. (Can we curse here on HN?) Because their cars suck and because of this case that I am well aware of. The sad thing is that Mr. Nissan spent so much money in defense. I should hope that he would be able to be more effective with less money.
I like to think that the world's view on network security has changed, even in just the past few years. Companies seem more educated on proper disclosure, network security is now seen as a part of national security and/or common good, and society seems to be shifting the blame for insecurity away from the exploiter and more toward the exploited.
For example, if you'd stolen millions of credit cards in 1983 you'd have a special session of Congress dedicated to going after you, whereas now we (rightly) blame Target.
I realized that life is shorter than I expected and I started putting some affairs in order. This is something I had wanted to do for a while and now any consequences are less important to me.
On a similar, but separate note, my bank launched a new version of its online banking platform. From launch I noticed it opened my accounts in a new tab while leaving my credentials (password and all) in the sign-in form. Not so bad when signing in from home - horrific if you're signing in from a public computer. I tweeted to the bank and spoke to someone on the phone about it. It's been 3 months and the bug is still there.
[EDIT]
I decided to log in today just to see if it's still there (was a couple days ago), and it's finally been patched. If I had used a throwaway I would gladly let you guys know the bank, but I won't since it's trivial to find out who I am from my handle.
This deserves more than an upvote. This is exactly the right attitude. It puts the incentives in the right place and will let the market do what she does best: work.
Just curious, what would the legal implications of something like that be? It seems like you're still benefitting from criminal activity that you enable, but what would the specific charge (if any) be? And any examples where people have tried this?
Although I guess it could help align customer and business goals, since no one wants to lose money
Martin Shkreli claims to have made a lot of money by shorting pharma companies ahead of their FDA results - he would read their studies and make reasonably accurate predictions as to the outcome.
Shkrelli has shuttered two hedge funds (Elea Capital Management & MSMB Capital Management) when he was unable to cover shorts and put options when the stock price moved away from him. He is also currently awaiting trial for securities fraud. So I would take his comments with a grain of salt.
This is why I said "claims". He no doubt failed at some of his shorts. On a livestream he said he made all the money he still has on his companies, not trading. The strategy is still relevant to the discussion, though.
Great link, thanks for sharing. The quote that stood out to me was “My issue was that patient safety wasn’t front and center.”
I don't have a problem with MedSec making money by shorting St. Jude's stock (that seems to align incentives to take care of security issues as early as possible). But if MedSec publicly disclosed specific, exploitable vulnerabilities (I'm not sure about specifics from the article), they shouldn't be able to hide behind the "doing what is best for the consumer" argument. It's definitely a clever business hack, and that's alright, but the fake sense of moral superiority isn't.
Not at all. You're making bets based on public information only you have realized is meaningful before informing the rest of the public to make money off that discovery. Quite a few folks make a lot of money this way and (nearly) everyone benefits: https://www.bloomberg.com/news/articles/2015-03-04/how-a-25-...
IANAL but there is no risk that you may have to defend that proposition in court as long as you don't actually exploit the vulnerability and simply point it out.
It's public information.
Now if someone who works at the bank had told you about it, you'd be in a lot of trouble.
IANAL either but my understanding is that you can be prosecuted under U.S. law for poking around on servers in any unconventional way. The text of the CFAA forbids "unauthorized access" or "exceeding authorized access".
I'll admit that viewing the source code and noticing this link would be a stretch, but I wouldn't necessarily expect it to be a slam dunk for the researcher, especially if he had assented to the site's ToS (and since he had an account, it seems that he had).
At this point, I imagine he could be in all sorts of (primarily civil) trouble for the disclosure that he just made. He may be protected under some type of financial whistleblower law, but I wouldn't hold my breath.
"The text of the CFAA forbids "unauthorized access" or "exceeding authorized access"."
BOOM! And they've been harsh on hackers for a long time. So, the vulnerability must not require violating access controls or system integrity to be safest. Hackers should be in the clear if it was simply noticing something in HTML/HTTP or whatever that indicated insecurity. An example might be a breakable cipher-suite or handling sessions improperly.
This is a good parallel and you're definitely right. However, weev was charged [0] on 2 counts:
1. conspiracy to access a computer without authorization
2. fraud in connection with personal information
This is because Goatse Security not only noticed the vulnerability itself, but because they wrote and executed a script called the "iPad 3G Account Slurper" to iterate over ICC-IDs, returning the associated email address for each one.
Executing the script against AT&T's servers probably is a bona fide violation of the CFAA, not just a conspiracy, but I would guess it's simpler to bring the conspiracy charge since you don't have to get into the nitty gritty of actual requests made, etc.
According to the complaint, they proceeded to email a handful of notable people whose emails had been harvested, including someone on the Board of Directors at News Corp. All of these contacts appear to be media outlets. The Gawker article also lists some of the people whose email addresses were extracted this way (without disclosing their emails).
I'm assuming this direct communication to journalists and/or execs at journalism outlets gives rise to the fraud with personal information charge.
Overall, I don't think that weev did anything that I wouldn't have necessarily have done if I were in that situation (trying to drum up attention and make a name for his consulting firm), but it's different from this disclosure because as far as we know, this researcher did not actually exploit the vulnerability and he has not obtained or disclosed any information from doing so.
Would this really be considered public information, since the existence of that vulnerability it's not known to the public or literally anyone else until you publish that blog post?
Nothing can protect you from the lawsuit being brought, but it will likely be thrown out. That's the same with anything, and whether you short a stock or not.
If you short it, at least you might make some money to offset any pending lawsuit. There's plenty of examples of people doing the same thing to fall back on, such as the guy who found out a newly listed company wasn't actually real[1].
I agree that making bets by noticing public information earlier is 100% okay (and in the case of Lumber Liquidators, a better outcome for almost everyone).
But would this case with the bank be different because the vulnerability, unlike formaledehyde, could be actively exploited? Encouraging a stock price to fall because of bad practices seems alright (like the LUmber Liquidators example), but if in the process you become an accessory to smaller-scale fraud against individual account owners, is it still "alright"?
There are law firms working with hedge funds that specialize in doing exactly this when they are about to file a class-action suit. It's possible to be criminally charged if you know that the information you are spreading is false. But other than that limited circumstance, you are free to trade on any information you have about a company that you did not illegally obtain from an insider. Even in the case that the information was obtained from an insider, to convict you, the government must be able to prove that you knew that the insider both a) received a benefit (usually money) in exchange for the information, and b) breached their fiduciary duty by disclosing the information.
That said, technical glitches tend to not affect the fortunes of companies nearly as much as we (the HN crowd) think. Tradeking had the glaring vulnerability outlined in this article for years, and they are doing just fine.
Great point, I think the tech crowd may overestimate the cost of glitches, relative to everything else at play in a business.
I think the point I'm getting hung up on is that the bank's stock price could drop for two reasons: bad PR due to the glitch, and/or falling financials due to fraud perpetrated as part of the glitch. I can completely understand a hedge fund trading and making money off the bad PR. But if (hypothetically) the bank lost a ton of money by hackers liquidating user accounts or, worse, making leveraged bets [before everyone checked for that sort of thing ;)], and the hedge fund knew there was a reasonable chance that the malicious activity would occur based on the newly disclosed information, would they have liability there? (from the theft/fraud perpetrated against the bank, not the drop in stock price)
I believe that responsible disclosure is a courtesy to the vendor and its customers. Afaik, there is nothing in the law that requires it. Exploiting vulnerabilities like the one you are discussing here yourself certainly would be illegal, and you could possibly be implicated in a conspiracy if you disclosed the vulnerability solely to one person or group that you knew would exploit it (so "I told my Russian hacker friend about this..let's short the stock before he nails them with it!" would probably be a conspiracy case, whereas a press release or HN posting would not be).
But general public disclosure of a vulnerability, and/or trading on the anticipated effects of public disclosure, is not illegal. It likely won't win you friends in the IT community, but it falls short of an indictable offense.
Alternatively, publish it in an obscure place online, get proof you published it in archived medium (eg Gmail or Archive.org), short the stock based on that now-public information, and then reveal it again in a way that will get stock-smashing attention. That's my hypothetical model I came up with when trying to figure out how to incentivize apathetic, but public companies, to care about security a bit. You can even follow up offering them security consulting but don't expect a yes haha.
Hm, I recall the Comodo hack. I think it Comodo was hacked twice or more times that year. It won many rewards and continued leading the CA space. The market did not work apparently...
The security market is working exactly as it was designed and evolved to. Far as when high-assurance started, the Black Forrest Group of execs of big companies convening on INFOSEC told one of INFOSEC founders they thought companies would refuse to sell them highly-assured software. The reason was they suspected they intended to make extra profit two ways: cutting QA for immediate profit; selling the fixes for later profit. This proved true with lock-in strategy combining for what was essentially checkmate to lots of companies.
The other end are buyers. Most of them don't know what to expect for security or how to evaluate it. Most attempts to solve this failed. They've been conditioned to expect constant hacks, crashes, or data loss. So, they see Comodo etc get hacked and shrug. They'll usually stay if their end of whatever they bought works. The sector that will pay for highly reliable or secure software is probably under 1% of the market or projects. It's enough companies keep forming to do real thing but tiny, tiny few struggling to justify the extra costs or less features necessary for higher security.
I don't think it's HSBC, but they do similarly horrific stuff. Almost all banks have a truly terrible online service.
I'm a happy user of N26. I very, very highly recommend it to all european customers. I'm never dealing with shitty bank service again. https://n26.com/ (Email me if you want a referral invite).
People often confuse lack of published security issues with the existence of strong security. It was the rally cry all along of techies opposing Apple's security-based advertisements.
Wells Fargo and Schwab seem ok in my experience. Wells Fargo even updated their site with slick new UI and menu options are actually findable. Amazing!
Wells Fargo seems ok in your experience??!! Is that a joke?
Your account is wide open to any of thousands of employees who conspire against you. You're ok with that?
It's people like you who keep companies like that in business and encourage such atrocious activity.
So I know this also :) I am a techie that made a bit of money and it was kept at Schwab. I made a big enough issues of it that they arranged a call with their security team. The call was good and they explained the reason why (legacy system) and their plans to update / fix it. They also address my questions about password storage (hashing/salt) - they did it correctly. They showed a great deal of knowledge and competence in their job, such that I was willing to leave my money. I applaud their willingness to have the call. My dealings with them have always been pleasant.
It's 2017, and I still have online financial accounts that are "secured" by short numeric PIN, so count yourself lucky that you can at least use some letters in your password.
C-mp-t-rsh-r-: your website's trash and you should be embarrassed with yourselves.
Just today...? Chase Bank has been case-insensitive for several years now. I even contacted them about it when I found out and they outright told me they had no plans to fix it.
I use HSBC for personal and business, can confirm personal is bad but HSBCnet (business) is the worst software application I've ever used, period. http://john.je/k7X2
So far, I count three separate replies to this article along the lines of "I also found my bank doing so-and-so thing insecurely, but LA LA I'm not going to tell you which bank it is!" These kinds of comments don't help anyone--you might as well not post them.
Who just has an attorney sitting around who is competent to handle such things? I wouldn't know who the fuck to call if I found something on my bank's website.
There's plenty of laggards who don't have home internet and only browse through e.g. a library computer. Some of them are probably doing banking too, given the recent trend of preferring online transactions
Right, most public computers I've seen would be trivial to bug with a key logger. Though with 2fa, I suppose it wouldn't be quite as bad (but then again, those using public computers might not be using 2fa).
Lesson learned: when reporting a vulnerability, record all discussions from first contact with the vendor. At least in cases where the vendor doesn't have a clear, easy to find policy and/or bounty for disclosures.
I think it's totally fair to reject an NDA but I don't blame him for fearing an overzealous reaction on their part. Even being on the right side of criminal and civil law, you really do have to be willing to spend time and money to mount an affirmative defense.
I think it may be enough to play a beep every few seconds to indicate that the call is recorded. At least that's what a bank I used to work for would do when I called offices in a two-party state.
First, IANAL but I would be very surprised if beeps alone would be considered a legal notification of recording.
Second, those beeps probably exist to reinforce that the audio is unmolested. A beep every 5 seconds means you would have to cut audio in five-second increments, which is not likely to be convenient to whatever segment of audio you actually want to cut.
I mentioned it because someone working for a big organization and making a lot of interstate calls probably hears these beeps all day and would be less likely to protest than if someone verbally announced that they're recording the call.
Interesting... So seeing that it's a federal standard, now I wonder whether it is sufficient notification of recording...
If so, as you point out it seems like an interesting way to avoid having to announce the recording to those not knowledgeable.
EDIT: I don't know how reliable this site is, but it seems to indicate the recording beep is sufficient for notification, but not sufficient for consent, which makes sense.
It looks like the beep is sufficient for recording from a one-party state calling a two-party state, since federal law supercedes the other state's law. Actual consent would be required if the recorder is in a two-party state, even if the other party is in a one-party state. But even if the recording is "technically legal" without consent, using it as evidence in the two-party state could still be problematic. So I guess it wouldn't be a good idea to rely on the beep alone.
As someone who lives in Texas, I can confirm that Texas is a one-party state. I specifically do not need to inform people of recording devices if I am a party to the conversation.
It bothers me a lot when services, such as Google Voice, announce to all parties that such recording is occurring.
> It bothers me a lot when services, such as Google Voice, announce to all parties that such recording is occurring.
Google is based in California. There is a good probability that the act of recording occurs there. California is an all-party consent state. Also, even if the recording isn't happening in California, it's potentially tricky to be sure that no party to the call is in California (even numbers assigned to landlines don't assure that the person ultimately connecting is in a particular place.)
From my naive understanding and possible spotty recollection of the law(s) involved: in the US at least, as long as the recording party is in a one-party state then it doesn't matter where the other parties are located.
It's completely legal to record a phone call in Canada as long as you are a party to that conversation. However I still cannot find an app for my Android phone to do this.
All of Canada is single party consent for recording. If you're the person doing the recording, you've consented, so you are good. Don't assume everyone that speaks English is in the US.
Just because evidence was not lawfully obtained (ie. call recorded without other the other party's consent where that is requirement of state statute), doesn't necessarily mean that evidence can't be used to protect yourself against a more wide-ranging claim. The various precedents against the use of tainted evidence are mostly used in favor of a defendant and against the state.
A $50 misdemeanor fine for unlawfully recording a phone conversation, may well be a small price to pay - if the content of that recording can successfully protect you from a potentially bankrupting civil case.
And you always have the option of not disclosing the recording if that is your lawyer's recommended advice.
Just asking for a friend, but Pennsylvania and California are two-party recording states. Is there a statute of limitations after when releasing an undisclosed recording between a Pennsylvanian and a Californian would not be considered an offense?
For anyone being as confused as me in the timeline bit: The author is called Will(iam) Entriken. So "Will" and "Entriken" is the same as "I" and passive voice.
I think they're regarding these things as weapons, because that's how they or others are using them.
It doesn't matter how we regard CVEs as a community, this is the truth of the matter outside of it. We're handing them over a bomb, and they want to know why. It feels very Spy vs Spy to me, as silly as that sounds.
That was my experience when I stumbled across a text file with several thousand credit card numbers, which included tons of details about each card holder, including SSN.
I tried reporting it to the credit card, and to the issuing bank, and to the FBI. The only thing I asked was that they cancel the credit card accounts and put a "potential fraud source" note on each customer's account. Each party I called was more concerned with threatening me, and trying to find out what kind of criminal angle I was playing, and what my ulterior motive was, etc etc. I honestly expected to hear "Oh dang, that sucks, we'll close the accounts and contact the victims", and was depressed at the hostility I encountered.
Suppose they granted your plan to "cancel the credit card accounts" and "potential fraud source" note on each account.
That's pretty much trying to shut down business with their customers. You don't see how they'd interpret that as hostile? Future actors would know how to apply similar techniques if the outcome was in their favor (e.g. Anonymous suddenly produces a large file of cc#'s and threatens bank!)
> The only thing I asked..
In fact, why were you making demands about how they handle their customer relationships, instead of simply presenting what you'd found?
When you come across a single credit card number (say, by finding someone's card on the ground), the response by most financial institutions is to invalidate that card and mail them a new one. Why shouldn't the response be the same if you come across a stack of 100 credit cards?
Because shutting down 100 credit cards has more reputation and monetary liability than shutting one down?
You're basically saying "academics can derive your social security number using public information!" And wondering why they don't reissue all of the SSNs...
So? When a website has its passwords stolen (even just the hashed, salted ones) the immediate step is to invalidate every password potentially compromised and force users to reset them. Doesn't matter how or why the passwords were lost, you start by mitigating the damage someone can do. Why isn't the response for when credit card information (which is very often more valuable) is stolen similar?
>You're basically saying "academics can derive your social security number using public information!"
No, I'm saying that if my name, social, DoB, mother's maiden name, and credit card number appear online in a csv file with 200 other people's personal information, I'd really appreciate it if my credit card company would take proactive steps to keep my accounts secure.
The response to invalidate is a choice by the bank, not the person who finds the card. Also, that is a single number. It's suspicious/threatening for a non-trivial amount of cards when the presenter also makes demands.
How is "someone has stolen your clients information and likely already sold it to nefarious actors, because otherwise it wouldn't be on the internet anywhere, so you should keep them safe by deactivating those accounts" threatening?
That is a different point. You are changing the party being considered by re-framing it under yourself, a customer, instead of considering it from the point of view of the bank.
That's ridiculous. If the bank is aware that my credentials are available online somewhere and are taking no action to protect me, they're being complicit in any harm that comes to be, because they have both the responsibility and ability to take action, and refuse to. They're being irresponsible and potentially harming their clients.
So again, how is saying "You should take action to protect your customers' data" a threat? How can it be interpreted as a threat? What is threatening about it?
> That's pretty much trying to shut down business with their customers.
That's not how credit cards work. You close that account, transfer the balance to a new card, and issue it to them in the mail. I've done it a half dozen times, and my CC company is only out for odds and ends like postage and stamping a new card.
> In fact, why were you making demands
I wrote "asked", and then you pasted that, and misquoted it as "demanded"? If you hadn't included my quote, I'd accuse you of dishonesty, but now it's just weird.
I asked them to proactively protect their customers, because my grandfather had been through hell after his identity was stolen, and I wanted to do my best to protect other people from the same.
I don't think you owe them that. Based on their history of behavior in this area, I don't believe the government, or other institutions with a similar story in this area can be trusted with that kind of kindness.
Why should we be strictly ethical in the face of behavior that is unethical? We deserve protection, too.
You could always send an anonymous, or not, tip to KrebsOnSecurity.com. Brian has the skill to handle this kind of disclosure and the street cred to avoid pitfalls.
I believe you have picked an actual nit. He reported to Zecco (his actual broker) and Penson (Zecco's clearing firm). Both were SEC-registered broker-dealers at the time, neither were banks.
Thank you and I am sorry that my blog has offended your browser. Would you like to recommend a better hosting service I could use instead of the wildly antiquated Blogger?
I would like to migrate to my own domain with Jekyll or something. But I would not look forward to implementing commenting and trackbacks even though the blog is pretty modest any way in terms of using those features.
About a month ago I noticed that my bank had a vulnerability - I could access the details and photos of every remotely deposited check. I sent them an email, they took the feature offline in about 2 hours.
My bank used to show deposited check photos in a popup with the URL viewable iirc, and sometime they switched to a modal window with base64 data as the source instead of a URL that might be manipulated. I wonder how many small banks still may have bugs like that
In Germany you can contact the CCC to walk you through the process of reporting vulns like this one. I'm sure the EFF does similar things for US citizens. A quick Google search brought up this FAQ: Coders' Rights Project Vulnerability Reporting FAQ (https://www.eff.org/issues/coders/vulnerability-reporting-fa...)
453 comments
[ 3.5 ms ] story [ 325 ms ] threadTerrible nonetheless. Reminds me of how Mt. Gox used to hand out password resets with plaintext passwords in the query string on their own forums.
Sounds like somebody should write a book about all of the missteps in that debacle.
var i = document.createElement('img');
i.src= "http://news.ycombinator.com/y18.gif";
Then look at the cookies sent over the network.
in chrome
So, I clicked over to the Network tab and viewed the headers. The request headers do not include any cookies. If Hacker News were a broker using GET requests to buy shares, and the image URL was such a request, HN would not have known whose account to buy the shares for, even though I'm logged in in another tab.
So, presumably, the hack does not work in Chrome 57.
Edit: Never mind. It's because I have third-party cookies blocked. If I unblock third-party cookies, my HN cookie does get sent.
Don't be so sure. If they didn't disclose this to their buyers they are guilty of fraud. The statute of limitations has probably run out (I don't know which state has jurisdiction here), but delayed discovery rules may apply.
If I were a betting man, I'd bet the buyer knew about the issue and basically didn't care.
This is negligent. If they are running banking ecommerce infrastructure and are unable to deal with 101 security risks then it is absolutely negligent. The "it is too complex for the average person" isn't an adequate defense.
The only thing is that there has to be someone who lost something of real value for it to go to court as negligence does it not?
In your contact with companies you should say "Failing to fix this issue would be a violation of reasonably assumed security practices as required in LAW..."
Wouldn't the FTC want to know about this though, as this would be a great way to execute a pump-and-dump scam...
Obvious failure modes are exempted. Anyone can tell you about a bad bridge after it has failed. But it would take a bridge engineer to tell you that before it fails.
https://news.ycombinator.com/item?id=8960822#8963307
https://www.designingbuildings.co.uk/wiki/The_architectural_...
Also, your definition includes itself as part of its own definition, which is a circular definition fallacy.
According to what definition?
> Anyone can work in wood long enough to say "That wooden bridge looks like it'll hold X people,"...
I severely doubt that, given the complexity of trussed bridge designs [0]. There's a lot more to it than how much weight a 4-by-4 can support.
> ... and not have any way of conveying how they came to that conclusion...
If you can't transfer knowledge in a way that other people can independently verify, you're working in magic. If such a transfer is possible, but simply not possible for a particular person because they lack the tools, then that's a professional failing. For some reason, this state seems acceptable to you when we're talking about physics and complex loads. But could you imagine a doctor describing the appendix as "that thing sticking out where the long thin squiggly bit meets the short thick squiggly bit"?
> Also, your definition includes itself as part of its own definition, which is a circular definition fallacy.
You can't just throw out "circular definition is fallacy" and dismiss the idea. That itself is a fallacy -- "argument from fallacy". [1]
Yes, I use the word "professional" twice, but that's not necessarily a circular definition and especially not necessarily a fallacy. First, the two "professionals" are not the same person. The first mention of "professional" is an individual, while the second mention is a group. What I did is tie membership of a group to a conditional ability which is dependent on the group itself.
However, I did cheat a little bit. Because what I did not define is the individual ability necessary to meet that conditional. Because, of course, that changes depending on what group of professionals we are discussing.
For backup, let's look at a definition of malpractice [2]:
> a dereliction of professional duty or a failure to exercise an ordinary degree of professional skill or learning by one (as a physician) rendering professional services which results in injury, loss, or damage
In other words, malpractice is a professional doing something which such a professional should not do... Because the mere fact of a person being a professional implies that they should know better.
It's this same logic that I am using: A professional is someone who acts in a professional capacity, and understands the practices of such profession, and thereby is capable of judging whether another person understands and acts in a professional capacity.
[0] https://en.wikipedia.org/wiki/Truss_bridge#Truss_types_used_...
[1] https://en.wikipedia.org/wiki/Argument_from_fallacy
[2] https://www.merriam-webster.com/dictionary/malpractice
The dictionary's.
> You can't just throw out "circular definition is fallacy" and dismiss the idea.
Your definition was illogical, and I dismissed it, so yes, I can.
I'm pretty sure the correct reaction on my part here is:
Good day, sir.
PS: and if you want an advice by a lawyer that accept liabilities for its counsel just pay for it, because that is the only way you get it.
In the first case you have extinguished a right that could be used against you. In the second case you have obtained nothing more than the illusion of safety.
[1] http://www.jstor.org/stable/1321438
[2] http://onlinelibrary.wiley.com/doi/10.1111/j.1468-2230.1964....
Edit:googled some more and it appears that continued employment as sufficient consideration is different on a state by state basis and isn't firmly set in stone yet
If a contract doesn't outline consideration, and the jurisdiction requires consideration, then the lawyer writing the contract was not very good at their job...
[0] https://news.ycombinator.com/item?id=14167805
You, sir, have unfortunately failed that test.
A contract is what lets you sue someone over a private transaction. That's what it does, that's all it does. If for whatever reason you're not willing to bring a contract dispute to court, then your contract doesn't do anything and you wasted your time writing it. Contract = right to sue for breach of contract.
In order to sue someone, you need to be able to describe what damages have been done to you. The goal of a lawsuit is for the responsible party to 'make you whole,' i.e. pay you back an amount equal to the damages done to you.
In a contract dispute, the 'damages' of breaking the contract is equal to the 'consideration' of fulfilling the contract. In other words, the promised consideration is the actual thing that you can sue over.
If there is no consideration, then there are no potential damages, and there is no potential lawsuit. And since the only point of a contract is to enable a lawsuit, a contract that doesn't do that isn't a contract.
This is categorically incorrect.
Damages for breach of contract are supposed to put you back in the position you'd have been in had the contract been performed. It's not related to the value of the consideration.
Consideration is one of the things needed to make a contract binding in English law (along with offer & acceptance, and "intention to create legal relations").
Jurists still debate the rationale for consideration, but the best answer I've found is that contract in English law is seen as an exchange or a “bargain”. There is no gratuitous contract, donations are not contractual right.
By comparison, a contract under French law is based on "consent of the parties" and the theory of individual autonomy. There's no requirement for consideration.
In a "mutual NDA", consideration is easy to find; each party agrees not to disclose confidential information disclosed by the counterparty.
Another way to make an agreement binding without consideration is to sign it as a deed.
https://blogs.warwick.ac.uk/anneprudhomme/entry/consequences...
I don't think mutual NDAs are typical. Typically, you sign an NDA prior to receiving information. So the consideration for signing the NDA is receiving the information that you agreed to not disclose. If you already have that information, then that's no longer valid consideration.
In this case, the reporter already knew the security vulnerability, so that knowledge could not be considered consideration. The bank would have needed to offer something else.
If I say, "I'm going to give you some apples in six months, after the harvest" and then there's a blight and I don't actually end up with any apples, society (at least in America) decided that I should be able to just say, "Oops, sorry, I'm not going to be able to give you those apples after all" and be done with it.
On the other hand, if I say, "I am going to sell you some apples in six months, in return for $100", American society collectively decided that I'm on the hook to get you those apples, regardless of whatever difficulties should ensue.
Also, you have to ask why someone chose to sign a one-sided contract. Was it signed under duress? The court shouldn’t enforce that. Was it a gift? The court would rather not get involved with enforcing every casual promise!
Yes, that is exactly right.
> doesn't seem like a gain
Why not? If you don't think that's a gain, why are you wasting your time doing the interview in the first place?
A chance for employment (over an outright dismissal) is a recognizable gain.
You are however, free to decline with the appropriate consequences.
Worth noting that just because it doesn't stand up as a contract doesn't necessarily mean a claim can't be made under breach of confidence (I doubt it would be applicable here, but just pointing out that contracts aren't the only form of legal protection provided to confidential information).
Definitely not. The bank did not disclose the vulnerability to him, he discovered it on his own. He had absolutely no obligation to the bank.
This contract might actually be egregious enough to warrant an unqualified declaration of invalidity, in which case you should go the other direction and overstate your case with conclusory statement and some word like "clearly" or "patently". "This contract is patently invalid!" and then explain why.
This isn't even an IP question!
P.S. It might be of limited correctness, only in some states, in the USA. I'd suggest you don't talk people into signing perfectly valid contracts hoping for an unlikely loophole.
You'll see what a contract needs to be valid during these courses. There is simply nothing about both parties requiring to gain something.
http://www.nolo.com/legal-encyclopedia/consideration-every-c...
The point stands. Your link doesn't infirm what I said.
LOL. Res ipsa loquitur.
A good bunch of things taught in a contract law class are subtly wrong even for a very similar neighbouring country (in EU it's now getting a bit better because of harmonization efforts) but common vs civil law changes pretty much everything.
And a semester in contract law is not really much expertise - any MBA with a semester in USA contract law would have much more relevant expertise than us Europeans talking.
You think you are qualified to determine ANYTHING about US contract law when you've taken a single semester in contract law related to an entirely different country?
By your logic I am basically a Astronomer. Except mine is more relevant since astronomy is the same regardless of where you take a "whole semester" of it.
There isn't a bright line rule.
But even if we are allowed to infer consideration, and I agree with you that we are, this contract isn't simply lacking the terms of consideration. It doesn't appear to contemplate consideration at all, which in my experience, is unheard of for these types of agreements.
Without going into the extreme details of this case. Being "considerate" in legal jargon is much more subtle than "both parties have to gain something" in engineering talk. Determining the consideration can be as hard as a NP problem, to speak in engineer :D
Back to my original point: Let's not talk people into signing perfectly valid contracts, hoping for a loophole because it didn't look nice enough to them!
But that would depend on the specific jurisdictions case law on contracts and then how the judges reading the contract.
If this were my client and he got some kind of consideration, I'd tell him to treat it like a valid contract. Though I'd trying to poke holes in it during litigation. But litigation is losing 9 out of 10 times, even if you win.
I am not saying no one has damages, but if 100s of people had damages, I expect something would have happened...
>Also their engineers made it clear that unauthorized transactions like this and later shown below would not be distinguishable from other legitemate transactions.
>Also their engineers made it clear that unauthorized transactions like this and later shown below would not be distinguishable from other legitemate transactions.
If you kept buying and selling on that account, including with the supposedly-hacked-purchased shares, you'd need to explain why you didn't bring it up until now.
With sufficient preparation it's likely, that the bank (and prosecutors) wouldn't be able to prove that crime beyond all reasonable doubt, and he wouldn't be convicted for it, but it still carries a risk that they could prove that (e.g. by forensic analysis of his computer) and he'd go to jail.
Furthermore, even if he manages to prevail in the criminal case, in the civil case (where the criteria is less strict) it is quite likely that after reviewing all possible evidence they'll manage to get to the correct judgement that the "unauthorised trades" claim was false, thus not getting him anything anyway.
> Also their engineers made it clear that unauthorized transactions like this and later shown below would not be distinguishable from other legitimate transactions.
They don't have to prove that it couldn't have been someone else, they have to convince the court that it's more likely than not. Motive matters a lot - if there's some way how that transaction would have been useful for a fraudster (i.e. if it was a money transfer to them), then it's one thing; but if there's no indication of why someone else would want to make the fraudulent trade (which is the case for most stock purchases/sells) and a clear motive why the claimant would want the trade to be reversed (i.e. the stock buy seemed good on that day but turned out to be bad afterwards) then if there's any technical evidence whatsoever pointing towards the claimant, it's hard to be convinced.
If data shows that the transaction is e.g. done from some Starbucks and local security cameras show the claimant near that Starbucks at that time, it's probably not enough to get a conviction but likely enough to make them lose the civil claim.
The criminal case would be expected to get much more evidence than an ordinary civil claim, so they'd likely wait for its results and use everything that the police/prosecutors gathered to dismiss their civil claim.
Again, the IP address would obviously be associated with him and the browser because that's how the vulnerability works. The attacker just has to get the victim to visit any website with a browser which has the cookies for the bank. So proving that the user's browser/machine/IP made the request does nothing to show that the user did so intentionally.
> Motive matters a lot - if there's some way how that transaction would have been useful for a fraudster (i.e. if it was a money transfer to them), then it's one thing; but if there's no indication of why someone else would want to make the fraudulent trade (which is the case for most stock purchases/sells) and a clear motive why the claimant would want the trade to be reversed (i.e. the stock buy seemed good on that day but turned out to be bad afterwards) then if there's any technical evidence whatsoever pointing towards the claimant, it's hard to be convinced.
It doesn't have to be done by a fraudster. The motive for the attacker could simply be to fuck with people. They don't gain anything but satisfaction from the fact that they were able to successfully exploit this vulnerability.
In general, you make good points, they are believable and likely would be made if such a court case happened. In the absence of hard evidence, if they seem slightly more believable than whatever story the company presents, the claimant would win; if they seem slightly less believable, the claimant would lose. In a civil claim, the company needs to prove that it was authorised only just as much as the claimant needs to prove that it was not, it's a somewhat symmetric contest - simply claiming "I didn't authorise it" is effectively countered by claiming "Yes you did", and simply moves the discussion on to further investigation.
The motive could be just a prankster messing with people, but it's a lot less convincing motive than an obvious benefit. If the transaction is one where you clearly lose money and someone (possibly anonymous) gains it, it's easy to make the case that you were hacked. But, for example, if the claimant had previously unsuccessfully complained to the company about the theoretical possibility of such vulnerability, and then complained that a seemingly random transaction is unauthorized, I'm fairly sure that any decent lawyer would successfully convince the court that "a prankster did it" is comparable to "the dog ate my homework" and it's a bit more likely that they orchestrated the claim themselves to mess with the company. Getting 51% of belief is preponderance of evidence, and sufficient in a civil trial.
And in any case, all this wouldn't be "simply claim" - seriously making such a claim would require a significant investment of time and money from the claimant. It's not something most people would do for fun. Some would do it to make a point, but that's quite a niche hobby.
What is he trying to say here? How on earth would it be possible to execute the url in the context of your zecco cookies unless it's openend in a (browser) in which you've logged into zecco?
On a similar note, your web mail could fetch images in emails ahead of time, but that would still be out of your browser's context
The pre-fetching will use the user's context (and cookies) because it's executed by the user's web browser.
"Sign this NDA or we will send the FBI to arrest you because you found that our banking website's security was completely fucking broken and told us about it." Jesus fucking christ.
The researcher is lucky that TradeKing believed their NDA trick was sufficient. Even if the case here is weak, and I wouldn't necessarily assume it is, it would still seriously damage the researcher's life.
Here's how it goes when you get sued by a big company. Their lawyers essentially have a heyday doing everything possible to obstruct and delay the process so that they can maximize their time on the corporate teat. It will go on for years; they won't mind because it's business as usual for them, and they're getting paid big bucks to torment you. Your life will be ruined: assets seized pre-emptively, reputation and credit destroyed, inordinate quantities of time consumed by legal research and tedious paperwork, struggling (if not immediately blatantly failing) to keep your incompetent counsel paid at $250/hr and meet the retainer, and eventually failing to file some document or pay some fee that will cause the court to enter a default judgment against you and permanently confiscate everything you own, leaving you with the albatross of a massive outstanding judgment waiting to be enforced, bank accounts garnished any time you get any money, etc. And that's the short version!
And then guess what -- if, by some miracle, you don't lose in the first round, this whole process will repeat as they file appeal after appeal. Hunker down because the proceedings will last at least 5 years.
The corporate lawyers will be able to justify all of it to their clients without blinking an eye, who probably forgot that they even asked them to sue you. Everyone at the company and the law firm will go home and sleep soundly on their piles of money, and you'll have learnt your lesson that trying to stop the subterfuge of an online trading platform is a terrible offense.
Good reading: http://www.nissan.com/Lawsuit/The_Story.php
IANAL.
IANAL though.
Companies that run formal bug bounty programs (either directly or through a third party like HackerOne) show some recognition of this and some goodwill, especially those that include payouts of five figures or more, but those companies have to be careful that they don't accidentally create an environment where bidding wars between exploiters and companies are legitimized.
Why not? Yes prices can become high, but isn't that the work of the researcher? If the company doesn't want to have to purchase expensive bounties, they can either reduce the exposure (less legacy code, fewer APIs, more firewalls) or use more strict security rules.
I'd feel safer if LastPass' bounty was higher than the value of the assets I put in that vault. If the value of a single vault (mine, actually) is $10,000 and the bug bounty is $2500 (which it is), how can we persuade discoverers to sell to LastPass?
Otherwise, in court I'll be happy to defend myself. If it is necessary to spend time to defend yourself then that is a blessing. I have successfully sued the government (the US Army and Veterans affairs, no less) http://www.gao.gov/docket/B-413723.2 when they do things wrong. Just be persistent and be right. Then we came out with a nice settlement. Sorry GAO used to publish fulltext docket outcomes but I don't see it here.
Fuck Nissan. (Can we curse here on HN?) Because their cars suck and because of this case that I am well aware of. The sad thing is that Mr. Nissan spent so much money in defense. I should hope that he would be able to be more effective with less money.
Now, in 2017, he flouts the NDA and acts in the public interest.
For example, if you'd stolen millions of credit cards in 1983 you'd have a special session of Congress dedicated to going after you, whereas now we (rightly) blame Target.
[EDIT] I decided to log in today just to see if it's still there (was a couple days ago), and it's finally been patched. If I had used a throwaway I would gladly let you guys know the bank, but I won't since it's trivial to find out who I am from my handle.
Although I guess it could help align customer and business goals, since no one wants to lose money
Before writing his blog-post, he short-sold a bunch of Lumber Liquidator stock and made tons of money during the fallout.
http://www.pcworld.com/article/3155990/security/stock-tankin...
I don't have a problem with MedSec making money by shorting St. Jude's stock (that seems to align incentives to take care of security issues as early as possible). But if MedSec publicly disclosed specific, exploitable vulnerabilities (I'm not sure about specifics from the article), they shouldn't be able to hide behind the "doing what is best for the consumer" argument. It's definitely a clever business hack, and that's alright, but the fake sense of moral superiority isn't.
It's public information.
Now if someone who works at the bank had told you about it, you'd be in a lot of trouble.
I'll admit that viewing the source code and noticing this link would be a stretch, but I wouldn't necessarily expect it to be a slam dunk for the researcher, especially if he had assented to the site's ToS (and since he had an account, it seems that he had).
At this point, I imagine he could be in all sorts of (primarily civil) trouble for the disclosure that he just made. He may be protected under some type of financial whistleblower law, but I wouldn't hold my breath.
BOOM! And they've been harsh on hackers for a long time. So, the vulnerability must not require violating access controls or system integrity to be safest. Hackers should be in the clear if it was simply noticing something in HTML/HTTP or whatever that indicated insecurity. An example might be a breakable cipher-suite or handling sessions improperly.
1. conspiracy to access a computer without authorization
2. fraud in connection with personal information
This is because Goatse Security not only noticed the vulnerability itself, but because they wrote and executed a script called the "iPad 3G Account Slurper" to iterate over ICC-IDs, returning the associated email address for each one.
Executing the script against AT&T's servers probably is a bona fide violation of the CFAA, not just a conspiracy, but I would guess it's simpler to bring the conspiracy charge since you don't have to get into the nitty gritty of actual requests made, etc.
According to the complaint, they proceeded to email a handful of notable people whose emails had been harvested, including someone on the Board of Directors at News Corp. All of these contacts appear to be media outlets. The Gawker article also lists some of the people whose email addresses were extracted this way (without disclosing their emails).
I'm assuming this direct communication to journalists and/or execs at journalism outlets gives rise to the fraud with personal information charge.
Overall, I don't think that weev did anything that I wouldn't have necessarily have done if I were in that situation (trying to drum up attention and make a name for his consulting firm), but it's different from this disclosure because as far as we know, this researcher did not actually exploit the vulnerability and he has not obtained or disclosed any information from doing so.
Again, not a lawyer.
[0] https://www.eff.org/document/criminal-complaint
If you short it, at least you might make some money to offset any pending lawsuit. There's plenty of examples of people doing the same thing to fall back on, such as the guy who found out a newly listed company wasn't actually real[1].
1: http://www.npr.org/2015/01/30/382587945/winning-at-short-sel...
But would this case with the bank be different because the vulnerability, unlike formaledehyde, could be actively exploited? Encouraging a stock price to fall because of bad practices seems alright (like the LUmber Liquidators example), but if in the process you become an accessory to smaller-scale fraud against individual account owners, is it still "alright"?
That said, technical glitches tend to not affect the fortunes of companies nearly as much as we (the HN crowd) think. Tradeking had the glaring vulnerability outlined in this article for years, and they are doing just fine.
I think the point I'm getting hung up on is that the bank's stock price could drop for two reasons: bad PR due to the glitch, and/or falling financials due to fraud perpetrated as part of the glitch. I can completely understand a hedge fund trading and making money off the bad PR. But if (hypothetically) the bank lost a ton of money by hackers liquidating user accounts or, worse, making leveraged bets [before everyone checked for that sort of thing ;)], and the hedge fund knew there was a reasonable chance that the malicious activity would occur based on the newly disclosed information, would they have liability there? (from the theft/fraud perpetrated against the bank, not the drop in stock price)
But general public disclosure of a vulnerability, and/or trading on the anticipated effects of public disclosure, is not illegal. It likely won't win you friends in the IT community, but it falls short of an indictable offense.
http://www.pcworld.com/article/3155990/security/stock-tankin...
A company discovered vulnerabilities in some medical devices, then shorted the stock of the company before disclosing them.
Hm, I recall the Comodo hack. I think it Comodo was hacked twice or more times that year. It won many rewards and continued leading the CA space. The market did not work apparently...
The other end are buyers. Most of them don't know what to expect for security or how to evaluate it. Most attempts to solve this failed. They've been conditioned to expect constant hacks, crashes, or data loss. So, they see Comodo etc get hacked and shrug. They'll usually stay if their end of whatever they bought works. The sector that will pay for highly reliable or secure software is probably under 1% of the market or projects. It's enough companies keep forming to do real thing but tiny, tiny few struggling to justify the extra costs or less features necessary for higher security.
I'm a happy user of N26. I very, very highly recommend it to all european customers. I'm never dealing with shitty bank service again. https://n26.com/ (Email me if you want a referral invite).
It's people like you who keep companies like that in business and encourage such atrocious activity.
https://www.reddit.com/r/personalfinance/comments/66n4li/i_j...
C-mp-t-rsh-r-: your website's trash and you should be embarrassed with yourselves.
When in doubt, people, call your attorney.
More easily, my profile on my firm's website: lawyernamedliberty.com. I'm fairly easy to get in touch with.
Oh, new bank? Just assume it's your bank, and do whatever you would do next.
Or, you know, poor people.
My bank (arguably) condones use from public computers by asking me if they should "trust" the computer I'm on.
I think it's totally fair to reject an NDA but I don't blame him for fearing an overzealous reaction on their part. Even being on the right side of criminal and civil law, you really do have to be willing to spend time and money to mount an affirmative defense.
Edit: looks like this could be possible without getting into trouble depending on the state you're in: http://lifehacker.com/5491190/is-it-legal-to-record-phone-ca...
Second, those beeps probably exist to reinforce that the audio is unmolested. A beep every 5 seconds means you would have to cut audio in five-second increments, which is not likely to be convenient to whatever segment of audio you actually want to cut.
I mentioned it because someone working for a big organization and making a lot of interstate calls probably hears these beeps all day and would be less likely to protest than if someone verbally announced that they're recording the call.
If so, as you point out it seems like an interesting way to avoid having to announce the recording to those not knowledgeable.
EDIT: I don't know how reliable this site is, but it seems to indicate the recording beep is sufficient for notification, but not sufficient for consent, which makes sense.
http://www.justanswer.com/criminal-law/5dj81-question-record...
It bothers me a lot when services, such as Google Voice, announce to all parties that such recording is occurring.
Google is based in California. There is a good probability that the act of recording occurs there. California is an all-party consent state. Also, even if the recording isn't happening in California, it's potentially tricky to be sure that no party to the call is in California (even numbers assigned to landlines don't assure that the person ultimately connecting is in a particular place.)
It's completely legal to record a phone call in Canada as long as you are a party to that conversation. However I still cannot find an app for my Android phone to do this.
A $50 misdemeanor fine for unlawfully recording a phone conversation, may well be a small price to pay - if the content of that recording can successfully protect you from a potentially bankrupting civil case.
And you always have the option of not disclosing the recording if that is your lawyer's recommended advice.
It doesn't matter how we regard CVEs as a community, this is the truth of the matter outside of it. We're handing them over a bomb, and they want to know why. It feels very Spy vs Spy to me, as silly as that sounds.
I tried reporting it to the credit card, and to the issuing bank, and to the FBI. The only thing I asked was that they cancel the credit card accounts and put a "potential fraud source" note on each customer's account. Each party I called was more concerned with threatening me, and trying to find out what kind of criminal angle I was playing, and what my ulterior motive was, etc etc. I honestly expected to hear "Oh dang, that sucks, we'll close the accounts and contact the victims", and was depressed at the hostility I encountered.
That's pretty much trying to shut down business with their customers. You don't see how they'd interpret that as hostile? Future actors would know how to apply similar techniques if the outcome was in their favor (e.g. Anonymous suddenly produces a large file of cc#'s and threatens bank!)
> The only thing I asked..
In fact, why were you making demands about how they handle their customer relationships, instead of simply presenting what you'd found?
You're basically saying "academics can derive your social security number using public information!" And wondering why they don't reissue all of the SSNs...
>You're basically saying "academics can derive your social security number using public information!"
No, I'm saying that if my name, social, DoB, mother's maiden name, and credit card number appear online in a csv file with 200 other people's personal information, I'd really appreciate it if my credit card company would take proactive steps to keep my accounts secure.
I'd be annoyed if my bank didn't do something.
So again, how is saying "You should take action to protect your customers' data" a threat? How can it be interpreted as a threat? What is threatening about it?
That's not how credit cards work. You close that account, transfer the balance to a new card, and issue it to them in the mail. I've done it a half dozen times, and my CC company is only out for odds and ends like postage and stamping a new card.
> In fact, why were you making demands
I wrote "asked", and then you pasted that, and misquoted it as "demanded"? If you hadn't included my quote, I'd accuse you of dishonesty, but now it's just weird.
I asked them to proactively protect their customers, because my grandfather had been through hell after his identity was stolen, and I wanted to do my best to protect other people from the same.
Why should we be strictly ethical in the face of behavior that is unethical? We deserve protection, too.
[0] https://krebsonsecurity.com/about-this-blog/
Motivation was clickbait and/or fear that people would not understand the latter.
file:///Users/fulldecent/Desktop/2008-10-27%20Will%20Entriken%20NDA%20Final.png?lastModify=1492757183
https://archive.fo/8ZpDJ
I would like to migrate to my own domain with Jekyll or something. But I would not look forward to implementing commenting and trackbacks even though the blog is pretty modest any way in terms of using those features.
No bug bounty but oh well.
Heh.