Is it just me???
"An error occurred during a connection to archive.is.
archive.is uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site."
The employee probably was too public about the issue instead of just going up his manager hierarcy. That's the professional way to do it (and if it doesn't get addressed, there's nothing more he can do).
That's the professional way to do it (and if it doesn't get addressed, there's nothing more he can do).
I'd argue that if your boss is refusing to act on a serious security concern you have a moral duty to take it further up the hierarchy yourself, and to (responsibly) disclose to the government/public if the company won't listen. Shrugging and saying "Well, I tried!" isn't good enough.
I agree - looking at the organizational directives I've worked on creating during my career, many specify that if you supervisor/manager/director does not act on an issue that is critical, that you are empowered to continue ahead and/or request followup.
There are more things and nuances specified, but the idea of "this is critical, but oh well my manager ignored me... nothing more I can do." doesn't seem to breed organizational success. (By no means I am advocating for insubordination per se.)
I was also talking about going up the hierarchy, but I'm afraid that he went to other bosses that made his division look bad.
I would never go public without going to a lawyer first, and getting enough proofs (emails) that I did everything I could to raise alert in a responsible way inside the company first.
Edit: after rereading the article I thing we just don't have enough data to know how things happened exactly.
With a company like VW (who has used engineers as scapegoats in the past), I'd just want to make sure there was a paper trail that indicates I did the right thing. Then I'd feel okay letting the business making the final call.
I once caught a director (my manager's manager) maliciously meddling with prod servers at a medium sized SV tech company, and "professionally" reported it to HR. I was sacked, but after they generously compensated me for signing an NDA. Years later, I found that the director in question still works for the same company, albeit as a senior director. :)
> That's the professional way to do it (and if it doesn't get addressed, there's nothing more he can do).
This first part of this is correct (first try through your reporting structure).
The second part is incorrect - it is precisely unprofessional to decide there is nothing more that can be done simply because your manager didn't act, which is what it sounds like you are suggesting.
Details always matter of course, but "well, I tried" is rarely going to be good enough.
I mean you have to make the decision as to whether the issue is serious enough to be worth losing your job over, and potentially being blackballed. That's a pretty tough call for most IC engineers who have bills to pay and maybe a family to provide for.
Edit: I see the title indicates the person was a "senior" employee but I don't know what that means, since I can't read the article. Perhaps he/she was more than an IC.
> 1. Engineers shall hold paramount the safety, health,
and welfare of the public.
> a. If engineers’ judgment is overruled under circumstances that endanger life or property, they shall notify their employer or client and such other authority as may be appropriate.
While of course it could truly be for unrelated reasons, the direct response from VW is inconsistent with a company trying to change a culture of coverup and fraud:
>VW said the information provided proved to be “irrelevant” and that “the employee was terminated due to fundamental differences in the way we work together”.
Better PR would be something like "While the reported issue turned out to be a misunderstanding, we appreciate and encourage all employees to speak up if they have similar concerns. Our separation from the employee was in no way related to their reporting of that incident - if anything, it was a mitigating consideration."
I am not sure that you can change a culture without firing thousands upon thousands of people.
At a minimum, you are starting with a bunch of people who default to cheating and lying as a solution to problems. You can put in new barriers to it, but these people are skilled at beating barriers.
I say this as a cheater and a liar.
It also doesn't help that careers with companies are so short. I have no stake whatsoever in whether a company I work for succeeds long term or not. Just want a nice resume line really.
I really appreciate the honesty that can be obtained via anonymity. It might be interesting to have honest discussions with "bad" people, but most of them appear either not self-aware, or refuse to be honest about things.
People distinguish heavily between intentional and accidental harm to them, so lacking self awareness is a survival mechanism.
I have worked for a company that had a data breach.
- If I said in the post mortem that I didn't report the issue as it was more work and I could not be bothered, people would be enraged, but beyond the yelling, I would probably survive in that role.
- If I said that I didn't report the issue as I wanted to seem like a hero when I fixed it (real thing my boss did from my days at another company), I would be fired.
- If I didn't report the issue due to not knowing the right channel, they criticize my lack of initiative, but it is understandable.
- If I did not report the issue due to not knowing about it, I am blameless.
You cannot admit to being a bad person without taking a lot of flack.
That's why people don't admit it to those affected. I suppose strangers chatting at the bar will be more likely to admit wrongdoing, but they are often still worried about judgement. So the only place they can completely admit things is where they're totally anonymous and that's just not the same - nor as interactive and engaging - as real life.
Interesting. I've definitely seen such people, but not often.
In my experience the people I've seen self-label this way (in a non-anonymous way) do so because they think it reflects well upon them (it's 'cool', demonstrates intelligence or superiority, etc.). It is usually the limit of their self awareness and they are never outwardly conflicted. My inner arm-chair psychologist thinks it stems from varying combinations of insecurity and lack of empathy.
Seems like more of a British thing. They're also IMHO more willing to take an honest ribbing over screw-ups without getting all pissy. They take it and dish it out.
Don't be silly, everyone knows the best way to stop fraudulent cover-ups is to make sure there's no discoveries to cover up in the first place, and ensure everyone who would make such a discovery is fired or cowed into submission before anything can be investigated at all! /s
(In seriousness, that hypothetical PR statement is one of those sentences that makes you reflect on the power that messaging has. It also means that you can't trust a PR-driven image on the culture of a company!)
At a past employer, this was a lot of the reason for a lot of the things we did. If we looked, we were accountable. If we were ignorant, that was sufficient defence to our bosses and their bosses.
I've been in a similar situation. To put it mildly, it's very hard to have a respectful professional relationship with someone who "should know better."
IE, it's hard to have a professional relationship with an experienced engineer when I need to explain things like "never trust the client because a hacker will 0wn you with Curl."
I suspect that VW has someone who's been there a long time, who is a "lead," and just doesn't understand basic security concepts. Some newcomer challenged them, and it probably grew unprofessional. It speaks poorly of their management if they need to terminate someone in a situation like this.
It's also possible that the senior employee was raising false issues and wouldn't let it go. Or he was being very unprofessional about it.
We just don't know. (Can't read the article because of paywall.)
It's like divorce. I know many, many people who've been divorced. The story from one party is usually very, very different from the story from the other party. Who knows what the actual truth is.
Something to keep in mind is that when a breakup is a corporation vs. an employee, then the former has vastly unequal PR resources.
A bit different from two ordinary individuals.
I think there is a bias a lot of people have towards believing the organization, because the idea that bad things happen to decent people is discomfiting.
I hate the phrase "just world fallacy", it's not a fallacy, but it's certainly unpleasant to contemplate misfortunes that could happen to you, or me.
Experience with corporate litigation will change your opinions on whether individuals or organizations are more to be trusted.
I've been cheated by individuals far more than by corporations. I've also been involved with corporate litigation with a company that cheated me. (I won.)
To put it mildly, it's very hard to have a respectful professional relationship with someone who "should know better."
Then leave. That's your only recourse.
Even if you think all the people around you are fuddy-duddies and "should know better" - that's no need to resort to tones of exasperation and condescension. You probably figured out pretty early on what the environment was like -- and for whatever reason, you made an adult decision to stay in that environment. When someone around you doesn't understand something -- just explain it to them with respect. And yes, patience. You're there to help, after all.
Or maybe you're not. In which case you should just leave.
Only if the culture over values conflict avoidance. By other management philosophies, it is preferable to encourage (healthy) conflict, which can include waves of emotionality which can be uncomfortable for many people. It's a business, not a therapy zone, so that seems like an occasionally appropriate tradeoff.
Whether it's "goodness", naiveté, or simply ignorance, in the end it's the result of cognitive dissonance - they've built a worldview where such perversion/evil doesn't exist (or is contained or warded by "good") so explaining to them their worldview is flawed takes a lot of effort that they will resist changing. Even those who seek to change find it difficult.
Many people for whom factual truth is anathema to their self-esteem.
> I suspect that VW has someone who's been there a long time, who is a "lead," and just doesn't understand basic security concepts. Some newcomer challenged them
I worked in Automotive for quite a while, and this wouldn’t surprise me. A lot of the roots of my company was mechanical engineering, and software at the time was very secondary. It was changing rapidly (and positively) over my last few years.
They are trying to hire 2000 more employees in software and electronics. I don't know why you would want to work there when they might fire you for raising security issues though.
It's really easy. You take interns in so you can teach them the things you want them to know and the procedures you want them to follow. Those who don't fit, you cut because "there was no cultural fit".
This way you have hordes of "software engineers" who don't raise such matters. Maybe that's the reason why those German companies find it so difficult to hore external experienced consultants?
R&D is always a cost center ironically. It is such a stupid classification that has established itself. More strictly only the sales team would be a profit center. But even customer service has to make a profit today with selling maintenance and upgrades. Of course they will be more reluctant to replace anything.
As if this segmentation would improve cooperation between departments if every department is their own little mini company.
Software development is a cost center everywhere except at actual software companies, where it is instead "production" with "deliverables", considered like the kitchen in a restaurant.
So now companies that do other things are calling themselves software companies so that their software development will not have to be a cost center. Or "technology companies", as Bloomberg, e.g., which delivers financial news, calls itself now.
It is deeply stupid, but entrenched. I don't know how software stands at SpaceX, which is a "technology company" that, nominally, makes rockets. Is the software that runs in processors physically on board a rocket production, thus a profit center, while the stuff that runs on the ground is facilities, thus a cost center?
Cultures like this are why I no longer bother with doing anything close to worthwhile code review. I would rather the defect be reported by a customer, as you cannot make their life difficult. You can make mine difficult though.
Yet another way companies encourage me to do the bare minimum.
> You ought to be able to search something on Google and get an answer to your question without signing up for some newsletter.
Why ought you? That sounds not only incredibly entitled, but also extremely one sided. The world isn’t being created for your convenience and wallet. It would be better if the bias was explicit, like “I would prefer to be able to get all information free of charge,” in which case honesty and audacity are clear.
This reminds me of the old hacker cry “information wants to be free,” which of course anthropomorphizes information and hides the bias, which is the hacker wants all information independent of everyone else’s concern.
If you want to put content behind a wall of some kind, that is fine. You can't expect to have it be indexed in search. Having it show in search results while having a wall in front of it once someone clicks is a bait and switch. You can't have you cake and eat it too.
> You can't expect to have it be indexed in search
Why not? This is just as entitled a thought as the original quote from GP. Search engines aren't a public service. Neither is The Financial Times.
There's nothing that explicitly requires every single page that a search engine displays to be accessible by the user. There isn't even an internal policy within Google and other engines that would uphold that expectation. It might be a shitty user experience, but that's on the search engine and the resulting site to deal with.
Clearly, the FT has enough subscribers to be able to "lose" customers behind the paywall. And clearly Google isn't interested in cleaning up results to not include paywalls. So it seems they've both weighed the pros and cons and chose to continue with it. Who are we to tell them otherwsie?
The "ought" can be taken quite literally with an appeal to Kantian ethics and the categorical imperative. Can you universalize the sentiment that your special snowflake information site deserves users registering and signing up for a newsletter? There are at least millions of such sites out there and each user will encounter tens if not hundreds of thousands over a lifetime of browsing and searching the web. No user can possibly maintain hundreds of thousands of unique registrations and subscriptions or read that many newsletters.
The only universalizable alternatives are platformization of everything, so people maintain registrations at Instagram, Pinterest, and Facebook and those are now the only information sources accessible to anyone, or sites that contain information allow at least some of it to be accessed without requiring a registration or subscription that is unique to their site. Potentially some sort of universal SSO could solve the problem, but it would require universal buy-in from individual sites and would make privacy virtually impossible.
Note that offering such a thing, if a user decides your information content is really worth it after getting some sample and coming to trust and know you, is different from requiring it up front to see anything at all.
If you're appealing to some higher-level philosophical ideals, then that should be both identified and supported by argument. There's no real argument here, especially one that acknowledges the autonomy of the individual gatekeepers who possess the information you want, or acknowledgement that it costs them money to create such information that you wish to consume. It's a bit like saying 'education ought to be free, food ought to be free, health care ought to be free, and housing ought to be free.' Ok sure, that sounds lovely, but how? And if you method of how is simply stealing and cheating, well, then that's not so lovely, is it?
I doubt the scale that you suggest (especially the newsletter argument, which is typically free to sign up, rather than the monthly subscription that this site is really getting around), and if that was the case, then perhaps the solution is to find a better funding and browsing model that appeals to all rather than saying the solution is to circumvent against the information providers wishes. There have been various attempts so far from Apple News, Flipboard, Brave's browser, and briefly Google's micro-transactions for news, and we probably need more innovation in this space versus less.
Would you have made such an argument previously at the magazine stand? That no one could possibly buy all the magazines to get all the information? Just because Google's index and search is free doesn't mean the rest of the world ought to be.
I disagree in regards to it being listed in search results. I believe pay-walled content should get a hit compared to sources that are unrestricted or at least it should be tagged as such. Not condemning the practice itself, writers need an income too.
But if the google bot gets access to the content, I don't see why users should expect to be blocked.
You could improve the air quality to be better than if your car existed, if you weren't generating carbon pollution and were say removing pollutants from the air as you drive. In reality this would be really hard, but if you had solar powered car and removed nox or something. But then you get into the infinite tail of the energy and pollution used to make your car.
While Tesla is ramping up their finance and insurance businesses, VW is selling theirs. Unless VW is selling it so that they can rebuild their own operation from scratch, this is yet another example of big auto missing the point
Well, it could be argued that selling 75% of such a business to a major financial firm, is better than running it yourself, if you don't have the financial and IT staff to do so in a risk-mitigating way. It's easy to get into a ton of trouble quickly in finance and insurance. VW might or might not have done this for the right reasons, but perhaps handing this over to a financial firm is, in fact, the right decision (for them).
I was responsible for system security for one of our internal systems. I found a major vulnerability - SQL injection with full schema owner privileges on all our pages. So I went to the principle/dept head to see how they wanted to staff the remediation and which of the two proposals they wanted to go with.
I was told they have a near real-time backup system and it's only and internal system (that handles obscene amounts of money), so they didn't want to address this. I asked if we have any documentation about the restore process or how long it would take. Nope. Have they ever tested this restore process. Nope.
Nobody can prove anything to their employer. And, you don't owe them anything. So, sometimes the best that can be done is to leave them to fail without you.
It sucks, though, when it is a bridge you know will collapse.
Security at a lot of large SW companies is a farce - I remember working on a huge piece of software, that had millions of lines written by 1000s of people. Everyone knew it was swiss cheese that anyone with a clue could easily exploit.
The firm hired some crack cybersecurity consultant - who was probably in on the joke. The guy mulled over the software, and found some Rube-Goldbergesque CVE-worthy exploit involving timing attacks, privilege escalation and what not. It was an impressive find, and they probably tried to insinuate, that the software was this hard to exploit.
A week later, I was debugging some memory leak - it turned out the app was hanging on to some authentication state objects, which among other things contained the username and plain-text password of every login attempt. Now, the software also had a feature of writing memory dumps when it crashed - another thing that was not terribly difficult to achieve. So the attacker could just walk up to the public computer, click around a bit, make it crash, then copy off the resultant dump file, and see everyones credentials who ever tried to log in.
I was a junior guy back then. When I told my boss, he realised that this was so embarassing, that we just fixed it - no bug ticket, no formal announcement, no nothing. This software handled very sensitive data.
89 comments
[ 1.7 ms ] story [ 275 ms ] threadarchive.is uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site."
I'd argue that if your boss is refusing to act on a serious security concern you have a moral duty to take it further up the hierarchy yourself, and to (responsibly) disclose to the government/public if the company won't listen. Shrugging and saying "Well, I tried!" isn't good enough.
There are more things and nuances specified, but the idea of "this is critical, but oh well my manager ignored me... nothing more I can do." doesn't seem to breed organizational success. (By no means I am advocating for insubordination per se.)
I would never go public without going to a lawyer first, and getting enough proofs (emails) that I did everything I could to raise alert in a responsible way inside the company first.
Edit: after rereading the article I thing we just don't have enough data to know how things happened exactly.
This first part of this is correct (first try through your reporting structure).
The second part is incorrect - it is precisely unprofessional to decide there is nothing more that can be done simply because your manager didn't act, which is what it sounds like you are suggesting.
Details always matter of course, but "well, I tried" is rarely going to be good enough.
Edit: I see the title indicates the person was a "senior" employee but I don't know what that means, since I can't read the article. Perhaps he/she was more than an IC.
On the other hand, often there are lots of options between "do nothing" and "blow up my career".
> 1. Engineers shall hold paramount the safety, health, and welfare of the public.
> a. If engineers’ judgment is overruled under circumstances that endanger life or property, they shall notify their employer or client and such other authority as may be appropriate.
>VW said the information provided proved to be “irrelevant” and that “the employee was terminated due to fundamental differences in the way we work together”.
Better PR would be something like "While the reported issue turned out to be a misunderstanding, we appreciate and encourage all employees to speak up if they have similar concerns. Our separation from the employee was in no way related to their reporting of that incident - if anything, it was a mitigating consideration."
At a minimum, you are starting with a bunch of people who default to cheating and lying as a solution to problems. You can put in new barriers to it, but these people are skilled at beating barriers.
I say this as a cheater and a liar.
It also doesn't help that careers with companies are so short. I have no stake whatsoever in whether a company I work for succeeds long term or not. Just want a nice resume line really.
I really appreciate the honesty that can be obtained via anonymity. It might be interesting to have honest discussions with "bad" people, but most of them appear either not self-aware, or refuse to be honest about things.
I have worked for a company that had a data breach.
- If I said in the post mortem that I didn't report the issue as it was more work and I could not be bothered, people would be enraged, but beyond the yelling, I would probably survive in that role.
- If I said that I didn't report the issue as I wanted to seem like a hero when I fixed it (real thing my boss did from my days at another company), I would be fired.
- If I didn't report the issue due to not knowing the right channel, they criticize my lack of initiative, but it is understandable.
- If I did not report the issue due to not knowing about it, I am blameless.
You cannot admit to being a bad person without taking a lot of flack.
Ofttimes, I think the people most willing to self-label this way are those most aware and conflicted by their behavior.
In my experience the people I've seen self-label this way (in a non-anonymous way) do so because they think it reflects well upon them (it's 'cool', demonstrates intelligence or superiority, etc.). It is usually the limit of their self awareness and they are never outwardly conflicted. My inner arm-chair psychologist thinks it stems from varying combinations of insecurity and lack of empathy.
Seems like more of a British thing. They're also IMHO more willing to take an honest ribbing over screw-ups without getting all pissy. They take it and dish it out.
(In seriousness, that hypothetical PR statement is one of those sentences that makes you reflect on the power that messaging has. It also means that you can't trust a PR-driven image on the culture of a company!)
IE, it's hard to have a professional relationship with an experienced engineer when I need to explain things like "never trust the client because a hacker will 0wn you with Curl."
I suspect that VW has someone who's been there a long time, who is a "lead," and just doesn't understand basic security concepts. Some newcomer challenged them, and it probably grew unprofessional. It speaks poorly of their management if they need to terminate someone in a situation like this.
We just don't know. (Can't read the article because of paywall.)
It's like divorce. I know many, many people who've been divorced. The story from one party is usually very, very different from the story from the other party. Who knows what the actual truth is.
A bit different from two ordinary individuals.
I think there is a bias a lot of people have towards believing the organization, because the idea that bad things happen to decent people is discomfiting.
I hate the phrase "just world fallacy", it's not a fallacy, but it's certainly unpleasant to contemplate misfortunes that could happen to you, or me.
Experience with corporate litigation will change your opinions on whether individuals or organizations are more to be trusted.
But your first sentence sounds to me like "I've been walked on by mosquitos far more than by elephants".
On average, the elephants you meet probably won't be in the mood to bite or step on you. On average.
Then leave. That's your only recourse.
Even if you think all the people around you are fuddy-duddies and "should know better" - that's no need to resort to tones of exasperation and condescension. You probably figured out pretty early on what the environment was like -- and for whatever reason, you made an adult decision to stay in that environment. When someone around you doesn't understand something -- just explain it to them with respect. And yes, patience. You're there to help, after all.
Or maybe you're not. In which case you should just leave.
Only if the culture over values conflict avoidance. By other management philosophies, it is preferable to encourage (healthy) conflict, which can include waves of emotionality which can be uncomfortable for many people. It's a business, not a therapy zone, so that seems like an occasionally appropriate tradeoff.
Yes, it can seem to sort of work for a while. But over time, not so well. Resulting in burnout, and the desire to seek greener pastures.
Many people for whom factual truth is anathema to their self-esteem.
I worked in Automotive for quite a while, and this wouldn’t surprise me. A lot of the roots of my company was mechanical engineering, and software at the time was very secondary. It was changing rapidly (and positively) over my last few years.
This way you have hordes of "software engineers" who don't raise such matters. Maybe that's the reason why those German companies find it so difficult to hore external experienced consultants?
Two more words: "run away!"
As if this segmentation would improve cooperation between departments if every department is their own little mini company.
So now companies that do other things are calling themselves software companies so that their software development will not have to be a cost center. Or "technology companies", as Bloomberg, e.g., which delivers financial news, calls itself now.
It is deeply stupid, but entrenched. I don't know how software stands at SpaceX, which is a "technology company" that, nominally, makes rockets. Is the software that runs in processors physically on board a rocket production, thus a profit center, while the stuff that runs on the ground is facilities, thus a cost center?
Yet another way companies encourage me to do the bare minimum.
> You ought to be able to search something on Google and get an answer to your question without signing up for some newsletter.
Why ought you? That sounds not only incredibly entitled, but also extremely one sided. The world isn’t being created for your convenience and wallet. It would be better if the bias was explicit, like “I would prefer to be able to get all information free of charge,” in which case honesty and audacity are clear.
This reminds me of the old hacker cry “information wants to be free,” which of course anthropomorphizes information and hides the bias, which is the hacker wants all information independent of everyone else’s concern.
Why not? This is just as entitled a thought as the original quote from GP. Search engines aren't a public service. Neither is The Financial Times.
There's nothing that explicitly requires every single page that a search engine displays to be accessible by the user. There isn't even an internal policy within Google and other engines that would uphold that expectation. It might be a shitty user experience, but that's on the search engine and the resulting site to deal with.
Clearly, the FT has enough subscribers to be able to "lose" customers behind the paywall. And clearly Google isn't interested in cleaning up results to not include paywalls. So it seems they've both weighed the pros and cons and chose to continue with it. Who are we to tell them otherwsie?
The only universalizable alternatives are platformization of everything, so people maintain registrations at Instagram, Pinterest, and Facebook and those are now the only information sources accessible to anyone, or sites that contain information allow at least some of it to be accessed without requiring a registration or subscription that is unique to their site. Potentially some sort of universal SSO could solve the problem, but it would require universal buy-in from individual sites and would make privacy virtually impossible.
Note that offering such a thing, if a user decides your information content is really worth it after getting some sample and coming to trust and know you, is different from requiring it up front to see anything at all.
I doubt the scale that you suggest (especially the newsletter argument, which is typically free to sign up, rather than the monthly subscription that this site is really getting around), and if that was the case, then perhaps the solution is to find a better funding and browsing model that appeals to all rather than saying the solution is to circumvent against the information providers wishes. There have been various attempts so far from Apple News, Flipboard, Brave's browser, and briefly Google's micro-transactions for news, and we probably need more innovation in this space versus less.
Would you have made such an argument previously at the magazine stand? That no one could possibly buy all the magazines to get all the information? Just because Google's index and search is free doesn't mean the rest of the world ought to be.
"If your site pops a newsletter modal, I will leave. If your search engine rewards this behavior, I will not use it. Good luck pal."
But if the google bot gets access to the content, I don't see why users should expect to be blocked.
You could improve the air quality to be better than if your car existed, if you weren't generating carbon pollution and were say removing pollutants from the air as you drive. In reality this would be really hard, but if you had solar powered car and removed nox or something. But then you get into the infinite tail of the energy and pollution used to make your car.
I was responsible for system security for one of our internal systems. I found a major vulnerability - SQL injection with full schema owner privileges on all our pages. So I went to the principle/dept head to see how they wanted to staff the remediation and which of the two proposals they wanted to go with.
I was told they have a near real-time backup system and it's only and internal system (that handles obscene amounts of money), so they didn't want to address this. I asked if we have any documentation about the restore process or how long it would take. Nope. Have they ever tested this restore process. Nope.
Goodbye! Posted to a different team very quickly.
Nobody can prove anything to their employer. And, you don't owe them anything. So, sometimes the best that can be done is to leave them to fail without you.
It sucks, though, when it is a bridge you know will collapse.
The firm hired some crack cybersecurity consultant - who was probably in on the joke. The guy mulled over the software, and found some Rube-Goldbergesque CVE-worthy exploit involving timing attacks, privilege escalation and what not. It was an impressive find, and they probably tried to insinuate, that the software was this hard to exploit.
A week later, I was debugging some memory leak - it turned out the app was hanging on to some authentication state objects, which among other things contained the username and plain-text password of every login attempt. Now, the software also had a feature of writing memory dumps when it crashed - another thing that was not terribly difficult to achieve. So the attacker could just walk up to the public computer, click around a bit, make it crash, then copy off the resultant dump file, and see everyones credentials who ever tried to log in.
I was a junior guy back then. When I told my boss, he realised that this was so embarassing, that we just fixed it - no bug ticket, no formal announcement, no nothing. This software handled very sensitive data.