
Approaching Lost Clients About Security?

Cliff posted more than 12 years ago | from the a-good-approach-or-sour-grapes dept.


mgkimsal2 asks: "As a development shop, we win some bids and we lose some bids for various reasons. What we've found when following up with some prospects which we didn't win is that the development shop they went with has them on ASP/NT servers, with security holes up the wazoo (visible source code, passwords, etc) exposing these clients to massive risk. Example: I just saw a company with 500+ employee records accessible to anyone who feels like connecting to them with SQL Server Enterprise Manager. Hire dates, fire dates, SSNs, the works. Should we show these companies how easy it is to get in, and try to win them over as a client? Or just walk away? I've read some heated debates about this - if you break in, even as a demonstration, you're a criminal. But how do you show people they're in danger? Alert the current webmasters? In this particular case it did no good - we were accused of being sore losers! We can't be the only people going through this sort of dilemma." The key here is approaching the company in a way that lets them know you are serious and not trying to spread lies about your competitors. If anyone here has been in this position, your thoughts would be appreciated.


296 comments

For the love of god be careful! (1)

Anonymous Coward | more than 12 years ago | (#231903)

You need to be *absurdly* careful how you handle this, as you can get your ass sued in two seconds flat.
Do not probe the security of your competitor; if they notice, they can sic the FBI on you. Probably the best you can do is to analyze the PUBLIC information on their solution (eg: View Source, and nothing else), write up a whitepaper that has been *sterilized* and use it as a client-recruitment tool.
Once you've lost a client, let 'em go. Certainly don't try to chase after them. Just be polite, thank 'em for their time, make sure they've got your business card, and move on.
When the NEXT client rolls around, start talking about security on day one.
But do not *ever* name names. Don't speak about your lost client, don't speak about the miserable security at your competition, and don't try to change the world. If they wanna get hacked, let them get hacked -- but you don't want to be anywhere near them when that happens, or they'll go after you out of mere vindictiveness.

Junkies are like electricity... (1)

Anonymous Coward | more than 12 years ago | (#231904)

I have been a professional "Security Consultant" for some years... read that "Locksmith."

One pretty effective tactic we use is the free "Security Audit." This is where we show the importance of deadbolts and window locks... we don't break in, but we list the vulnerable spots.

This same tactic can work for you. Offer a "Security Evaluation" to the people, free of charge. Sure, some of them will take your list of defects and go back to the people that sold them the defective product before. But if you are professional, and can show restraint at "digging" at the competitors, and simply SHOW the weaknesses in a "content neutral" way... you will impress the heck out of many. These will be your repeat customers.
The ones that DON'T call you in to fix things--- these people will reap their own reward at the hands of a script kiddie...

Don't touch this without a lawyer (5)

bluGill (862) | more than 12 years ago | (#231913)

I can't believe /. responses have ignored this important point: There are many things that can be done, some of which are right, and some of which are legal. A few are both.

Don't touch this situation without a lawyer who knows this area of law. Most likely you will be told to keep your mouth shut as even if you can win the law suits, the cost isn't worth it.

There is also a possibility that you could find a lawyer willing to do a class action law suit against your competitor if you can prove several customers have been left open like that. This is again dangerous ground, but you can potentially pull it off. Don't bad mouth any competition who doesn't misconfigure things like that.

Whatever you do, make sure your lawyer is informed. Their job is to save your rear end, but they can't do that if you don't tell them what is going on.

Could be dangerous (1)

jCaT (1320) | more than 12 years ago | (#231917)

You run the risk of hitting people in their IT department that don't know better and think they do, at which point they'll be even more pissed at you. Granted they probably would not have had you as a client at that point anyways.

This approach will definitely be hit and miss. It's sort of like the vacuum cleaner salesman that dumps dirt on your floor and then shows you how he can clean it up, or tells you that your house looks like shit. :) The key will be to find people at the company who will be accepting of your position- usually middle to upper management types, where some soft scare tactics can really make a big difference.

Here's how I would go about it:

-Work out a standard set of procedures for testing their servers. Probe but don't modify.
-Work out a standard report you can deliver to them. If you put lots of PHB-compliant pie charts and stuff like that in there, you're almost guaranteed to get in.
-Keep on top of bad vulnerabilities, and perhaps deliver reports on that as well. It would be tough to keep this from being spamish, but you never know.

The biggest thing is to make sure you present yourself REALLY well. To most of your target audience the presentation you give is very important.

If they didn't want to listen before... (3)

jd (1658) | more than 12 years ago | (#231921)

...They're not going to want to listen AFTER they've paid a vast sum of money for junk.

Ego, image and the ineffability of the Boss are absolute, in corporations. Challenge these at your own risk.

On the other hand, you can use these as examples (anonymized, though!) in future bids. Especially if these companies -do- have their security breached. Companies are like sheep, in that they follow the leader. But they're totally unlike lemmings, in that if one plunges off the cliff, the others will =usually= hesitate.

pretend not to notice and market security like mad (3)

Forge (2456) | more than 12 years ago | (#231924)

If you really want to ever get business from that client again then let the security problems sit. I know it will grate on your conscience but this is like seeing your friend cheat on his wife. If you report it you will be called a liar.

How you proceed is to keep contact with all your clients ( including those you lost ) in a generic way. Offer them new services. Send them brochures for security audits etc... Let them know this is something you are selling to everyone.

I.e. Have a special. A demo of some security tool or other along with a discount if they are impressed and a full audit all for one low price. Do it that way and you might make more than you expect and maintain the respect of all involved.

Remember also to include the VAR you lost to in this mailing because they are a potential customer. If you really care about your lost clients not getting hurt then teaching the guy _they_ chose is not a bad idea.
--
Quidquid latine dictum sit, altum videtur.
Whatever is said in Latin sounds profound.

(in)security of non-clients is not your concern. (3)

isaac (2852) | more than 12 years ago | (#231925)

First, IANAL, this is not legal advice, etc.

If self-preservation is an instinct you possess, you should not be probing any site that has not contracted you to do so. You are probably opening yourself and your company to liability when you do so. Most computer crime statutes criminalize "unauthorized access", where unauthorized simply means you didn't have permission from the owner to access the computer resources that you did.

Now, it may certainly be true that a company that has a published link on the front page of their website to a document X (where X is information that the company would prefer remain private) probably would see their case against an entity Y accused of accessing X without authorization dismissed almost immediately. But that doesn't mean that it hasn't cost Y anything, even though the case never went to trial.

Further, the vulnerabilities you are discussing require you to access your non-client's sites in... unconventional ways. Courts do not understand technology, but by now many judges understand that your average consumer is not going to be firing up SQL Server Enterprise Manager to make authorized access to any given internet site that they have no contract or agreement with.

If you have already come forward to one of your lost clients and merely been called a sore loser, you're either lucky or have no significant assets. From a legal standpoint, you should not be making unauthorized access to any site, for any reason.

You already made unauthorized access to the site of at least one non-client, that you've mentioned. It sounds like your actions went beyond a simple portscan, which is probably ok, to retrieving database records (the hire dates, fire dates, SSNs you mention), which in court would quite possibly be actionable - at the very least, you won't get a summary dismissal.

Unless you'd *LIKE* to get sued by a lost client with a grudge, you shouldn't be probing their sites.

-Isaac

Re:Personally... (1)

Casca (4032) | more than 12 years ago | (#231926)

How long do you suppose it will be before we see this joker in the news?

Ask Permission (1)

jjr (6873) | more than 12 years ago | (#231929)

To do a free audit of the security of their site. After it is done, explain to them you know all about these security risks and would have never put your company at risk like this. I think this is the best approach. Do not talk to the webmaster(s); go directly to the top guys.

Use the exposed information (1)

c (8461) | more than 12 years ago | (#231930)

If all you care about is fixing the problems and aren't really trying to drum up business for yourself, anonymously contact some of the individuals whose information is being exposed. Sure, technically you're breaking the law getting the information, but I imagine that a couple employees getting seriously pissed about their personal information being wide open might solve the real problem pretty quickly.

c.

what we found following up... (2)

trb (8509) | more than 12 years ago | (#231931)

What we've found when following up with some prospects which we didn't win is that the development shop they went with has them on ASP/NT servers, with security holes up the wazoo...
They are not your clients until you win a bid. It is hard for me to distinguish "following up" from simply "probing their network for holes."

This is the same question as: "Should I probe people's networks and then offer to fix their security holes?" The business about lost bids is irrelevant.

You're asking whether you should let stupid people know that they are leaving their SUV parked with the keys in the ignition and the engine running and the kids sitting in the back. Well, it's probably a righteous idea to try to help them, but if you're not careful, like if it looks like you're jumping in the car and driving off, you could get into some trouble.

Think of a safe and discreet way of letting them know, and I think it would be ok. For instance, probe for some benign problem and offer to help them out with a simple security audit, telling them that "the sorts of systems they use" are quite prone to problems, etc.

It's No Longer Your Problem (1)

Bloodshot (8999) | more than 12 years ago | (#231935)

I can't believe you would even *think* of telling them that their competitors aren't using the best tools available. If they didn't pick you, anything that happens isn't your fault and you have *no* obligation to tell them what they are getting themselves into.

People need to find things out for themselves.

What you could do... (4)

rnturn (11092) | more than 12 years ago | (#231939)

(in response to:)

``Should we show these companies how easy it is to get in, and try to win them over as a client? Or just walk away? I've read some heated debates about this - if you break in, even as a demonstration, you're a criminal. But how do you show people they're in danger? Alert the current webmasters? In this particular case it did no good - we were accused of being sore losers!''

... is pretty much what you've done: point out the insecure setup. If they don't tighten things up they'll be the sore losers... when some customers or former employees sue their sorry butts for allowing that information to be divulged. Wouldn't it be fun to be called to testify against them? ``Yes. We informed XYZ, Inc. about the flaws in their security but they just laughed at us and called us sore losers.''

Wouldn't immediately help your problem in gaining new clients but it would be helpful if you could say that you have testified in court as a security expert.

The problem with the companies you've encountered is that you have to convince these people who know only Windows as an environment. I refer to this as the ``fly in the vinegar bottle'' syndrome. They like what they know and reject anything else. It's almost as though they'd rather be out of a job than switch from their comfortable little realm.


--

Forget about it (2)

Detritus (11846) | more than 12 years ago | (#231940)

You lost the bid. It isn't your problem. Anything you say to the company will be taken the wrong way.

Re:Happens every day (2)

josepha48 (13953) | more than 12 years ago | (#231941)

Too true.

One thing I'd add is that this is why you review the site. Maybe a line like: when we lose contracts we review what the winner did to see where we may have weaknesses, so that in future business with the company we can better serve their needs. I.e. it is a learning process for 'our' company.

Oh, and don't spend all the effort on mentioning money; try mentioning it only once (not sure what the exact letter looks like). It may seem like you are making up these holes just to get some of their business. You can even give an example of what you think is a security hole in the letter and what the result of that being exploited could potentially be. This is not to say that you need to hack in, but that you need to show that you are not making it up and that they can check it out on their own and say 'oh my, you are right' then call you up.

I don't want a lot, I just want it all!
Flame away, I have a hose!

Anonymous tips (2)

Jethro (14165) | more than 12 years ago | (#231942)

Well, an anonymous tip is one way, providing you are actually trying to help and NOT trying to make yourself look good by making the competition look bad.

I'm tempted to say that you really shouldn't do anything. They chose to go with the other guys, it's not really any of your problem or concern anymore.

Also, be very paranoid and careful. Do not send them "proof", as in lists of employees or any data obtained through hacks. You could quite easily be sued for anything like that, despite the fact that you're trying to be helpful.


--

Well, it does sound like sour grapes (1)

Zico (14255) | more than 12 years ago | (#231943)

If you're seeing all these holes, it sounds like you're snooping around on your competitor. Not saying that there's anything good or bad about this, but why wait until you've already lost the sale? Point this out to the company you're trying to win over while you're making your pitch, not after it's all over. If you've already lost the sale, I'd suggest hunting for new customers instead of badgering old ones. If there are holes you know about, I would (and have) call the client up, ask to speak with their main tech guy, and give him the scoop. Unless you're desperate for customers, I wouldn't try to turn it into a sales pitch. Just leave your email address in case he needs to ask you any questions about how you found the holes, if he needs any help patching it up, etc. He might keep you in mind in the future, and now he knows how to get hold of you.

As a side note, your mentioning of NT/ASP also seems to point to some sour grapes, since they can be locked down quite nicely — if your own company has any competency, you guys already know this.


Cheers,

Re:Well, it does sound like sour grapes (1)

Zico (14255) | more than 12 years ago | (#231944)

If that happened, I'd do what I mentioned. Just give the client's main tech guy a call and let him know that he's exposed right now. Proooobably you should call your competitor, too. I'm not in the same position as you, and I can imagine that it'd be pretty tempting to leave your competitor high and dry, but letting them know would probably be the good samaritan thing to do.


Cheers,

My POV (1)

JoeLinux (20366) | more than 12 years ago | (#231948)

Out here at Cal Poly Pomona, we have an Electrical Engineering Head who loves RAMBUS and Intel Pentium 4. What I've started to do is simply print out the articles that point out how the Pentium 4 is going to suck, and RAMBUS is going/in the process of going down. Slowly but surely, he is starting to come around. Tell him how his boxes are in danger if you see a security hole on their server that isn't fixed. Email what it would enable someone else to do. Explain to them that you are doing it because you still wish to maintain them as a prospective client, even though you lost the account. Be nice, not forceful. As if it were a friend you were helping out. When they come across enough of these "Anyone with a mouse and 30 seconds worth of time can gain root access to my entire box.", she'll turn around and ask about linux. It may take time. But be cheerful, helpful, and you'll win just about anyone over.

Then again, this is my perspective, I could be wrong.

Joe Carnes

Re:Ask Slashdot! (1)

JoeLinux (20366) | more than 12 years ago | (#231949)

Isn't it "Move every '.sig'" "For Great Justice"?

Just another /. nitpicker.

JoeLinux

Keep your hands clean (5)

Ralph Wiggam (22354) | more than 12 years ago | (#231951)

I think the best way to play that is to set up a meeting with the client who turned you down. Get a couple business people and their best tech guy in a room with a computer. You sit at a table with your hands in front of you. Talk their tech guy through the "crack" and make it clear to the business guys that in place of their tech guy it could have been any 15 year old on the planet. If the competing company gets pissed because they lost business over the incident, you didn't actually do anything. The client company merely viewed their own data using a nonconventional access route. If the competing company tries to go after their former client for "circumventing security", threaten to send a copy of the court papers to all of the rest of their clients, showing everyone what crappy security they have.

That should teach your competitors to bid against you.

-B

What to do.. (3)

Rombuu (22914) | more than 12 years ago | (#231953)

1) Document their problems
2) Date the documents and get them notarized by a public notary
3) Send them a copy and offer to do some work for them for a reasonable price
4) When they get broken into or h4x0r3d, send them your documents again and offer to do some work for them for a much less reasonable price.

Why are you poking around on their site anyway? (1)

crimoid (27373) | more than 12 years ago | (#231955)

Why are you poking around on their site(s) looking for security problems? They aren't your client; you have no right (or duty) to attempt to exploit ANY problem that they have. Doing so may violate the company's rights, leaving you open to legal action.

easy solution (1)

Rinikusu (28164) | more than 12 years ago | (#231958)

Get on #l33t or whatever on IRC. or AOL. AOL is probably better.

List the site in question and the vulnerability.

I guarantee you that the company will know the error of their ways within a couple days, max.

Demonstration... (1)

Fishbulb (32296) | more than 12 years ago | (#231959)

When you present your bid, set up a system with a configuration that you've seen competitors use, and show them right there how easy it is to access the data (fake stuff that you've setup) and then show them how much more secure yours is. Make security part of your sales pitch, because apparently your competitors aren't. When your competitors can't answer clients' questions about security that you've made them aware of, you'll have a much better chance of winning the bid.
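Both the submission (a SQL Server that anyone with Enterprise Manager can connect to, exposing employee records) and Fishbulb's suggestion of demonstrating on a lab box you own describe the same exposure class. The T-SQL below is an added example, not from the thread, for checking that exposure on a server you are authorized to audit (your own lab system, or a client's under a signed engagement). It assumes SQL Server 2005 or later, since it uses the sys.* catalog views and PWDCOMPARE; the SQL Server 7/2000 hosts of the thread's era would need the older syslogins/sysmembers tables. The database, table and login names in the remediation section (HRDB, dbo.Employees, webapp) are hypothetical.

```sql
-- Added audit script: run ONLY against a SQL Server you own or are contracted to assess.
-- Assumes SQL Server 2005+ (sys.* catalog views, PWDCOMPARE, ALTER LOGIN).

-- 1. SQL logins that accept an EMPTY password: the "anyone who feels like connecting" case.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. SQL logins whose password equals the login name (the other common default).
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1;

-- 3. Every member of the sysadmin fixed server role. A web application's login
--    (the one sitting in a plaintext ASP connection string) should never appear here.
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. Which local address and port the current session arrived on. A public address on
--    TCP 1433 means the instance is reachable from the Internet, which is how the thread's
--    "Enterprise Manager from anywhere" scenario happens.
SELECT local_net_address, local_tcp_port, auth_scheme, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
GO

-- 5. Remediation for an application that was connecting as sa (hypothetical names).
--    Give the app its own login, expose only the columns it needs through a view,
--    and disable sa so a leaked connection string no longer hands out the whole server.
CREATE LOGIN webapp WITH PASSWORD = 'replace-with-a-long-random-secret', CHECK_POLICY = ON;
GO
USE HRDB;
GO
CREATE USER webapp FOR LOGIN webapp;
GO
CREATE VIEW dbo.EmployeeDirectory AS
    SELECT EmployeeId, FirstName, LastName, Department, HireDate
    FROM dbo.Employees;           -- deliberately omits SSN and termination data
GO
GRANT SELECT ON dbo.EmployeeDirectory TO webapp;   -- no direct access to dbo.Employees
GO
ALTER LOGIN sa DISABLE;
GO
```

Queries 1 through 4 change nothing and are safe to run on a production instance you administer; section 5 is the "before versus after" for a lab demo of the kind Fishbulb describes, so adjust the names and run it on fake data, not on a prospect's server.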

For what it's worth... (2)

Rocketboy (32971) | more than 12 years ago | (#231960)

If I were you, I'd leave it alone. You can't win: the client won't appreciate knowing that they made the wrong choice and the hosting company won't enjoy having their flaws pointed out to a customer. You'll catch shit from both sides and could well get sued out of the deal.

Yeah, I know: it'd be great if you could just get them to fix their security holes. But in my opinion, you won't get that done and all you will end up with is a client who thinks you're a sore loser and a competitor who hates you. If the world were only rational... :)

Get consultant fees... (5)

Gen-GNU (36980) | more than 12 years ago | (#231972)

If you have already lost these people as a client, let them go. Hanging around and nitpicking is a sure way to get them to think less of your company.

What you should do is wait for the site to be up a while, (6 months to a year), and approach them as a "security consultant." Get permission to poke around, before you do it. Get paid consulting fees to do it.

In the end, they may be impressed and switch over to you. Don't suggest yourself as the company to switch to, though. This will come off as sour grapes. Suggest that they either revamp the site, or choose a different server type altogether.

Bottom line, if you impress them with the small amount of work you do for them, they will think of you as a 'good' company, and speak of you that way. If you upset them, they will never do business with you, and you risk losing other business as well.

walk away. (1)

Zurk (37028) | more than 12 years ago | (#231973)

Trust me on this one -- it's better to walk away. I've seen this situation numerous times and I've seen that the companies usually - [1] don't want to know and [2] management usually takes the blame so even if you *do* win them back the management guys will try and sabotage you.
Wait for 'em to figure it out and contact you after they get hacked, or let 'em go bankrupt. I've seen companies do both.

Re:Keep your hands clean (1)

Mr. McGibby (41471) | more than 12 years ago | (#231975)

I think the best way to play that is to set up a meeting with the client who turned you down.

Good idea. While you're at it, you should get them to pay you consulting fees just for giggles. Oh, and you could, like, totally get them to spend their precious time with someone that they already turned down.

Meetings are expensive and you aren't going to be able to just "set one up". Especially with a client who has decided that he doesn't want your help.

Emphasize early and often (3)

Flounder (42112) | more than 12 years ago | (#231976)

Why wait until after you lose the bid before pointing out something that could sway the bid your way? In the contract bid, point out your design and server structure and how it's more secure than the SQL/NT structure.

If you don't bring up important items like security until after you lose the contract, you'll be viewed as the sore loser, not as somebody concerned for their well being.

If they still go with the competing company with the poor security, they have only themselves to blame.

The Free Market At Work (2)

jazman_777 (44742) | more than 12 years ago | (#231984)

Those who choose inferior solutions will pay the price, and lose to competitors. Shouldn't try to prop them up with unsolicited help. Though the chance to make some money off them sure is tempting. Got any spare bridges you could throw into the deal?
--

A whacky idea (5)

Monte (48723) | more than 12 years ago | (#231986)

This just popped into my head, perhaps it's nonsense, perhaps it's workable (given somebody with a legal background to pull it off):

What if you asked them to sign a document that certified (1) your company did not do any work on the system(s) identified and (2) they have reviewed the list of security vulnerabilities attached and agree and certify that they are not the fault of your company and (3) that your company has provided due diligence in notifying them of the gaping holes.

The idea is that you're approaching from a CYA angle instead of a "look at what those twits have done to you" angle.

let it go, but prepare for next time (1)

laslo2 (51210) | more than 12 years ago | (#231991)

once the contract is rejected, there's nothing you can do but plan for the next one. I'd suggest that you include security as part of your product pitch, emphasizing that you use such-and-such technology over asp/iis/sql server because [insert standard reasons here], or that your people are highly skilled, etc. you'll also need to present that you can develop in whatever you're using as fast as the visual bozos down the street .

Whatever you do, *do not* probe their servers, databases, or anything else. You have no legitimate business reason for doing so (no matter how much the bastages deserve being called out for being dumbasses and going with someone else). Also, be nice to them, they may need your services in the future.

win lose win situation (2)

joq (63625) | more than 12 years ago | (#231999)


If security isn't your main line of work then it's sometimes better if you contacted a security company and had them speak to the other company after working out some sort of deal with the security company, for the following reasons.

If you were doing some other work for the company, then was cut off they could think you were illegally looking for holes in their systems, or were pissed off at them, and helped yourself to take some form of actions by auditing them (think about what the company would see in this situation) to find ways of screwing them.

Contacting a security company could benefit you in other ways because if they know of something your company does, they'd likely turn to you for passing on business to them so you create a network for yourself. Now the security company on the other hand could present it in the following fashion to the primary place.

salesman of sec. co: "A previous vendor of yours contacted us out of concern for your company as they suspected you may have some vulnerabilities but they were unsure of this so they turned to us since we focus in security...."

As stated, if security isn't your main field of work you're better off (IMHO) going this route since it also saves face and doesn't seem like you're fetching for bones. It may also help win back "brownie points" should the company have to reconsider vendors, and they're likely to remember your actions if they went ahead and had the security company audit them and fix their holes.

my two cents...

FreeBSD spoof [antioffline.com]

Treading on very dangerous ground (5)

phutureboy (70690) | more than 12 years ago | (#232002)

I would not go near there with a 10-foot pole. There is really no way you can pull that off without generating a lot of ill will for your company from at least one of the parties involved. I also don't see how that will convince them to switch to your company immediately, no matter how right you are.

Let them reap the consequences of choosing a lame dev shop, and perhaps next time they will choose you instead, having learned their lesson. Think long term!

--

I don't understand how some of this is illegal. (5)

AugstWest (79042) | more than 12 years ago | (#232006)

If I fire up an MSSQL client and connect to someone's database which is sitting wide open on the internet, how am I breaking the law?

I'm using a client to access information which is publically available on the internet. How is it any different to use a DB client instead of an HTTP client?

You Can Lead A Horse to Water... (1)

gyges (79472) | more than 12 years ago | (#232007)

But he will probably kick you. No one, especially after telling their management they just went with the "best" contractor, is going to risk getting fired over what you are telling them.

You have obviously invested some time in getting up to speed on security analysis. Wait a few months and then notify the company (CIO, or someone higher up the food-chain) of your "new" security practice/business, and that you will give them a two hour consultative session free.

In other words, take your talents, build a business and NEVER attack the winner in a bid process unless it is something that you can go to a court with (i.e. violation of process, etc.), otherwise you will be turning the client off. Do request a de-brief where you ask them how you could have met their needs better and they can explain deficiencies in your proposal. (This is often done on government contracts but is only worth it if you want them as a client.)

as an employee (1)

kootch (81702) | more than 12 years ago | (#232009)

as an employee at a company that recommends that all of our clients use NT and M$ products, I resent the fact that you would actually approach MY clients and talk trash to them about the security holes which I didn't patch up because they didn't feel like paying me money to patch them.

Okay, so maybe we didn't code it the best way possible... and yea, you can see database records with an anonymous account, but do you think the client knows this? HELL NO! You know why? Because we know they're morons, because we know they'll never look at the code or pay $5 more towards development, and because if a hack happens and nobody is there to know about it, did the hack ever happen?

Yea, it's bad business. Yea, it happens all the time. But it's all about getting paid now, isn't it?

You lost the bid, ... (5)

Speare (84249) | more than 12 years ago | (#232011)

I agree with the sentiments here that "You lost the bid, so just move on."

If you want to find out WHY you've lost the bid, a questionnaire is a good idea. Give them some meaningful but neutral questions, and give them a chance to respond in their own words. Assume that you will get no results, but if you DO get feedback, consider it carefully in future bids.

  • With regards to security, why did you find a competing product more valuable?
    • CompetitorCo's track record for security seemed stronger.
    • OurCo has not demonstrated sufficient regard for security.
    • Cost outweighed security concerns.
  • With regards to interoperability, why did you find a competing product more valuable?
    • CompetitorCo's products have a higher degree of interoperability with your other systems.
    • OurCo's products have not demonstrated interoperability with established standards.
    • Cost outweighed interoperability concerns.

And so on. If your questionnaire smacks of propaganda, and not of honest "how can we serve you better" fact-finding, then it will land in the recycle bin.

fuhgetaboutit (1)

Dalroth (85450) | more than 12 years ago | (#232012)

Seriously man, just forget about it. If they want to leave themselves with such risk, so be it. They're the ones who will suffer in the end. Meanwhile, you guys have time to put towards more worthwhile customers and projects. Find the customers who do care. Make a better product, and show them by example.

Don't consult for free. (1)

dave-fu (86011) | more than 12 years ago | (#232013)

Why are you wasting your time crying over spilled milk? This isn't a playground dick-measuring contest: telling everyone just how bad the other guy is won't win you any friends or business. Showing everyone just how good you are will at least win you the latter.

Furthermore, mind your own goddamned business. Show a little class. There's only so much money you can make from behind bars. If you pull an end-run on a competitor and hack their system "just to show their clients how much danger they're in" and the guy whose system you just busted into gets wind of it, you'd better hope he doesn't have a good lawyer, because it sounds like a pretty open-and-shut case of corporate espionage.

Concentrate on locking down your own systems and building good faith and solid products with your own clients and don't do anything but have yourself a chuckle when they show up on attrition.org.

Do you lack all people and professional skills? (3)

Amokscience (86909) | more than 12 years ago | (#232015)

Just use common sense. It's against the LAW to break into another site.

Send them a professional letter detailing how you're sorry that they didn't choose you but are glad to see that their business is progressing. Politely point out that they have a security flaw that's easily exploited. Tell them up front what data they have exposed and the basic steps to exploit the problem. Let them know that you felt it was important enough to tell them this even though they chose X company over you.

Yadda yadda yadda... These problems are all alike: "I want to do the right thing but it's awkward because of XYZ". If you're a grown-up it's something you should have learned to deal with politely and courteously. If they reject you then it's their fault, not yours. Certainly don't try to turn it into a flame.

One option that occurs to me is to report them to the Better Business Bureau or some other consumer agency. This approach should only be used when serious problems are ignored (exposing a million credit card numbers, etc). Just remember, unless you feel like it it's pretty hard to help everyone all the time.

Golden Rule (1)

Tayknight (93940) | more than 12 years ago | (#232020)

I think the Golden Rule applies here. You would want someone to discreetly tell you if you had a problem. If the other shop won't tell their client about the problem, tell them yourself. Don't try to make the other company look bad. You are doing your business a favor; you look like a helping, kind company. You are also helping the Internet by alerting poor admins to problems like this. Take the high ground, be the good Samaritan, then pat yourself on the back.

Post ip addresses to alt.2600? (2)

MattW (97290) | more than 12 years ago | (#232022)

I'm sure someone will find the time to point out their security vulnerabilities :P

Ask the client (2)

skwog (101252) | more than 12 years ago | (#232027)

for a ten-minute meeting in their own office, during which you will demonstrate to them just how vulnerable the site is. Be sure to promise and deliver a brief but resounding follow-up addressing how you would eliminate the problem if you were employed by them. Deliver a sales pitch to illustrate your positives even while demonstrating the competition's negatives right in front of the customer, with their permission.

Why not put it in the Bid in the first place? (1)

Reik (101256) | more than 12 years ago | (#232028)

Giving you the benefit of the doubt, it seems like security is an honest selfless concern and that anyone's vulnerability is more worrisome to you than losing a bid, as it should be...

So, why not add this to the bid in the first place:

Legalized, of course, but put in a clause that states that acknowledged receipt of this bid grants our company the right to do a preliminary external security audit in, oh... 6 months or something. With a simple report on any findings for free. You can of course attach offers to fix their problems for a nominal fee at that time.

I would think if you enveloped it in an honest slant of promoting a safer and securer internet, which is of course good for everyone then you would have minimal risk of anyone refusing to review your bids.

Probably not much you could do for the present case, but maybe in the future some kind of clause like that could be leverage to get all kinds of 2nd-chance business whilst at the same time heavily tarnishing the reputation of those firms who complete these jobs with such poor attention to security.

just my 2 cents...

Eric

Re:I don't understand how some of this is illegal. (5)

BradleyUffner (103496) | more than 12 years ago | (#232033)

I didn't break in! I walked through the guy's back door which he forgot to close.

Do it right. (1)

aralin (107264) | more than 12 years ago | (#232036)

Well, you definitely don't go hack their site, get the employees' SSNs and then show them how stupid they are. That's a way to face charges, but... you can do it right. What about:

  1. Contact the manager of the site with your concerns about their solution's security.
  2. Ask them for permission to demonstrate the weakness.
  3. Then go to the site and show them all these breaches, preferably with one of their managers always present for ANY access of their site.
  4. Collect consultation fees :)

Re:Give them instructions (1)

ahaning (108463) | more than 12 years ago | (#232037)

Perhaps, rather than laughing, you could pull an "I told you so" and offer to fix the problem. Assuming the kiddiez were smart and hid themselves well enough, they won't get in trouble, you'll get the job, and the company you're working for will be better off for it.


kickin' science like no one else can,
my dick is twice as long as my attention span.

Let them crash (1)

y86 (111726) | more than 12 years ago | (#232041)

It isn't your problem; you're not responsible for their security. Let them crash, it'll show other potential customers that your competitors suck.


-- MMMM...... Tomacco --

Re:Treading on very dangerous ground (1)

shpoffo (114124) | more than 12 years ago | (#232043)

Let them reap the consequences of choosing a lame dev shop, and perhaps next time they will choose you instead, having learned their lesson

There is no next time, really, though. Companies often go with their current solutions developer regardless of how badly they are screwing up, and the reason is predictability. It often doesn't matter how good the hired company is, so long as their ETAs are accurate and predictable. It's only in the face of gross incompetence that developers are nixed, and that's not too often (we'd like to think =)


-shpoffo

Professionalism (2)

shpoffo (114124) | more than 12 years ago | (#232044)

If the client is at massive risk and your business is security then dealing with these problems should be something that you don't ignore just because you lost a contract. You might want to pick one particular example of their lacking security and point it out to them as well as some of the important details. If the problem is fixed in a week and you still haven't heard back from them, they're obviously not interested in going with you; let them fend off the sharks themselves. If they're smart they'll realize who's the better pony and get back to you. -shpoffo

Don't tell them what's vulnerable (1)

Emnar (116467) | more than 12 years ago | (#232047)

Say you give them a list of vulnerabilities and recommend that they employ you to fix them, but being fools (or just strapped for cash), they take no action. Six months later, an anonymous email hits every employee in the company with everybody's SSN, salary, performance reviews, etc. Finger-pointing ensues, and the IT managers look for somebody, anybody to pin the blame on besides themselves. "Maybe it was a disgruntled ex-employee," they say -- "or maybe it was that security guy who was trying to get our business! Look, he even gave us a list of what he could do to our machines!" Wham, lawsuit and criminal charges against you! Sure, you would know you didn't hack their site...but you'd have to prove it in court, which is expensive as hell, not to mention very hard on the reputation.

Be businesslike, dignified, build confidence. (4)

TheMCP (121589) | more than 12 years ago | (#232051)


When you're dealing with a company that you bid to and they went with somebody else, anything you say is going to be a little bit suspect to them, because as far as they're concerned you're just trying to wheedle your way into doing business with them by elbowing away your competition.

The key thing you should remember is, they're right. You are trying to wheedle your way into doing business with them by elbowing away the competition.

So, if you're going to do this, do it with dignity and class. Be honest and up-front about it, and tell them bluntly "we noticed that the company you hired used X and Y technologies and we have some concerns about those technologies. Here's a list of known problems with those technologies. We think you might have some of these bugs, and we'd like to talk to you about how we can help you fix the problems." Don't go into specifics of their implementation; let them figure that out. If they don't care to look, or to ask you for help, then they just don't care and the argument is futile.

Of course, if you're really running into this multiple times, you should consider making it part of your sales pitch. "We use technologies X and Q. We believe they're safer and more secure for your business needs. Here are some of the problems we've observed with sites implemented with the other technology, Technology N. A site one of our (unnamed) competitors recently did for the XYZ Company with Technology N seems to have these problems..."

If the client cares about the security (and stability) issues you can bring up in the sales pitch, great, this could help you make the sale. Also, by bringing concrete recommendations to the client in the sales pitch, you show them that you're serious about helping them and make them feel that you're already on their side, which is important in managing their perceptions of the working relationship. Sometimes the potential client can come away from a meeting like that feeling that you're already working for them, so when you hand them a contract to sign they feel like it's just a formality.

Again, if they don't care about this stuff when you bring it up, that's their problem, and if in the future they hire one of your competitors and you discover that the competitor did a lousy job... well, you warned them, and it just becomes another case study of what not to do.

Re:Give them instructions (3)

SuiteSisterMary (123932) | more than 12 years ago | (#232054)

That's why you include in the list the specifics of what can be gotten.
After logging into the SQL Server using the above methods, credit card information from clients can be extracted, which is in direct contravention of the following laws, which carry the following penalties....

Give them instructions (4)

SuiteSisterMary (123932) | more than 12 years ago | (#232055)

Don't break their boxen, but give them step by step instructions of what a sample vulnerability is, how it can be exploited, what it exposes, and what it can be used to get from, or do something nasty to, the box/lan/company.

or you could learn a lesson from the FBI... (2)

tinyuan (124449) | more than 12 years ago | (#232056)

and use them as another Invita, Inc. Then some poor Russian idiot can hack it for you, thereby revealing the weakness in their database security.

Tell them beforehand (1)

wfaulk (135736) | more than 12 years ago | (#232065)

If you're competing with other companies to provide a service, it should be in your best interest to tell them what sorts of security issues they can be open to, in general, when pitching your service. Then demonstrate how your system does not have those holes. This should encourage them to ask the same questions of the other vendors. If it doesn't, then no amount of prodding after the fact will make them change their minds.

You might even demonstrate a security hole on your own system (open it up for testing) and then show them that you can (and do) close it. Then, perhaps, encourage them to try the same thing on the competing vendor's solution. Don't do it yourself, but get them to do it or get them to request the competing vendor perform the same test.

If they choose the other vendor, then you cannot feel guilty about not telling them about the security holes of their chosen vendor because you've already prodded them to the point that they should already be aware and concerned, and you can't feel bad about losing their business, either, since the ``additional'' security you provide was obviously not of enough concern to them.

Definitely don't press anyone in any way after you've lost the bid, though. There's nothing that leaves a worse taste in a customer's mouth than perceived sour grapes or even general pestering. If you don't bother them, then you leave yourself as a possible new vendor when the one they chose falls down on them. You already made it to their short list once.

You need an unrelated 3rd party as well (1)

idgrad (137342) | more than 12 years ago | (#232066)

Although I'm not an IT worker, I do have a couple suggestions.

First off, your primary issue: "SORE LOSERS". While you might want to protect this ill-informed possible client, you don't want to generate a bad name for yourself in doing so. You don't want this label for yourself or your company. So this is my suggestion: accreditation/testing by an unrelated 3rd party. Similar to the (crappy) movie "Sneakers", you're going to pay people to mess with your security to prove that you have a secure implementation; likewise, recommend the same to this client. As others have suggested, contact your old client/almost client. Have a short meeting, mention that you notice that they have some serious security vulnerabilities. Next, rather than you showing them those vulnerabilities, give them a list of the vulnerabilities and some references for some TRUSTWORTHY security firms that are not related to your company to test them out. That way, they're hearing the same message from somebody that has nothing to gain by pointing out the flaws of their implementation. You'll get around the sore loser issue, and hopefully they'll come back to you for business. Just my 2 cents...

Have them do it (1)

austinij (139193) | more than 12 years ago | (#232067)

Offer up your time and visit them. Have management and a techie from their organization present, and have them go break into their system, with your step-by-step instructions, of course.

When they see what kind of info is available, hopefully their horror will get them listening to you. At this point, offer up your suggestions of how *you* would go about fixing this. Don't put down their system(s) saying ASP/NT sucks or whatever, because they probably put a lot of work into it, and the last thing they want to hear is how they made bad decisions.

If you play the good guy, hopefully they will drop their current development house in favor of you. If not, at least you have made them aware of the problem, and they should do something to fix it, saving the personal data of many, many people.

Be the good guy and take the higher road; even if it doesn't directly benefit you, your actions will speak louder than words.

Be careful... (4)

blackdefiance (142579) | more than 12 years ago | (#232073)

If you're in the US, the risk of your actions being considered criminal is real. The FBI does not have a sense of humor, and doesn't care what your intentions are. Federal judges can't give you a lighter sentence because you mean well.

Consider this: what if your actions are construed as destructive or intrusive, just through some freak accident because someone's having a bad day, or there's an asshole or an idiot in the client's company or in the consulting firm that's leaving everything wide open?

Do you have the time or the money to explain yourself to some feds? Multiply some small but non-zero probability factor by several hundred thousand dollars plus whatever value you'd assign to a year in prison. That's how you should do the cost/benefit analysis.

I'm advocating a grim, "being nice gets you nowhere" sort of position, but the potential downside to the situation is horrible. There's an Assistant US Attorney somewhere itching to make a name for him or herself by prosecuting a "hacker" case. Don't put yourself in a position where you could make it onto their radar screen. The deck is stacked completely in their favor. Read a Register article about the feds' tactics [theregister.co.uk] if you want to get scared.

Watch your ass if you want to be nice.

Help on evaluating the work... (2)

thrillbert (146343) | more than 12 years ago | (#232074)

The best thing to do would be to write up some sort of a form letter. Pay attention to the problems you have encountered and document them. Do not mention specifics, nor methodologies used; just state the problems, such as "Employee records viewable by the world", etc.

You may even include some examples of how to check the system. Of course, this letter should include the regular "Thank you for the opportunity", yada yadda yadda..

This method will not only show that your company _IS_ aware of security measures, but will also demonstrate gracefulness and genuine concern.

Waste of time? (1)

lanclos (150352) | more than 12 years ago | (#232076)

Wouldn't you be better off courting new customers rather than spending any more time trying to win over lost customers? I mean, sure, point out the mistake, and leave your card; at that point, if they're willing to stick with a bad decision, let them learn the hard way.

Don't scan lost clients! (1)

evildead (150474) | more than 12 years ago | (#232077)

1) Poking at systems that you don't own; don't have responsibility for; and aren't doing software work on can cause very serious problems for you and your company.

At worst, it can lead to a criminal investigation; and somewhere in the middle is damage to the reputation of your company.

2) It makes your company look like a sore loser if you complain about the other companies' implementations.

If you lose a contract, maybe you should follow up with an offer to do independent verification and validation, a security audit, or maintenance -- which would allow you to scan the systems for exploits.

3) That said, you may be better off sending anonymous email to them, and notifying them of the problems, or otherwise forgetting about it.

offer a free security review as a "teaser" (5)

bluebomber (155733) | more than 12 years ago | (#232080)

Simple: Offer to perform a smallish security review. For free. No strings attached. If there are gaping holes, it will only cost you a few hours worth of work (and maybe a couple of hours of sales pitch), and has the potential for gaining the client as a customer. I'm not suggesting that you do a full security audit, or even that you hold yourselves out as such. Just that you offer to perform a small service for those customers that you've lost in the past, as a gesture of good will and to demonstrate the quality of the service that you can provide.
-bluebomber

Happens every day (5)

dada21 (163177) | more than 12 years ago | (#232081)

I've found that a standard 'form letter' has worked for me in the past. I've probably won back some lost clients because of security issues. Generally, my letters have been written to whomever accepted the bids for the original contract, along with a repeated thank you for allowing our company to bid on the project. We hope we can be of use in the future on similar projects, and want to be kept abreast of any upcoming work that will be taking bids. On another note, we would like to mention that we reviewed your website as it currently stands, and have found some serious security issues and risks that go beyond being "potential problems." If you would be interested in hiring our security team to show you the current security breaches and issues, we would be happy to draft up a competitive bid package for the consulting time and documentation time needed to review all the security problems as your system currently stands.

Then go on to say how security is as important to your firm as the end product, and that it is quite possible the reason your bid package on the original contract was higher than the winner's was because of differences in opinion about Internet security. Don't be afraid to blast their price, not their service. If you get a follow-up call (I've gotten them more than 75% of the time!) you can explain that many websites on the Internet have security issues, that you are well versed in how to handle them, and that many companies haven't taken the time because the chance of getting hacked SEEMS slim, while in reality it is not.

I've lost some clients who have returned to the bid winner to clarify security issues and have gotten some of them fixed (without us telling them specifically what the problems are). Even if you don't get the contract, you may end up with more lucrative time and material work pointing out the bugs in the code. I prefer T&M at full rate rather than contract at discount rate anyway. Plus, there's no warranty involved in T&M consulting.
Good luck!

alert the people at risk (2)

twistedfuck (166668) | more than 12 years ago | (#232083)

Screw the client and the competing development shop; alert the people whose information is being exposed. If companies leave security holes, it's the consumer who is in real danger. If the negligence is exposed publicly then the companies will act. Also, if something is viewable without authentication on a website, and you figure out how to see it, I don't think this can be classified as a criminal act. TWF

Print and Mail... (1)

Marty200 (170963) | more than 12 years ago | (#232088)

I'd print out all the information that is available, put it all in an envelope with a note saying "I bet you wish you hadn't taken the lowest bid"

MG

You can lead a suit to... (1)

Ho-Lee-Cow! (173978) | more than 12 years ago | (#232092)

But in the end, you honestly can't make them think. A lot of these managers don't want things to be done right, which is honestly a process. Security is an area that most people think about in terms of putting a padlock on the toolshed door--it looks nice and shiny, even if the wood is rotted out underneath. Probably one of the biggest challenges in IT is overcoming the quick-fix, instant gratification mindset of the managerial class.

Remember that most of these people honestly believe that a problem can be fixed if you throw enough money and/or lawyers at it. Sad as it is to say it, you can certainly -try- to make them aware of the problems, but most of the time, that flashy, slick, Microsoft promise of security is all they need. As said before, they still live in a world where they think you buy one thing and it fixes the problem. You can take them through a step by step process and show them the flaws in their purchase, and maybe prevail to become the supplier, but in the end, they may well have to have a breach and a few lawsuits to get the clue. Even then, to cover their asses as fast as possible, they may still choose to go for another quick fix and put a bigger padlock on the rotten shed door.

Re:Give them instructions (3)

HughsOnFirst (174255) | more than 12 years ago | (#232093)

About five years ago I hacked into the web site of a subsidiary of a certain international business machines company and was able to see customer info, source code, etc. But when I did it I was sitting in their offices with the product manager of a product I was consulting on watching. The ***** folks were surprised to say the least, and were appreciative. You might try hacking into these people's web site with them watching, as an educational exercise.

White papers (2)

Alien54 (180860) | more than 12 years ago | (#232100)

Put up on your website a number of white papers that include security analysis of several "typical", obviously fictional companies, but which have some resemblance to the clients involved. The fictional companies could be in another country (all names, etc. have been changed to protect the guilty). Include with this news stories from real agencies and companies that have had security failures. Especially if some of these had systems similar to the client in question.

Finally - [START JOKE] post the company name to a hacker newsgroup as vulnerable. Do this some months after giving them the warning. Then send a reporter around to them after about a month: "I am doing a story on hackers, and I am interviewing typical companies about their internet security" [END JOKE]

I do not, and I will never condone the abuse of a personal or corporate computer system for fun and or profit, etc.

Check out the Vinny the Vampire [eplugz.com] comic strip

Re:For what it's worth... (2)

Alien54 (180860) | more than 12 years ago | (#232101)

You can't win: the client won't appreciate knowing that they made the wrong choice and the hosting company won't enjoy having their flaws pointed out to a customer. You'll catch shit from both sides and could well get sued out of the deal.

Heh - I know of one company that has two computer shops - one side that has been running the business on some multidimensional DBMS since the dawn of time, and the other newer MS shop. The MS shop has several dozen people, and the old shop has a small handful.

The MS shop is terribly mad at the old small shop, because the MS shop is producing substantially less than the old shop. - Of course the old shop is run with just a handful of gurus, where the MS shop has lots of (fill in the blank)

Bottom line - sometimes it pays to know what you are doing. And when You don't it costs you money.

Check out the Vinny the Vampire [eplugz.com] comic strip

Free is good (1)

scott1853 (194884) | more than 12 years ago | (#232105)

Send them a follow-up with an offer for some sort of free review of their security. Just be nice and professional. That way there shouldn't be any bad feeling since they would have asked you to look at things. Maybe make some points about 3rd party reviews, point them to some articles or something.

Re:Well, it does sound like sour grapes (4)

mgkimsal2 (200677) | more than 12 years ago | (#232109)

Yes we do know this - the NT/ASP issue was that there are some extremely well-known OLD (>1 year old) hacks known against this configuration, which require about 5 seconds of 'hacking' (if you can call it that). The deeper story in this situation is that we weren't directly following up on a lost bid - we were following up on something else, stumbled on this security hole, and found that a lost bid was affected. So we weren't directly probing them right after the fact, it was somewhat incidental to some other stuff that we were doing.

Careful and Indirect! (1)

Ocelot Wreak (203602) | more than 12 years ago | (#232110)

Advice from a security consultant.

Never attack the site. Never badmouth the winner when you are the loser. Never "demonstrate" the lame security and security breaches to them, because they will know that you had to have tried it already (thus possibly breaking local or federal laws).

Better you send in a trusted third party, like the people you currently use to do your company's external audit. Tell them to approach the client on your behalf. They will know who to talk to at the appropriate management level in the food chain, and let them know what a lame choice they made for developers. The lost client can then be gently redirected to look back in your direction after the twerp who hired the dummies is called to account for their bad decision. The external consultant is then doing their job as "the messenger delivering the bad news", and you are seen as the company who can solve their BIG problem and do it properly, as it should have been done in the first place.

It should all look like a properly managed business decision, not a techno-shoot-out between rivals. Hope this helps...

Easy. Don't make it a sales pitch. (2)

ColdGrits (204506) | more than 12 years ago | (#232112)

Rather than tell them "You went with one of our competitors and look how easy it is to break their security as opposed to ours", which is guaranteed to make you look like a bad loser (not saying that IS your approach, btw!), you may want to make it more of an advice thing.

E.g. ask them if they are aware that just by doing x, y, z (feed them detailed instructions they can use themselves to see), any malicious-minded individual could gain access to a, b, c (give them details of what it means to THEM).

Then, rather than end with, for example, "whereas our system has none of those problems", which is a blatant sales pitch, you might want to consider making it totally non-sales.

E.g. end by hinting to them that they may wish to take this matter up with their existing SP immediately so as to minimise the risk to their data, or they may wish to look around other suppliers, including yourselves, with this additional concern in mind and see how those various SPs react and how their services seem in light of these new concerns.

OK, some will still think it is just sour grapes, but at least you are phrasing it more along the lines of "OK, you went elsewhere, that's no problem. Just make sure your SP fixes blah blah blah" rather than "Ha! You went with THEM and they are crap, you should come to us." iyswim.

Hope this helps!

--

Let's Get This Straight (1)

bitva (206067) | more than 12 years ago | (#232114)

They are not security holes. They are features.

You forget who's making this software.

sheesh!

Caution (1)

mborland (209597) | more than 12 years ago | (#232116)

As a sometime web developer and sysadmin type, I run into this very situation you describe a lot. I will preface the rest of my comments by saying that just using ASP/NT isn't a security threat; the security of a system is relative to the overall security measures of the developers and architects. I am personally interested in this discussion because I'm thinking of focusing more on becoming a computer security professional.

First, if you are competing with a place you feel is providing insecure solutions, then you should treat the entire matter with kid gloves. That is, don't go out publicly and accuse them of bad practices--that can lead to court battles and the like. And certainly, if there are specific vulnerabilities you know of you are obligated to report them to the developers privately (and don't just say "'cuz you're using NT.")

Second, clearly the organizations which are hiring these less-secure firms are less security-focused themselves. What can you do about that? Tattle-taling and bad-mouthing the competition doesn't work. If you have any other professional work you do for the organization, maybe promote a seminar or security newsletter. However, if the organization is unresponsive to security issues, and many are, then your concerns will fall on deaf ears. The market for developers, in other words, does not yet have strong support or understanding of 'security.'

I've been in the same boat as the poster and at times and it can be really disappointing for someone more attuned to security matters to see someone else ignore such problems. On the other hand, your disappointment is not unlike that of the annoying Fire Marshall, who, at your house for a family visit, is abhorred by how many loose wall hangings and covered lamps you have! Yes, they are right, your house is a fire trap, but on the other hand, that's how you like it!

But we -are- technical people, and the results of bad security are arguably more likely or more disastrous than a fire, and certainly the criteria for safety in computing are less regulated.

Sadly, like with anything else, I think people, and by that businesses, will eventually learn to pay heed to issues of security, once they hear real stories of damage. Such cases are already in existence, but because no business wants their names associated with such a faux pas as a security breach, these stories rarely make the news.

Finally, to your questions, from a marketing standpoint, it's hard at this point to claim a better grasp of 'security' than anyone else--and to what degree that qualifies you for the rest of the work you are bidding on. I am even now skeptical of what you, as a developer, bring to the table if your very first concern is security. I absolutely agree that it is a baseline requirement, and that gives you an advantage over others, but it is hardly a trump card. Let's say the 'less-secure' firm gets hired. Were they cheaper? Did they have more resources? Do they deliver more inventive solutions? So in reply: How can your solutions top their solutions? (And don't just whine: 'security!')

The fact is that organizations that hire developers are often leaving out an important aspect of planning, which is security, and perhaps if that is your interest, you should focus on it and figure out how to market that to organizations. Maybe you run network-security audits for people. Maybe you establish intrusion detection systems. Either way, I agree that the industry should become more aware of actual risk--but that's separate from OS-bashing, or competitor-bashing.

Re:Do you lack all people and professional skills? (1)

Alatar (227876) | more than 12 years ago | (#232124)

Use of any computing resources is restricted to authorized personnel only. Are you authorized? If not, it's a crime.

Re:Give them instructions (1)

Karma Sink (229208) | more than 12 years ago | (#232127)

While that sounds like the best, and most responsible choice, it won't work with the average person who can make managerial decisions. They'll think you're just nitpicking, because they can't conceptualize it.

Personally, I'm all for the 'criminal' behaviour of just showing them... But it can certainly get you into legal trouble. The best plan, overall, is to let it go, and then laugh your ass off when skript kiddiez get into their machines using well known exploits...

Re:Do you lack all people and professional skills? (1)

techno-at-nni.com (236771) | more than 12 years ago | (#232132)

Just a quick thought, is it illegal to make simple SQL queries to a site openly on the internet? It would be similar to a telnet connection.. I've telnetted to places for the simple fact that I was first telnetted to from them..

I've heard of comparisons of this with ppl snooping around a house with unlocked doors.. Well, I wouldn't make that comparison.. I'd say it's closer to a service being offered like a bank or supermarket.. Their doors are open and they are providing a service that doesn't even need to be manipulated/hacked.. And when they don't want to provide the service they lock up shop.. My long stupid point being that if they offer SQL services like a couple of ppl (even the music database sites offer stuff like this) then it's a service that you should be able to access legally.. Now circumventing firewalls and spoofing should be illegal.

and I believe the original poster said that the site had easy access to database info (without hacking or being malicious). Food for thought anyways, otherwise I think that yes, he should just walk away from these guys...

sore losers? (1)

DankNinja (241851) | more than 12 years ago | (#232145)

Well, you tried to help them and they were a$$holes about it, let your local script kiddies in on it.

Machiavellian Attitude (1)

Art_XIV (249990) | more than 12 years ago | (#232151)

Unless you have a vested interest in pointing out the security to your almost-a-client, I wouldn't bother alerting them.

Rather, remember - and document to the extent the laws (yecch!) and ethics allow - then use it as ammo to take down the competitor in future competition.

Make sure you present the case as the competitor offering a shoddy product, rather than the competitors being a bunch of dorks. This is a diplomatic maneuver.

This is both cunning and doing future clients a favor.

Aim for the future clients (2)

Crayola (250908) | more than 12 years ago | (#232152)

There's not much you can do about clients you've already bid for. If you bring up potential security problems with their new vendor, you just look like you're badmouthing the competition after the bid. In any case, you may stir up resentment that may make it hard to do future business.

The thing to do is prepare an informative document during the bid process explaining the importance of security and what measures your company takes to ensure it. By phrasing your presentation in the form of "whatever vendor you choose..." and recommending outside audits, attention to common security holes, good basic procedures, etc., you educate your customer. Even if they don't go with you, you've given them some things to think about, and you're being constructive and helpful. If they get hacked later at some other place, they may remember you and come back.

Wow...that's tough. (2)

ocbwilg (259828) | more than 12 years ago | (#232156)

First off, don't crack their servers. Don't break them or otherwise doink with them. In fact, my first instinct is to say just let them go gracefully. It doesn't matter what you say now, it's pretty likely that you're going to come off looking as a sore loser. If you point out specific exploits to their sysadmins and later someone uses those exploits then not only do you look like a sore loser, you look like a sore loser who was out for revenge. That could be even worse.

All in all you're probably best off to just shake hands and part ways with the customer. Keep in contact on a regular basis to see if they might be interested in your services (or switching to your services), but come to terms with the fact that they're someone else's customer.

If you have a strong business relationship with this company, you might vary your approach. You might take the CIO or whoever is in charge of this deal aside and tell them "as a friend" that there is potentially a problem, but even that's iffy. If you were going to say anything to begin with you would have been better off pointing out how important security is in the stage where you were pitching the product to the company. After you've lost the sale it's too late to worry about it. Even then it can be a double-edged sword though. Badmouthing your competitors, even if it is true, is still going to look like mudslinging. A prospective client should be doing some research on people bidding for the work before they make a decision. If they aren't, then they're just asking for trouble down the road. More than likely they wouldn't end up being that good of a customer anyway if they aren't willing to do due diligence.

Just use your head. The last thing that you want is for them to go with your competitor's services and then you end up constantly giving them free security consulting.

Re:Don't tell them what's vulnerable (2)

ocbwilg (259828) | more than 12 years ago | (#232157)

Sure, you would know you didn't hack their site...but you'd have to prove it in court, which is expensive as hell, not to mention very hard on the reputation.

Actually, they'd have to prove in court that you did it. Remember, innocent till proven guilty. Of course, by the time it gets that far you've already suffered a pretty substantial hit to your professional reputation to begin with...

Re:Do you lack all people and professional skills? (1)

papskier (263483) | more than 12 years ago | (#232161)

It's not that simple though. You could do something that is for absolutely no gain of your own, but merely to only help the client. Consider the following possible scenario:

You : "Mr. X, you happen to have a possible security problem on your website. It just so happens that you have the SQL Server port listening and awaiting a request."

Client : "What do you mean that SQL Server is Listening"

You : "Well, the SP that developed your site and is now hosting it left the SQL Server port open and listening. This means that anyone with a common piece of software can grab every byte of data from your database."

Client : "Everything?"

You : "Everything"

Client : "And how do you know this?"

Your Possible responses:
1) "Um... err... well.. " - Boom, ass in jail.

2) "I ran a port scan on it.." - he answers "Does that mean that you can break into my database? What's a port scan?" To which you reply that no, just because the port is listening doesn't mean that you necessarily CAN break into the machine, just a good possibility.. now you look like you really are a sore loser.

Either way, you're gonna look bad. You'll find that a surprisingly small number of people will actually pay you to watch while you break into their machines.

Put their ip on alt.2600, and check their site for defacements/intrusions/etc. When something happens, send them a follow up "Thanks for the opportunity to bid on your project..... " note.
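The scenario above turns on a database listener being left open to the world. As an added example (not from this thread or any poster), here is a self-audit a server owner can run over their own host's `netstat -an` output, in either the Windows or the Linux layout, to flag database ports bound to every interface rather than to loopback. The port table and the sample output are constructed for the example.

```python
"""Self-audit: find database listeners bound to all interfaces in netstat -an output.

A listener on 0.0.0.0 or :: is reachable from any network the host sits on
unless a firewall blocks it; one on 127.0.0.1 is reachable only locally.
Sample output below is constructed, not captured from a real host.
"""

# Assumption: the database services this audit cares about (port -> label).
DB_PORTS = {
    1433: "MSSQL",
    1434: "MSSQL Browser",
    3306: "MySQL",
    5432: "PostgreSQL",
}

# Addresses that mean "every interface" in netstat output (Windows and Linux forms).
WILDCARD_HOSTS = {"0.0.0.0", "::", "*", "[::]", "0:0:0:0:0:0:0:0"}


def parse_listeners(netstat_output):
    """Return (proto, host, port) for every listening socket in netstat -an text.

    Handles both layouts: Windows puts the local address in column 2 and
    marks TCP listeners LISTENING; Linux puts it in column 4 and marks them LISTEN.
    UDP sockets have no state, so every bound UDP socket counts as a listener.
    """
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # headers, blank lines, Unix sockets
        proto = parts[0].lower()
        # First token that looks like host:port is the local address in both layouts.
        local = next(
            (p for p in parts[1:] if ":" in p and p.rsplit(":", 1)[1].isdigit()),
            None,
        )
        if local is None:
            continue
        host, port = local.rsplit(":", 1)
        if proto.startswith("tcp") and not any(
            p.upper().startswith("LISTEN") for p in parts
        ):
            continue  # ESTABLISHED / TIME_WAIT etc. are not listeners
        listeners.append((proto, host, int(port)))
    return listeners


def exposed_db_listeners(netstat_output):
    """Return (proto, host, port, service) for DB listeners bound to every interface."""
    return [
        (proto, host, port, DB_PORTS[port])
        for proto, host, port in parse_listeners(netstat_output)
        if port in DB_PORTS and host in WILDCARD_HOSTS
    ]


def report(netstat_output):
    """Human-readable findings with the usual fix for each one."""
    lines = []
    for proto, host, port, service in exposed_db_listeners(netstat_output):
        lines.append(
            f"{service} listening on {host}:{port}/{proto}: bind it to 127.0.0.1 "
            f"or a private interface, or block {port}/{proto} at the firewall"
        )
    return lines


# Constructed sample in the Windows `netstat -an` layout.
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        198.51.100.7:51022     ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
"""

# Constructed sample in the Linux `netstat -an` layout.
SAMPLE_LINUX = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp6       0      0 :::1433                 :::*                    LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:1433         198.51.100.7:40000      ESTABLISHED
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_LINUX):
        for finding in report(sample):
            print(finding)
```

On a real host, feed it the actual `netstat -an` output; the loopback-bound MySQL and PostgreSQL entries in the samples show the configuration the findings are asking for. An established connection on port 1433 is deliberately ignored, since it says nothing about what is bound.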

Its Capitalism and Darwinism - Do Nothing :-) (1)

Flabdabb Hubbard (264583) | more than 12 years ago | (#232163)

The strongest will survive.

Has it occurred to you that you are pitching yourselves as a premium solution where the customer wants an 'economy' solution? Are you telling me you never misconfigured anything? Are you telling me that the OS you use has no exploits?

It really does sound like sour grapes. Think of it as a learning experience about the quality that the marketplace demands. Bill Gates is famous for only delivering the absolute minimum quality that the customer will accept.

It sounds like you guys should do more quantity of work, with less of the quality. After all, in 3 years time, everyone will be working somewhere else, and no one will care.

Non-Tech Selling... (2)

cavemanf16 (303184) | more than 12 years ago | (#232164)

A friend uses this strategy for people saying they've already got a stock broker (my friend is a broker):

My friend: "Mr. Smith, I'm not asking you to fire your current broker, I'm just asking you to invest through my company on this particular stock/bond/etc."

He tells me it works pretty well, but not all the time. I would think the same would work when telling companies why they have security holes:

"Company X, we don't want you to abandon your previous contracts and decisions. What we would like is to help you build a more secure system using some of our development talent. Here are security holes that the previous company has not fixed, and we would like to provide you with some solutions for fixing said holes."

If nothing else, it leaves a good impression with Company X because they know you want to help and get the job, but not at the expense of reworking their entire system of doing things.

Let us help. (5)

iluvpr0n (306594) | more than 12 years ago | (#232166)

I think you should not try to approach the company. They probably won't believe you, and you're not exactly a neutral voice on the matter. So, sign on AOL and go to my friends and my chat room. It's called private room "l33t" (I'm not sure what that means- my step-sister told me about it though). We'll approach the company from an outside standpoint and using our sophisticated Windows ME programs, can demonstrate the faults in their programs.

Please allow us to help; we are only in it for the greater security of everyone. Because last year my personal information got stolen from Burger King, where I work. It wasn't a computer problem, but my manager, José Esposito, left the filing cabinet open because he got grease stuck in the closing mechanism. It was so embarrassing having my personal information (including details of my police record and photos of my sister) in the hands of whoever took it. I'm still shaken by the thoughts. Luckily America Online is there to help.

And we want to also help, so please come to our chat room today.

.

Obligation to those whose privacy is threatened? (5)

melquiades (314628) | more than 12 years ago | (#232171)

I'm tempted, like many of the other posts, to say "screw the bastards; they dissed you, so you can do the same back."

However, if there is a hack, it's not just the decision-makers who will feel the pain. You said a hacker has access to employee names, SSNs, fire dates...and most of these belong to people who had nothing to do with choosing or implementing this bad system. OK, probably the hack will come from some kid with no malicious plans for the compromised data...but what if this personal information led to identity theft? What if information about a firing were leaked to a potential employer?

Forget the contract -- you lost it. But you have information about a serious potential threat to several hundred people. Isn't there some ethical obligation to the innocent employees whose privacy is on the line here?

4 Easy Steps (1)

GreenJeepMan (398443) | more than 12 years ago | (#232175)

1. Hack, take over, and copy their entire database

2. Tell them you have their passwords, their usernames, and full access to their servers.

3. Tell them, if they tell anyone, or ever use another vendor you'll destroy their business.

4. Retire

Common Sense (1)

glenkim (412499) | more than 12 years ago | (#232179)

I think this should be fairly common sense. If somebody has a vulnerability on their system, notify them of it. You don't have to break into the box, obviously. Just tell them that you were following up on them as potential clients, and you found that no-brainer vulnerabilities were left unfixed on their machines. You don't have to do it as a sales pitch saying how much better you are, but rather that as former potential clients, you were looking at how they were doing. If they decide going with you would be a better idea, that's great, but if they merely get on their web masters' asses for being lazy, then oh well.

Re:Obligation to those whose privacy is threatened (1)

haruharaharu (443975) | more than 12 years ago | (#232184)

I agree, there is some obligation. However, the threat is potential and they aren't your client.

If you know of an impending action based on this threat, then yes, drop them a line along with all the other people you are going to be notifying. Even that may be unwelcome, and they are big boys, able to look after themselves, at least nominally.

Re:I don't understand how some of this is illegal. (1)

haruharaharu (443975) | more than 12 years ago | (#232185)

The main thing I can think of is that nobody's started a SQL client war.

yet...

A *really* bad idea! (1)

cobol4me (444373) | more than 12 years ago | (#232188)

Hmmm....to follow your logic, that's like a car salesman plowing into a lost prospect's new car with a cement truck then putting a flier about *his* vehicle's 5-star safety rating on whatever's left of the smoldering wreck.

Personally... (1)

RALE007 (445837) | more than 12 years ago | (#232190)

I have opinions, the thing is my opinions get my @ss in a sling frequently so take them with a pinch of salt. What I would try is speaking with an executive, someone above the current webmaster of these insecure sites, and you'll be surely told "we already have someone who does that for us". Now comes my idea, challenge them, tell them you have seen *obvious* security holes, and get their permission to exploit them and show them exactly what is available to anybody with a little bit of know-how. Not only would you gain contracts but you would put one more dumbass out of a job who jumped into this industry just for the cash anyways (c'mon he called you sore loser for not getting the contract as opposed to actually listening to what his boxes are doing). Anywho, just my 2 cents, I would approach it in a manner to challenge the company and get their permission to exploit away. Almost everybody has a hard time backing down from a challenge and it'd be the easiest way to get their consent and also show them exactly what you're talking about.

Re:I don't understand how some of this is illegal. (2)

0dB (446021) | more than 12 years ago | (#232192)

Simply because you can't do it by accident - or at least you are extremely unlikely to do so. Focusing on the technology involved would be a mistake. Simple analogy: if you walk up to someone's house, try the door and it happens to be unlocked, it is not an innocent act to then go inside and rifle through their drawers for confidential information.

Now, at least in Europe, were you able to do this then the company may be held liable for not adequately securing their data. But that just makes you both breaking the law (although I would have thought that for an individual, the consequences would likely be minor for a first offense).

Bear in mind, too, that there is a profit motive for a development house poking about another company's site for holes, so it would probably not be viewed in a favourable light either by the law or the (self-righteously offended) company concerned. You are acting as a corporate entity, not a concerned citizen, in this scenario.

But really, apart from the legal side, it's the business aspect that's important. If you find less secure competitors winning contracts when you're going head to head, make security part of your pitch. If you still lose, that's their choice, and any consequences are for them to deal with. In asking the question, it's clear that you want to handle the situation properly, but at the end of the day you get a better reputation by not criticising or hacking your competition (damning by faint praise can be rather effective). Actually, scratch that last, that can vary from culture to culture. But once a deal is signed, be wary of trying to overturn that decision at all. It smacks of desperation.

Were they breaking the law? (1)

blang (450736) | more than 12 years ago | (#232194)

In some countries, such sloppy keeping of sensitive personal data is illegal and a serious offense. I know US law is much weaker than EU laws on this, but how weak is it?

Could you have reported these customers to some government or state agency? That would definitely be the thing to do if the deal was already lost and you took the customer on their word, and acted as a sore loser. At least revenge is sweeter than nothing.
