Ostrich Inc. - Of course we're secure!



  • I am a software consultant, so a lot of different businesses of all shapes and sizes come to me for various things.

    Some time ago, Ostrich Inc. (multimillion dollar annual revenue) asked me to evaluate their e-commerce platform and its integration with an internal system used by sales reps.  Specifically, all transactions stopped syncing between systems, they couldn't process certain payments, and they wanted us to update their internal credit card processing screen with some new features.

    The client stressed in initial conversations how important it was that everything I do be PCI compliant, and that security is extremely important to them; it's one of their "core values".  They outsourced the development of their systems and custom software to an American firm which advertises that they employ American developers, so the quality of their code is very high and they are trustworthy.  Ostrich Inc. expects me to respect that and does not think there is going to be much at all that I will need to do to correct their issues.  They have a "limited budget" for this project, and it should be quick and simple.

    The first stage of a project like this is systems discovery: figuring out how all their systems work together and how much work I'd need to do to get it working how they want it to.

    I was given all the admin credentials, and started going through their servers.  Correction - server.

    WTFs:

    1. Order sync was broken because sync code was originally written 3 years ago, and the queries had hard-coded datetime values which were only good for 3 years worth of syncs.  No one would still be using this in 3 years, right?
    2. Order sync was also broken because the server HDD was filled up with hundreds of gigs of order sync log files which were little more than "Order sync completed 2011-01-05" repeated over and over again. And reported successful syncs even when a sync failed.  Someone had commented out the error handling code, so it was only ever capable of reporting success.  Our system never fails.
    3. Both the public facing web store and the internal business system (where credit cards are processed) are on the same public facing web server.  Why pay for another server when we already have a perfectly good one right here.
    4. The web server is littered with random PHP files that were written by someone who clearly was just learning PHP; making beginner mistakes all over the place, and copy/pasting code taken straight from the PHP documentation without making the changes necessary to get the code to actually work. 
    5. There was a script on the root of the public facing web server which allowed anyone to upload any arbitrary file directly to another publicly accessible folder on the web server, among other things that exposed all kinds of vulnerabilities.
    6. All the systems on the server were years out of date, and had multiple, widely known, vulnerabilities.  But they couldn't be upgraded since the outsourced developers didn't know how to properly customize the systems, so they modified core code files, making it impossible to install updates without having to redo everything from scratch.
    7. Comments in the code listed names and email addresses of the outsourced "American" developers.  I was able to track them down to their Twitter and LinkedIn accounts, and learned that this American company whose major selling point is that they "are right next door" is actually contracting out to developers in India.
    8. Their credit card processing "system" was crudely bolted on to an open source business system, following none of the upgrade-safe coding conventions, was filled with spaghetti code that looked like it was obfuscated (but was just written poorly), and used AJAX to pass credit card data back and forth to the server.  Non-encrypted AJAX (no SSL).  To endpoints that required no authorization.  Which sent back plain text credit card numbers.
    9. Their "internal" credit card processing application developed by the outsourced developers stores credit card numbers and the CVV codes (which is absolutely non-PCI-compliant) directly in the database.  Unencrypted.  For long after the transactions were complete (thousands of CC numbers and auth codes, spanning years).
    10. Using the non-encrypted, non-auth, URLs used by the credit card processing system, anyone could hit the web server and get all credit card numbers and authorization codes for all customers in conveniently formatted JSON.

    Suffice it to say, these are some of the WTFs that stuck out.  There were plenty more.

    I fixed the order sync issue (for another few years at least), and proceeded to write up my report and submit it to Ostrich Inc.  I told them that their systems were leaking exploitable information like a sieve, that the systems were in no way, shape or form PCI compliant, and that if any of the major credit card vendors did an inspection they would be legally liable for millions of dollars in fines and penalties, not to mention the potential lawsuits from customers whose information could have been stolen (or may already have been).  I recommended an immediate effort to migrate to properly developed and secured systems, and presented three different levels of response with different costs, while stressing that these issues must all be addressed at some point, even if they were only able to afford to address the most critical issues now.

    Ostrich Inc. was happy their order sync was fixed, and did not inquire any further about the other issues.  After all, with their limited budget, they couldn't afford to make unnecessary optimizations on a system that is working just fine.  And, since they were assured by their reputable outsourced development firm that everything was fully secure and PCI compliant, they had no reason to believe otherwise and could not be blamed for being deceived should their system ever be compromised.

    They quietly dropped me as a consultant before I could point out the legal fallacy of that way of thinking, and they went about their business as usual.

    This was not the first company like this I have ever worked with, and it won't be the last.  It often takes every last ounce of effort I can muster just to convince some of my clients that storing credit card numbers in publicly facing web servers is a bad idea.  Often they drop me as a consultant, go elsewhere for that component of the project, or merely grudgingly accept what I tell them, thinking I'm just being lazy or incompetent for not wanting to do it, despite my explanations.

    How so many businesses, so many business people, accountants, sales people, executives, can still not get this simple concept and be so resistant to the idea of just not storing plain text credit card numbers on public-facing systems is mind boggling. And it seems like everyone wants to do it.
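The WTFs above describe a pattern that is worth seeing side by side in code: an endpoint that needs no session and hands back full card numbers, next to a handler that stores only a processor token and a masked PAN, refuses to persist the CVV, and rejects unauthenticated callers. The block below is an added example written for this page, not code from the original post or from Ostrich Inc.'s system; the in-memory "database", the session table, the sample card numbers (standard Luhn-valid test numbers) and the HMAC-based stand-in for a payment processor's tokenization call are all constructed for illustration.

```python
"""
Added example (not from the original post). Compares the anti-pattern
described in the thread with a hardened handler:

  * CVV (sensitive authentication data) is never written to the database
    after authorization; only the authorization code is kept.
  * The PAN is replaced by a token from the payment processor (simulated
    here with a keyed HMAC); only a masked PAN is stored for display.
  * The read endpoint requires a valid session and returns masked data.

Everything here is constructed for illustration: the sample card numbers
are public Luhn-valid test numbers, not real cards.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample authorizations, as the broken screen might have posted them.
SAMPLE_AUTHORIZATIONS = [
    {"order_id": 1001, "pan": "4111111111111111", "cvv": "123", "auth_code": "A1B2C3"},
    {"order_id": 1002, "pan": "5555555555554444", "cvv": "456", "auth_code": "D4E5F6"},
]


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: an input sanity check, not a security control."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits (PCI DSS allows at most first 6 / last 4 on display)."""
    return "*" * (len(pan) - 4) + pan[-4:]


# ---- the pattern from the post: store everything, return everything, no auth ----
INSECURE_DB = []


def insecure_record_transaction(auth: dict) -> None:
    INSECURE_DB.append(dict(auth))          # full PAN and CVV land in the database in clear


def insecure_list_transactions() -> str:
    # No session check: anyone who knows the URL gets every card number as JSON.
    return json.dumps(INSECURE_DB)


# ---- hardened version ----
SECURE_DB = []
_TOKEN_KEY = secrets.token_bytes(32)       # stands in for the processor's vault key (assumption)
VALID_SESSIONS = {"sess-sales-rep-7": "rep7"}   # constructed session store


def tokenize(pan: str) -> str:
    """Stand-in for a processor tokenization call; the token is keyed, so this table cannot be reversed."""
    return hmac.new(_TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:24]


def secure_record_transaction(auth: dict) -> None:
    if not luhn_ok(auth["pan"]):
        raise ValueError("not a valid card number")
    SECURE_DB.append({
        "order_id": auth["order_id"],
        "pan_masked": mask_pan(auth["pan"]),
        "pan_token": tokenize(auth["pan"]),
        "auth_code": auth["auth_code"],
        # CVV is deliberately absent: it must not be stored post-authorization.
    })


def secure_list_transactions(session_id):
    """Returns (status, body). Rejects unauthenticated callers; never exposes a full PAN."""
    if session_id not in VALID_SESSIONS:
        return 401, json.dumps({"error": "authentication required"})
    return 200, json.dumps(SECURE_DB)


def load_samples() -> None:
    INSECURE_DB.clear()
    SECURE_DB.clear()
    for auth in SAMPLE_AUTHORIZATIONS:
        insecure_record_transaction(auth)
        secure_record_transaction(auth)


if __name__ == "__main__":
    load_samples()
    print(insecure_list_transactions())                 # full PANs and CVVs, no auth
    print(secure_list_transactions(None))               # (401, ...)
    print(secure_list_transactions("sess-sales-rep-7")) # masked PANs, tokens, no CVV
```

The point of the hardened half is that a leak of `SECURE_DB` (or of the JSON it serves) yields nothing an attacker can charge against: the token is only meaningful to the processor that issued it, and the CVV was never written down. In a real deployment the tokenization call goes to the payment processor's API over TLS rather than a local HMAC, and the session check comes from the application's existing authentication layer.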



  • Looks like a job for the clue bat. The same one as the one used on Sony.

    (of course, it won't help in the long run)



  • I don't exactly see why you couldn't report them anonymously to one or all of the credit card companies.

    Honestly, stuff like that is what whistleblower laws are for.



  •  Seriously, it's your friggin' *duty* to report this company.



  • As much as I agree with the "report them!" crowd, what does this do to the OP's ability to get clients?   Over time, his resume of past work experience starts to look like a "who's who" of famous security breaches and whistleblower cases.  This makes it hard for a new company to provide the OP with all of their secrets, and reasonably so.  

    The way forward is not to be heavy-handed (threatening), rather there must be some way that you can make the "contract development" out to be a bad guy here.  Then the company can feel good about itself by moving from the 'bad guys' to the 'good guys (OP)'.  If the company still has any shred of faith left in their development system, they're going to stick with it, and I can understand that also as a salaried developer.  I have years to entrench myself, while the OP only has days or weeks to make a case.  

    So the OP has to undermine the confidence in that shady development contractor to the point that this company calls him back to fix these things like it was their idea.  

     



  • @KrakenLover said:

    How so many businesses, so many business people, accountants, sales people, executives, can still not get this simple concept and be so resistant to the idea of just not storing plain text credit card numbers on public-facing systems is mind boggling. And it seems like everyone wants to do it.

    That would be because PCI compliant systems are a royal pain in the ass to use, for the most part.

    Try telling them that they need to require their third party vendor to sign the PCI compliance forms (there's a form specifically for that). Tell them that relieves them of most of the liability for any breach, and places it on the third party. Of course, that's only useful before the package is deployed.



  • IANAL, but I doubt that whistle-blower laws would be of any benefit to me in this case.  I'm not an employee of this company, and PCI compliance isn't legally required in the industry Ostrich Inc. belongs to, nor do they hold an actual PCI compliance certification.  Although in theory credit card companies should be doing random inspections of any business who processes credit cards, they are not required nor equipped to do so (lots of businesses out there).  These inspections typically only happen with very large enterprises, if at all.  In practice, the massive fines and penalties are there as a discouragement to businesses doing what Ostrich Inc. does, but these fines are rarely applied except in the case of major breaches, and pro-active application of the fines is very rare (I've never heard of that happening, but I'm not an expert on this).

    I agree that reporting this to some agency or a credit card company would be great.  I'd love to do it.  But I'd be throwing away my career because doing the right, ethical, moral thing is punished heavily; while doing shady business, treating your customers (and their data) with disrespect, and being ignorant of best practices are rewarded.

    If your company is more nimble to respond to changes in the market because you're cutting corners and not doing your due diligence, you are rewarded with greater profits.  But a company who does things the right way needs to make a greater investment up front for competent developers, then has less money for marketing, is going to be slower to respond to market opportunities, and loses out in the end. A lot of the businesses I work with were small start-ups not long ago; they didn't have the money or knowledge to do things the right way.  And they were successful, in part, because of it. Why would they suddenly feel obligated to start doing things the right way now?

    Granted, that's a rather jaded perspective, but it's hard not to be when you get to see the inner workings of so many businesses and realize how many of them are doing things that make your skin crawl.

    And, regardless, who is going to hire a consultant with a history of being a whistle-blower, even if he or she did have a legal obligation to report the misconduct to some authority? Why would any company hire anyone with that history?  If hiring that person could mean that your company can be destroyed if the whistle-blower finds something wrong, then why would any business take that risk?

    I'm not commenting on whether that's right or wrong. What I'm saying is that in this case, I have absolutely everything to lose and nothing beyond some measure of moral superiority to gain. And I'm not saying there aren't perhaps causes for which I would risk my livelihood, but this just isn't one of them.

    @taustin said:

    @KrakenLover said:

    How so many businesses, so many business people, accountants, sales people, executives, can still not get this simple concept and be so resistant to the idea of just not storing plain text credit card numbers on public-facing systems is mind boggling. And it seems like everyone wants to do it.

    That would be because PCI compliant systems are a royal pain in the ass to use, for the most part.

    Try telling them that they need to require their third party vendor to sign the PCI compliance forms (there's a form specifically for that). Tell them that relieves them of most of the liability for any breach, and places it on the third party. Of course, that's only useful before the package is deployed.


    That is true - they are a pain to use, and a huge pain to develop systems for.  But I don't think that's a valid excuse, and I can't see how any thinking person could see it as such. I'm not saying that you're saying it's a valid excuse, but the idea that people see something difficult as automatically being unnecessary is deeply depressing.

    Even if they had those forms signed, per the language of the PCI compliance contract that Ostrich Inc. signed (inherently, by working with credit card numbers), having that document does not absolve them of their responsibility to do due diligence.  You can't just pass off your responsibility wholesale with that document.  Nor would it absolve them of potential repercussions from a civil suit.  If they wanted good protection, then they would need to get actual PCI compliance certification.  Since that is not cheap or easy to get, few businesses are going to opt for it unless legally required to do so.



  • @KrakenLover said:

    How so many businesses, so many business people, accountants, sales people, executives, can still not get this simple concept and be so resistant to the idea

    There's no reason for any of those people to understand the technical details, nor why they matter. From their perspective, any explanation of why a WTF of this caliber is a Really Bad Thing is only going to sound like you're trying to fleece them, and hey, they're just not gullible enough to fall for that one. Perhaps TRWTF is their legal department.




  • The lack of PCI compliance also implies their payment processor is lacking in confirming PCI compliance. Unless they have people entering the transactions by hand...

     



  • @Kittemon said:

    @KrakenLover said:

    How so many businesses, so many business people, accountants, sales people, executives, can still not get this simple concept and be so resistant to the idea

    There's no reason for any of those people to understand the technical details, nor why they matter. From their perspective, any explanation of why a WTF of this caliber is a Really Bad Thing is only going to sound like you're trying to fleece them, and hey, they're just not gullible enough to fall for that one. Perhaps TRWTF is their legal department.

    I rarely have this problem with companies who have IT staff.

    But this issue comes up a lot with companies who either have no IT staff or who completely outsource their IT services.  Those ones tend to have the attitude that computers are magic and can do anything and everything they want; and if you tell them something can't or shouldn't be done, it's your fault.

    Regardless, when there are so many stories about credit card theft and data breaches, you'd think that these people might be able to connect the dots.

    Also - what legal department?  Many of these companies don't have one.  Just like they don't have an IT department.  After all, the business is selling widgets, why have anyone on staff with any technical or legal knowledge?

    A business should focus on their core competency, and outsource everything else. </business-major>

    @zipfruder said:

    The lack of PCI compliance also implies their payment processor is lacking in confirming PCI compliance. Unless they have people entering the transactions by hand...

    The payment processor has a blanket statement in the contract the business signs with them.  This statement says something to the effect of "you are responsible for assuring that any business-side systems feeding our systems are PCI compliant, and we take no responsibility for anything that you do wrong on your side of our API".

    Which I think is perfectly reasonable for the payment processor to state.  They can't and shouldn't need to verify the PCI compliance of those who use their API.  That should fall squarely on the business.

     



  • @_leonardo_ said:

    As much as i agree with the "report them!" crowd, what does this do the OP's ability to get clients?  

    There is such a thing as an anonymous tip off



  • @OzPeter said:

    @_leonardo_ said:

    As much as i agree with the "report them!" crowd, what does this do the OP's ability to get clients?  

    There is such a thing as an anonymous tip off

    Because, certainly, nobody would guess that the one person who wrote a report on the lack of PCI compliance, and heavily recommended addressing the issue, would also be the person who sent in the anonymous tip.

     



  • @KrakenLover said:

    I'm not commenting on whether that's right or wrong. What I'm saying is that in this case, I have absolutely everything to lose and nothing beyond some measure of moral superiority to gain. And I'm not saying there aren't perhaps causes for which I would risk my livelihood, but this just isn't one of them.

    And yet you lambaste them for their supposed villainy?



  • @KrakenLover said:

    Because, certainly, nobody would guess that the one person who wrote a report on the lack of PCI compliance, and heavily recommended addressing the issue, would also be the person who sent in the anonymous tip.

    Except you can send the tip in 15-50 months, to avoid people making the connection (they will likely have forgotten, or had someone else tell them the same thing, or simply believe it to be slander).

     



  • Was the outsource developer Avion or Thirdware, by any chance? I've seen some of their code, it's BEYOND hilarious/sad (depending on who you are) LOL

    I could fill, easily, a weeks worth of daily WTFs just with what these eyes have seen, hah.



  • @SamC said:

    I could fill, easily, a weeks worth of daily WTFs just with what these eyes have seen, hah.


    Please do!



  • This got me thinking about what brick-and-mortar contractors do in almost every country: if you want to do some work in your home/office/local and the contractor finds any security hazard (like a broken pillar, lead pipes or asbestos), they're required to fix it before continuing with any other work because they could be liable for it. This is another reason why software engineering is in the state we're in today.

    Now, I've got to go and write myself a feed reader which doesn't require a cloud provider... argh!



  • @KrakenLover said:

    @OzPeter said:

    @_leonardo_ said:

    As much as i agree with the "report them!" crowd, what does this do the OP's ability to get clients?  

    There is such a thing as an anonymous tip off

    Because, certainly, nobody would guess that the one person who wrote a report on the lack of PCI compliance, and heavily recommended addressing the issue, would also be the person who sent in the anonymous tip.

     

    So, to be frank, why exactly do you think that you're better than them? You're actually supporting their way of doing things.

    If you let them continue in those ways then you have no place in complaining about those business tactics. Makes you an accomplice in my eyes.

    If this was a crime, you'd be accountable for that crime due to your insider status and face jail time. Think about that.



  • @KrakenLover said:

    They outsourced the development of their systems and custom software to an American firm which advertises they employ American developers
     

    Always the same shit with this outsourcing to America.



  • @Rhywden said:

    So, to be frank, why exactly do you think that you're better than them? You're actually supporting their way of doing things.

    If you let them continue in those ways then you have no place in complaining about those business tactics. Makes you an accomplice in my eyes.

     

    The problem is, to stop being an "accomplice" he has to take a great risk to his financial security. He may have (or want to be able to have) a family to support, which may be more important in his eyes than the potential outcome of this hack.

    In a perfect world, random inspections would be common enough to prevent an anonymous tip-off from being easy to spot. In this one, it means taking care to avoid being too obvious.

     



  • @TheLazyHase said:

    @Rhywden said:

    So, to be frank, why exactly do you think that you're better than them? You're actually supporting their way of doing things.

    If you let them continue in those ways then you have no place in complaining about those business tactics. Makes you an accomplice in my eyes.

     

    The problem is, to stop being an "accomplice" he has to take a great risk to his financial security. He may have (or want to be able to have) a family to support, which may be more important in his eyes than the potential outcome of this hack.

    In a perfect world, random inspections would be common enough to prevent an anonymous tip-off from being easy to spot. In this one, it means taking care to avoid being too obvious.

     

    Well, a fraudster will also take a financial hit when they stop committing fraud. That's not exactly an excuse.

    Protip: If your current line of work requires you to do morally questionable things on a regular basis, you should really consider getting out of this line of work.



  • @Rhywden said:

    Well, a fraudster will also take a financial hit when stops committing fraud. That's not exactly an excuse.

    Protip: If your current line of work requires you to do morally questionable things on a regular basis, you should really consider getting out of this line of work.

     

    In which way is the OP a fraudster, and in which way does he do morally questionable things? He is paid to audit, not to enforce the law. In fact, mandatory denunciation of fraud is one of the signs you are in a dictatorial state.

    In any case, assuming he has a wife and children, risking his job is also a morally questionable act. Being a hero is never mandatory, especially when you put the burden of risk on other people too. Protip: in a robbery, especially if you work at the robbed entity, you are expected to fully comply with the robber, not to try anything funny.

     



  • @TheLazyHase said:

    In which way is the OP a fraudster, and in which way does he do morally questionable things? He is paid to audit, not to enforce the law.

    Given that you know how PCI non-compliant Ostrich Inc. is:

    1. Would you buy stuff from them?
    2. Would you warn your friends and acquaintances to not buy stuff from them?
    3. How would the customers of Ostrich Inc. respond if they knew how cavalier Ostrich Inc. was with their credit card details?
    4. How will the customers be protected in the future if Ostrich Inc. doesn't want to change its ways?
    5. And how can Ostrich Inc be compelled to change its ways if no-one reports them?


    And Ostrich Inc. could be eligible for these prizes:
    • Fines of $500,000 per data security incident
    • Fines of $50,000 per day for non-compliance with published standards
    • Liability for all fraud losses incurred from compromised account numbers
    • Liability for the cost of re-issuing cards associated with the compromise
    • Suspension of merchant accounts


    Finally, the actions of Ostrich Inc. are akin to a person knowing they have an infectious STD and continuing to have unprotected sex with others without informing them of the risk they are taking.


  • @OzPeter said:


    Finally, the actions of Ostrich Inc. are akin to a person knowing they have an infectious STD and continuing to have unprotected sex with others without informing them of the risk they are taking.

    ...And who can harm you if they notice you're the one who told on them.

    Therefore I'm with TheLazyHaze here: Send the anonymous tip, but only after a reasonable CYA delay.



  • @OzPeter said:

    @TheLazyHase said:

    In which way is the OP a fraudster, and in which way does he do morally questionable things? He is paid to audit, not to enforce the law.

    Given that you know how PCI non-compliant Ostrich Inc. is:

    1. Would you buy stuff from them?
    2. Would you warn your friends and acquaintances to not buy stuff from them?
    3. How would the customers of Ostrich Inc. respond if they knew how cavalier Ostrich Inc. was with their credit card details?
    4. How will the customers be protected in the future if Ostrich Inc. doesn't want to change its ways?
    5. And how can Ostrich Inc be compelled to change its ways if no-one reports them?

    Ostrich is a fraudster. The one who isn't one is the OP, who does not even work there permanently.

     



  • This is the reason why I use throw-away pre-paid credit cards for online transactions.


  • Considered Harmful

    @garrywong said:

    This is the reason why I use throw-away pre-paid credit cards for online transactions.

    What? But those were invented solely for russ0519.



  • The real issue is that reporting a company that is committing blatant security violations and empowering identity theft would come to bite you in the ass.  IMHO any company that would hold that as a black mark against the OP is probably just as criminal as this "Ostrich Inc." company is.  The sad reality is I bet a lot of them are.

    This is similar to having repeatedly quit jobs because the environment is run by clueless people, and having a potential company blacklist you when you mention in the interview that you're looking for a shop that does things right; it's a clear indicator that the company you're talking to does NOT do things right, and you wouldn't be happy there.  Same thing here.  A company that blackballs the OP because he reported a major security violation is probably doing those same violations.



  • @dhromed said:

    Always the same shit with this outsourcing to America.

    Sending the work to a third-world hellhole like Belize is also "outsourcing to America". Technically. Pedantic dickweedally.

    Assuming he meant "the United States", hey there's like 350 million people here, we can't all be top-notch. Especially those in West Virginia who are only top-notch when weighing themselves on airport scales.



  • @TheLazyHase said:

    In which way is the OP a fraudster, and in which way does he do morally questionable things?

    The company made/isn't fixing the security violations to make more money.  He isn't reporting the violations to make more money. You can't say "I'd report it except I'd never get a job again" and expect to be morally superior to them since they didn't spend all their money to fix it.



  • @Sutherlands said:

    The company made/isn't fixing the security violations to make more money.  He isn't reporting the violations to make more money. You can't say "I'd report it except I'd never get a job again" and expect to be morally superior to them since they didn't spend all their money to fix it.
     

    The fallacy is that it is not the OP's job to report those violations, while it is the firm's job to have decent security. In other words, it's not about money, it's about law.

    As I said, mandatory denunciation when it's not your job to inspect for the government is something dictatorial, not something expected.



  • @TheLazyHase said:

    dictatorial

    @TheLazyHase said:

    fallacy

    I'm not sure you know what these mean.

    Regardless, you can't claim the moral high ground when you're not doing the moral thing, regardless of whether you have to or not.



  • @Sutherlands said:

    Regardless, you can't claim the moral high ground when you're not doing the moral thing, regardless of whether you have to or not.

     

    I know what both mean, and a personal attack is another form of fallacy.

    Fallacy because your reasoning is wrong: you equate the legal obligation of a firm and non-mandatory behaviour from a consultant, and try to hide the fact that they are fundamentally different with rhetoric.

    Dictatorial because each and every country I know of where anonymous tip-offs were mandatory was dictatorial (for example: France under Nazi occupation, Communist China, East Germany).

    And a third fallacy in your post: you consider each and every thing you claim "amoral" to be the same. It's plain wrong; the perennial example is that a thief has the moral high ground over a child rapist. Ostrich did not rape children (yet?), but it did do something a lot more important than chickening out.

     



  • It is my understanding that doing what Ostrich Inc. does is not illegal.

    PCI compliance is not mandatory, nor are they legally obligated to be PCI compliant by government law (whether it be local, state, or federal).  PCI compliance is a recommendation, not a legal requirement.  There were efforts to make it a legal requirement at one point, iirc, but they failed due to industry complaint that to make it legally required for all businesses would place undue burden on businesses.

    Ostrich Inc. is, however, obligated to be PCI compliant per the terms of their contract with the payment processor.  But that's a matter of contract law, as I understand it, and I am in no way required to enforce a contract that two other entities agreed to.

    @Rhywden said:

    So, to be frank, why exactly do you think that you're better than them? You're actually supporting their way of doing things.

    If you let them continue in those ways then you have no place in complaining about those business tactics. Makes you an accomplice in my eyes.

    If this was a crime, you'd be accountable for that crime due to your insider status and face jail time. Think about that.

    I never said I was better than them.  I'm not an objectivist, but I have a family, and responsibilities that I can't just toss aside.

    And this is not a crime (as far as I am aware), I am not an employee of Ostrich Inc., and I am not accountable for the choices of Ostrich Inc.  If I were legally obligated to report this, then I probably would.

    @OzPeter said:

    And Ostrich Inc. could be eligible for these prizes:
    • Fines of $500,000 per data security incident
    • Fines of $50,000 per day for non-compliance with published standards
    • Liability for all fraud losses incurred from compromised account numbers
    • Liability for the cost of re-issuing cards associated with the compromise
    • Suspension of merchant accounts

    Absolutely true.  And I explained this to them.

    Ostrich Inc. had the money to make the necessary changes, it was in their own best interest to do so; and if they didn't want to pay me to make these changes because they felt my quote was too high or that I was trying to scam them, they could have gotten a second opinion or gone with someone cheaper (granted, that's what got them into the mess in the first place).

    @Rhywden said:

    Protip: If your current line of work requires you to do morally questionable things on a regular basis, you should really consider getting out of this line of work.

    Point me to a perfectly ethical, moral, business who always does the right thing, doesn't lie to customers (that rules out any company with a marketing department), follows all applicable laws and regulations, never engages in morally dubious activities, always follows best practices, is altruistic, and so on and so on.  Do you work for one?

    I have never worked for a company either as an employee or as a consultant that I couldn't find something morally suspect with.  Or that someone else couldn't find something morally suspect with.

    I've worked in public education, and that made me feel worse about myself and my ethics than this PCI compliancy mess.

    A friend of mine works in fast food, and he feels guilty for serving obese people piles of cholesterol-laden slop that's just putting nails in their coffins.

    What's the alternative?  Just lay down and die in a gutter to ensure you never involve yourself with anything morally dubious?

    I don't think such a perfect, moral, place exists and that everyone has to deal with that somehow in their own way.  I do what I can to steer my clients in the right direction, but at the end of the day, they are the ones who will make the choice of which path to follow.  I can't force them to do the right thing, I'm not legally obligated to and have no authority to force them to do certain things that they don't want to do, and I can't be some kind of crusader for proper systems design, staking my livelihood and the welfare of those who rely on me for something like this.  I'm sure a more brave person would, but I never claimed to be all that brave either.

    @Sutherlands said:

    Regardless, you can't claim the moral high ground when you're not doing the moral thing, regardless of whether you have to or not.

    I agree.  And I never claimed that I had the moral high-ground in this case.

    @ObiWayneKenobi said:

    The real issue is that reporting a company that is committing blatant security violations and empowering identity theft would come to bite you in the ass.  IMHO any company that would hold that as a black mark against the OP is probably just as criminal as this "Ostrich Inc." company is.  The sad reality is I bet a lot of them are.

    This is similar to having repeatedly quit jobs because the environment is run by clueless people, and having a potential company blacklist you when you mention in the interview that you're looking for a shop that does things right; it's a clear indicator that the company you're talking to does NOT do things right, and you wouldn't be happy there.  Same thing here.  A company that blackballs the OP because he reported a major security violation is probably doing those same violations.

    Even if a company does do things the right way, some employers still see whistleblowers as being disloyal and not trustworthy.  No one is going to want to hire someone who has any kind of history of going above the head of their employer and talking to the government/agency/whatever and causing legal and financial repercussions, regardless of whether or not the whistle-blowing was justified.  Maybe there are employers like that.  Not sure if I've ever met one.  I have met a lot of petty, egotistical, ones who would view any kind of breach like that as some kind of cardinal sin, though.

    @TheLazyHase said:

    He is paid to audit, not to enforce the law.

    And in this case, there is no law for me to enforce even if I were being paid to enforce the law.  As far as I can see, what Ostrich Inc. is doing is not illegal.  It is a violation of trust, a violation of a private contract they entered into with their payment processor, and a scummy thing to do.  But it isn't illegal.

    Again, PCI compliancy is not a legal obligation.  It is not government enforced.  It is purely a standard which credit card companies reference in contracts that they have payment processors and client business sign and agree to.  It was established to help reduce fraud, and ensure that when fraud occurs, it's not the credit card companies who get stuck with the bill.

    If a company violates the contract, and is not PCI compliant, then it is up to the credit card companies to pursue.  If individuals have had their identity stolen as a result of negligence on the business' part, then those individuals have a right to sue for damages.

    But general PCI compliance is not enforced by any governmental body in the USA.  It is a matter of contract law.

    If the citizens of the USA want it (or equivalent regulations) to be legally required, then that's a voter issue.  A new law would need to be made, and passed.

    As far as international law goes, I don't know anything about that.  Would the Indian developers who designed and programmed the non-PCI compliant system in the first place and lying about it to the US-based Ostrich Inc. be held personally liable?  How far reaching would the law be?  Could it be circumvented by merely outsourcing to foreign countries for the development work and have them sign an unenforceable contract taking responsibility for the fallout?

    Until any kind of law gets passed, if ever, it's all just speculation where the liability would fall in this situation.

    And right now, no one has broken the law as best as I can tell.

  • Considered Harmful

    @KrakenLover said:

    Point me to a perfectly ethical, moral, business who always does the right thing, doesn't lie to customers (that rules out any company with a marketing department), follows all applicable laws and regulations, never engages in morally dubious activities, always follows best practices, is altruistic, and so on and so on.  Do you work for one?

    Call me naïve, but I think I actually do (to the best of their ability). It's one of the reasons I plan to stick around here.

    Ethics was covered fairly extensively during orientation, and from what I've seen the company practices what they preach.



  • @joe.edwards said:

    @KrakenLover said:
    Point me to a perfectly ethical, moral, business who always does the right thing, doesn't lie to customers (that rules out any company with a marketing department), follows all applicable laws and regulations, never engages in morally dubious activities, always follows best practices, is altruistic, and so on and so on.  Do you work for one?

    Call me naïve, but I think I actually do (to the best of their ability). It's one of the reasons I plan to stick around here.

    Ethics was covered fairly extensively during orientation, and from what I've seen the company practices what they preach.

    It's entirely possible you do.  I am rather jaded, but I'm not saying it's beyond the realm of possibility.

    It's just that I've done work for places that had a similar public-facing presence.  But admin access to account and email systems, and being responsible for things like system audits and debugging, kind of penetrate that veneer and tell the real story.

    Maybe someday I'll find a place that really lives up to its image and practices what it preaches.   Maybe I've just been really quite unlucky so far in my career.




  • @TheLazyHase said:

    I know what both mean, and personal attack is another form of fallacy.

    Saying that you are using words wrong is a personal attack? News to me.

    @TheLazyHase said:

    Fallacy because your reasoning is wrong: you equate the legal obligation of a firm and a non-mandatory behavior from a consultant, and try to hide the fact that they are fundamentally different with rhetoric.

    The closest thing I said to what you're claiming is that he is not in a position to claim the moral high ground.  Strawman is ACTUALLY a fallacy.

    @TheLazyHase said:

    Dictatorial because each and every country I know where anonymous tip-offs were mandatory was dictatorial (for example: France under Nazi occupation, Communist China, East Germany).

    Very well, mandatory tip-offs may be dictatorial. But you're the only one who has mentioned anything about them being mandatory. Everyone else is talking about what the moral thing to do is.

    @TheLazyHase said:

    And a third fallacy on your post: you consider each and every thing you claim "amoral" to be the same.

    Immoral, not amoral.

    @TheLazyHase said:

    It's plain wrong; the perennial example is that a thief has the moral high ground over a child rapist. Ostrich did not rape children (yet?), but it has done something a lot more important than chickening out.

    Considering "each and every thing [...] to be the same" when we're only talking about two things is perfectly valid.  I consider these two things to be such that in this instance, neither one is more moral than the other.  That is also not a fallacy, though you are free to disagree with it.

    @KrakenLover said:

    I agree. And I never claimed that I had the moral high-ground in this case.

    Looking back I see that it is true.  I can't even say I would do something different in your place.  I hope you'll consider placing an anonymous tip sometime in the not-so-distant future, though.



  • Although it will cost you some nominal money, here is what I think makes sense.

    Go to a lawyer, and have them write a letter to the PCI Security Council, saying that it came to your attention "while visiting the company" that there is a consultant report "written by the outside analyst" listing the following violations. Formulate them as if you memorised them imprecisely. Have as much information as possible about the report title, date, etc.

    The lawyer cannot be requested to identify you. Good luck.




  • I'm gonna go ahead and compare not reporting this to the Penn State scandal. Knowing and not reporting makes you an accomplice.

    Imagine if tomorrow, someone managed to hack into them, and downloads/publishes the info.

    Who's to say they wouldn't blame you for the attack? You already 'confessed' that you know about the vulnerabilities, they ended their contract with you, and your motive is retaliation.



  • @KrakenLover said:

    information could have been stolen (or may already have been).

    This is why most security breaches aren't reported - the company doesn't even know that it has been breached. It isn't like in the movies - when the good guys steal some data from the bad guys, the bad guys don't have it any more and they know they've been hacked.

    I keep trying to think of some good example that will make it obvious to the pointy-haired ones how serious this stuff is. If you hire a plumber to look at a problem in your house and on the way in he notices that the builder never installed a front door on your house, then you would start making some frantic phone calls right away. Some of these ostrich companies are carefully locking the really complicated lock that the builder installed, without the ability to see that the lock isn't attached to a door. Or perhaps there are no walls on the home, just a really impressive front door lock.

    In software, there's no equivalent of a building code to ensure that the system is built correctly. I know lots of people who will actually check the spacing between the studs in the walls meets the building code but there's no equivalent measurement to check for SQL injection vulnerabilities.



  • @KrakenLover said:

    If your company is more nimble to respond to changes in the market because you're cutting corners and not doing your due diligence, you are rewarded with greater profits.  But a company who does things the right way needs to make a greater investment up front for competent developers, has less money then for marketing, is going to be slower to respond to market opportunities, and loses out in the end. A lot of the businesses I work with were small start-ups not long ago; they didn't have the money or knowledge to do things the right way.  And they were successful, in part, because of it. Why would they suddenly feel obligated to start doing things the right way now?


    I haven't read this all carefully, but perhaps this is an assumption that you have made which stops you using a better approach for you to sell further contract work. 

    What the company is looking for is to be efficient.  Perhaps you could let them know that what they did at the start allowed them to be flexible as a small company, but now there are so many limitations and workarounds it is inefficient (have some examples from finding out about issues that have stalled management).  Then make your recommendation that it is time to reorganize the system setup to be flexible, take out the workarounds and invest in the future with a system that will continue to scale on a larger basis.  Oh and as an additional 'freebie' they gain a 'tick in the box' of being EVEN MORE secure.



