Responsible Disclosure and PASS’s Security Vulnerability

I’ve only been at the DBA thing for the last six months. I’m as close to an Accidental DBA as it gets; and I’m the first to admit that. I’m learning fast, I’m learning on the Job, and (full disclosure), the Brent Ozar Unlimited team has helped with that, tremendously.

I’ve been following Brent Ozar’s blog for a long time now, and more recently started paying attention to the PASS debacle(s). Before, it was idle curiosity; now it’s because I’m working day in and day out in that sphere. I can’t afford to be ignorant.

Today, Brent blogged about PASS’s lack of security surrounding their voting system. In essence, it worked like this:

PASS sends you to a third party site to vote, you input your PASS credentials on this third party site, and voila, you’ve voted.

See the problem? No?

How about now?

PASS sends you a postcard with an address to go to. You go to that address, give them identity information (Social, birthdate, whatever they need to act as you), and they mail it back to PASS with your vote.

Would you do that in real life? No. Then why would you do that online?

At first, it was fun and games. Everyone have a laugh at terrible security. Then, I took an action on the PASS site, and noticed that rather sensitive information was leaking out. I even dug into the developer tools to be sure I wasn’t making it up — but even after that, I still thought there was something I was missing. I had to be. I posted an offhand comment on Brent’s blog because quite frankly, I thought I was wrong.

I was so sure I was wrong that I didn’t even think about the ethics of disclosure. It didn’t cross my mind. I was hoping someone would reply with, “Hey, you’re not seeing X, or Y — they’re actually doing it correctly.”

So I posted a comment.

I shouldn’t have done that, because in this case: I was right. Oops.

I’m sorry.

Brent and others are already in contact with the PASS people to get this vulnerability fixed. For my part: lesson learned.

Note: If you’re trying to raise me on twitter, I’m taking a break from social media for the next 9 weeks. Catch me through a comment on this site or through email.

Additional note: If you have a link to a template for Responsible Disclosure that isn’t vendor specific, link to it in the comments. An internet search turns up a lot of separate “responsible disclosure policies”, but I haven’t seen an authoritative template on the subject that should govern our actions, or ethical actions in the case a company doesn’t have a policy on their site. Troy Hunt’s take on the subject is relevant.

Update 1: The vulnerability on the PASS site affects your user credentials (login/password). The site has been vulnerable for an unknown amount of time — but it’s not one of those things that works and you accidentally break one day. My supposition is that it’s been broken for a very long time. If you use the same username/email + password combination anywhere else, change it on that site immediately. (I include email because that’s part of the sensitive information that leaks out, and some sites use your email address as your login instead of a unique username.)

Do not change your PASS credentials until they fix the vulnerability on their side. Doing so will only cause you pain, without actually fixing the issue.

Update 2: You may wonder why this is a problem. After all, it’s not like it’s your bank, right? I mean, it’s just an association website! The problem is, that association represents professionals that have the keys to the kingdom in their own little world. Depending on what email address is used, a potential attacker not only has a company to target with user credentials, but potentially Active Directory passwords as well.

Good security practices are to use different passwords for each site; but how many people actually do that? I know I don’t always do that (though I do segment ‘non-critical’ sites from critical sites, and I use a different password for each critical site).

If this were a fantasy football site, I wouldn’t be as worried. However, this is a site where DBAs congregate — and in any revenue generating organization, the DBA sits right next to the goods.

Update 3: It looks like SQL PASS has purchased an SSL certificate and set it up. The affected pages are now being served over SSL, potentially negating the vulnerability.

Here’s how their SSL Setup rates:

(Image: SQL PASS’s SSL setup grade)

If you use an SSL certificate (and you should, but that’s another story), it’s always a good idea to have a tool that can tell you where you’re vulnerable. The SSL Labs tools do just that.
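The two weaknesses this post circles around, a login form that hands your credentials to a third-party site and credentials submitted before TLS was in place, are things a site owner can check for in their own pages. The following is an added example, not code from PASS or from the original post; the page URL and HTML it scans are constructed.

```python
"""Audit a page's login forms for the two weaknesses described above: credentials
submitted over plain HTTP, and credentials posted to a host other than the page's own.
Added example, not code from PASS or the original post; the sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Record each form's resolved action URL and whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # entries: [action_url, has_password]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page itself.
            self._current = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return human-readable findings for every form that carries a password field."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue                  # search boxes and the like are not of interest
        target = urlparse(action)
        if target.scheme != "https":
            findings.append(f"cleartext credential submission to {action}")
        if target.hostname != page_host:
            findings.append(f"credentials posted to third-party host {target.hostname}")
    return findings


# Constructed sample: an http:// voting page whose login form posts to a vendor host.
SAMPLE_URL = "http://example.test/vote"
SAMPLE_HTML = ('<form action="//vote-vendor.test/login" method="post">'
               '<input name="user"><input type="password" name="pass"></form>'
               '<form action="/search"><input name="q"></form>')
```

Run `audit_login_forms(SAMPLE_URL, SAMPLE_HTML)` to see both findings for the constructed page; a page served over https whose form posts to its own host produces none.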

I’m presenting at Hug Super Forum 2014!

I’ll be presenting at Hug Super Forum 2014; going on today and tomorrow at the Marriott Gateway in beautiful* Crystal City, Virginia.

I’m presenting on the new Higher Logic Widget Builder. It’s a way for you to take your Connected Community content and place it on any non-Connected Community site. For the techies among you, it’s a native-JavaScript powered widget (the temptation to use jQuery was strong, but the potential for compatibility clashes kept it from being the way to go).

I’m excited to be able to talk about something that has been in private beta for the past few months, and has the potential to take content from behind the walled garden and make it possible for others to enjoy it.

I’ll also be talking all things tech at the tech table during open house at 3pm. If you have questions about anything related to your connected community site (tech wise, and even not so tech wise), we’ll be on hand to help you out.

*It’s an urban beauty.

Testability is the canary in the coal mine

Your homegrown framework is only as flexible as it is testable.

If you can unit test that framework without craziness, it’s flexible.

If you can’t, it’s not.

Even if I accepted that TDD and Unit tests were bunk for all other reasons, the fact that they result in a flexible design makes up for any other perceived flaws.

It also cuts through the bullshit. The next time someone tells you their code is flexible, ask them to write unit tests for it.

Bad software

Bad software is an avalanche, waiting.

“We don’t need to worry about that for Version 1, let’s defer that to <version n>”.
“What can we get away with for what now?”
“Do we really need to worry about Cross Site Scripting? Who would want to hack us anyway?”
“Just get this bug fixed. Next time we build a new feature we’ll do it right.”
“Our customers don’t care about whether or not the software is good or bad, they just want it to be flexible.”

Once the avalanche starts, that’s it. There’s no going back. Sometimes that avalanche is launch day, sometimes it’s when the New York Times reviews your product. Sometimes, it manifests as the bankruptcy the company files because of a security breach.

You can get away with bad software for a while. But only for a while.

Favorite Websites, 2014 edition

Having given up twitter for the next ten weeks, I still need some way to keep up to date on news and technology.

Normally, I’d just check twitter. Anything I need is on there. Without it, I find myself having to remember to visit different websites.

For Tech News:

It doesn’t update with new topics as much as I’d like, and it has a terrible user interface for mobile, but otherwise it works.

For snail news:

It’s less inflammatory than FoxNews, and as long as I stay away from the opinion pages, I don’t feel the need to throw my computer.

The home for Brent Ozar Unlimited, a boutique SQL Server consulting firm. I’ve attended their SQL Server Performance Troubleshooting class in Chicago, and I worked with them when Jeremiah consulted with us on how to improve our SQL Server performance. They have daily blog posts about the world of SQL Server. It’s a must follow if you’re at all tangentially exposed to it in your daily work.

Brent Ozar’s personal blog. All of the above still applies, of course.

A GIF driven Database Learning site. I’ve submitted a few reactions, but I’ve learned a whole lot more from the ones there. It’s learning disguised as funny.

Scott Hanselman’s blog. He’s one of the premier technologists in the .NET World, and blogs daily about different tech related topics. Sometimes it’s .NET, sometimes it’s wearables.

Jamie Zawinski’s blog. He’s one of the guys responsible for Mozilla. His blog is sometimes educational, but always funny.

Joey Devilla

The Accordion Guy. Equal parts Canadian, Funny, and Insightful.

Eric Lippert

Used to be part of the C# compiler team. Now works for Celerity. The only thing I know about them is that they hired Eric Lippert.

Miguel De Icaza

Xamarin founder; founder of Mono.

Jeff Atwood

The man behind the Coding Horror blog. Founder of Stack Overflow, Discourse, and one of the principal proponents behind Standard Common Markdown.

Stack Overflow

Probably the best place on the internet to find answers to programming problems. type before your programming question to make sure you’re only getting answers from Stack Overflow.

Of course, there are others; but these are the sites I check daily.

A Day of Twitter

It’s 6am.

My alarm is blaring. I turn it off, open twitter, and pull down the top of the screen to refresh. A new blog post about Go comes across my twitter feed, along with the newest tech controversy. There’s not enough there to figure out what’s going on. I scroll on. A few more twitter posts down, there’s a screed on how the world’s going to pot because of the Republicans. The next one says the same thing about the Democrats. Both have replies that start with “Thanks, Obama.” One of them is ironic. I’m not sure which one.

After breakfast, I pull my phone out again, and this time I see an update to the #Ferguson shooting on my twitter feed. @AntonioFrench is relaying the latest.  Being 1,000 miles away, I can do little but Retweet.

I check my follower count.  Lost two in the past day. Was it something I said?  It’s probably the confusing nature of my political tweets: Conservative leaning one second, liberal the next.  All libertarian, of course.  No one wants to follow a libertarian. We’re nutjobs.

I head to work.  On the metro I read the latest tweets I’ve favorited over the last few days. There’s a new blog post about SQL Server restore strategies, and something about another security breach, this time affecting Home Depot.  #GamerGate is still going strong; although with the subtweets, I don’t understand what’s going on.  Someone is mad about something someone else did, but no one links to it, so I have nothing to read more about. I take their anger at face value. Anything I say will be misconstrued, so I say nothing.

At work, I settle in, today I’m working on automating restores with 500 databases across 4 servers.  There’s a new post from SQLServerCentral, and working on the script it provides, I find out it doesn’t do what I need it to do. I look to see if the author is on twitter. They’re not.

Frustrated, I look for their blog and leave a comment detailing the problems I’m seeing. I don’t know enough to know if I’m wrong or if the script actually has a bug. The author isn’t on twitter so I can’t send them a quick note. Instead, I reply to their blog post. I get a reply a day or two later. Definitely not twitter speed.

After lunch, my @ParallelsMac installation decides to crap on me for the second time this week.  I tweet with pictures, and their support people get back to me and ask me to submit a bug. I do, and then they ask me to try to reproduce it. As a programmer, I know that’s a not so subtle brush-off. No one wants to work on a bug that only exhibits itself sometimes, on some configurations, and only when the moon is full. No one.  The twitter rant makes me feel better though.

Write code. Compile. Wait for launch. Check Twitter. See funny post. Ctrl+tab back to development site. Still JITing. Go back to twitter. See twitter post I want to RT; remember that the original tweeter still has me blocked for a snarky comment I made in 2010. Manually ReTweet. Back to code now. Realize there’s a runtime error in the String.Format() call. Back to twitter. Open new tab. This time to LinkedIn. Yet another recruiter wants to tell me about an ‘Amazing opportunity’. Doesn’t say what. Check Facebook. Facebook’s a mess. Log off of Facebook.

Back to code. It’s almost the end of the day, and I’ve spent most of my time on the internet. Scramble to get some productive work done. It’s going to be another nighttime of coding.

My wife picks me up with the kids in the car. They’re always happy to see me, giggling and laughing as they see me approach the car. I get in, kiss my wife, and ask how her day has been. She responds with a perfunctory ‘good’, and we take off for home. “Let it go ipone, daddy?” My 2 year old wants to watch Frozen on the iPhone. I say no; partly because I don’t want her to use up our data plan that’s already at its limit, and partly because I really want to have my phone on me in case anything happens on the internet.

We’re almost home now, and I check my phone under the guise of making sure the servers haven’t melted down in the 20 minutes since we left the office. They haven’t, although there are some issues with the code I checked in right before I left.  I tell my wife I’ll need to work for a few minutes when we get home to correct the problem.  As I say this I switch to Twitter, and see if anyone’s replied to me today.  I feel validated when I see people Retweeting my tweets or replying to me.

At home, my daughter repeats her demand for “Let it go ipone”. We settle on the iPad, and she starts the movie. She’s pretty Apple savvy: she can open the app, find the movie she wants to watch, and she can skip around to her favorite scenes. I don’t know whether to think it’s awesome or to be horrified. My youngest daughter plays at my feet while I fix the code I messed up earlier. While the build is running, I check Twitter again. Four Retweets today; that’s a good day.

After dinner, we play for 30 minutes.  I show my daughter how to do a back flip in my arms. ‘AGAIN?’ she asks, for the 6th time.  My youngest daughter, almost a year, wants to do the same.  I oblige, and my wife chides me, reminding me that she’s not a toddler.

After the kids are in bed, I check Twitter again.  Sometimes I make what I think are funny jokes, only to have them fall flat. Other times they play off of the humor.  It’s hard to gauge humor on the internet.  I decide to work on some of my side projects, whether it’s the HTML5 based game, or one of the stealth ones.  Twitter again.

I look up, and it’s 10pm. In 8 hours I have to be up. Time for bed.

Walking into the bedroom, I see my wife on her phone. She’s waiting for me. She can’t sleep unless I’m in bed too. She’s on Facebook, letting me know about the latest drama in my family. There’s always drama. I set my alarm, check twitter, and confident that I’m up on everything, I plug in my phone.  I need the battery for the morning commute.

Taking a break from Distraction

I check twitter thirty or forty times a day. Numbers wise, I check twitter more than I interact with my family on a given day.  I check twitter more than I interact with coworkers.  I almost check it more than the lines of code I produce in a day. Facebook, LinkedIn? Same story.

I fear being disconnected, to not be ‘in the know’. I told my wife once that I needed to be on twitter because “That’s just how things work in the software world. That’s where all the ‘Who’s who’ hang out.”

More numbers: I’ve checked social media enough over the past three years to ship at least one project, maybe more.

I’m an addict. I’m addicted to the now. To what people are saying.  I’m not addicted to the doing.

I want to be an addict to doing.

For the next ten weeks, no Facebook, no Twitter, no LinkedIn. Just my family, my Work, and my project.

Since this auto-posts to my twitter, I’ll keep that around; but I won’t be posting to or reading twitter or Facebook, or checking LinkedIn.

I’ve deleted all the apps from my phone, shut down all notifications.

The only thing stopping me from finishing what I’ve started is me. No more excuses. No more social media.

I start now.