Responsible Disclosure and PASS's Security Vulnerability

I’ve only been at the DBA thing for the last six months. I’m as close to an Accidental DBA as it gets; and I’m the first to admit that. I’m learning fast, I’m learning on the job, and (full disclosure), the Brent Ozar Unlimited team has helped with that, tremendously.
I’ve been following Brent Ozar’s blog for a long time now, and more recently started paying attention to the PASS debacle(s). Before, it was idle curiosity, now it’s because I’m working day in and day out in that sphere. I can’t afford to be ignorant.
Today, Brent blogged about PASS’s lack of security surrounding their voting system. In essence, it worked like this:
PASS sends you to a third-party site to vote, you input your PASS credentials on that third-party site, and voilà, you’ve voted.
See the problem? No?
How about now?
PASS sends you a postcard with an address to go to. You go to that address, give them identity information (Social Security number, birthdate, whatever they need to act as you), and they mail it back to PASS with your vote.
Would you do that in real life? No. Then why would you do that online?
At first, it was fun and games. Everyone have a laugh at terrible security. Then, I took an action on the PASS site, and noticed that rather sensitive information was leaking out. I even dug into the developer tools to be sure I wasn’t making it up — but even after that, I still thought there was something I was missing. I had to be. I posted an offhand comment on Brent’s blog because quite frankly, I thought I was wrong.
I was so sure I was wrong that I didn’t even think about the ethics of disclosure. It didn’t cross my mind. I was hoping someone would reply with, “Hey, you’re not seeing X, or Y — they’re actually doing it correctly.”
So I posted a comment.
I shouldn’t have done that, because in this case: I was right. Oops.
I’m sorry.
Brent and others are already in contact with the PASS people to get this vulnerability fixed. For my part: lesson learned.
Note: If you’re trying to raise me on twitter, I’m taking a break from social media for the next 9 weeks. Catch me through a comment on this site or through email.
Additional note: If you have a link to a template for Responsible Disclosure that isn’t vendor specific, link to it in the comments. An internet search turns up a lot of separate “responsible disclosure policies”, but I haven’t seen an authoritative template on the subject that should govern our actions, or ethical actions in the case a company doesn’t have a policy on their site. Troy Hunt’s take on the subject is relevant.
Update 1: The vulnerability on the PASS site affects your user credentials (login/password). The site has been vulnerable for an unknown amount of time — but it’s not one of those things that works until you accidentally break it one day. My supposition is that it’s been broken for a very long time. If you use the same username/email + password combination anywhere else, change it on that site immediately. (I include email because that’s part of the sensitive information that leaks out, and some sites use your email address as your login instead of a unique username.)
Do not change your PASS credentials until they fix the vulnerability on their side. Doing so will only cause you pain: a new password goes through the same broken channel and leaks just like the old one, without actually fixing the issue.
Update 2: You may wonder why this is a problem. After all, it’s not like it’s your bank, right? I mean, it’s just an association website! The problem is that the association represents professionals who hold the keys to the kingdom in their own little world. Depending on what email address is used, a potential attacker not only has a company to target with user credentials, but potentially Active Directory passwords as well.
Good security practices are to use different passwords for each site; but how many people actually do that? I know I don’t always do that (though I do segment ‘non-critical’ sites from critical sites, and I use a different password for each critical site).
If this were a fantasy football site, I wouldn’t be as worried. However, this is a site where DBAs congregate — and in any revenue generating organization, the DBA sits right next to the goods.
Update 3: It looks like SQL Pass has purchased an SSL certificate and set it up. The affected pages are now being served over SSL; potentially negating the vulnerability.
Here’s how their SSL setup rates:

[Image: SQL PASS’s SSL Labs setup grade]
If you use an SSL certificate (and you should, but that’s another story), it’s always a good idea to have a tool that can tell you where you’re vulnerable. The SSL Labs tools do just that.
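The two flaws this post circles around are easy to miss by eye and easy to check by script: a form that collects credentials and posts them to a different host (the third-party voting site), and a credential form whose page or action is plain HTTP (what the new certificate is meant to fix). The following is an added example, not code from the original post or from PASS; run it in the browser’s developer tools on the page you are inspecting. The hostnames and the form list are constructed for illustration.

```javascript
// Added example: audit a page's login forms for credentials sent cross-host
// or over plain HTTP. auditForms() is pure so it can run anywhere;
// collectForms() is the browser adapter that feeds it from document.forms.

function auditForms(forms, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  forms.forEach((form, index) => {
    const hasPassword = form.inputTypes.some((t) => String(t).toLowerCase() === 'password');
    if (!hasPassword) return; // only forms that carry credentials matter here
    // An empty or relative action posts back to the page's own URL.
    const target = new URL(form.action || '', page);
    const problems = [];
    if (page.protocol !== 'https:') {
      problems.push('login form served over ' + page.protocol.replace(':', '') +
        ' (the form itself can be rewritten in transit)');
    }
    if (target.protocol !== 'https:') {
      problems.push('credentials posted over ' + target.protocol.replace(':', '') + ' to ' + target.href);
    }
    if (target.host !== page.host) {
      problems.push('credentials posted to a different host: ' + target.host);
    }
    findings.push({ form: form.name || `form[${index}]`, action: target.href, problems });
  });
  return findings;
}

// Browser adapter: reduce document.forms to the plain shape auditForms() wants.
function collectForms(doc) {
  return Array.from(doc.forms).map((f) => ({
    name: f.getAttribute('name') || f.id || '',
    action: f.getAttribute('action') || '',
    inputTypes: Array.from(f.querySelectorAll('input')).map((i) => i.type),
  }));
}

// Constructed sample (hypothetical hosts), standing in for collectForms() output.
const SAMPLE_PAGE = 'http://www.example-association.test/vote';
const SAMPLE_FORMS = [
  { name: 'search', action: '/search', inputTypes: ['text', 'submit'] },
  { name: 'login', action: 'http://vote.example-thirdparty.test/auth', inputTypes: ['text', 'password', 'submit'] },
  { name: 'profile', action: 'https://www.example-association.test/profile', inputTypes: ['email', 'password'] },
];

if (typeof document !== 'undefined') {
  // In the devtools console: audit the page you are actually looking at.
  console.table(auditForms(collectForms(document), location.href));
} else {
  console.log(JSON.stringify(auditForms(SAMPLE_FORMS, SAMPLE_PAGE), null, 2));
}
```

Note the first check: a certificate on the action URL is not enough if the page holding the form is still served over HTTP, because anyone on the path can rewrite where the form posts. That is why "the affected pages are now served over SSL" only potentially closes the hole; the audit has to come back clean for every credential form.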

I'm presenting at Hug Super Forum 2014!

I’ll be presenting at Hug Super Forum 2014; going on today and tomorrow at the Marriott Gateway in beautiful* Crystal City, Virginia.
I’m presenting on the new Higher Logic Widget Builder. It’s a way for you to take your Connected Community content and place it on any non-Connected Community site. For the techies among you, it’s a native JavaScript-powered widget (the temptation to use jQuery was strong, but the potential for compatibility clashes with whatever the host page already loads kept it from being the way to go).
I’m excited to be able to talk about something that has been in private beta for the past few months, and has the propensity to take content from behind the walled garden and make it possible for others to enjoy it.
I’ll also be talking all things tech at the tech table during open house at 3pm. If you have questions about anything related to your connected community site (tech wise, and even not so tech wise), we’ll be on hand to help you out.
*It’s an urban beauty.
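For readers wondering what "native JavaScript, no jQuery" buys an embeddable widget, here is an added example of the pattern; it is not Higher Logic’s widget code and the names, the content fields and the sample items are all invented for illustration. It exposes a single global, never touches `$` or host-page prototypes (the usual source of version clashes), and treats content pulled in from another site as untrusted, escaping it before it lands in the host page.

```javascript
// Added example (hypothetical HypotheticalCommunityWidget; not Higher Logic's
// code): a dependency-free embeddable widget with one global, no jQuery, and
// escaped output, because content fetched from another site is untrusted from
// the host page's point of view.
const HypotheticalCommunityWidget = (function () {
  'use strict';

  function escapeHtml(value) {
    return String(value)
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  }

  // Only http(s) links are kept; javascript: and data: URLs become plain text.
  function safeHref(url) {
    try {
      const parsed = new URL(url);
      return parsed.protocol === 'https:' || parsed.protocol === 'http:' ? parsed.href : null;
    } catch (e) {
      return null;
    }
  }

  // Build the widget markup from content items {title, url, author}, escaping
  // every field so a hostile discussion title cannot run script on the host page.
  function render(items) {
    const rows = items.map(function (item) {
      const href = safeHref(item.url);
      const title = escapeHtml(item.title);
      const link = href ? '<a href="' + escapeHtml(href) + '">' + title + '</a>' : title;
      return '<li>' + link + ' <span>' + escapeHtml(item.author) + '</span></li>';
    });
    return '<ul class="hcw-list">' + rows.join('') + '</ul>';
  }

  // Browser-only: mount into a container by id; returns false when there is no DOM
  // or no such container, so a misconfigured embed fails quietly instead of throwing.
  function mount(containerId, items) {
    if (typeof document === 'undefined') return false;
    const container = document.getElementById(containerId);
    if (!container) return false;
    container.innerHTML = render(items);
    return true;
  }

  return { render: render, mount: mount, escapeHtml: escapeHtml };
})();

// Constructed sample content; the second item is hostile on purpose.
const SAMPLE_ITEMS = [
  { title: 'Welcome to the community', url: 'https://community.example.test/t/1', author: 'admin' },
  { title: '<img src=x onerror=alert(1)>', url: 'javascript:alert(document.cookie)', author: 'mallory' },
];

if (typeof document === 'undefined') {
  console.log(HypotheticalCommunityWidget.render(SAMPLE_ITEMS));
} else {
  HypotheticalCommunityWidget.mount('community-widget', SAMPLE_ITEMS);
}
```

Everything lives inside the IIFE, so the only name the host page sees is the one object, and the widget works the same whether the host loads jQuery 1.x, 2.x, or nothing at all.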

Testability is the canary in the coal mine

Your homegrown framework is only as flexible as it is testable.
If you can unit test that framework without craziness, it’s flexible.
If you can’t, it’s not.
Even if I accepted that TDD and Unit tests were bunk for all other reasons, the fact that they result in a flexible design makes up for any other perceived flaws.
It also cuts through the bullshit. The next time someone tells you their code is flexible, ask them to write unit tests for it.

Bad software

Bad software is an avalanche, waiting.
“We don’t need to worry about that for Version 1, let’s defer that to <version n>”.
“What can we get away with for what now?”
“Do we really need to worry about Cross Site Scripting? Who would want to hack us anyway?”
“Just get this bug fixed. Next time we build a new feature we’ll do it right.”
“Our customers don’t care about whether or not the software is good or bad, they just want it to be flexible.”
Once the avalanche starts, that’s it. There’s no going back. Sometimes that avalanche is launch day, sometimes it’s when the New York Times reviews your product. Sometimes, it manifests as the bankruptcy the company files because of a security breach.
You can get away with bad software for a while. But only for a while.

Favorite Websites, 2014 edition

I’ve given up twitter for the next ten weeks, but I still need some way to keep up to date on news and technology.
Normally, I’d just check twitter. Anything I need is on there. Without it, I find myself having to remember to visit different websites.
For Tech News:
news.ycombinator.com
It doesn’t update with new topics as much as I’d like, and it has a terrible user interface for mobile, but otherwise it works.
For snail news:
cnn.com
It’s less inflammatory than FoxNews, and as long as I stay away from the opinion pages, I don’t feel the need to throw my computer.
brentozar.com
The home for Brent Ozar Unlimited; a boutique SQL Server consulting firm. I’ve attended their SQL Server Performance Troubleshooting class in Chicago, and I worked with them when Jeremiah consulted with us on how to improve our SQL Server performance. They have daily blog posts about the world of SQL Server. It’s a must follow if you’re at all tangentially exposed to it in your daily work.
Ozar.me
Brent Ozar’s personal blog. All of the above still applies, of course.
DBAReactions.com
A GIF driven Database Learning site. I’ve submitted a few reactions, but I’ve learned a whole lot more from the ones there. It’s learning disguised as funny.
Hanselman.com
Scott Hanselman’s blog. He’s one of the premier technologists in the .NET World, and blogs daily about different tech related topics. Sometimes it’s .NET, sometimes it’s wearables.
jwz.org
Jamie Zawinski’s blog. He’s one of the guys responsible for Mozilla. His blog is sometimes educational, but always funny.
Joey Devilla
The Accordion Guy. Equal parts Canadian, Funny, and Insightful.
Eric Lippert
Used to be part of the C# compiler team. Now works for Celerity. The only thing I know about them is that they hired Eric Lippert.
Miguel De Icaza
Founder of Xamarin and of Mono.
Jeff Atwood
The man behind the Coding Horror blog. Founder of Stack Overflow, Discourse, and one of the principal proponents behind Standard Common Markdown.
Stack Overflow
Probably the best place on the internet to find answers to programming problems. type site:stackoverflow.com before your programming question to make sure you’re only getting answers from Stack Overflow.
Of course, there are others; but these are the sites I check daily.