Security Researcher Threatened With Vulnerability Repair Bill
mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."
Re:Patrick Webster email to IT staff (Score:2, Funny)
Having read this story, I sent the following email to the contact posted on the Pillar website.
Dear Mr. Blair,
I am writing to inform you of a serious security flaw within your organization. Please forward this email appropriately.
Given the letter of 12 October 2011 from Minter Ellison (acting for FSS Trustee Corporation) to a Mr. Patrick Webster (who has previously alerted you to another, less serious, vulnerability in your systems' security), I regret to inform you of the following deficiency: Your organization is apparently staffed by morons.
This is a serious issue.
My understanding of the first security flaw suggests that anyone who was capable of pouring water out of a boot was capable of accessing other accounts via your systems. When brought to your company's attention, the reaction to this knowledge was to threaten the security researcher who provided the warning, shooting the messenger as it were.
Furthermore, it was suggested in the letter of 12 October 2001 that Mr. Webster has somehow volunteered to take the place of an apparently absent Information Technology Department Security Office, or its equivalent, completely without salary or compensation for this further service to your organization.
The only reasonable conclusion under the circumstances is that Pillar Administration, First State Super scheme fund, FSS Trustee Corporation, and Minter Ellison have a combined I.Q. south of a warm bowl of yogurt.
I do not, by bringing this to your attention, in any way volunteer to re-staff your organization with competent, capable, or otherwise sentient beings.
I have honest sympathy for the challenges your organization faces. Since news of its shortsightedness has reached around the globe, it should be painfully obvious that the original "flaw" in security (read: complete absence of) could have easily been broadcast by Mr. Webster, who instead only tried to help.
I, and others, will continue to monitor this situation with great interest, in the hopes that the spark of intelligence will somehow ignite.
Personally, I give it 50-50.
Yours Truly,
Grant Austin