Casino Accused of Withholding Bug Bounty, Then Assaulting 'Ethical Hacker'

An anonymous reader quotes Ars Technica: People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it's less common for such situations to turn into tense trade-show confrontations -- and competing claims of assault and blackmail. Yet that's what happened when executives at Atrient -- a casino technology firm headquartered in West Bloomfield, Michigan -- stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK -- stopped by Atrient's booth at a London conference to confront the company's chief operating officer.

What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.

The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter.
Ars Technica calls the story "practically a case study in the problems that can arise with vulnerability research and disclosure," adding "the vast majority of companies have no clear mechanism for outsiders to share information about security gaps."

A security research director at Rapid7 joked his first reaction was "man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty." But they later warned, "It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs -- especially today, in an era where bug outings are kind of normal now -- to not expect someone to be necessarily grateful when one shows up."

Re:

[nitehawk214]

Casinos were more civil when they were run by the mob.

Casinos are shitholes.

[Anonymous Coward]

Just sell it and let the casino get robbed instead. Casinos are shitholes, addicts are the product as soon as they walk in the door.

Re:

[Anonymous Coward]

Casino to hackers: If you find a vulnerability then you're better off exploiting it and stealing our money than trying to help us. Noted.

A casino refusing to pay out?

[Moryath]

Gee, it's not like we haven't seen casino orders try that one before, even trying to create fake evidence of 'machine malfunctions' or other fraudulent claims trying to get out of paying a jackpot.

It's a casino. Assume it's corrupt and run by criminals.

Re:A casino refusing to pay out?

[sjames]

Funny thing about that. Back when the mob owned the casinos, if someone got carried away and was wiped out, the standard was to give them dinner and a flight home. Now that they're corporate owned, the standard is to have security throw them out, bodily if necessary.

Re:

[Krishnoid]

Reminds me of this video [youtube.com] of how Las Vegas has changed and keeping focus on what's important to you.

Re:

[HornWumpus]

Anytime you want to extort someone legally, you need a fucking lawyer. They know exactly how it's done. It's a legal specialty, some lawyers make careers out of it.

As always, get a good one. Find someone with ADA experience.

Re:

[Comrade Ogilvy]

Well, a clearinghouse could have the expertise to formulate boilerplate agreements under the advice of lawyers, that would bear legal scrutiny from both parties. And there could even be clauses about an arbitration process in case of dispute, that could go to a recognized third party expert to analyze.

I agree that thinking you can make the "sell" your maybe threat for good money is not something for amateurs.

Re:

[HornWumpus]

Q: How is legal extortion like being in the Mafia and eating pussy?

A: One slip of the tongue and you're in some shit.

I know...old. The point is there are traps everywhere. One slip and 'shit'.

Get a mouthpiece and shut-up. It can save you. Let the lawyer split the legal hairs.

If not paid, release the bug or sell it.

[Anonymous Coward]

It is simple common sense. If a company does not adhere to its promise, release the bug and let them suffer the consequences.

There will always be people who try to screw you. Always make them pay.

what are the labor laws on stuff like that?

[Joe_Dragon]

what are the labor laws on stuff like that?

Re:

[imidan]

I can't see how labor laws would enter into it, since the person has no employment relationship with the company. On the other hand, 'pay me or I'll make this information public' is almost the definition of blackmail. I feel like in any bug bounty situation, there should be a contract between the person and company before things go too far, to avoid situations like in the article. I'm not sure how to propose or negotiate such a contract while avoiding implications of blackmail.

Re:

[wierd_w]

I would say it is in the realm of contract law.

"Hey, I will give you money if you disclose flaws directly to me, so I can fix them before the word gets out!"

Is an offer for a contract.

Creation of a bug bounty program, with rules and verbiage on how to participate, how to submit a bounty, et al-- are all terms and conditions established for the transaction of that contract.

Creating a bounty program, and telling a researcher that "Hey, I will tots pay you if you tell me first, and then keep it under wraps for

Re:

[sfcat]

I can't see how labor laws would enter into it, since the person has no employment relationship with the company. On the other hand, 'pay me or I'll make this information public' is almost the definition of blackmail. I feel like in any bug bounty situation, there should be a contract between the person and company before things go too far, to avoid situations like in the article. I'm not sure how to propose or negotiate such a contract while avoiding implications of blackmail.

That's not blackmail. Blackmail is I know you did something wrong and I will tell unless you pay me. This is more like a whistle-blower where you need their expertise to fix the problem. The researchers telling the public about the flaw is more akin to warning people that a bridge is defective. Also, there is an easy fix to this problem and somehow I think it will get used quite quickly against this casino. What idiots....

Release it regardless, to avoid extortion/blackmai

[raymorris]

Threatening to release it unless they pay you is extortion, a felony. At the federal level it carries a prison sentence of up to three years.

Colloquially, it's called blackmail, though in federal law blackmail is only if you threaten to tell about a crime they committed.

To not commit the crime of extortion, one would need to be clear you WILL release a warning to customers so that customers can protect themselves - whether or not the company pays. The company would be paying for details of the problem, not paying to prevent information from being released. Alternatively, don't mention releasing the information at all. You don't want to give the impression that you'll release it unless you're paid, because that's extortion.

If company comes back offering payment in exchange for an NDA, that would be an interesting legal situation. Is it extortion if the "victim" proposes it? Probably not at the federal level. At least if the communication accepting the NDA offer is kept short - "I accept your offer". You wouldn't want to restate the offer "if you pay me I won't release it", because that could be considered a threatening communication (extortion).

I haven't read the text of the law in every state. It could still violate state law if you accept an NDA in exchange for payment after you've already mentioned releasing it.

Re:

[sfcat]

Threatening to release it unless they pay you is extortion, a felony. At the federal level it carries a prison sentence of up to three years.

No, no it fucking isn't. If what you say was true, there would be no way to expose an employer who was putting their workers at risk as then you would be extorting your employer for better treatment. Blackmail is when I know you are fucking your neighbors dog and unless you pay me I will post pictures of the act. This is more like an engineer knowing a bridge is defective and telling people not to use it. The fact that that same action also makes the casino more likely to be hacked is irrelevant because

Unless they pay up

[raymorris]

> This is more like an engineer knowing a bridge is defective and telling people not to use it.

If you said "I'll tell people the bridge is defective unless you pay up", that would be extortion.

That's why I pointed out you'd either a) release the information regardless of whether they pay or b) don't mention anything about releasing the information.

Here's the federal statute, 18 U.S. Code $â875 (d)
-- ... any money or other thing of value, transmits in interstate or foreign commerce any communication

Re:

[sfcat]

If you said "I'll tell people the bridge is defective unless you pay up", that would be extortion.

Which is why I didn't say that. The bug information will get out. Its already in the hands of an independent entity. And that's the nature of information with financial value. The casino is paying for knowing earlier and before potential attackers. They didn't pay up. What do you expect to happen next?

Here's the federal statute, 18 U.S. Code $â875 (d) -- ... any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to injure the property or reputation of the addressee

First, the researchers had already given the information to the casino, the casino was reneging on payment. The casino was a deadbeat who wasn't paying up. The researchers said, well we know about a bu

Changed your mind or really unclear?

[raymorris]

Did you get a better understanding after you read the statute I quoted, because it sounds like you're now saying something very different?

Your original comment:

>> Threatening to release it unless they pay you is extortion, a felony.
>> At the federal level it carries a prison sentence of up to three years.

> No, no it fucking isn't.

So you said that threatening to release embarrassing information unless someone pays isn't extortion. "No, no it fucking isn't", you said.

Now we know federal law de

Re:

[bsolar]

If company comes back offering payment in exchange for an NDA, that would be an interesting legal situation.

Isn't that exactly the situation described in the article?

According to the article the original deal between the casino and the researchers did not include any monetary compensation, but neither did include any NDA: the researchers planned to disclose the vulnerabilities found in a security conference.

It's the casino which, without being prompted by the researchers, at some point initiated a negotiation to get a NDA from them. The researchers then provided a quote for it and things seemed to proceed toward

Re:

[raymorris]

The article says that the vendor asked "we'd really like to own this information ... what will it take to make that happen?" The people who discovered the vulnerabilities then replied with the $60,000 figure.

It probably would have been better for them to not quote a price or even mention money, especially since the FBI was on the call. Instead they could ask "what do you have in mind?" The vendor brought up "own the information", let THEM make a cash offer if they choose to go that direction.

Quoting a secur

Sufficiently for this discussion

[raymorris]

The US inherited English law, then added the Bill for Rights, and that formula means in most areas of long-standing general law, law will be similar modulo Constitutional rights - meaning if it's unlawful in the US, it also probably unlawful in England and Wales.

That matters because by treaty a defendant can be extradited only if it's illegal in BOTH places. Hence, a US citizen can't be extradited to the UK for exercising their 1st amendment rights, a UK citizen who broke US law in this regard aomost certai

Re:

[Moryath]

"Exploit it myself" = prosecutable criminal activity.

"Sell it" = accessory to grand larceny.

Some people actually have consciences.

Re:

[HornWumpus]

His UID is pretty low. Likely beyond help. He's just going to have to work around his defect.

Re: This whole "ethical hacker" thing puzzles me.

[Zero__Kelvin]

Except selling it constitutes nothing of the sort. If that was the case the publishers of "The Anarchists Cookbook" would be in jail for life.

Re:

[HornWumpus]

You have broken ethics if they incorporate legality.

There are many cases where it is unethical to follow the law. e.g. Paying taxes on unreported income. That often requires you to snitch out the source of the income (unethical).

A classic story, you see..

[wierd_w]

"Once upon a time, there was a wonderful and profitable company that made perfect products that never failed, and were perfectly secure. They had an iron-clad confidentiality framework to protect the privacy and anonymity of their customers, and data breaches never happened to them. They made lots of money, and the investors lived happily ever after."

But Grandpa, what about that time when --

BILLY! WHAT DID I JUST SAY!? -- I said IRON CLAD, PERFECTLY SECURE, and BREACHES NEVER HAPPENED!

But Grandpa, that's not..

BILLY, GO TO YOUR ROOM!

[This is essentially what goes on with security disclosures, except instead of a senile patriarch insisting on an absurd bedtime story's plot, you have corporate leadership refusing to budge even an inch in the face of reality about their companies, their products, and their business practices-- Lest the investors get scared and withdraw their investments. They treat every bit of truth or fact that detracts from their carefully manicured narrative as a direct personal attack, because it is worth more to them than the losses incurred by the problem itself. A researcher asking when their bug bounty payment will be sent, is immediately 'EXTORTION!!', because "disclosing the dirty secret!" that their product actually is not fairytale perfectly secure, is a deadly thing to their corporate image, don't you know! Because lying to investors is an industry staple these days, apparently. They would rather send Billy to his room and keep him there forever, than admit that the fairytale is a fairytale.]

Re:

[wierd_w]

Indeed; The fear is that their customers would lose confidence in their products, if it became well known that the products in question had a severe vulnerability that changed their payout rates.

A natural fear, since casinos RELY on those rates, and the magic of statistics, to always be profitable, even when making payouts.

The games maker, however, only has incentive to smile like a slimy used car salesman, and lie their asses off about how amazing and uncheatable their games are. They might have a token b

Re:

[TheRaven64]

A natural fear, since casinos RELY on those rates, and the magic of statistics, to always be profitable, even when making payouts.

It's worse than that. In a lot of jurisdictions, the payout rates are mandated by law and there can be serious legal consequences if the advertised payout rates are not the real ones.

Short

[Ann Coulter]

The proper way to profit from vulnerability research is by shorting the stock of the publicly traded company before publishing your results. The capital gains can be used to fund more research. https://arstechnica.com/inform... [arstechnica.com]

Re:

[rtb61]

Technically legal, as you are simply conducting open research into a company and it's products in order to make investment choices with regard to the company and simply releasing the research, the reason for your investments after your made your investment. It would be criminal if you got that information from a company employee, any employee, that is insider information.

Re:

[wierd_w]

I get the impression it was more

"hey man, I understand that you are the top guy in the operations of this company and all that. I am a bounty program participant that has presented findings to claim one of your bounties, and I was in contact with one of your underlings about that process, but they suddenly stopped responding to my inquiries. Can you give me some heads up? Did you cancel the bounty program or what?"

To which the response was

"HOW FUCKING DARE YOU DEMEAN MY COMPANY AND OUR PRODUCTS BY IMPLYING

Re: WTH did he expect?

[Type44Q]

I get the impression it was more

You sure it wasn't like?

Jerry Springer for nerds

[SlaveToTheGrind]

Seriously, is there nothing of real value to read, think, and talk about anymore?

Common sense, people!

[Ol Olsoc]

A bug finder is just like a whistleblower. Report a bug, and it's likely you'll end up in trouble. A casino? lucky the bug finders are still alive, andnow that it is in the open....... And if you do manage to get paid, the reason is that you are supposed to keep your damn mouth shut

Don't do it. Let them find out the hard way - which serves them right.

Newsflash

[easyTree]

Company which makes money from exploiting the weakness in others accused of behaving unethically.

^_^