I Respond to Joe's First Email

By the way, what's Joe's Last Name?

Wednesday, 20 June 2001

Someone presumably from LJ Systems, a business somehow associated with ComputerHQ.com, calling himself only "Joe", responded to Michelle Delio's Wired.com article by email. Michelle passed on the text of that message to me.

This is my public response.

From: Joe [mailto:joe@ljsystems.com]
Sent: Monday, June 18, 2001 5:54 PM
To: [Michelle Delio, Wired.com]
Subject: security issues

We're trying to find out what and when it happened.

They know precisely what happened.

Our web development firm has been looking into it, and it seems like it may have been an error by a local sysadmin removing the login requirement for a folder when moving the site to a new server.

As Joe says below, they were accessing the server remotely. This means access to the errant script had to be possible over the Internet.

The script's URL is: http://www.computerhq.com/store/print.asp . The /store/ folder on that server is accessible without a password as I write this, on 20 June.

If password protection of the folder were what needed fixing, they'd have fixed that. It would require only moments to implement, and they still haven't done it. They only changed the script.

That folder was, in my opinion, never at any time password-protected. I believe Joe knows this, and lied about it intentionally.
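The point above is that a login requirement belongs on the folder, enforced before any script in it runs, rather than inside one script at a time. The following is an added illustration, not code from this page, from ComputerHQ.com or from LJ Systems: a hypothetical request handler that applies a folder-level rule (here, everything under a constructed "/store" prefix) and refuses to serve the request until HTTP Basic credentials check out. The account, the protected prefix and the handler itself are all assumptions made up for the example.

```python
import base64
import hmac
import posixpath

# Constructed, hypothetical configuration: folders that must require a login,
# and one demo account. Not anybody's real server setup.
PROTECTED_FOLDERS = ("/store",)
DEMO_USERS = {"clerk": "correct horse battery staple"}


def normalize(path):
    """Collapse '..' segments and fold case, so '/Store/..' tricks cannot
    dodge the rule on a case-insensitive (Windows/IIS-style) filesystem."""
    return posixpath.normpath(path).lower()


def requires_login(path):
    """Folder-level rule: the folder itself and anything beneath it need a login."""
    norm = normalize(path)
    return any(norm == folder or norm.startswith(folder + "/")
               for folder in PROTECTED_FOLDERS)


def basic_header(user, password):
    """Build the Authorization header a browser would send for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def credentials_ok(authorization_header):
    """Parse an HTTP Basic Authorization header; True only on a matching user/password."""
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = DEMO_USERS.get(user)
    if expected is None:
        return False
    # constant-time comparison so a wrong password is not distinguishable by timing
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def handle(path, headers):
    """Return (status, body). The folder check runs before any per-script logic,
    so a script such as print.asp never executes for an unauthenticated request."""
    if requires_login(path) and not credentials_ok(headers.get("Authorization")):
        return 401, "Authorization required"
    # Stand-in for whatever script lives at that path.
    return 200, f"served {path}"


if __name__ == "__main__":
    print(handle("/store/print.asp", {}))
    print(handle("/store/print.asp",
                 {"Authorization": basic_header("clerk", "correct horse battery staple")}))
    print(handle("/index.asp", {}))
```

The check that matters is that `handle` consults `requires_login` before touching the script at all; rewriting an individual script leaves every other file in the folder exposed, which is why a folder-level setting is the moments-long fix the text describes.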

This was, by the way, not in a part of the site where somebody could get to it unintentionally. A "hack", which is illegal, would have been necessary in order to access it.

This statement is absolutely, utterly, intentionally and inexcusably false.

I told them at every contact precisely what the problem was. The fact that they finally did revise the script is proof positive that they know what the problem was.

I invite Joe to answer "yes" or "no" to this question: Is it a "hack" for one of your customers to type a URL into his browser, a URL that YOU SENT OUT to THOUSANDS OF PEOPLE on printed orders?

While we certainly want our site to be secure, and appreciate the work of pchelp, ...

You have a hell of a way of showing it, Joe.

... we don't feel that this is much different from Microsoft having a security issue with internet printing a few weeks back. Microsoft is notified about it and then issues a fix.

Knowing all the facts, I suspect even Microsoft would hold this comparison in contempt.

Something we do not appreciate is any forwarding of confidential information ...

Something Joe preferred to assume I did. Michelle got her own "confidential information" from their website, and did so almost two days after they were informed of the problem.

I (and Michelle and everyone else for that matter) had every reason to believe they would never put their wide-open site back online unrepaired.

... from a hack ...

There's that word again. Send the gendarmes.

... to anybody else before the security hole is closed.

It was closed. Your site was offline for the second time in response to my detailed disclosure of the exact problem. Never in a million years would I have believed that you'd put it back online unremedied. Never!

This is *at best* irresponsible.

I daresay, Joe, that you and your "programmers" could give lessons in how to be irresponsible.

We were in contact with pchelp and he knew we were working on it.

I knew beyond a shadow of a doubt you would never be so abysmally stupid and irresponsible as to put your wide-open database back online unremedied.

I didn't know who I was dealing with.

The reason you were able to hack into it this morning was that the fix was in place ...

Odd phrasing, Joe. Very odd. And again: a hack?

... at approximately 8am Pacific Time, and since the programmers were working from a remote location all Sunday night the site would from time to time be accessible ...

Between 6:30 and 8:00 AM Monday, any brain-dead script-kiddie could have downloaded your entire database, Joe. Now you tell us they had the site up all night?

It required programmers (in plural!) to deal with one little script? It took them all night?? They had to put a vast database of confidential information online for all that time in order to do so?

Where do you find programmers that stupid? Do you pay these people?

... - but only for those that knew about the hack - ...

How many people have seen your invoices for the past year, Joe? That's how many people YOU TOLD about this "hack"!

... we would not expect a web security firm to release that information to anybody, so I hope you don't put in your article that you got the information on how to hack our site from a web security firm - that would sound very strange to me.

You make a good point, Joe. You should indeed have hired a web security firm.

The security hole is plugged at this time, and the programmers are looking at all options and ways the site can be hacked - including issues with IIS 5.0, ASP and Windows 2000 itself.

I have a problem believing this, but it makes good copy. It's certainly the first sensible thing Joe has said.

Issues like these actually make us lean more towards ISAPI DLLs, which we have never had any reports of break-ins through - not even through MS Security holes. We generally use Delphi for making the ISAPI DLLs, if that is of interest to you.

Why is he telling us this? To seem techno-savvy? Do you hand out technical information about your supposedly secure server's programming on a regular basis, Joe?

If you have any other questions, please feel free to email me: mailto:joe@ljsystems.com

Thank You.

In my dealings with commercial concerns, principals of those concerns, and especially whenever I have seen responses by company officials to the media, I can think of not one single instance, ever, in which that person has failed to identify himself by his full name, and his company by its full and correct name.

Until now.