From: Joe [mailto:joe@ljsystems.com]
Sent: Monday, June 18, 2001 5:54 PM
To: [Michelle Delio, Wired.com]
Subject: security issues

We're trying to find out what and when it happened. Our web development firm has been looking into it, and it seems like it may have been an error by a local sysadmin removing the login requirement for a folder when moving the site to a new server. This was, by the way, not in a part of the site where somebody could get to it unintentionally. A "hack", which is illegal, would have been necessary in order to access it.

While we certainly want our site to be secure, and appreciate the work of pchelp, we don't feel that this is much different from Microsoft having a security issue with internet printing a few weeks back. Microsoft is notified about it and then issues a fix.

Something we do not appreciate is any forwarding of confidential information from a hack to anybody else before the security hole is closed. This is *at best* irresponsible. We were in contact with pchelp and he knew we were working on it. The reason you were able to hack into it this morning was that the fix was in place at approximately 8am Pacific Time, and since the programmers were working from a remote location all Sunday night the site would from time to time be accessible - but only for those that knew about the hack - we would not expect a web security firm to release that information to anybody, so I hope you don't put in your article that you got the information on how to hack our site from a web security firm - that would sound very strange to me.

The security hole is plugged at this time, and the programmers are looking at all options and ways the site can be hacked - including issues with IIS 5.0, ASP and Windows 2000 itself. Issues like these actually make us lean more towards ISAPI DLLs, which we have never had any reports of break-ins through - not even through MS Security holes. We generally use Delphi for making the ISAPI DLLs, if that is of interest to you.

If you have any other questions, please feel free to email me: mailto:joe@ljsystems.com

Thank You.

Joe