I am not the enemy
There was an article the past week of a researcher getting access to content via a security hole. He didn’t take advantage of the exploit, but notified and then posted his findings. Soon after he found himself in a lawsuit, which could remove years off his life if found guilty; jail time for hacking.
And it reminded me of the time I was working on a contract over 10 years ago. It was a web-based app, using JSP and servlets. I signed an NDA agreement that had a no-hacking clause. Fine.
One day while debugging an issue, I hooked up a network sniffer to see what was actually getting sent from browser to server (it was a test server with bogus data). The problem was eluding me and the only way I could see what was going on was viewing the chatter between my browser and the server.
That is when I noticed that the login/security code was authorizing the user then redirecting to another port. So my curiosity got the better of me (as it does with all developers), I cleared out my session and I connected to the port directly. Bam, I was accessing the data without the prompt of authenticating.
Now I was extremely concerned as this data was medical data; actually AIDS-related medical data that was tracking new cases and the progress of current AIDS patients. Thus, extremely sensitive data. Granted, the final website never had a public presence; it was for use by field agents. But it was accessible by anyone on the internal network; and that was a lot of people.
I sent an email to the security officer, stating that there was a concern. And he set up a meeting for a few days later.
You know nothing good can come out of this meeting when the security officer comes late and starts off — after introductions — with: “Why did you call me to this meeting?”
My mouth must have been wide open as I gasped. “It is your meeting to discuss what I found, remember?”
I went through what I was doing, what I found, and my concern. His mind went right to “Why are you hacking our software? You do realize that is grounds to have your contract revoked?” Again another gasp.
What the eff’n hell was wrong with this guy? A security officer not concerned about the ability to access the data without authentication?
I said my sorries, said I won’t do that again. He came back with some bullshit lame excuse that this wasn’t the production server. But I knew the process was the same in production, redirecting the user to another port.
My mind raced now: am I getting put on some list to watch me closer, monitor my access? Are my movements getting tracked and the security guards are going to randomly stop me one night, on the way out of the building, to see if I am taking confidential data?
I kept my head down and coded away, as was expected from me.
Shortly after that incident, I discovered that the security package was putting the username and password unencrypted in cookies under “doctor/procedure”; like that was secure. I kept my mouth shut; not my problem or concern.
And that brings me to the point, that patients’ data getting out in the wild was less important than having a paycheck. I didn’t code the exploits and I sure as hell didn’t dismiss them when I was notified that they existed. If this happened today, I could have been charged with a crime due to the wording in the CFAA.
I don’t feel good about taking that cowardly stance, but when the agency’s own security office cares more about people exposing the flaws in the security pattern than fixing them, what was I supposed to do? I guess I could have blown the whistle on the agency, but that never ends well either.