Author Topic: Sometime All it Takes is to Say Something  (Read 985 times)

Remember the post I made a few days ago about the website with terrible security?

So after poking around their system a but more (and accidentally shutting down one of their databases using SQL injection), I decided to make another attempt to contact them and warn them about the issues with their security.

I managed to find the number for their support desk and I called it.
Amazingly, I immediately got a real person! (I was so shocked I just stood there in disbelief for a few seconds before saying anything.)
So I told them that there was an issue with security and that I wanted to speak with someone from their IT staff. Their tone instantly became one of concern, and they went to find the person I needed to speak with.
Unfortunately the person I needed wasn't available, but they told me where to send an email and assured me that they would get it where it needed to go (Yes I was skeptical of that too).

So I wrote an email giving a detailed description of my concerns and the issues I had encountered.
I waited a couple days to hear back. But finally, I got a reply.

After receiving this I waited a few more days for the issues to be resolved.
Today when I checked, they had disabled all but TLSv1.2 (Unfortunately, the sever they're running doesn't currently support TLSv1.3.), and the SQL injection code, no longer worked.

This is the sort of thing I love to see.
While I wouldn't say that they fixed everything, this is certainly a step in the right direction.
All it took, was for someone to speak up.

and then everyone clapped

I LOVE REDDIT!!!!!!!!!!!!!!!!!!

very kind of you. glad to hear things turned out all right

you could apply there and probably get a pretty big step in the door for pointing out such a big issue

While a nice thought, they're in another state, and I don't think they're hiring (or at least there's nowhere to put in an application).

While I could live with a telecommute job, they're also using Windows servers, as evident by the fact they're running Microsoft SQL Sever and IIS.
Even when I had machines running Windows, I never really used them to host anything. I only ever used Windows for user machines, especially since I never exactly had a copy of Windows Sever Edition lying around that I could play around with (and I did actually want a copy). The few times I did experiment with using Windows as a host OS, I still never played with IIS or MSSQL (Actually I've never needed to use SQL in general, but I should be implementing logins into my personal site soon, so I'll get to figure it out then).
Maybe if I convinced them to switch to nginx as their web server, but even that seems like a stretch.

its unlikely anyone ever really gets a job doing something exactly what theyve done before. you may not have windows experience, but you definitely have enough background/domain knowledge to pick it up relatively quickly. it doesnt hurt to ask if they have openings.