To tell or not to tell
-
During a Webinar with one of our vendors, I wanted to see for myself the site(s) the moderator was demonstrating online. So I typed in the site URL verbatim and suddenly a SQL Server Error appeared which was quite explicit in its explanation. Naturally this was due to my not properly logging into the site. I located the login page. On a lark, I typed the moderator's Username AND the same as the password. I was in! This wasn't a demo site AND was secure 'https://' as well. Should I keep my mouth shut or tell said vendor about the SQL Error and how easy his password was to break?
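Two checks a practitioner would want around the post above, as an added example that is not part of this thread and not the vendor's code: a detector for raw SQL Server / ADO.NET error text in an HTTP response body (the signature strings are well-known SqlException and default ASP.NET error-page fragments, but the list is illustrative), a handler that replaces such an error with a generic client message plus a correlation id logged server-side, and a password-acceptance rule that rejects a password equal to or containing the username. The sample response body is constructed to resemble a default ASP.NET unhandled-exception page and is not the site's actual output; `min_length`, the signature list and the 12-character reference id are assumptions.

```python
import logging
import re
import uuid

# Fragments of verbose SQL Server / ADO.NET error text that should never reach an
# anonymous client. Illustrative list, not exhaustive (assumption of this example).
SQL_SERVER_ERROR_SIGNATURES = [
    r"System\.Data\.SqlClient\.SqlException",
    r"Unclosed quotation mark after the character string",
    r"Incorrect syntax near",
    r"Invalid object name '",
    r"Login failed for user '",
    r"Conversion failed when converting",
]
_SIGNATURE_RE = re.compile("|".join(SQL_SERVER_ERROR_SIGNATURES))

# Constructed sample modelled on the default ASP.NET error page; not real vendor output.
SAMPLE_LEAKY_RESPONSE = """Server Error in '/' Application.
Invalid object name 'dbo.Customers'.
Description: An unhandled exception occurred during the execution of the current web request.
Exception Details: System.Data.SqlClient.SqlException: Invalid object name 'dbo.Customers'.
"""

log = logging.getLogger("app")


def looks_like_sql_server_error(body: str) -> bool:
    """True if an HTTP response body contains a raw SQL Server error dump."""
    return _SIGNATURE_RE.search(body) is not None


def client_safe_error(exc: Exception) -> dict:
    """Turn a verbose database error into a generic client message with a reference id.

    The full exception text goes to the server log under the same id, so the
    developer loses nothing while an unauthenticated user learns nothing about
    table names, accounts or query structure.
    """
    ref = uuid.uuid4().hex[:12]  # 12 hex chars is an assumption of this example
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return {"status": 500, "message": "An internal error occurred.", "ref": ref}


def password_acceptable(username: str, password: str, min_length: int = 12) -> bool:
    """Reject the password the post describes (same as the username), plus the
    usual near-misses: username in any case, username with digits or symbols
    padded on, and anything shorter than min_length."""
    u = username.strip().lower()
    p = password.strip().lower()
    if len(password) < min_length:
        return False
    if p == u:
        return False
    if len(u) >= 3 and u in p:
        return False
    # "moderator" vs "Moderator2008!" style padding, after dropping non-letters
    if re.sub(r"[^a-z]", "", p) == u:
        return False
    return True


def demo() -> dict:
    """Run all three checks on the constructed inputs and return the results."""
    return {
        "leaky_response_detected": looks_like_sql_server_error(SAMPLE_LEAKY_RESPONSE),
        "login_page_clean": not looks_like_sql_server_error(
            "<html><body>Please log in.</body></html>"
        ),
        "safe_error": client_safe_error(
            RuntimeError("Invalid object name 'dbo.Customers'.")
        ),
        "username_as_password_rejected": not password_acceptable("moderator", "moderator"),
        "padded_username_rejected": not password_acceptable("moderator", "Moderator2008!"),
        "passphrase_accepted": password_acceptable(
            "moderator", "correct horse battery staple"
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The detector is the same kind of check a scanner runs against every response: if it fires on an unauthenticated request, the application is leaking schema detail before any login has happened, which is the first of the two problems the post describes.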
-
During a Webinar with one of our vendors, I wanted to see for myself the site(s) the moderator was demonstrating online. So I typed in the site URL verbatim and suddenly a SQL Server Error appeared which was quite explicit in its explanation. Naturally this was due to my not properly logging into the site. I located the login page. On a lark, I typed the moderator's Username AND the same as the password. I was in! This wasn't a demo site AND was secure 'https://' as well. Should I keep my mouth shut or tell said vendor about the SQL Error and how easy his password was to break?
If you are going to buy from him tell him, if your competition are buying from him, don't. :suss:
Semicolons: The number one seller of ostomy bags world wide. - dan neely
-
If you are going to buy from him tell him, if your competition are buying from him, don't. :suss:
Semicolons: The number one seller of ostomy bags world wide. - dan neely
Why that's so dishonest. I like the way you think.
I'm largely language agnostic
After a while they all bug me :doh:
-
Why that's so dishonest. I like the way you think.
I'm largely language agnostic
After a while they all bug me :doh:
I have no beef with the vendor either way. We have no desire to use what was demonstrated due to cost, even more so after witnessing the 'holes' online. My thought is two-fold. Mention my discovery but perhaps only the SQL Error, lest they believe we're doing something malicious by using an unauthorized login. Or, keep quiet knowing my little discovery is proof enough not to use their services. Or would it be a stretch of the imagination that perhaps they'll discover this faux pas or our inadvertent login?
-
I have no beef with the vendor either way. We have no desire to use what was demonstrated due to cost, even more so after witnessing the 'holes' online. My thought is two-fold. Mention my discovery but perhaps only the SQL Error, lest they believe we're doing something malicious by using an unauthorized login. Or, keep quiet knowing my little discovery is proof enough not to use their services. Or would it be a stretch of the imagination that perhaps they'll discover this faux pas or our inadvertent login?
If they're that bad then why even get round to considering how much they cost. Even if they fix this little faux pas, what about others in their system?
Vincent www.pub-olympics.com
-
I have no beef with the vendor either way. We have no desire to use what was demonstrated due to cost, even more so after witnessing the 'holes' online. My thought is two-fold. Mention my discovery but perhaps only the SQL Error, lest they believe we're doing something malicious by using an unauthorized login. Or, keep quiet knowing my little discovery is proof enough not to use their services. Or would it be a stretch of the imagination that perhaps they'll discover this faux pas or our inadvertent login?
JimP_07 wrote:
lest they believe we're doing something malicious by using an unauthorized
I once (and only once) pointed out a descriptive SQL error for a time card application. I was accused by a member of the IT department of "white" hacking the app after reporting the error, which is punishable by dismissal and can be prosecuted, as I was so informed by this in-DAH-vidual. Of course I was not trying to "hack" their application, just using it to enter my information. Lesson learned.
MrPlankton
-
JimP_07 wrote:
lest they believe we're doing something malicious by using an unauthorized
I once (and only once) pointed out a descriptive SQL error for a time card application. I was accused by a member of the IT department of "white" hacking the app after reporting the error, which is punishable by dismissal and can be prosecuted, as I was so informed by this in-DAH-vidual. Of course I was not trying to "hack" their application, just using it to enter my information. Lesson learned.
MrPlankton
I actually landed a job like this a few years ago... I was trying to complete the online registration process and it kept giving an error and wouldn't allow me to complete the form. So I surfed around the site and found the "contact us" page. I then sent a copy of my resume and a short letter to the IT director explaining that I would love to apply for the advertised position but I was unable to complete the online form. The message I wrote contained a comment something along the lines of "it would appear that you are in need of a competent software engineer to maintain your existing systems". I can't remember the exact wording, but I do recall that it was fairly facetious since I was a little irritated at the application dumping on me after I'd spent all that time filling in the form. Anyway, I landed the job and for six months afterwards, my supervisor (who wrote the application) kept my cover letter pinned on the wall. :laugh:
Sunrise Wallpaper Project | The StartPage Randomizer | The Windows Cheerleader
-
JimP_07 wrote:
lest they believe we're doing something malicious by using an unauthorized
I once (and only once) pointed out a descriptive SQL error for a time card application. I was accused by a member of the IT department of "white" hacking the app after reporting the error, which is punishable by dismissal and can be prosecuted, as I was so informed by this in-DAH-vidual. Of course I was not trying to "hack" their application, just using it to enter my information. Lesson learned.
MrPlankton
Since dismissal and/or prosecution would typically be initiated from HR, I think a cursory CC to the head of HR would have been nice. As well as the suggestion that a company wide email be sent indicating to all employees that if they encounter an exception, since this is potentially grounds for dismissal, that they should forward it to HR :D
I'm largely language agnostic
After a while they all bug me :doh:
-
During a Webinar with one of our vendors, I wanted to see for myself the site(s) the moderator was demonstrating online. So I typed in the site URL verbatim and suddenly a SQL Server Error appeared which was quite explicit in its explanation. Naturally this was due to my not properly logging into the site. I located the login page. On a lark, I typed the moderator's Username AND the same as the password. I was in! This wasn't a demo site AND was secure 'https://' as well. Should I keep my mouth shut or tell said vendor about the SQL Error and how easy his password was to break?
Keep your options open. If you tell, you can't untell. If you don't tell, you can still decide to tell later. :-D
modified on Monday, May 19, 2008 9:51 PM
-
Since dismissal and/or prosecution would typically be initiated from HR, I think a cursory CC to the head of HR would have been nice. As well as the suggestion that a company wide email be sent indicating to all employees that if they encounter an exception, since this is potentially grounds for dismissal, that they should forward it to HR :D
I'm largely language agnostic
After a while they all bug me :doh:
The question I ask myself: "How would this affect my family and myself tomorrow, next week, next month?" Making a stink would have had no beneficial effect other than stroking my ego in the short term. Long term, at the very least, I would have adversaries in the IT department (never good).
MrPlankton
-
The question I ask myself: "How would this affect my family and myself tomorrow, next week, next month?" Making a stink would have had no beneficial effect other than stroking my ego in the short term. Long term, at the very least, I would have adversaries in the IT department (never good).
MrPlankton
Ah, but we can dream, no?
I'm largely language agnostic
After a while they all bug me :doh:
-
During a Webinar with one of our vendors, I wanted to see for myself the site(s) the moderator was demonstrating online. So I typed in the site URL verbatim and suddenly a SQL Server Error appeared which was quite explicit in its explanation. Naturally this was due to my not properly logging into the site. I located the login page. On a lark, I typed the moderator's Username AND the same as the password. I was in! This wasn't a demo site AND was secure 'https://' as well. Should I keep my mouth shut or tell said vendor about the SQL Error and how easy his password was to break?
If this is someone you've been working with for a while and you have a good relationship with them, do tell. If that's just some random company that you met with to review their offer, why the trouble? Keep your options open, you might end up working with them on a project one day.
-
During a Webinar with one of our vendors, I wanted to see for myself the site(s) the moderator was demonstrating online. So I typed in the site URL verbatim and suddenly a SQL Server Error appeared which was quite explicit in its explanation. Naturally this was due to my not properly logging into the site. I located the login page. On a lark, I typed the moderator's Username AND the same as the password. I was in! This wasn't a demo site AND was secure 'https://' as well. Should I keep my mouth shut or tell said vendor about the SQL Error and how easy his password was to break?
Would you tell Paris Hilton how easy it is to view her goodies?
-
During a Webinar with one of our vendors, I wanted to see for myself the site(s) the moderator was demonstrating online. So I typed in the site URL verbatim and suddenly a SQL Server Error appeared which was quite explicit in its explanation. Naturally this was due to my not properly logging into the site. I located the login page. On a lark, I typed the moderator's Username AND the same as the password. I was in! This wasn't a demo site AND was secure 'https://' as well. Should I keep my mouth shut or tell said vendor about the SQL Error and how easy his password was to break?
I'd tell him in a casual way. (I don't see why any other choice would be honorable.)
Anyone who thinks he has a better idea of what's good for people than people do is a swine. - P.J. O'Rourke