{"id":8,"date":"2005-04-03T09:12:45","date_gmt":"2005-04-03T13:12:45","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/rlucastemp\/2005\/04\/03\/check-cutters-drop-ball-bash-harva"},"modified":"2005-04-03T09:12:45","modified_gmt":"2005-04-03T13:12:45","slug":"check-cutters-drop-ball-bash-harvard-circle-wagons-consumerist-atti","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/rlucastemp\/2005\/04\/03\/check-cutters-drop-ball-bash-harvard-circle-wagons-consumerist-atti\/","title":{"rendered":"Check-cutters drop ball, bash Harvard, circle wagons; “consumerist” attitudes toward computing."},"content":{"rendered":"

<\/a><\/p>\n

Paymaxx, a payroll services provider, recently confessed to a major
\nmistake that essentially made public many of their customers’
\nemployees’ W-2 forms. My firm uses Paymaxx to run payroll. So, as it
\nhappens, does another Harvard-associated person’s small computer firm.
\nThis person, however, has more time (or more curiosity) than I, and
\ndiscovered a gaping hole in the system serving W-2 forms, a hole that
\nmade it trivial to retrieve others’ forms. This person did not create
\nthe hole or “crack into” the system — just stumbled upon the hole left
\nopen. What happened next was unfortunate.\n<\/p>\n

The discoverer of the hole was in a bind; to confirm the existence
\nand nature of the hole, he necessarily performed some testing and
\nexperiments. Upon forming a supported theory of the problem, he
\ncontacted the company with his complaint, and a sales pitch for his
\nservices to fix it. Was this morally correct? Certainly, he was
\ncompelled to take action by knowledge that his security and privacy was
\nthreatened; certainly, he was correct to inform the company. Certainly,
\nhe was under no obligation to provide his expertise without
\ncompensation. However, the quandary seems to center on the nature and
\nspecificity of his notice \/ sales pitch to the company: did he wrongly
\nwithhold information about the problem in a manner as to constitute
\n(morally, if not legally) a form of extortion?\n<\/p>\n

The response of Paymaxx was less than satisfactory as well. In a letter to its customers, Paymaxx stated:\n<\/p>\n

The hacker, is a 21 year-old Harvard student (or
\ngraduate) with a history of similar stunts. He was a PowerPayroll
\ncustomer for nearly four years. In mid- February when we informed him
\n(and the rest of our customer base) of the availability of 2004 W-2
\ninformation on-line, he e-mailed one of our sales reps informing him
\nthat he had found a flaw in the security aspects of our on-line W-2
\napplication and that he would tell us about it if we would hire his
\nfirm. We considered this a sales pitch and dismissed him.\n<\/p><\/blockquote>\n

The remainder of the letter is a bunch of hand-waving.
\nHowever, it is this paragraph that is most troubling. Why was their
\ncustomer referred to as a “21-year old Harvard student?” This seems to
\nme nothing more than an attempt to excuse their incompetence by
\naverring that it required an evil genius from Harvard (that spooky and
\nmuch-maligned ivory tower of mysterious egghead commies) to get into
\ntheir systems. Bad job, Paymaxx — there went your opportunity to own
\nup to your screw-up, be clear about how and why you screwed up, and
\ndemonstrate the objective steps you’ve taken to prevent it in future.
\nInstead, you pled the Harvard defense, and tried to shift the blame
\nonto someone else. However, rather than inveigh against Paymaxx for
\ntheir wounded-animal response, I’d rather look to the systemic reasons
\nwhy we can expect this kind of problem throughout corporate America for
\nthe forseeable future. I’ll begin with a brief technical description,
\nand then give my theory on the attitude that leads to this kind of
\nresult.<\/p>\n

\nThe problem was, schematically, that the URLs for retrieving W-2 forms were like this:<\/p>\n

http:\/\/bogus.paymaxx.com\/w2form?123456<\/pre>\n
Where, as you might guess, the next employee’s form is 123457. This
\nis not exactly how the problem manifested, but it’s close enough to
\nillustrate: the engineers who put that into play were either lazy or
\nstupid, not taking into account that changing digits in the URL is
\ntrivial. Put in the right number, and you get the W-2 form, with name,
\naddress, and earnings.<\/p>\n
\n(Merely to demonstrate that I am not declaiming against their engineers
\nuninformedly, let me state that what needs to have been done is to 1.
\nuse HTTPS, if they had not, and 2. engineer the sharing of a true,
\nnon-trivially guessable secret (for example by snail-mailing a PIN to
\neach employee), and 3. putting a guess-number-count limit on the
\nretrieval dialog to prevent brute-force attacks. In defense of Paymaxx,
\nthey are probably just the first payroll company to get caught with
\nsomething like this — I have chosen to stay with them despite, and
\nsomewhat because of, their experience with this problem, since now they
\nshould be more rightly paranoid about security and because I don’t
\nexpect any better from other firms.)\n<\/p>\n
I can only speculate at the reasons behind this goof, but it does
\nfit with a general pattern I have witnessed, of what I term a “consumer
\nattitude” to data and computing. This attitude is promoted by the false
\npromises of the software industry to liberate us from the burdensome
\ntask of comprehension — the notion that all software can be
\n“intuitive” and that humans and computers can interact without the
\nhumans holding up their end of the bargain. Holding this attitude leads
\nto the implicit adoption of certain maxims;\n<\/p>\n