Should companies post copyrighted software on an unsecured FTP site?
September 26, 2012 12:43 PM
A company I just interviewed with has an unsecured FTP site where their IT department posts full versions of copyrighted software, among other things. Yikes?
Two part question! I found the company's FTP site while looking for a staff directory to send a thank you note to the members of the interview team. In addition to the obvious software files (hello, Microsoft Project and friends!), there were many other directories available, at least one containing the staff personal information that caused the site to show up in my Googling.
1) They should not be doing this, right? I suspect it might be a matter of not having fully thought through the implications of making software they have licenses for easily available to their staff, not actual nefarious intent. They might not even realize that it's public; I have seen crazier things than that in businesses that should know better.
2) If I am right to be concerned, should I mention this to the hiring manager during the hiring process? It would be in the spirit of "I don't know if you are aware of this, but your company has some files publicly available that might pose some risk. You might want to look into that." Not "I wish to blackmail you into submission and force you to hire me." Or should I just wait and bring it up if I get the job? My dilemma is that I LOVE this company and I don't want them to get into trouble, whether I wind up being hired or not.
Thanks for your thoughts!
The kind of clowns who do this sort of thing are the same type of people who are liable to accuse you of "hacking" them if you call their attention to it. I say, it's not your problem, until they hire you.
posted by thelonius at 12:47 PM on September 26, 2012 [16 favorites]
Is it for an IT position? If so, you could present it just as you discovered it: Doing due diligence research on the company. You could make the hiring manager aware of the liability implications, and how you'd handle it if you had the position to do something about it.
posted by thanotopsis at 12:49 PM on September 26, 2012 [2 favorites]
If people's (read: employees') personal information is in a compromising state then you should tell the company about the situation. That should happen regardless of your hiring status with said company; feel free to wait until a decision has been made with regards to your application, but please don't just walk away with people's private info hanging out for anyone to skim from their server.
posted by RolandOfEld at 12:51 PM on September 26, 2012
Response by poster: It's a marketing position, so they might not know exactly what FTP is. ;-)
posted by bloggerwench at 12:52 PM on September 26, 2012
1) No, they shouldn't be doing it.
2) Don't mention it to them during the interview process. Otherwise it might seem like you're threatening them.
Alternately, you can mention it to them anonymously. Send them an email from a throwaway account to a number of the top people telling them what you found.
posted by inturnaround at 12:54 PM on September 26, 2012 [2 favorites]
If you do get the job, by the way, then play it even cooler-- the last thing you want is the head of IT having you on his shitlist.
posted by Sunburnt at 12:59 PM on September 26, 2012 [4 favorites]
But an anonymous throwaway email will probably just fly into their spam.
Could you phone the person you interviewed with? You can mention what you were trying to look up and that you saw a tremendous security issue at their company. They as an employee on their end need to take it seriously and report it to their IT or Information Security dept.
You can not make a partial disclosure in return for some hiring leverage. Do not make an unethical decision with that info at stake. FULL DISCLOSURE. You may provide them screenshot evidence as well, but please do not leverage this and do not speak of this in terms of a job opening. This is bread and butter ethics in the digital age.
posted by Bodrik at 1:03 PM on September 26, 2012 [2 favorites]
What else lies beneath? In other words, what haven't you found yet that might freak you out even more?
Doesn't sound like they have their stuff together in a variety of ways, and already you're bothered (reasonably so) by the ways in which they don't have it together.
If I were in your shoes, I really don't know if I'd take the job, unless you will be in a position of some influence and can get these issues taken care of without causing all kinds of resentment on the part of your new coworkers. See Sunburnt's comment above.
I think it might be a stroke of very good luck for you that you stumbled upon the problem before it started affecting YOU.
posted by Currer Belfry at 1:04 PM on September 26, 2012
Other companies, like Intel, have prosecuted employees for discovering security breaches where that was not directly part of their job. You risk being seen as an unauthorized hacker. See for instance Randal Schwartz and Intel.
I would not show them that you can connect to the ftp server, but rather that the ftp server contents show up on Google. Or I would tell them anonymously, if at all, and consider not accepting an offer at the company; if they can't get this right, they have terrible hiring practices and management.
posted by zippy at 1:09 PM on September 26, 2012 [1 favorite]
Response by poster: Bodrik, I definitely don't intend to leverage this, and I'm not sure how you got that impression when I specifically said that I didn't in any way want them to think I was threatening them with the information. However, talking to them now, or after I am hired/not hired, both have risks of them not doing anything because of the source of the information. I like the ideas of anonymously contacting them, and I'm actually now thinking that simply calling up their head of IT, anonymously, might be the best way to get the right person's attention without making unnecessary waves.
posted by bloggerwench at 1:09 PM on September 26, 2012
Most of the above advice is crazy paranoid (Anonymous reporting? Lolwut?) They have something publicly visible on the internet through any browser that displays FTP (i.e. all of them). This is not a state secret, nor are you likely to make enemies telling them about it (and honestly if you make enemies over something this stupid, you don't want the job anyway).
I would straight up send an email "Hey I was googling and... just thought you should know".
posted by wrok at 1:14 PM on September 26, 2012 [1 favorite]
I would not take a job at this company. They don't know or respect the laws with regards to copyright, they appear not to understand technology well enough to hide it and who knows what else they may be doing that's illegal or unethical.
posted by tommasz at 1:15 PM on September 26, 2012 [4 favorites]
I found something similar at a previous job. First stop was the corporate offices, where I spoke with the head of IT. He told me the problem was taken care of already, which it clearly wasn't (he also seemed to not even know of the issue and was taking a stance of protecting his own neck). Second stop after a week or so was my boss' boss, who was very familiar with computers and at first accused me of hacking in. I simply gave him the information I had, and at least the outside accessibility went away. Beyond that it wasn't my problem, but in the end, it absolutely wasn't a company I should have worked for.
posted by efalk at 1:24 PM on September 26, 2012 [2 favorites]
Most of the above advice is crazy paranoid (Anonymous reporting? Lolwut?) They have something publicly visible on the internet through any browser that displays FTP (i.e. all of them). This is not a state secret, nor are you likely to make enemies telling them about it (and honestly if you make enemies over something this stupid, you don't want the job anyway).
Whether this is a good idea, and how it is received, depends greatly on the culture at the company. Never underestimate the reflexively defensive, ass-covering nature of someone doing something unbelievably stupid.
posted by zippy at 1:26 PM on September 26, 2012 [1 favorite]
Response by poster: I called and left a message. Ball's in their court. If I do get a job there and it's not resolved, I'll bring it up again, ever so delicately so as not to make an enemy of IT. Like I said in the original post, plenty of businesses get confused on secure/non-secure sites. I wish it were surprising, but it's not, and I think it indicates ignorance more than anything. Thanks for your answers!
posted by bloggerwench at 1:27 PM on September 26, 2012
No problem bloggerwench. Just some suggestions had mentioned and reinforced the same. Sorry for piling on.
To clarify, the software thing isn't unusual especially if this company has multiple locations and their method of distributing copies to sites is by company ftp. The issue is that the ftp can be seen publicly and the software they bought and licensed is out there for the WWW to take and obtain illegally. It is like their IT file server has a public opening to the WWW with nobody knowing.
The personal information issue is purely an information security breach and that is an all-around problem no matter what.
Any competent IT manager should take you seriously. Hopefully they do their job here with your VM.
posted by Bodrik at 1:30 PM on September 26, 2012
I think it indicates ignorance more than anything.
Probably.
Also, I did a favor once for a company that I was applying to. Then I turned down their job offer for a different opportunity—but based on having seen my work product in that favor, they responded by raising their offer and I took the job. It worked out great.
Good luck!
posted by cribcage at 2:44 PM on September 26, 2012
I worked for a company with serious tech ethics problems that were not taken seriously even after I went through proper channels to report them. I really, really wish I hadn't. If they can't get this together, I just don't think it bodes well. GL either way...
posted by cestmoi15 at 2:54 PM on September 26, 2012
When I notified another department at the university that I used to work at that they had some issues with their database security (which I'd noticed while doing an unrestricted connection search while not knowing I was connected to the campus network, which *walked* the entire campus network looking for database servers to connect to), I found that I was extremely lucky that my boss knew the campus VP of IT, was in good with campus HR, and that I was close friends with a bunch of the campus police department, because the first thing that the head of IT in that other department did was call the campus police department and insist that I be arrested for "hacking" -- then he called HR and insisted that I be fired for the same. The police chief (who I knew from volunteer work) called HR and my boss, who took it to the head of IT, and I ended up hearing about my near miss with a pair of handcuffs from one of my police department buddies over a beer in the bar the next day because my boss had been on vacation, had handled the entire thing from a deer blind, and didn't think to tell me.
I approach situations like this EXTREMELY carefully these days. I wouldn't have done what you did; I would have notified a third party that is anonymous and let the third party handle contact with them.
posted by SpecialK at 3:10 PM on September 26, 2012 [8 favorites]
I would just let them know anonymously (throw away email or whatever).
I mean, what does them doing this have anything to do with you (other than you were the one who discovered it)? Further, for what purpose would you want them to know it was you who found this? I don't think they will pat your back. Most IT folks would probably get really sensitive and defensive over the whole thing. It certainly won't help you get a marketing job.
posted by nickerbocker at 4:12 PM on September 26, 2012
I think you did the right thing. Wondering if you could post back with any resolution to this?
posted by BlueHorse at 6:16 PM on September 26, 2012
The Business Software Alliance has a section on their website for anonymous reporting.
posted by radwolf76 at 6:31 PM on September 26, 2012
Response by poster: BlueHorse, will do. For now, my conscience is clean, I have minimized risk of repercussion to myself by reporting anonymously, and I hope the company will have a learning moment and make things right. If they don't fix the issue, my attorney has agreed to contact them on my behalf to encourage them to minimize their risk, as a purely friendly gesture that they might take more seriously.
posted by bloggerwench at 7:40 PM on September 26, 2012
I would not take a job at this company. They don't know or respect the laws with regards to copyright, they appear not to understand technology well enough to hide it and who knows what else they may be doing that's illegal or unethical.
That isn't necessarily true - I've worked for companies that were very strict about following licensing policies that had internal FTP sites for software that they had a site license for, or for floating multi-seat licensed software. If I wanted to use FakeCompany SuperSoft 2012, for example, with a floating multi-seat license, I would email someone requesting a license key, and then go off to download the software from the internal FTP server once I received it. With a site license, it was just "download this if you need it for work".
It's also possible that the company in question's FTP site allows anonymous uploads, and is being used for warez hosting without their knowledge.
posted by cmonkey at 5:04 AM on September 27, 2012
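cmonkey's last point, that the site may be accepting anonymous uploads without anyone at the company knowing, is something an administrator can check in the server's own configuration. The following is an added example, not code from this thread or from the company discussed in it; it assumes the server is vsftpd (the thread never says which FTP daemon is in use) and audits a vsftpd.conf text for the directives that grant anonymous read or write access, applying vsftpd's documented defaults for any directive the file leaves out. The two configurations at the bottom are constructed for the example.

```python
"""Audit a vsftpd.conf text for anonymous read/write exposure.

Added example (not part of the original thread). Assumes vsftpd; the
sample configurations below are constructed, not any real server's.
"""

# vsftpd's compiled-in defaults per the vsftpd.conf man page. A directive
# that is absent from the file takes its default, which is why an empty
# config still permits anonymous logins.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return {directive: value} from vsftpd.conf-style text.

    Blank lines, '#' comments and lines without '=' are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, key):
    """Value the daemon will actually use: the file's value or the default."""
    return settings.get(key, DEFAULTS[key]).upper()


def audit_vsftpd(text):
    """Return a list of (severity, finding) tuples for the given config."""
    s = parse_vsftpd_conf(text)
    findings = []
    anon = effective(s, "anonymous_enable") == "YES"
    if anon:
        findings.append(("HIGH", "anonymous_enable=YES: anyone can log in and read the tree"))
        if "anonymous_enable" not in s:
            findings.append(("INFO", "anonymous_enable is not set; vsftpd's default is YES"))
    # Anonymous write options only take effect when write_enable is also YES.
    writable = effective(s, "write_enable") == "YES"
    if anon and writable and effective(s, "anon_upload_enable") == "YES":
        findings.append(("CRITICAL", "anonymous uploads enabled: server can be used as a drop box"))
    if anon and writable and effective(s, "anon_mkdir_write_enable") == "YES":
        findings.append(("CRITICAL", "anonymous users may create directories"))
    return findings


# Constructed: a misconfigured server that never mentions anonymous_enable
# and so inherits the permissive default on top of explicit upload rights.
WEAK_CONF = """\
# internal software distribution box (constructed example)
listen=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

# Constructed: the same server limited to authenticated local accounts.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for severity, finding in audit_vsftpd(conf) or [("OK", "no anonymous exposure found")]:
            print(f"  [{severity}] {finding}")
```

Run as a script it reports two CRITICAL findings for the weak file and nothing for the hardened one. The check reads the file rather than probing the listener, so it can be run on the server itself, and it is deliberately conservative: it only flags anonymous write when write_enable is also on, because vsftpd ignores the anon_* write directives otherwise.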
This thread is closed to new comments.
posted by ish__ at 12:47 PM on September 26, 2012 [9 favorites]