Remember Impero, the school software biz that went ape over a vuln? Someone's got revenge
In a very British way – leaflets! OVER 9,000 of them
Nottinghamshire-based software biz Impero has a lot of recycling to do – after hacker-turned-security-researcher Cal Leeming delivered over 9,000 paper copies of a vulnerability to the company's headquarters as a protest.
A few weeks ago, Impero hit the headlines when it threatened to sue someone called Slipstream, who had published details of a security flaw with the firm's software. Impero produces an application that allows network administrators in schools to remotely manage devices and networks, and the flaw would have allowed someone with local access (such as a pupil) to run malicious code on any PC.
Slipstream was threatened with copyright infringement for publishing the software's hardcoded AES key and IV; breach of contract; and breach of confidentiality. But the threats fizzled out after Slip took down details of the vulnerability.
Impero's attitude ruffled a lot of feathers in the UK security community, and seems to have particularly irritated Leeming. So he printed out 9,001 copies of an exploit for Impero's security holes and delivered them to the company, as well as sending them a copy on a floppy disc (although who has a floppy drive these days?).
Leeming risked the ire of his partner by drilling a hole in their kid's changing bag to attach a GoPro camera to record the affair, and took the boxes of dead tree to the company. After a fractious conversation with some sales and marketing staff, Leeming met Nikki Annison, the firm's marketing director, who politely took delivery.
Annison also let Leeming know that in future such flaws can be sent to the firm via email and wished him a good day. Leeming then put a few spare copies under some windscreen wipers in the car park and went home.
"We had an incident last week where one security researcher turned up on our doorstep armed with over 9,000 printed copies of a single suspected vulnerability and a chest-mounted Go Pro camera (sensibly capturing on record that this had been received!)," Impero said in a statement [PDF].
"To save future cost, time, and carbon footprint, should security researchers be contemplating similar methods, we wanted to make clear that an email to firstname.lastname@example.org will suffice!"
The Impero case highlighted the problems involved in security research and responsible disclosure. While Slipstream wasn't being particularly responsible in posting the flaw, the firm's threat of legal action was ill-advised.
Leeming is now back at his day job, writing code to help the kind of companies he used to rob improve their security. When Leeming was 13, he was found guilty of gaining unlawful access to computer systems, making him the youngest person in the UK to be charged with hacking offences.
That didn't stop him. When he was 19, Leeming was sentenced to 15 months in prison after he used stolen credit cards to buy £750,000 ($1.16m) worth of hardware, which he sold via eBay. On arrest he was found to have laundered £102,000 ($158,716) through his girlfriend's building society account.
Leeming is now on the straight and narrow, and has worked to keep other youngsters out of trouble. Today, he's a legit security researcher and working on raising four children. ®