<?xml version="1.0" encoding="UTF-8"?>

<rdf:RDF 
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns="http://purl.org/rss/1.0/"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:syn="http://purl.org/rss/1.0/modules/syndication/"
>

  <channel rdf:about="http://lwn.net/headlines/182365/">
    <title>LWN: Comments on "The risks of disclosing web vulnerabilities"</title>
    <link>http://lwn.net/Articles/182365/</link>
    <description>
This is a special feed containing comments posted
to the individual LWN article titled &quot;The risks of disclosing web vulnerabilities&quot;.

    </description>

    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>2</syn:updateFrequency>
    <items>
      <rdf:Seq>
	<rdf:li resource="http://lwn.net/Articles/183562/rss" />
	<rdf:li resource="http://lwn.net/Articles/183391/rss" />
	<rdf:li resource="http://lwn.net/Articles/182703/rss" />
	<rdf:li resource="http://lwn.net/Articles/182638/rss" />
	<rdf:li resource="http://lwn.net/Articles/182601/rss" />
	<rdf:li resource="http://lwn.net/Articles/182549/rss" />
	<rdf:li resource="http://lwn.net/Articles/182507/rss" />
	<rdf:li resource="http://lwn.net/Articles/182478/rss" />
	<rdf:li resource="http://lwn.net/Articles/182467/rss" />
	<rdf:li resource="http://lwn.net/Articles/182441/rss" />
	<rdf:li resource="http://lwn.net/Articles/182439/rss" />
	<rdf:li resource="http://lwn.net/Articles/182438/rss" />
	<rdf:li resource="http://lwn.net/Articles/182430/rss" />
      
      </rdf:Seq>
    </items>

  </channel>
    <item rdf:about="http://lwn.net/Articles/183562/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/183562/rss</link>
      <dc:date>2006-05-14T19:48:56+00:00</dc:date>
      <dc:creator>kasperd</dc:creator>
      <description>
      &lt;p&gt;&lt;i&gt;I see this behaviour as a typical &quot;we don't have any problems, but we'll sue you to pieces if we have&quot; scare tactic. Utterly, utterly irresponsible. And pathetic, too.&lt;/i&gt;&lt;/p&gt;

&lt;p&gt;I have experienced that as well with a Danish company. My experience with that particular company was a different reaction to each email I sent to them.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;b&gt;ignore&lt;/b&gt; it: I wrote an email to them, and it appeared to be ignored. I got no reply, and nothing was done about the problem.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;try to talk out of it&lt;/b&gt;: I got a thankful answer, in which they stated that they would do something about the problem. But they didn't.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;deny it&lt;/b&gt;: After my third email they tried to deny the existence of the problem. To which I responded that in that case it couldn't do any harm to publish my findings.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;threaten&lt;/b&gt;: Their next reaction was to threaten me with a lawsuit in case anybody found out about the problem.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;At that point I decided the best I could do was to report the company to the authorities for keeping personal data without the amount of security required by the law. At least I felt that was the best I could do for my own position in case of a lawsuit.&lt;/p&gt;

&lt;p&gt;The company was given a very long time to respond about the problem. And just before their time ran out, they removed that particular symptom. However, there was no proof that the vulnerability was really solved. And in other places there were still symptoms showing vulnerabilities, and other problems showing they just don't know what the hell they are doing.&lt;/p&gt;

&lt;p&gt;&lt;i&gt;A couple years back I found an SQL injection vulnerability in a major Danish site, and I simply gave them a call. After some shuffling around with my phone call, I got to one of the developers. She was shocked -- but thankful, and they fixed it rapidly.&lt;/i&gt;&lt;/p&gt;

&lt;p&gt;Nice to hear that there still are companies handling such approaches reasonably. Unfortunately they are rare. I have reached the point where I don't know if it is worth the effort to tell sites about their security problems.&lt;/p&gt;

&lt;p&gt;I think the next time I come across a security vulnerability in a Danish site I'm just going to report it straight to the authorities and then just publish the fact that this company has been reported.&lt;/p&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/183391/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/183391/rss</link>
      <dc:date>2006-05-12T12:34:56+00:00</dc:date>
      <dc:creator>copsewood</dc:creator>
      <description>
      &quot;So, for example discussing on the public forums (of the corresponding &lt;br&gt;
system) about whether anybody else had bumped into a &quot;funny feature&quot; &lt;br&gt;
of the system might be OK,&quot; OK in the UK and in common law. Might be illegal under some circumstances in the US.&lt;br&gt;
&lt;p&gt;
&quot;as long as one doesn't try to use it him/herself&quot; which I take to mean breaking and entering or trespassing in physical law and a violation of the UK Computer Misuse Act. I think US state computer laws vary; I don't know whether it is covered by US federal law.&lt;br&gt;
&lt;p&gt;
&quot;nor mentions that it &quot;might&quot; be a security hole?&quot; Legal AFAIK in the UK, illegal under the US DMCA which is in conflict with the US Constitution.&lt;br&gt;
&lt;p&gt;
&quot;Could one be even outraged that the organization had &quot;implemented&quot; a &lt;br&gt;
feature for disclosing sensitive information?&quot; How you feel is your own business. What you say could breach the DMCA in the US but not the UK Computer Misuse Act as I understand it. In the US the DMCA discourages you from doing the responsible thing which is telling the party with a known insecure system what's wrong so they can fix it. &lt;br&gt;
&lt;p&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182703/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182703/rss</link>
      <dc:date>2006-05-06T12:37:45+00:00</dc:date>
      <dc:creator>addw</dc:creator>
      <description>
      Hear hear!&lt;br&gt;
&lt;p&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182638/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182638/rss</link>
      <dc:date>2006-05-05T16:27:45+00:00</dc:date>
      <dc:creator>cdmiller</dc:creator>
      <description>
      Well, if some organization is going to store data about me, I should have the right to test their system and make sure they are securing my personal info properly.  Perhaps a law suit is in order by the accused against USC for endangering his personal data.&lt;br&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182601/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182601/rss</link>
      <dc:date>2006-05-05T03:07:42+00:00</dc:date>
      <dc:creator>fozzy</dc:creator>
      <description>
      Seems like USC is not a good place to study.&lt;br&gt;
&lt;p&gt;
That's the message to get out - something that will affect their hip pocket.  Whilst I'm not in the USA, so unlikely to want to study at USC, reading stories such as this my first reaction is what does this tell me about the culture of the institution?&lt;br&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182549/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182549/rss</link>
      <dc:date>2006-05-04T18:32:51+00:00</dc:date>
      <dc:creator>oak</dc:creator>
      <description>
      So, for example discussing on the public forums (of the corresponding &lt;br&gt;
system) about whether anybody else had bumped into a &quot;funny feature&quot; &lt;br&gt;
of the system might be OK, as long as one doesn't try to use it him/herself &lt;br&gt;
nor mentions that it &quot;might&quot; be a security hole? &lt;br&gt;
  &lt;br&gt;
Could one be even outraged that the organization had &quot;implemented&quot; a  &lt;br&gt;
feature for disclosing sensitive information?  &lt;br&gt;
  &lt;br&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182507/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182507/rss</link>
      <dc:date>2006-05-04T16:17:43+00:00</dc:date>
      <dc:creator>copsewood</dc:creator>
      <description>
      I think there is a great difference between:&lt;ul&gt;&lt;li&gt; &quot;researching&quot; someone else's implementation of a program - which is used to store confidential data belonging to someone other than the security researcher, and&lt;/li&gt;&lt;li&gt; the security researcher implementing this program themselves, finding a vulnerability in their own implementation of it and giving the developer of this program appropriate time to fix it before publishing the exploit.&lt;/li&gt;&lt;/ul&gt; In the UK, as this article points out, this makes the difference between unauthorised and authorised access. Unless the system owner invites security reports of discovered vulnerabilities, effort should not be put into discovering these by an uninvited party. I may accidentally leave my door unlocked. If someone sees keys left in the outside door and rings the doorbell to tell the house owner, this is authorised access. If they go in through an unlocked door or try to see how easy this is to pick and wander around the house this is trespassing - as well as being a violation of privacy. Buying a particular make and model of door lock at a hardware shop and taking it home and working out how easy it is to break it or pick it and telling others about this is generally considered fair use and fair comment. &lt;p&gt; In cases such as these it is instructive to compare actions in the virtual domain with similar actions in the physical domain, to see how the latter would be regarded both socially and in legal terms. This is also a useful acid test of computer related legislation. Based on these criteria the DMCA fails a test that the UK Computer Misuse Act passes.
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182478/rss">
      <title>Instant disclosure</title>
      <link>http://lwn.net/Articles/182478/rss</link>
      <dc:date>2006-05-04T14:21:30+00:00</dc:date>
      <dc:creator>jreiser</dc:creator>
      <description>
      So if &quot;responsible&quot; disclosure is discouraged, then &quot;No prisoners!&quot; must be the reply.  Such as: randomize the effective MAC address on a laptop, go to a free wireless cloud, post the zero-day exploit on IRC.  Surely there are improvements and other strategies; let's hear them!&lt;br&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182467/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182467/rss</link>
      <dc:date>2006-05-04T12:57:03+00:00</dc:date>
      <dc:creator>csamuel</dc:creator>
      <description>
      The issue with Daniel Cuthbert was that the judge found that he lied to &lt;br&gt;
police initially and only later changed his story to what actually &lt;br&gt;
happened.  This probably meant the difference between the fine he got and &lt;br&gt;
a conditional discharge.&lt;br&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182441/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182441/rss</link>
      <dc:date>2006-05-04T09:27:03+00:00</dc:date>
      <dc:creator>eskild</dc:creator>
      <description>
      Well, yes, but... Reading the article it appears the web site owners didn't acknowledge the problem until they were presented with data that proved their systems' failure.&lt;br&gt;
&lt;p&gt;
In other words: They flat-out denied they had a problem -- until it was proven to them with their own data.&lt;br&gt;
&lt;p&gt;
It is hard for me to see how an organization acting in denial of their own problems could be convinced of their web site deficiencies in another manner.&lt;br&gt;
&lt;p&gt;
So he *had* to retrieve data, he *had* to distribute them. But, of course, he *didn't* have to retain them once they were sent.&lt;br&gt;
&lt;p&gt;
I see this behaviour as a typical &quot;we don't have any problems, but we'll sue you to pieces if we have&quot; scare tactic. Utterly, utterly irresponsible. And pathetic, too.&lt;br&gt;
&lt;p&gt;
An anecdote: A couple years back I found an SQL injection vulnerability in a major Danish site, and I simply gave them a call. After some shuffling around with my phone call, I got to one of the developers. She was shocked -- but thankful, and they fixed it rapidly. That's how these things should work.&lt;br&gt;
&lt;p&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182439/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182439/rss</link>
      <dc:date>2006-05-04T08:48:58+00:00</dc:date>
      <dc:creator>cate</dc:creator>
      <description>
      &lt;p&gt;&lt;i&gt;[Editor's note: anybody who informs LWN of a vulnerability in the LWN.net code will, assuming they have not exploited that vulnerability for their own gain, be thanked, publicly if desired.]
&lt;/i&gt;
&lt;p&gt;
Are the php errors in http://lwn.net/Gallery/ exploitable? ;-)
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182438/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182438/rss</link>
      <dc:date>2006-05-04T08:44:58+00:00</dc:date>
      <dc:creator>dvrabel</dc:creator>
      <description>
      Sounds like McCarty didn't just find a flaw but used it to obtain personal data to which he was not authorized nor entitled and then proceeded to store and distribute that data.  Should my personal data be misused in such a way I would expect and require investigation by the police or other appropriate authorities.&lt;br&gt;
&lt;p&gt;
If we applaud such misuse of personal data then it becomes all too easy for wholescale misuse to occur under the guise of &quot;security research&quot;.&lt;br&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/182430/rss">
      <title>The risks of disclosing web vulnerabilities</title>
      <link>http://lwn.net/Articles/182430/rss</link>
      <dc:date>2006-05-04T06:37:41+00:00</dc:date>
      <dc:creator>error27</dc:creator>
      <description>
      It seems like student council or the ACM club there should take a stand.  Someone has done them a favour and the administration has acted like slime.&lt;br&gt;
&lt;p&gt;
&lt;p&gt;
      
      </description>
    </item>
</rdf:RDF>

