40 Comments
- NetElemental, on 10/12/2007, -0/+12 I believe that some of this information is subjective to the site in question. For example, the owners of some sites are known to be more lenient with Grey Hats (or penetration testers) than others, so in my case, I let my knowledge of the site guide my actions. Also, when curiosity overwhelms me, I will ALWAYS use Tor to protect myself. If I want to report a vuln but do not want to be identifiable in any way, I will register a new email with Tor and use that. I write all my penetration testing tools to utilize Tor for this reason as well.
The author makes a good point about requesting written authorization to perform penetration testing, and this is a step most Grey Hats (myself included) will either not bother with or will not remember. This is something that needs to be remembered by the security curious/conscious.
- stevenb, on 10/12/2007, -0/+10 He's for the most part right.
I think of it like this:
Some lady has a flat on the side of the road... I stop... assuming she allows me to assist her... I help her put the spare tire on her car.
She peddles down the street and has a blowout that causes her to tumble down the street.
She turns around and sues me.
Welcome to America!!!
- NetJoe, on 10/12/2007, -1/+10 Sell the vulnerability. If you're going to get burned, make it worth it.
- inactive, on 10/12/2007, -0/+9 I sure as hell will zip my mouth.
I wouldn't want to be fired.
Of course, this violates my engineering ethics.
- rewritable, on 10/12/2007, -0/+8 "Was this the right decision, or is reporting an issue regardless of the risks a moral necessity?"
Let them burn.
- psyon, on 10/12/2007, -0/+6 My wife works for a non-profit organization that helps with heating costs in the winter. They helped one home owner reinsulate her house, in order to reduce the cost of heating it. The insulation job was done badly, and caused dust to get all over the house and cause respiratory problems. Who got sued? My wife's company, who arranged and paid for the job.
- Rmplstltskn, on 10/12/2007, -0/+5 A few years ago I was taking an art history course and the professor rigged the website so that the thousands of images of great works of art couldn't be downloaded (or so he thought). I figured out a way to download the pictures I liked, and when I told him how I did it he said that I should keep things like that to myself. Hey... I was just trying to help the guy out, but I guess some people would rather remain ignorant of their mistakes than have their mistakes brought to their attention.
- merreborn, on 10/12/2007, -1/+6 "reporting SOFTWARE issues, a moral necessity? moronic"
Software flaws, when exploited, can lead to damages (lost productivity, service downtime => lost revenue, etc.) on the order of tens of billions of dollars in a single month.
http://thewhir.com/marketwatch/feb021904.cfm
So yes, if you have knowledge that could potentially prevent 10s of billions of dollars of damages, the choice not to report is absolutely a moral issue.
- rishimaharaj, on 10/12/2007, -0/+5 It's amazing that people waste their time on context-menu-blocking scripts when they can easily be bypassed with Tools -> Page Info -> Media in Firefox. *sigh*
- 0Troy, on 10/12/2007, -0/+4 Reporting is simply not worth it. The last time I reported a vulnerability to the technical contact of a site, I was brushed off with "That's not readily exploitable."
Months later I got a fire-and-brimstone e-mail from the admin claiming that I would have to prove my innocence during a certain period of time because I was "the only one who knew about the exploit" at the time. I knew he was full of it, and they found the real attacker, but the point stands. If they didn't find anyone, I would have been the only one they could have gone to.
It's like finding a lost wallet, and turning it in to a police station only to discover that someone before you took out a card and ran it to the limit. Guess who the prime suspect is? The person trying to do the right thing.
What's the point.
- hotdrop, on 10/12/2007, -0/+4 Ask yourself the following questions:
Do I want to go to jail?
Do I want to get sued?
Do I want to be labeled a terrorist?
Do I want my life ruined?
If the answer is no to any of those questions, you should not report security flaws.
- psyon, on 10/12/2007, -0/+4 Yeah, people suck. I was told once that if you do CPR on someone, and mess up, or fail to help them... tough ***** for them. But if you are trained in CPR, and mess up or fail to help, you can be in serious trouble.
- inactive, on 10/12/2007, -0/+3 Number 1 rule in life.
Don't let others know about weaknesses you have found in a person, place, or thing.
Otherwise they will make a law against it.
- NewEvolution, on 10/12/2007, -0/+3 Let's face it. Even right-clicking is beyond SOME computer users.
- pHr34kY, on 10/12/2007, -0/+3 Back in school I explained to the teacher how it was possible to steal passwords. Then I showed them an example. I got suspended.
Stupid IT dept!
- Zonkzor, on 10/12/2007, -0/+3 Or just dragging the picture to the desktop.
- MrBound, on 10/12/2007, -0/+2 I thought if you were Red Cross certified you couldn't be held liable for trying to help someone and failing.
- stevenb, on 10/12/2007, -0/+2 @psyon
It's a sign of the society we live in these days. Why I don't go out of my way to help people anymore. I might help them right into a lawsuit against me.
- stevenb, on 10/12/2007, -0/+2 Precisely...
It's sad... but true.
- inactive, on 10/12/2007, -0/+2 This culture of suing everyone to death is going to backfire big time.
Mark my words, the days where white and grey hats cease to exist are close, and then you'll just have black hats selling their knowledge to the highest bidder.
Would I tell a website I've found an exploit in their site? ***** no, they might sue me. It's only a short hop and jump from that to the realisation that OTHERS might find that information valuable.
What would be a much better approach would be a bounty on CORRECTLY reported issues on large sites. If you can provide instructions on how it's done and sign a form stating you haven't disclosed this to any other sources, feed them a decent reward. This would build a culture of proactive white hats all looking for the next hole to score that little bonus.
- inactive, on 10/12/2007, -1/+3 Yeah, and then said organisation gives you up and you go to federal rape-me-in-the-arse prison.
- macewan, on 10/12/2007, -0/+2 In most instances silence is the best bet nowadays.
- Samurailink3, on 10/12/2007, -0/+2 I broke into my high school's computer network then later reported the problem, to be thanked by expulsion. The system was complete crap, holes everywhere. I just got in, got out, and stated the problem. They thanked me by kicking me out for the rest of the year. Since when is helping people a reason to be burned at the stake? I agree with this article. Dugg and Dugg.
- HeapMalloc, on 10/12/2007, -0/+2 An old adage best sums this up... "No good deed goes unpunished".
- NewEvolution, on 10/12/2007, -0/+1 I thought they passed good Samaritan laws to cover that sort of thing? Something that protects you if you're acting in good faith to save someone's life in an emergency....
Maybe it's only in some states.
- miaow, on 10/12/2007, -0/+1 This highlights my main concern with the net. Websites and internet companies are too slack and too arrogant. And like the guy says, if they hear about it then it's the reporting person that will be targeted. It seems to me that all you need is something not patched in your computer and you visit a website and you are in trouble (as an example).
It's an ideal situation for trojan, rootkit users. I think most of the net should be https for a start.
It highlights how mediocre most companies are in our business world. If someone runs a rotten call-centre, the chairman will likely never realise. This is the general standard for most companies imho. With internet security, that sort of standard isn't good enough. We live in a world of shoddy standards except when it can't be hidden.
- inactive, on 10/12/2007, -0/+1 Here in Oz there are instances where some ungrateful bastard who had CPR administered to them sued the pants off the person who SAVED them because they left bruising from the CPR itself!
I let my 1st Aid certs lapse because of this sort of thing, plus if I don't help I can get sued as well!
It's insane!!
- StephnDolenc, on 10/12/2007, -0/+1 Reporting an exploit in my school's network that allowed a hacker to acquire all of the passwords resulted in his expulsion and legal troubles.
- inactive, on 10/12/2007, -0/+1 They need to change their thinking and gain a greater understanding of just what their websites and IT infrastructure mean to them.
Example: black hats spreading details on how to gain access to porn sites for free. It costs them in lost customers and in wasted bandwidth, a LOT of wasted bandwidth.
A single $500 bounty to save them $2000 a month in lost bandwidth makes pretty good business sense.
- inactive, on 10/12/2007, -0/+1 Sad but very true it would seem.
- Kestral, on 10/12/2007, -0/+1 For the cynical, there is an old saying that says: No good deed goes unpunished.
- pt4117, on 10/12/2007, -0/+1 I could see a cool professor saying something like that. He might have been obligated to take reasonable measures to protect the files, but didn't really care if you downloaded it. If you tell him how you did it he might be required to fix that hole.
That's something that he isn't interested in doing either because he's lazy, doesn't think it's horrible if you download a picture of a work of art (that you could have probably googled and gotten), or just doesn't know how to prevent it.
- FuzzyCat, on 10/12/2007, -0/+1 Indeed just ask Brian K West....
"Brian K. West, a 24 year old support tech for an ISP in SE Oklahoma, is being asked to "accept a felony conviction and 5 years probation", after reporting a security flaw to the editor-in-chief of the Poteau Daily News."
and that was 6 years ago...
Basically you just have to say "***** it, not my problem" and walk away.
- FuzzyCat, on 10/12/2007, -0/+1 [digg update editor is stupid]
Indeed just ask Brian K West....
"Brian K. West, a 24 year old support tech for an ISP in SE Oklahoma, is being asked to "accept a felony conviction and 5 years probation", after reporting a security flaw to the editor-in-chief of the Poteau Daily News."
and that was 6 years ago...
Basically you just have to say "***** it, it's not my problem" and walk away...
- jerbaker, on 10/12/2007, -0/+0 @psyon
If your wife's company arranged for and paid for the installation, why did they pick such shoddy workers? Sounds like there was a firm basis for the suit.
- unluckier, on 10/12/2007, -0/+0 This is ridiculous. Send the vulnerability report to an organization that is designed to handle and coordinate vulnerabilities. End of story.
- nightwing2000, on 10/12/2007, -0/+0 I recall the story about a professor who was so confident of his system's security, he challenged the students, in class, to break in to the college mainframe. A pair of students simply lifted the ceiling tiles and climbed into the computer room, where the administrator console was always logged on. Guess who had no sense of humour about the situation? Guess what happened to the students? (Hint - "Break and Enter").
- stevenb, on 10/12/2007, -0/+0 Are you kidding?
With more and more companies looking to cut costs and increase profit? HAHAHAHAHH!!!
Why do you think so many holes exist in providers as it stands?
- stevenb, on 10/12/2007, -0/+0 @merreborn
I was going to bring up the example of a medical program that could be exploited to reveal people's medical histories...
Or possibly other situations where you can exploit and otherwise reveal people's history.
Or the unlucky hacker that breaks something that controls another service... that kills someone.
- skjalff, on 10/12/2007, -8/+1 "Was [not reporting] the right decision, or is reporting an issue regardless of the risks a moral necessity?"
what a load of crap! reporting SOFTWARE issues, a moral necessity? moronic