Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
Reporting vulnerabilities safely? (Score:4, Interesting)
I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway). Try the following:
1) Get a laptop with wireless.
2) Boot with Knoppix, change MAC address.
3) Walk around until you find unsecured AP.
4) Post said vuln everywhere (including
-wmf
Posting anonymously (Score:4, Insightful)
of course, this means that everyone else finds out about vulnerabilities first. This might not be exactly what they wanted when they make it illegal to report.
Re:Posting anonymously (Score:2)
Re:Posting anonymously (Score:4, Interesting)
Re:Reporting vulnerabilities safely? (Score:5, Interesting)
http://www.nycpba.org/publications/mag-02-fall/sh
Another good example (Score:3, Insightful)
Or you can get paid for it... (Score:5, Informative)
I think a vulnerability can be reported anonymously quite safely
And you can even get paid for doing it! Remember the Zero Day Initiative [zerodayinitiative.com] that was on the news a while back? They guarantee anonymity [zerodayinitiative.com].
Re:Or you can get paid for it... (Score:2)
Live in a free country (Score:3, Insightful)
One way to safely publicise the info is to live in a free country or get a friend in a free country to do it.
Re:Reporting vulnerabilities safely? (Score:4, Funny)
3) Walk around until you find an unsecured AP of somebody you don't like.
So then the common computer illiterate that didn't have his AP properly secured gets hassled by the police instead.
Re:Reporting vulnerabilities safely? (Score:2)
Re:Reporting vulnerabilities safely? (Score:2)
Re:Reporting vulnerabilities safely? (Score:2)
Oh, technically it can be done, but the problem is the giant egos are unable to not sign their names at the bottom of the postings.
Or they steer clear of things that will get them stomped. Never mind that there's nothing particularly noble about a system where pissing off the wrong person ruins your life. That's been the human condition throughout history, and the greatest achievement of the US government has been its ability to reduce its incidence.
Re:Reporting vulnerabilities safely? (Score:2)
BTW, you can do that with Mac OS X 10.4 and later. My WAP logged me at 00:00:00:00:00:00
(it will let you change the ethernet adapter too)
Just the usual terminal command...
Re:Reporting vulnerabilities safely? (Score:2)
Re:Reporting vulnerabilities safely? (Score:2)
Re:Reporting vulnerabilities safely? (Score:2)
Re:Reporting vulnerabilities safely? (Score:2)
1) Get a laptop with wireless....
Everyone is trying to find an anonymous way to report VIA THE INTERNET. There are other ways. Telephone them from a public phone; ask to speak to the admin. See what his attitude is; depending on that, either share the details with him or hang up. Or snail mail -- print out using a common printer, then photocopy it and drop it in an envelope without gett
Re:Reporting vulnerabilities safely? (Score:2)
Another alternative includes free e-mail accounts logged into through public terminals.
BTW, nice job posting as Anonymous Coward.
Re:Reporting vulnerabilities safely? (Score:3, Insightful)
Sure, the report is safe, but admins will try to use their logs to find the IP address of those who exploited the vulnerability before.
If you didn't take precautions when you tested the website (and normally you didn't, as you were not trying to crack the website, you were just checking that it is safe), if the logs are detailed enough, they will find the IP address of the one who did it and will come knocking at your door.
Depends on who you report to (Score:5, Insightful)
Re:Depends on who you report to (Score:2, Insightful)
If reporting a security bug to one of your vendors (OS or other software) or suppliers (ISP / hosted software) is a problem, change your vendor.
If reporting a security bug to one of your employers is a problem, change your employer.
Re:Depends on who you report to (Score:3, Insightful)
That's fine for application software, where the code is running on your machine. However, this article is talking about security testing on 3rd party web pages. In this case, I think the article's opinion is correct. Unless there's a signed statement explicitly allowing you to do penetration testing, you shouldn't go prying into other peoples web sites even if you do think there is a vulnerability. And, should you (inadvertently) find a vulnerability, you ought to keep it to yourself and delete all evid
Re:Depends on who you report to (Score:2)
And that's why I use open source (Score:5, Insightful)
Re:And that's why I use open source (Score:4, Insightful)
Re:And that's why I use open source (Score:2)
Not all closed-source owners are evil, though. Some companies are even reasonable. I remember an episode when a guy working at a NY university reported a HUGE flaw in an IBM mainframe product, and the IBM support people thanked that person -- before opening a severity 1, priority 1 problem!
Re:And that's why I use open source (Score:2)
weird (Score:2, Insightful)
'if im gonna get jailed anyways...might as well make some money off of it'
Re:weird (Score:2)
On the other hand, I can feel for the security admin who's tired of chasing down dead ends created by random people actively trying to punch holes in
Anonymous reporting (Score:3, Insightful)
You could have some sort of secret key to verify that you were the original submitor, if you later wanted recognition for the report. (I imagine a PGP signature of a secret text would be sufficient to allow validation, without any chance of determining who posted until they came forward.)
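The commenter suggests a PGP signature over a secret text so an anonymous submitter can claim credit later. The following is an added example (not from the comment or from any project on this page) that achieves the same goal with a keyed-hash commitment instead of a PGP signature: the submitter publishes HMAC-SHA256(secret, report) alongside the anonymous report and keeps the 32-byte secret; revealing the secret later proves they held it when the report was posted. Function names and the sample report text are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed scenario: the report is posted anonymously together with the
# commitment; the secret stays with the submitter until they want credit.


def make_commitment(report: bytes, secret: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, secret).

    The commitment is HMAC-SHA256(secret, report). Without the secret it reveals
    nothing about who made it (hiding); with a 256-bit random secret nobody can
    later produce a different secret that matches the same commitment (binding).
    """
    if secret is None:
        secret = secrets.token_bytes(32)
    commitment = hmac.new(secret, report, hashlib.sha256).hexdigest()
    return commitment, secret


def verify_claim(report: bytes, commitment_hex: str, revealed_secret: bytes) -> bool:
    """Check a later claim of authorship by recomputing the commitment from the
    published report (byte-exact) and the secret the claimant reveals."""
    expected = hmac.new(revealed_secret, report, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, commitment_hex)


if __name__ == "__main__":
    # Constructed sample report text.
    report = b"Sample: login handoff accepts a bare username, no session check."
    commitment, secret = make_commitment(report)
    print("publish with the report:", commitment)
    print("later claim verifies:", verify_claim(report, commitment, secret))
```

The report must be archived byte-exact (the commitment is over the bytes, so a reformatted copy will not verify), and a claimant who reveals the secret gives up anonymity for that one report only.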
Re:Anonymous reporting (Score:2, Insightful)
Re:Anonymous reporting (Score:2)
Re:Anonymous reporting (Score:2)
/. effect (Score:3, Insightful)
Re:/. effect (Score:2, Interesting)
Anonymous Email (Score:3, Insightful)
What you did was open the door litigation against Bob's Software for negligence. Bob's Software doesn't want the flaw to become public. When you stand up and point the finger at Bob's Software, they will be looking for someone to pass on the litigation fees to, so you get sued. Not only that, someone needs to be made an example of so others don't try it in the future.
Anonymous email accounts are easy to come by. Send an anonymous announcement to the Full Disclosure mailing list and be done with it. Otherwise you're risking the legal bills of fighting whatever company decides to sue you.
Yes and no; not so simple (Score:4, Informative)
That's all quite true.
At that point, anything serious that happens, say Program causes some other company to lose lots of money, puts Bob's Software as a responsible party for allowing this known flaw to exist.
And, if software were like any other tangible (and most intangible) products/services in the world, you would be correct here as well. Unfortunately it's not, so you're not. Why? Those lovely click-wrap EULA licenses explicitly and specifically disclaim all liability, including even fitness for purpose. Look at almost any EULA out there and you'll see that usually the most you could possibly recover, even if this software somehow manages to kill you, through gross negligence or otherwise, is the price you paid for it.
Of course, Bob's Software doesn't want to part with your money, so your point is still partially valid. However, I think we shouldn't overlook the fact that we're not talking about huge product liability lawsuits, and yet they're treating disclosures as if we were. Basically they're trying to have their cake (EULA disclaimers) and eat it (prevent disclosures) too.
They would, it seems, be doing fairly well at both right now.
Re:Yes and no; not so simple (Score:2)
Or even better, I can't put a punji pit in my front yard and then put signs on my property that simply say "Not responsible for injuries incurred on this land" and be totally immune from retribution when Little Billy becomes Little Spike.
Re:Yes and no; not so simple (Score:2)
Re:Yes and no; not so simple (Score:2)
Apropos Comment (Score:4, Funny)
I stick my neck out for nobody. -- Humphrey Bogart, "Casablanca"
Ah well, at least we'll always have Paris.
Doing the Right Thing (Score:2, Interesting)
* Picking up a hitchhiker
* Reporting evidence of theft from a company (retaliation, backlash if employee is exonerated)
There's more than my limited mind can produce.
Does "site is vulnerable to Slashdotting" count? (Score:2)
I don't get it (Score:2, Interesting)
No really. Why should that be OK? Is it OK for someone to walk around the neighborhood and try turning all the doorknobs? How about pushing the doors open to see if they're bolted? Should they take a picture from inside and send it to the homeowner as proof that someone could get in? Should you be surprised when someone tries to prosecute such a person? Sorry for the analogy, let's just try to answer the firs
Re:I don't get it (Score:5, Interesting)
Do you think I should have reported this? Should I have ignored the issue? I had access to another person's training records without authorization. No doubt someone could have gained access to mine as well. On the other hand, I'm not interested in being prosecuted for something this silly.
Re:I don't get it (Score:2, Interesting)
Their logic is that you accessed someone else's account. Whether you intentionally did it or not, the fact remains that you did it. Therefore, 9 out of 10 courts are going to assume you are guilty.
Just like if they saw you carrying a bag of cash right after someone robbed the 7-11. Nevermind the fact that you just cashed your paycheck at the local bank. You were found carrying money in a bag right after a store was robbed. No one is going to listen to
Re:I don't get it (Score:2, Insightful)
I fail to see what any of your comments have to do with TFA. The author explicitly does not condone hacking. Your metaphor is wrongheaded, too. Public web sites are not the equivalent of a random private house on the street. If I walk into a store to buy something, go to the checkout, and discover that if I lean against the checkout counter that cash streams out the register, does the store want me to le
Re:I don't get it (Score:4, Informative)
In the article, it's talking about students noticing security issues in web applications that they are using. If you accept the physical property analogy at all, this is more "seeing that a door that should be secured was left open".
Re:I don't get it (Score:2)
In the real world I'd feel completely safe poking my head through an open door to see what's on the other side if the door was in a public area. There's nothing i
Re:I don't get it (Score:2)
Here we go again with the Doorknob Analogy. I see your "try turning all the doorknobs" and raise you a "don't leave your door open with a big neon sign that says WIDE OPEN DOOR HERE".
Re: (Score:3, Insightful)
I don't get it either. (Score:2)
Re:I don't get it either. (Score:2)
Re:I don't get it either. (Score:2)
Not according to Wikipedia [wikipedia.org]. Their article claims that under the original common law definition of burglary, it was not considered "breaking" if a person entered a house through an open door or window. It would still be considered "entering", but since "breaking" was a prerequisite for a
Re:I don't get it (Score:2)
Bad analogy.
House doors don't just magically spring open just when you walk down the street and have an Irish sounding name.
Some website, however, do. Especially if they run Microsoft Sequel Server, hehe.
Re:I don't get it (Score:2)
No, but there are neighborhood watch groups, and it is normal to call the police if a door looks like it is hanging ajar. It's also normal to petition the local government to install or repair streetlights in dark or dangerous areas. Due to the nature of computing (zombies, identity theft) I think it is very much my business to see that my neighbors are secure
Don't ever report a flaw! Ever! (Score:3, Interesting)
Been there, done that. Got arrested, got lucky, found not guilty for all but one charge, but lost three computers because the court did figure out it was wrong of me to use a pwd (I did test the flaw, big mistake), even if it was on a public C: drive for everyone to see and in a clear text file. I am never going to report a bug in a computer system in a school, company or somewhere else again. Don't care what the type of the flaw is or who it is, it is their own problem, they can handle their own infestation.
Re:Don't ever report a flaw! Ever! (Score:2)
Some people might argue that reporting networking vulnerabilities on Windows is like shooting fish in a barrel. But nevertheless, from what you wrote, you seem to have done the right thing. I'd strongly suggest that next time you find a flaw in that institution's network (was it your school?), you just post it anonymously on the Internet. Preferably on a high traffic site.
If people start doing that, maybe the notion that you shouldn't shoot the messenger will slowly sink into the thick skull of th
Re:Don't ever report a flaw! Ever! (Score:3, Insightful)
True story (Score:5, Interesting)
It's easy to spoof email addresses with a very simple PHP script.
I decided one day to trick one of my colleagues. I sent him an email 'from' one of our very attractive colleagues (in a fairly distant department, so I thought it safe at the time) complimenting him on his physique and machismo. I used her real email address as the 'spoof' address, which, being the dumbass he is, he replied to. In a manner that would not be considered acceptable in a work environment, let's say...
Well, I got in trouble for this. (Everyone where I work already knew I was the only one capable of something like this... [lame]) So that same afternoon I was called into my boss's office. He was quite frank, and also remember that I value my job here; he said "That email... You had something to do with it, didn't you?"
I said that I was the cause of that little incident by way of one of my scripts. I said I was sorry it went as far as it did, and my boss accepted that.
After that my boss said, "Do you have any other things you wish to report?" I decided that I'd come clean with everything I'd found out about the work network. I told them that using the Citrix system, I could remotely control the PC of anyone on the network. I told them I could spoof emails from anyone... Which resulted in my company rejecting email authorisation for crediting invoices full stop.
OK, through a prank I caused my company a bit of upset... But I, in turn, improved systems indirectly. And all this because I exposed one weakness, and upon my boss's asking me about it - I told all. As I'm sure any loyal employee would do. Through exposing a weakness in my company, I concentrated effort on plugging those holes.
Re:True story (Score:2)
Re:True story (Score:2)
Only on slashdot could anyone be surprised that a man responded to an attractive woman flirting with him.
Only a tool would email someone at their work a sexually explicit proposal (which I assume is what was alluded to) without already being in a sexual relationship. Even then, decency states that you use some innuendo so they don't get in trouble because of your post-teenage lust.
Personally if he's single then he'd have been a dumbass not to
Yeah, by setting up a date, maybe? Once you have her full
Re:True story (Score:3, Insightful)
It's easy to spoof email addresses with a very simple telnet client.
telnet mail.example.com 25
HELO local.domain.name
MAIL FROM: billg@microsoft.com
RCPT TO: pranked@yourdomain.com
DATA
Subject:
.
QUIT
Hell, you can usually just set an arbitrary 'from' address in your email client. I learned that trick on Netscape 3.0 in gradeschool.
Unintended consequences (Score:3, Insightful)
The people running Web sites, or creating software for that matter, might want to consider some of the consequences of their current crack-down on vulnerability reports. Yes, vulnerability reports are bad PR. However, if this keeps up people who find vulnerabilities will have only two feasible alternatives:
I have some experience with this (Score:5, Interesting)
Let me tell you, it was not easy. Here's the story of the first time because it's the most interesting.
I worked for a community college in its tech department. A lot of my time was devoted to answering phones and helping faculty with problems, which did leave me idle a lot. (High availability requires high idle time as a consequence.) As a tinkerer, my idle time is never spent truly idle, but pursuing things that don't require 100% attention.
The community college I worked for had many different systems, and as such had many many translation layers between them. One of these transition layers was a transition from a "Portal" type website to another website that handled student information. (class registration, transcripts, billing, paying, you know all that important personal stuff).
Anyway, I found a flaw in one of the scripts used to authenticate a user session to the second web service. The flaw was that the moron who coded it decided that creating a script that accepted 1 variable (the username) was enough security to authenticate a login.
By closely observing the script's actions through my web browser, I noticed there were 2 very quick redirects. Focusing my efforts there (and logging my URL requests), I found the call to the script that required only the username.
So, basically, at that point I had access to anyone's student account that I had the username for.
I documented it very well in a long email, and demonstrated the flaw to my coworkers. I thought I would be a real hero for finding it; I mean, after all, if I had found it, who knows who else might have? Surely, disaster averted!
But... my idealism in the situation was met hard with reality. My inexperience led me to not take into account factors I should have.
After reporting the vulnerability, a minor investigation was launched which I was the subject of. I felt more like a criminal than a saint. After demonstrating how I could login to their accounts, my coworkers were suspicious as were my superiors. The thought pattern seemed to go like "Well shit if he can do that, what else has he done? Why was he even poking around there in the first place?".
While never actually accused of any wrong doing, they weren't nearly as impressed with my find as I thought they would be. I was looking for a pat on the back, maybe a bonus, but instead my superiors were troubled and nervous. I'm not sure if I was right in feeling this way, but I never felt quite fully trusted there again after that one.
The other thing I didn't think about was how the existence of the error then impeached the person who wrote it. Rightfully so, because it was a FOOLISH error, but the guy who wrote it was a guy who had been employed there far longer than I, and of course having me find it and dismantle it presented quite an embarrassment to him.
I ended up leaving the job there 6 months later for a variety of reasons, but reporting the vulnerability was one of the 2 or 3 core reasons that I left. I don't regret it at all and would do it the same way again, but going through it taught me a lot about how NOT to be someone's boss (should I ever become one in the future), and not react in the accusatory manner like my superiors did.
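The flaw in the story above is a session handoff between two sites that trusts a bare username. As an added example (not the college's code and not from the post), here is that design next to a hardened one: the portal mints a short-lived HMAC-signed token bound to the username and a nonce, and the receiving service checks the tag, the expiry and replay before logging anyone in. Function names, the query format and the shared key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode

# Constructed example; names and query layout are assumptions, not the
# college's actual scripts.


def vulnerable_login_from_query(query: str) -> Optional[str]:
    """The flaw described in the post: the second service accepts a bare
    username as proof of an authenticated portal session."""
    params = parse_qs(query)
    return params.get("username", [None])[0]   # whoever names a user IS that user


def issue_handoff(username: str, key: bytes, now: Optional[int] = None, ttl: int = 60) -> str:
    """Portal side: mint a short-lived handoff token bound to the username.
    `key` is a secret shared out of band by the portal and the student-info service."""
    if "|" in username:
        raise ValueError("'|' is the field separator and is not allowed in usernames")
    now = int(time.time()) if now is None else now
    exp = now + ttl
    nonce = secrets.token_hex(8)              # makes every token unique for the replay check
    payload = f"{username}|{exp}|{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return urlencode({"username": username, "exp": exp, "nonce": nonce, "tag": tag})


def hardened_login_from_query(query: str, key: bytes, now: Optional[int] = None,
                              seen_nonces: Optional[Set[str]] = None) -> Optional[str]:
    """Student-info side: log the user in only if the tag verifies, the token
    has not expired and (when a nonce store is supplied) it has not been replayed."""
    now = int(time.time()) if now is None else now
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        username = params["username"]
        exp = int(params["exp"])
        nonce = params["nonce"]
        tag = params["tag"]
    except (KeyError, ValueError):
        return None                            # missing or malformed fields
    if "|" in username:
        return None                            # would make the payload ambiguous
    payload = f"{username}|{exp}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                            # forged or tampered (e.g. username swapped)
    if now > exp:
        return None                            # expired
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None                        # replayed
        seen_nonces.add(nonce)
    return username


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed shared secret
    print("vulnerable:", vulnerable_login_from_query("username=alice"))
    token = issue_handoff("alice", key)
    print("hardened, genuine token:", hardened_login_from_query(token, key))
    print("hardened, bare username:", hardened_login_from_query("username=alice", key))
```

The tag covers username, expiry and nonce together, so swapping the username in the URL invalidates it; the short TTL limits how long a captured URL is useful, and the nonce store turns a replayed token into a rejected login that is worth logging.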
Re:I have some experience with this (Score:3, Interesting)
I demonstrated for the proctor, the fact that ANYONE could use the start menu, run item to open calc.exe, and therefore, access the
Re:I have some experience with this (Score:2)
Re:I have some experience with this (Score:3, Interesting)
In my case it was a very simple SQL injection bug in the login page, being the person I am I do test for these things out of curiosity and an almost compelling need to re-assure myself that the systems I'm working with or using are relatively secure.
I landed up in the middle of an 'investigation' after an e-mail with a couple of screenshots and a quick description of the bug was sent
Re:I have some experience with this (Score:3, Informative)
-) No I did not ask for a bonus. I don't ask for rewards, nor do I feel entitled to them. I do think it would've been nice, and I felt my actions were noble. I think that rewarding subordinates should be proactive rather than reactive. Reactive rewarding responds to greed while proactive is generous.
-) There is no conceivable way my email reporting it co
Re:I have some experience with this (Score:2)
The moral is: when you get hold of a bunch of stuffed, arrogant fools who have high self-esteem and low common sense, and push their nose into their own poo, they will not clean off the poo, they will splash it all over you.
Notice the similarity with your situa
Almost got me in trouble (Score:2, Interesting)
Slashdotted: article text (Score:3, Informative)
I was involved in disclosing a vulnerability found by a student to a production web site using custom software (i.e., we didn't have access to the source code or configuration information). As luck would have it, the web site got hacked. I had to talk to a detective in the resulting police investigation. Nothing bad happened to me, but it could have, for two reasons.
The first reason is that whenever you do something "unnecessary", such as reporting a vulnerability, police wonder why, and how you found out. Police also wonder if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn't have? It's normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems.
A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof. This got Eric McCarty in trouble -- the proof is automatically a proof that you breached the law, and can be used to prosecute you! Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time. We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing. I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it...). Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means. If there had been an overlap in time, we could have become suspects.
The second reason that bad things could have happened to me is that I'm stubborn and believe that in a university setting, it should be acceptable for students who stumble across a problem to report vulnerabilities anonymously through an approved person (e.g., a staff member or faculty) and mechanism. Why anonymously? Because student vulnerability reporters are akin to whistleblowers. They are quite vulnerable to retaliation from the administrators of web sites (especially if it's a faculty web site that is used for grading). In addition, student vulnerability reporters need to be protected from the previously described situation, where they can become suspects and possibly unjustly accused simply because someone else exploited the web site around the same time that they reported the problem. Unlike security professionals, they do not understand the risks they take by reporting vulnerabilities (several security professionals don't yet either). They may try to confirm that a web site is actually vulnerable by creating an exploit, without ill intentions. Students can be guided to avoid those mistakes by having a resource person to help them report vulnerabilities.
So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized? Thankfully, the student bravely decided to step forward and defused the situation.
As a consequence of that experience, I in
You know what they say... (Score:5, Funny)
It's like a crook reporting a drug stash... (Score:3, Insightful)
I'd venture to say that most hackers 'smart' enough to hack into a website is probably smart enough to send an anonymous email reporting the hack. If the administrator ignores the emails or warnings, then the burden falls upon them.
This is similar to a crook breaking into a house and then reporting the secret stash of drugs or child porn they found. Ok, it would be nice if they could report it anonymously, but it certainly doesn't justify the initial illegal behavior. And, like most crooks, they probably break into hundreds of places before they either get caught or find stuff worth reporting (like being able to access student grades or SSN).
That said, I agree it's in the website's best interest to allow folks to anonymously post vulnerabilities. Duh.
Re:It's like a crook reporting a drug stash... (Score:2)
"If guns are made illegal..." (Score:2)
It IS already very hard for security companies to get 0day exploits in their hands. Making it illegal to report vulnerabilities is about the DUMBEST thing to do. It means that the info only circulates in the circles that want to exploit them.
Now, that SURELY raises security. About as much as the snooping of governments raises freedom.
Simpler than unsecured Wi-Fi (Score:5, Funny)
Not so different (Score:3, Insightful)
You are probably doing them a big favour, but the fact remains that they will be suspicious about you, and may call the police. How do you know about those things? What are your intentions? It's quite a natural reaction. We only perceive the situation to be different because we happen to be experts not in alarms but in computers.
Re:Not so different (Score:3, Interesting)
BTW, where is your sig from? I like it. I'm still trying to learn t
Re:Not so different (Score:3, Informative)
Point is, you don't always have to be looking to see something.
Re:Not so different (Score:3, Informative)
Unsung Heroes (Score:2)
Specifically, I was able to give myself an unlimited number of Elixir War victories. Now, an Elixir War is an event held maybe twice a day, if that, in which players are split into two teams, play a sort of paintball/freezetag game, and at the end of three rounds, the event hosts summon an NPC near the winning team's base. Clicking him gives the player a choice of prizes, and selecting a prize gives the player a victory and teleports t
In other words (Score:2)
Take this advice with a grain of salt (Score:2)
The problem is; you could have stumbled onto a honeypot. Or, the system could be vulnerable, but they could be logging your IP anyway (they're only half-incompetent).
Deleting evidence is a sure-fire way to get indicted for obstruction of justice, lying to investigators, etc.
I'm not sure what the right answer here is - but it's not "covering your tracks" because you can't always cover ALL of your tracks, and covering some of
Re:Take this advice with a grain of salt (Score:2)
Deleting evidence is a sure-fire way to get indicted for obstruction of justice, lying to investigators, etc.
Bullshit. It isn't obstruction until there's an investigation (exceptions for legally required document retention). If they find you, tell them you deleted the records 'because you didn't need it anymore'. I suspect that if you tell them it was to avoid being persecuted by some DA looking for a kill, it wouldn't go over too well.
While searching for a job, I found a bug... (Score:3, Interesting)
Re:While searching for a job, I found a bug... (Score:2)
Anonymous DSL (Score:2, Informative)
Step 2: Create an anonymous webmail account.
Step 3: Practical immunity to abusive lawsuits means they can't take you to court for
Step 4: Profit!
LET the Server Catch on Fire (Score:2)
My first and last time (Score:3, Interesting)
So of course I learned my lesson, and I never reported any vulnerability to anyone, ever again. Found them, though.
Here's my favorite: On my first ISP (shell account), files in
Legal remedy? (Score:2)
For example: If you stumble upon (or more proactively find) a vulnerability, if you send details of the vulnerability, the actions you took to find it, the exact steps you took whilst exploiting it; and you only performed reasonably minimal actions whilst in the
Anonymous reporting (Score:2)
Such a site would make it easy to expose vulnerabilities, but it would also have to be capable of weathering DOS attacks from those that are less than scrupulous.
My one report (Score:2)
Nope, not worth it. (Score:2)
Of course, this isn't the moral thing to do - to let a company die when you could have helped, but it's not what they want.
Focus on the real issue (Score:3, Insightful)
Many years ago some wise men in the air-traffic industry realized this. Often planes got into dangerous situations, but due to the risk of getting accused of being the wrongdoers and the risk of losing their jobs, no pilots would report these situations. The result was that the security of air-traffic was not improved. Sometimes these incidents caused people to get killed.
So they changed the rules. Today pilots can report all dangerous situations, without blame, even if they themselves caused the situation. Airports have such a briefing room where these reports are collected.
The reason for this is that human error in air traffic does happen. But by getting a clear picture of the situations you may be able to focus on helping them out. If pilots miss a sign on the runways, focus should not be on the pilot, but on the visibility of the sign. It doesn't really matter if you say: Pilots should look out for signs or they should get fired. Next time an unlucky pilot misses the sign... bang.
Something similar could be done with IT security. Reporting a bug if you encounter it should be with the focus on fixing the bug. Not to blame the one who found it.
Remember the focus in this case is the flaw or bug, not the one who finds it. Unfortunately the case appears to be focusing on the man rather than the real issue. We do this in our daily life. It's a part of human nature. But the bug never gets fixed... and then the really bad guy comes...
Vulns on uni networks (Score:3, Interesting)
It turned out that for a number of the Windows labs, available to all students, you were always logged in as administrator. When I reported this issue (along with a list of actions I could perform that would cause damage to the University or its students), I got the brush off. At the time I considered exploiting this to demonstrate the problem. I'm glad I didn't.
This is a few years ago but it was interesting that there was a total disregard for any security concerns with that particular section of IT support.
I reported a problem once and didn't get in troubl (Score:3, Informative)
Well, first thing that happens when you did that, was you read their terms of service in a "more" listing. Of course, it was easy to hit Ctrl-Z and drop to a shell at that point. Once in the shell, I did an "ls" of the "new" user's home directory. Lo and behold, in that directory was a file containing all the new users created that day, along with their system-assigned passwords.
Funny thing -- most users never change their passwords. I had the master list to almost 90% of the accounts on the system! It got better, though. I noticed certain patterns in the assigned passwords. E.g., the last three chars of one password were the same as the first three of some other password. I wrote a program to piece it all together.
Turns out, the "random" passwords were drawn from a 512-character string, with the beginning point randomly selected. So I busted the string up into each possible password and ran the thing through a crack program. Now I had closer to 99% of the accounts on the system!
I reported this, and suggested that perhaps the system-assigned password algorithm was weak. The admins grumbled and yelled but didn't threaten any legal actions.
I pissed them off again later, with an accidental fork bomb. I lost my account that time :-)
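The weak generator in the post (a fixed 512-character string, password = 8 characters starting at a random offset) is worth seeing next to a proper one. The following is an added example, not the ISP's code and not from the post: it models the sliding-window scheme, counts how many distinct passwords it can ever produce, shows the suffix/prefix overlap between two of its outputs that gave the scheme away, and contrasts that with independent CSPRNG draws. The alphabet, password length and the sample pool are constructed assumptions.

```python
import math
import secrets
import string
from typing import Set

ALPHABET = string.ascii_letters + string.digits   # assumed character set
PASSWORD_LEN = 8                                  # assumed password length


def weak_password(pool: str, start: int) -> str:
    """The scheme described in the post: 8 consecutive characters from a fixed
    pool, starting at a random offset (wrapping around at the end)."""
    start %= len(pool)
    doubled = pool + pool
    return doubled[start:start + PASSWORD_LEN]


def weak_keyspace(pool: str) -> Set[str]:
    """Every password the weak scheme can ever emit: at most len(pool) of them,
    regardless of how long the passwords are."""
    return {weak_password(pool, i) for i in range(len(pool))}


def overlap_len(first: str, second: str) -> int:
    """Longest suffix of `first` that is also a prefix of `second`: the pattern
    the poster noticed, which betrays a shared source string."""
    for k in range(min(len(first), len(second)), 0, -1):
        if first[-k:] == second[:k]:
            return k
    return 0


def strong_password() -> str:
    """Each character drawn independently from a CSPRNG: 62**8 possibilities."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def entropy_bits(num_possible: int) -> float:
    """Bits of entropy for a uniform choice among num_possible values."""
    return math.log2(num_possible)


if __name__ == "__main__":
    # Constructed stand-in for the ISP's 512-character string.
    pool = "".join(secrets.choice(ALPHABET) for _ in range(512))
    space = weak_keyspace(pool)
    print("weak scheme: at most", len(space), "passwords ->",
          round(entropy_bits(len(space)), 1), "bits")
    print("strong scheme:", round(entropy_bits(len(ALPHABET) ** PASSWORD_LEN), 1), "bits")
    print("overlap between offsets 10 and 15:",
          overlap_len(weak_password(pool, 10), weak_password(pool, 15)))
```

The point the numbers make: the weak scheme gives at most 9 bits of entropy (512 candidates to try per account) while eight independent draws from the same alphabet give about 47.6 bits, and any two weak passwords whose offsets are close share a visible overlap, which is exactly how the pool was reconstructed.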
Re:Anonymous (Score:2)
Thank you for submitting foo vulnerability on bar product, we will use this to improve our baz processes in the future.
Or any other fluffy BS that shows I did something Cool&Good(tm). That is something I can place in my Awards & Recognitions file for the next resume or interview should it be pertinent.
-nB
Re:Anonymous (Score:2)
If I get nothing out of it, well then the risk ain't quite worth it.
If I inform them of the risk, and get sued, then tough, I'll give it to the world for free along with my story and see what happens...
-nB