Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Software News

Security Flaw Hits VAserv; Head of LxLabs Found Hanged 413

Keldrin_1 writes "The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs. A flaw in the company's HyperVM software allowed data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM solution is popular with cheap web hosting services and the attacks are easy to reproduce, which could lead to further incidents."
This discussion has been archived. No new comments can be posted.

Security Flaw Hits VAserv; Head of LxLabs Found Hanged

Comments Filter:
  • Well (Score:4, Insightful)

    by courteaudotbiz ( 1191083 ) on Tuesday June 09, 2009 @09:52AM (#28265731) Homepage
    I guess there's not much to say...
    • Re:Well (Score:5, Informative)

      by tattood ( 855883 ) on Tuesday June 09, 2009 @10:02AM (#28265889)
      TFA: "Ligesh [from LxLabs] was also still coming to terms with the suicides by hanging of his sister and mother five years ago."

      I suspect that this was the result of a lot of bad things going on in his life, and not just because of the software issues.
      • Re:Well (Score:5, Interesting)

        by espamo ( 1061728 ) * on Tuesday June 09, 2009 @10:41AM (#28266439)

        TFA: "Ligesh [from LxLabs] was also still coming to terms with the suicides by hanging of his sister and mother five years ago."

        I suspect that this was the result of a lot of bad things going on in his life, and not just because of the software issues.

        And very likely a genetic predisposition to suicide [scienceblog.com] as well.

        • Re:Well (Score:5, Insightful)

          by dagnabit ( 89294 ) on Tuesday June 09, 2009 @10:55AM (#28266725)

          How does a genetic predisposition for suicide propagate...?

          • Re:Well (Score:4, Informative)

            by jeffasselin ( 566598 ) <<cormacolinde> <at> <gmail.com>> on Tuesday June 09, 2009 @12:46PM (#28268549) Journal

            Genes that bring defects that don't affect an individual before its main reproductive period tend to survive more easily. So say a gene defect that kills you the day you are 40, especially for females, will propagate more easily than one that kills you at 10, because you've reproduced and passed those genes on by that time.

            There is still an advantage to surviving after the age of reproduction in a species with longer childhood cycles or one where the grandparents care for the offsprings of its offspring (aka its grandchildren). This advantage is lessened because of gene dilution and its (usually) lesser importance compared to straight reproduction, but still if humans mostly reproduce around 15-20y old (historically), around where they reach maturity, then surviving till at least 40 is an advantage because of more care for the offspring up till maturity. For grandchildren, the age can be up to 60 in the same context.

            Species with communal care for offspring also get advantaged by members who survive longer because they get more people to care for the offsprings, but then the dilution is even more significant.

            So I can see how a gene that brings higher suicide rates of mature subjects can survive for a while, even though it is detrimental.

    • Re: (Score:2, Insightful)

      by siloko ( 1133863 )
      A lot of stuff was going on in this guys life which suggests his demise wasn't simply down to exploits found in his software - from the article it appears that both his mother and sister committed suicide a few months ago, he also recently lost a large contract. That being said I can't imagine the news of VAserv (which relied on Ligesh's HyperVM, the exploited software) losing data on upto 10,000 virtual servers helping much.
    • Re: (Score:3, Funny)

      by iluvcapra ( 782887 )
      After reading the headline "Head of LxLabs found hanged" I was sortof hoping "Head of LxLabs" was some sort of master node and it just needed a power cycle...
  • um.... (Score:2, Funny)

    by sanosuke001 ( 640243 )
    whoops
  • Narrow escape (Score:3, Interesting)

    by sakdoctor ( 1087155 ) on Tuesday June 09, 2009 @09:54AM (#28265761) Homepage

    Just closed an account with VAserv last week for no particular reason.
    I hardly ever do things for "no particular reason" so it must have been my spider sense.

    Will this be a case of good bye reputation, or no publicity is bad publicity?

    • Re:Narrow escape (Score:4, Interesting)

      by TheRaven64 ( 641858 ) on Tuesday June 09, 2009 @10:44AM (#28266491) Journal
      An SQL injection vulnerability, via the web, gained hypervisor-level access to their system. Let me say that again; a web server, an SQL database, and a web app were all running with sufficiently-high privilege that a vulnerability in one caused arbitrary-code execution at the hypervisor level. Anyone who doesn't immediately start worrying when they see that kind of lack of privilege separation has absolutely no business running a VPS business. I definitely won't be putting any business VAserv's way in the future...
      • Re:Narrow escape (Score:5, Insightful)

        by EvilRyry ( 1025309 ) on Tuesday June 09, 2009 @11:16AM (#28267143) Journal

        If I'm reading this right, the point of the web application is to manage the VMs. If it didn't have privilege to manage (or destroy in this case) the VMs, it would be pretty useless.

      • Re: (Score:3, Insightful)

        by vlm ( 69642 )

        I definitely won't be putting any business VAserv's way in the future...

        Well, normally, this results in a high level of focus on the problem... So, in the future, they probably won't have problems like this. On the other hand, their competitors will be too busy signing up accounts to patch their systems and any public display of patching (like special extended maint time or a new way of using their product) will make them look just as bad so of course their competitors won't focus on security, leaving them more vulnerable than VAserv...

        Except their dude, whom would have focuse

  • Well (Score:4, Funny)

    by Zashi ( 992673 ) on Tuesday June 09, 2009 @09:54AM (#28265771) Homepage Journal
    That's one way to dodge all those bug reports...
    • Re:Well (Score:5, Funny)

      by ckthorp ( 1255134 ) on Tuesday June 09, 2009 @09:57AM (#28265817)
      Yah, but once you're in the ground, how do you dodge the bugs then?
    • Re:Well (Score:5, Insightful)

      by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Tuesday June 09, 2009 @10:02AM (#28265897) Journal

      Yea, Jesus. Someone take their job a little too seriously?

      If you ever seriously think of killing yourself over your job, it's time to get a new job.

      • Re:Well (Score:5, Insightful)

        by value_added ( 719364 ) on Tuesday June 09, 2009 @10:13AM (#28266079)

        If you ever seriously think of killing yourself over your job, it's time to get a new job.

        Probably good advice generally, but I wonder how many of those defaulting on their mortgages due to a layoff will react positively to hearing it.

        Sometimes that shitty job is all you've got.

        • Re: (Score:3, Insightful)

          Sure but there *are* other jobs, sure, it might mean taking a job in something that isn't your specialty, taking a job thats "lower than you", etc. But if you really are /that/ stressed about your job, even a job at McDonalds might be better even if that means you can't afford that 50 inch plasma.
          • Re:Well (Score:5, Insightful)

            by johnsonav ( 1098915 ) on Tuesday June 09, 2009 @10:41AM (#28266441) Journal

            But if you really are /that/ stressed about your job [...]

            It might not have anything to do with on-the-job stress. It seems that there were some other things going on in his life at the time. Lots of people, when their personal lives go to shit, begin to define themselves, more and more, by their jobs. When the rest of their life sucks, their job is where they are valuable, potent, skilled, respected, and needed.

            If you lose that, and you begin to think that your job performance is just as terrible as your performance in the rest of your life, That's when you find people at risk for suicide; they've just had their last leg kicked out from underneath them.

            For some people, a job is the only good thing in their life. Failing at that, as they perceive they've failed at every other aspect of life, is sometimes enough to drive someone over the edge. And no, a job at McDonald's won't mitigate that feeling.

          • Re:Well (Score:5, Insightful)

            by TheRealMindChild ( 743925 ) on Tuesday June 09, 2009 @10:49AM (#28266593) Homepage Journal
            Typical. You do know that most places, you'd be lucky that a full time, minimum wage, McDonalds job will pay for a one bedroom apartment and food for yourself per month. That doesn't include utilities, transportation, clothing, etc.

            Now imagine the single mom with two children. Imagine the 68 year old woman who takes care of her husband who had a stroke.

            It isn't as cut and dry as "Stop being gluttonous"
          • Re:Well (Score:5, Insightful)

            by Abreu ( 173023 ) on Tuesday June 09, 2009 @11:02AM (#28266877)

            But if you really are /that/ stressed about your job, even a job at McDonalds might be better even if that means you can't afford that 50 inch plasma.

            I would be glad to take a job at McDonalds or Starbucks if it only meant that I would not be able to afford a flat-screen TV... I'd be like Kevin Spacey in American Beauty... hanging out with the kids all day, flipping burgers or making frappuchinos in a no-pressure job.

            However, I choose put up with my current job because I have a wife and two kids that deserve more from me.

            • Re: (Score:3, Interesting)

              by svnt ( 697929 )

              I'd be like Kevin Spacey in American Beauty...

              You did see the entire movie, right?

              Notable characteristics of Kevin Spacey's character: in the middle of a mid-life crisis, hated by his daughter, hates his wife, has sexual contact with a minor. Oh, and he happens to work at a fast food restaurant.

              This is just a friendly suggestion, but before you tell this story to people you actually know, maybe refine your role model selection a little?

              • Re:Well (Score:5, Insightful)

                by Abreu ( 173023 ) on Tuesday June 09, 2009 @05:46PM (#28272689)

                The way I saw the movie it was about:

                A man in the middle of his mid-life crisis, quits his hated job and gets a job in McDonalds ...he also gets a boner about his teenage daughter's friend, but lets be honest, this is Mena Suvari (at her prime!) we are talking about!

                His wife, in the middle of her mid-life crisis, gets into an affair with a coworker

                His daughter, in the middle of her teenage crisis, hates them both

                I really don't see Lester (the protagonist) as a role model; I for one, don't plan to quit my job. However, I can empathize with his feelings and the situation he's in.

          • Re:Well (Score:5, Insightful)

            by Ephemeriis ( 315124 ) on Tuesday June 09, 2009 @11:12AM (#28267063)

            Sure but there *are* other jobs, sure, it might mean taking a job in something that isn't your specialty, taking a job thats "lower than you", etc. But if you really are /that/ stressed about your job, even a job at McDonalds might be better even if that means you can't afford that 50 inch plasma.

            Spoken like someone who hasn't had to deal with the job market in quite some time.

            The economy right now is in rough shape. My son has been looking for a job for six months now with no luck. He isn't looking for anything amazing - just retail, labor, or food service, or something basic like that. Folks aren't hiring.

            And your typical McDonalds job isn't going to cut it these days. Most food service/retail positions will be minimum wage, which doesn't go very far. They'll also be hourly, not salaried, so you're screwed if you get injured or sick. They'll also be part-time - your schedule will change from one week to the next so you'll not have reliable income, and there'll be absolutely no benefits.

            We're not talking about whether or not you can afford a 50" plasma. We're talking about whether or not you can keep your house and/or car. Whether you'll be able to afford to feed your family. Whether you'll be able to pay the assorted bills.

            We try very hard to live well within our means. We've got a very affordable mortgage on our house. We bought a used car a few years back and paid for it in full, with cash. We don't have a lot of expensive hobbies. We don't have a pile of debt. But if I lost my job we'd be pretty much screwed.

            The odds of me being able to find reliable employment before our savings ran out aren't good. Like I said, folks around here aren't hiring. We could sell the house, if necessary, but I don't know that anyone would buy it. There are plenty of "for sale" signs around town and I don't see them disappearing very quickly. There aren't a whole lot of luxuries we could cut back.

            It's a very scary situation to be in, and we aren't even under a pile of debt. I can't imagine what it's like for some of the folks out there.

          • Re:Well (Score:4, Insightful)

            by Anonymous Coward on Tuesday June 09, 2009 @11:33AM (#28267427)

            Maybe in some sections of the country, people have to downsize from a Rolls to a Lincoln or go from their Lear Jet to chartering a plane and are hating life, but in most of America, a job loss means loss of a house, loss of basic transportation, and loss of the ability to feed one's family.

            People can't just downsize and work at McDonald's. It's not about the 50 inch plasma either. It's getting the kids clothing and school supplies, keeping a homestead, and keeping basic transportation running.

            The US isn't like Europe. In the majority of the nation, there just plain no other transportation other than by car. No, bikes don't work either, unless you like being buzzed by semis while trying to pedal into town on the frontage road of an interstate with no shoulder, not to mention being prey for any gangbangers. Yes, you have the BART and NYC's subway system, but for most of America, finding a bus route is a major achievement, and finding a bus route that can get someone to work on time is almost astounding. Of course, someone will chime in that people moved to the suburbs so they suffer what they may. However, most US cities, someone not extremely rich has a pretty bad choice: Raise a family up in the inner city with gunshots ringing out nightly, or buy a house in the suburbs with a reasonably safe chance to raise kids and commute to work.

            So the adage that most Americans are just whining that they can only buy a smaller TV or go with a smaller SUV for their 500 pound derriere is pure BS.

        • If you ever seriously think of killing yourself over your job, it's time to get a new job.

          Probably good advice generally, but I wonder how many of those defaulting on their mortgages due to a layoff will react positively to hearing it.

          The same rule can be applied to mortgages, and, really, any material possession or circumstance. If it can be destroyed, you should be prepared to live without it. In fact, you should enjoy it all the more while you have it: "It's the transience of life which lends it such p

      • Re:Well (Score:4, Interesting)

        by Comatose51 ( 687974 ) on Tuesday June 09, 2009 @10:40AM (#28266427) Homepage

        Agreed but I think that kind of situation or attitude is more prevalent than we think. People build their lives around different things. Their "work" (as in the product of their effort, not as in what they do from 9 to 5) becomes their lives. This is especially true of the creative types such as artists and writers but also software engineers. In many ways, software engineering or engineering in general is a hybrid between the arts and the sciences with room for creativity and personal touches. I work with a good group of engineers who are very passionate about their work, much more so than our paychecks can account for. I've seen the same passion turn into despair in bad times as well. Engineers also compound this problem by not being the most social people in the world. Having a network of people to connect to can really soften the pain when things don't go well. Most engineers don't commit suicide but the rate of burning out is rather high.

      • by Thaelon ( 250687 )

        The job wasn't the only thing. From TFA:

        Ligesh was also still coming to terms with the suicides by hanging of his sister and mother five years ago.

        I'm sure that had a significant impact as well. The security flaw fiasco may have been just the final straw.

  • Mixed feelings (Score:4, Interesting)

    by JeffSpudrinski ( 1310127 ) on Tuesday June 09, 2009 @09:56AM (#28265795)

    You can't truly blame Milw0rm for a person being depressed and committing suicide.

    However, reading their security notes on it, they did hear back from the developer...they simply declared that it didn't happen fast enough and decided unilaterally that the "Vendor appears uninterested".

    I have very mixed feelings on security firms releasing exploits to the public just to try and get results. In my (admittedly limited) experience, more bad has come from releasing exploits publicly than good.

    -JJS

    • Re:Mixed feelings (Score:5, Informative)

      by asdf7890 ( 1518587 ) on Tuesday June 09, 2009 @10:10AM (#28266039)

      I have very mixed feelings on security firms releasing exploits to the public just to try and get results. In my (admittedly limited) experience, more bad has come from releasing exploits publicly than good.

      -JJS

      But once you've informed the supplier, and allowed enough time for a fix to be created, tested, rolled into a patch, QAed, released to clients and tested+installed by clients, what other alternative is there? Quietly forgetting about it and just hoping that you are the only people who know about the issue and no black-hats out there will find it is simply not an option.

      • Re:Mixed feelings (Score:4, Insightful)

        by drachenfyre ( 550754 ) on Tuesday June 09, 2009 @10:21AM (#28266211) Homepage
        Why is it not an option? It isn't the best option, which is to announce that an exploit exists, but not release the details. I'm not blaming their actions for the guy's death, but the people who lost servers and data have every right to be angry. It would have been far easier for them to announce that an exploit exists so customers could get out of a bad position instead of releasing the code which guarantees the end result we see here (For the customer, not the owner of LxLabs)
      • Re:Mixed feelings (Score:5, Insightful)

        by corbettw ( 214229 ) on Tuesday June 09, 2009 @11:31AM (#28267403) Journal

        But once you've informed the supplier, and allowed enough time for a fix to be created, tested, rolled into a patch, QAed, released to clients and tested+installed by clients, what other alternative is there?

        You're assuming the bolded part is true. Reading through the information on Milw0rm's own site [milw0rm.com], it appears they had an email exchange with someone at LXLabs for two weeks, then decided on their own to release the information. Two weeks is not nearly enough time to even decide if something like this is worth looking at, let alone find a fix, develop it, test it, implement it, and push it to all clients. I hope the guys at Milw0rm get sued into oblivion over this. Their actions were completely irresponsible and directly led to millions of dollars of damage, potentially billions of dollars of damage (over 100,000 accounts were destroyed, assuming those accounts spent on $10 per month on hosting that's millions of dollars in damage to the hosting provider alone). VAServ is based in the UK and LXLabs is based in India; I have no idea what the laws are like in those countries, but let's hope Milw0rm faces criminal charges there over this. Security research is an important field and requires a certain level of trust, accountability, and responsibility for it to function properly. By releasing this information publicly without sufficient notice, Milw0rm breached those traits and deserves to suffer the consequences for doing so.

        • Re: (Score:3, Interesting)

          by nxtw ( 866177 )

          Two weeks is not nearly enough time to even decide if something like this is worth looking at, let alone find a fix, develop it, test it, implement it, and push it to all clients

          Are you serious?

          According to milw0rm, whoever responded didn't even access the details of the vulnerabilities - after two weeks. Nor did they provide any contact information. It would only take a few minutes to skim through the details, and it should have been immediately apparent that the vulnerabilities described could be seriou

          • Re:Mixed feelings (Score:5, Insightful)

            by corbettw ( 214229 ) on Tuesday June 09, 2009 @12:04PM (#28267881) Journal
            Someone sends a random, out-of-the-blue email saying "hey we hax0red your code, lol" and you expect the recipient to pop tall and check out their site immediately? Are you serious? And what contact information was needed? Obviously Milw0rm talked with someone at the company, so they already had contact information. Could it be that Milw0rm was talking to a customer service agent who didn't appreciate the severity of the problem because, gee, I dunno, Milw0rm didn't bother to track down contact information for the right person(s)?

            Assuming milw0rm did contact the correct person/people at LXLabs

            That's a huge assumption and not one I'm willing to make. However, I am willing to state, without reservation, that Milw0rm are a bunch of asshats who deserve to be sued into oblivion over their callous disregard for the safety of the customers using this software. That's really the worst part of all of this. Most of the people hurt by this had no control over the software getting fixed, had no idea there was a problem until it was too late to do anything about it, and were completely innocent of any mistakes. And yet Milw0rm doesn't care one fig about those people and just releases code that sends their lives and businesses into a tailspin. How do you defend that kind of behavior and call yourself a professional?

    • Re: (Score:2, Interesting)

      by Zashi ( 992673 )
      Actually thanks to cyber-bullying laws I think you can.
    • Re: (Score:3, Interesting)

      by CarpetShark ( 865376 )

      You can't truly blame Milw0rm for a person being depressed and committing suicide.

      No, you truly can. You can't blame it for 100% of the problem, but without doubt, people who make viruses are preying on others. What outcome to you expect, when those preyed upon are already struggling just to get through the day and raise their kids or whatever?

  • by Anonymous Coward on Tuesday June 09, 2009 @09:56AM (#28265803)
    According to the article, there have been other suicides in the family a few years ago. Let's just discuss tech, and let the personal stay personal.
  • VM Attacks (Score:3, Informative)

    by barfy ( 256323 ) on Tuesday June 09, 2009 @09:57AM (#28265819)

    Had been posited for about 2-3 years now. It is actually amazing that this was such a brutal attack.

    The dangers of these attacks had always been stealth related, because it is nearly impossible for the machine to SEE the vm manager. Which makes these things even more dangerous than rootkits.

    • Re:VM Attacks (Score:5, Interesting)

      by Zocalo ( 252965 ) on Tuesday June 09, 2009 @10:19AM (#28266177) Homepage
      Actually, this has almost nothing to do with attacking VMs and more to do with the simple fact that LxLab's code is an extremely poorly written piece of crap from a security standpoint that leaves the VM wide open to attack. Having read through the 24 sample exploits when they were first published on milw0rm, the errors are pretty damn fundamental and indicate a complete ignorance of many of the established best practices in secure coding. It was just a matter of time before one of LxLab's users got hit and hit hard; frankly I'm surprised it took so long.

      The only thing that I found surprising about the attack on VAserv is that the perpetrator decided to blow away the servers instead of subvert them for sending spam or hosting related websites; 100,000 web hosts have got to be worth quite a few dollars on the right market. While it sucks to be VAserv or one of their customers right now, it's probably better things went this way than the alternative for everyone else. Of course, it's just a matter of time before the next users of LxLabs HyperVM gets hit - if they haven't been already - and at least some of them are almost certainly going to be end up doing something less than legitimate.
  • My condolences (Score:5, Insightful)

    by elnyka ( 803306 ) on Tuesday June 09, 2009 @09:58AM (#28265825)
    My condolences to Mr. Ligesh's family.
    • by Hyppy ( 74366 )
      A good chunk of the rest of his family hanged themselves as well a few years back, it seems. I don't think the whole vulnerability thing was more than just the straw that broke the camel's back.
  • by hattig ( 47930 ) on Tuesday June 09, 2009 @09:58AM (#28265833) Journal

    Sounds like the guy needed some more help than he got to get to grips with his personal situation. Anyway ...

    The flaws include SQL injection vulnerabilities and flaws that create a way for hackers to gain file access to files hosted on a vulnerable system.

    There is no excuse for SQL Injection vulnerabilities these days. The problem is well known and publicised, the solutions are well documented. This is a problem that is solved by altering how you code, that results in neater code with less errors. If you can't use prepared/parameterised statements and insist on building SQL command strings out of user supplied data, then ... well, err, I can't say "you deserve to hang" in this case can I?

    • Re: (Score:2, Informative)

      by Saija ( 1114681 )

      There is no excuse for SQL Injection vulnerabilities these days.

      I just wish that be truth, right now i'm using some "connection db class" in c# made by someone else, wich expects the sql commands to be executed be concatenated strings, no SqlParameters or whatsoever, no, just single and dangerous sql commands concatenateds, and there's no way in hell i could change that class for something better

      • right now i'm using some "connection db class" in c# made by someone else

        Don't use crappy libraries you pulled off some web forum then. Always be suspicious of third party libraries and only use the highest-quality ones.

        concatenated strings, no SqlParameters or whatsoever, no, just single and dangerous sql commands concatenateds

        Yes, this is a shitty API. But it's still no excuse for SQL injection. You can always quote any variable pieces of information before using them to construct the SQL string. You coul

      • Of course there is. You just do it. In C# especially, it's not that hard.

        Oh? What's that? You have a lot of places it's used? Tough shit. Do it right.

  • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Tuesday June 09, 2009 @09:59AM (#28265839)

    His sister and mother both committed suicide by hanging 5 years ago. He may have had a genetic propensity towards suicide.

    Culturally, Indians have a very heavy emphasis on honor and responsibility. The failure of the software is only the outermost layer of true damage. Each of those compromised VMs is a failure to satisfy a customer at best, and a grave violation of the trust between vendor and customer.

    When it comes to suicide, why hanging? It seems like a really hard way to go. Maybe the person wants to suffer to pay back his debts before death.

    • Easy, quick, can make a noose out of the nearest curtain cord, certain (if nobody discovers you for a few minutes).

      I can only wish that despicable people from our own culture would show honor. But, all that was beaten out of us and now a man who uses a word like 'honor' in public would be giggled at.

      • by Anonymous Coward on Tuesday June 09, 2009 @11:51AM (#28267709)

        I use the word "honor" in public, and no one laughs at me, but I don't use it to describe acts like this one. This is just as screwed up a notion of honor as the Japanese have. Killing yourself does not absolve you of anything. It does not help anyone. It is at best a gesture, and at worst simple escapism.

        The honorable thing to do would have been to fix the problem in the first place, or build a new version from scratch, or shut down the project and provide a migration path. The honorable thing to do after the disaster would have been to patch the biggest holes as fast as possible while providing a migration path to another product. The thing about responsibility for negligence or idiocy is that it requires messy things like restitution, even if no one is making you do it. Suicide is ridiculously self-serving by comparison.

  • by Anonymous Coward on Tuesday June 09, 2009 @10:03AM (#28265917)

    Hopefully the sites lost were those abandoned blogs, even better if they were active blogs.

  • I'm really sad that he hanged himself. Even if he was a total douche-bag (and I have no idea either way), this wasn't a reason for someone to die.

    But by killing himself, he likely devastated a amily who loved him.

    At the very least, he should have resigned. If he felt the need to make amends, he could have dedicated his remaining life to teaching, serving the poor and oppressed, or generally living a quiet life where he helped the people around him.

    For him to judge that his life was such a failure that he

  • The guys pic (Score:4, Informative)

    by ultrapenguin ( 2643 ) on Tuesday June 09, 2009 @10:05AM (#28265955)

    The guys pic

    http://i41.tinypic.com/zjdqgy.jpg [tinypic.com]

    RIP

  • Disrespectful (Score:5, Insightful)

    by gubers33 ( 1302099 ) on Tuesday June 09, 2009 @10:10AM (#28266037)
    I think it is quite disturbing with all of the disrespectful comments on this article. I could Mod some of this, but not all of it. The guy obviously hit hard times with death of two family members by suicide and the tanking of his company. It is clear he had depression in his family and was not able to bear all of this hitting him. It is sickening that so many of you think it is a joke.
    • Re:Disrespectful (Score:5, Insightful)

      by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Tuesday June 09, 2009 @10:18AM (#28266159)

      It is sickening that so many of you think it is a joke.

      Sickening, but not surprising. Civilization has always been a thin veneer on top of barbarism, and it barely keeps our worst instincts in check. Remove via anonymity the social cues that inhibit these instincts, and we end up with the appalling comments here.

      • by DoofusOfDeath ( 636671 ) on Tuesday June 09, 2009 @10:42AM (#28266461)

        Civilization has always been a thin veneer on top of barbarism, and it barely keeps our worst instincts in check.

        Yes, but if you look under the Barbarism, you actually find two layers of humanitarianism.

        You don't need a sense of despair; just a good belt sander.

    • Re: (Score:3, Insightful)

      Killing yourself pretty much removes your right to a lot of sympathy. Lot of people are talking about "honor" like killing yourself is the honorable way out, but really it's not. The honorable way out is working in the ruins to try and rectify your mistakes, not quitting when the road gets hard.

      • Re:Disrespectful (Score:5, Insightful)

        by gad_zuki! ( 70830 ) on Tuesday June 09, 2009 @11:15AM (#28267117)

        >Killing yourself pretty much removes your right to a lot of sympathy.

        Bullshit. People with mental illness deserve your sympathy. The idea that suicide was some kind of rational selfish response is stupid. Clearly, he had a lot of suffering if he felt he needed to kill himself. These people deserve our sympathy not our disdain. Hopefully, we can teach people, especially young people, that mental illness shouldnt be shameful and if they suspect they have it then they should get treated - not hide it away and have it lead to suicide like this guy.

      • Re:Disrespectful (Score:5, Insightful)

        by AioKits ( 1235070 ) on Tuesday June 09, 2009 @11:19AM (#28267195)

        The honorable way out is working in the ruins to try and rectify your mistakes, not quitting when the road gets hard.

        I suspect it's much easier to say this when you're not the one having to travel that road. No offense to you is implied by this observation Mr SatanicPuppy, but from a smaller degree of personal experience, it is easier said than done. The depression I entered after my brother's death (sorry, no details for /.) has had some long lasting effects on me, even if it was 11 years, 7 months and 2 days, 15 hours, 30 minutes ago.

        Not saying I disagree, but still, easier said than done.

    • Re: (Score:3, Insightful)

      by Brad Mace ( 624801 )
      Some people use humor as a coping mechanism. I suspect the percentage is higher than average on slashdot. Perhaps that's because it's a relatively young crowd that doesn't have much experience with death. That's how it goes though; things that hit close to home seem like serious business, and the sort of things that "happen to someone else" don't. It's also just not possible to get personally invested in every bad thing that happens in the world. With our 24-hour news cycle and world-wide coverage, we'
    • is not appreciated by those who think they are immortal

      ie, teenaged idiots

      that the world is full of teenaged idiots (most of whom are not chronologically actual teenagers) should not surprise you or disappoint you

      just a simple ugliness of life you need to learn to accept, like people who throw their garbage on the ground or talk loudly at movies, its another example of the tragedy of the commons

      sure you could declare a high holy moral crusade against boorish insensitivity, but its like trying to stop the sun from rising and setting: a lot of people are ignorant assholes, status permanent, and even those you might actually be able to educate are quickly replaced by more morons

  • by Anonymous Coward

    I'm sure this guy was already unstable but can't help but believe that the attacks were what finally pushed him over the edge. Legally this would be difficult to prosecute as murder but morally those little script kiddies who so impressed with themselves should consider the unintended consequences of their actions. We are all responsible for our own actions (suicide) but should be equally concerned with how our actions affect others (hackers).

    • Re: (Score:3, Insightful)

      Oh, please. They had sufficient time for a relatively simple exploit to be patched. This guy stalled them with vague non-responses and shit never got done, so milw0rm posted it publicly. That's what security folks do. It's not their fault that he decided that fixing the software he put his reputation behind wasn't worth it.

      • by Gary W. Longsine ( 124661 ) on Tuesday June 09, 2009 @10:55AM (#28266721) Homepage Journal

        "Oh, please. They had sufficient time for a relatively simple exploit to be patched. This guy stalled them with vague non-responses and shit never got done, so milw0rm posted it publicly. That's what security folks do. It's not their fault that he decided that fixing the software he put his reputation behind wasn't worth it."

        Well, not exactly. There is a raging debate over whether this is an appropriate tactic, and this incident will go down in the security text books as an example of why the debate exists. Opposite your opinion is something like, "That's what publicity seeking sociopathic nerds, masquerading as [security folk] do."

        There is a fundamental tension between wanting to know if a system you own is vulnerable to some defect, and wanting to keep the exploit code out of the hands of The Bad Guys(TM). In this case, however, it seems pretty clear that simply knowing the name of the product (not even the version) was enough, exploit code wasn't required (as it sometimes is when scanning large numbers of systems that might be at indeterminate patch levels, for example).

        There are quite a few actions one could take between "notify the vendor" and "release exploit code" which appear to have been skipped. That's irresponsible, not, "what security folks do".

        Frankly, I don't understand how organizations or consultants who do this kind of thing manage to stay in business. If you were a big company with a bunch of interlocking IT systems and limited resources, would you hire someone who had a track record of publishing exploit code before patches were available? Suppose this consultant found some issues, which your organization couldn't respond to as quickly as you would like? Does that consultant become a risk to you now, simply because you didn't fix something in a manner timely enough to suit them? How do you know they wouldn't publish details of your vulnerabilities, because some snot nose punk with an inflated sense of self-righteousness thought you were ignoring him?

        I don't operate that way, and neither do any of the fine security consultants who work for me or with me. I work discretely with my clients until they get their problems fixed. That sometimes means doing a lot more work than *should* be required to get the attention of a vendor. However, it has never yet meant publishing exploit code prior to patch availability.

    • You got a point there, AC. IF this were US based, they might be able to prosecute the hackers for murder. We were able to prosecute some lady for hacking when she harassed a little girl to the point of suicide.
    • It depends. There is a great thrill to be had in depriving someone from something they can never have back, especially if you can con them into giving it up willingly. For example, virginity. Some of us just happen to not extend that as far as their life; others simply don't care, or have Nelsonism (HA ha!).
  • Any idea what other cheap web serving companies are using this tech?

  • but I gotta respect this guy's dedication to the job. If we could get American CEO's to take this level of responsibility when their companies completely faceplant, the world would be a better place.
  • Woah. (Score:5, Funny)

    by Anonymous Coward on Tuesday June 09, 2009 @10:31AM (#28266325)
    Can you imagine if a Microsoft executive hung himself every time a vulnerability was discovered in Windows that led to data loss?
  • by barq ( 1194291 ) on Tuesday June 09, 2009 @10:39AM (#28266413)

    Request: Please no one post links to the VAserv status page. The last thing we need is to /. them right now. Customers have been emailed the URL and we are the only ones who really need to see it (plus it isn't very interesting).

    VAserv have emailed customers to say they will be taken over by BlueSquare (where they do most of their hosting anyway). Probably the best option given the scale of the attack.

    I've got one apparently deleted VPS and one still running. The whole situation is terribly frustrating. However I don't think the lack of information coming from VAserv is due to a lack of effort on their part.

  • by EddyPearson ( 901263 ) on Tuesday June 09, 2009 @10:57AM (#28266767) Homepage

    Some rather unpleasant comments coming off of you lot.

    The poor chap sounds like he'd had a bad decade, and this just topped it off.

    When your business collapses overnight (which is what happened here), you're facing god knows how many lawsuits (which is what would have happened here) and the people you'd turn to for support are dead... Well, I'd imagine what follows are some rather sobering thoughts.

    My heart goes out to his remaining family, and those of you modded "Funny" should go gargle some engine coolant.

  • by BrittanyGites ( 871668 ) on Tuesday June 09, 2009 @11:12AM (#28267053) Homepage

    Summary from http://www.milw0rm.com/exploits/8880 [milw0rm.com] seems pretty serious but quite difficult to fix all of them in 2 weeks.

          Timeline :

          05/21/2009 - sent initial email to vendor with a link to a private
                                    resource for viewing various kloxo hiab575
                                    vulnerability info
          05/23/2009 - received the following: "Thanks for the info. I will
                                    review this and let you know." (no signature)
          05/30/2009 - sent an email asking if there were any updates
          06/01/2009 - received the following: "Sorry for the delay. I am
                                    currently looking into this, and will reply in a couple
                                    of hours time." (no signature)
          06/04/2009 - nothing heard from vendor, and the private resource
                                    containing the vulnerability info still does not
                                    appear to have been accessed

          2 weeks have passed since the initial notification. Vendor appears
          uninterested.

          ISSUE 1 - uid/gid reuse
          ISSUE 2 - unprivileged port use
          ISSUE 3 - default passwords
          ISSUE 4 - useradd string in the process list
          ISSUE 5 - XSS
          ISSUE 6 - remotely create partially user controlled file names
                                and directories. Locally append uncontrolled data to
                                any file
          ISSUE 7 - local users can take control of any file or directory
          ISSUE 8 - local users can take control of any file or directory
          ISSUE 9 - local users can overwrite any file on the box
          ISSUE 10 - yet another symlink attack for local users
          ISSUE 11 - metachar injection, local command execution as root
          ISSUE 12 - web stats world readable password hashes
          ISSUE 13 - local users can overwrite any file on the box
          ISSUE 14 - metachar injection, local command execution as root
          ISSUE 15 - remotely block any - or every - IP addr in hosts.deny
          ISSUE 16 - remote CPU and mem usage DoS
          ISSUE 17 - local users can truncate and control any file
          ISSUE 18 - just 2 more symlinks to own any file on the box
          ISSUE 19 - file manager, view and edit any file
          ISSUE 20 - file manager PT II
          ISSUE 21 - file manager PT III
          ISSUE 22 - local user symlink attack
          ISSUE 23 - local user symlink attack (last one)
          ISSUE 24 - sql injection in the "Forgot Password" form

We all agree on the necessity of compromise. We just can't agree on when it's necessary to compromise. -- Larry Wall

Working...