Mistafreeze
August 03, 2011, 03:58:08 PM
No, I'm calling you an asshole because you've made an asshole move.
"If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck."
Are you an asshole too, then? Non-assholes are not insulting people.
What are you, 12? You don't publicly reveal the inner workings of a bug you find without privately letting the developers know first. All this does is give those that have no morals the chance to exploit it. Is this really that hard to grasp? You made an asshole move. Learn and move on.
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
August 03, 2011, 04:01:03 PM
No, I'm calling you an asshole because you've made an asshole move.
"If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck."
Are you an asshole too, then? Non-assholes are not insulting people. What are you, 12? You don't publicly reveal the inner workings of a bug you find without privately letting the developers know first. All this does is give those that have no morals the chance to exploit it. Is this really that hard to grasp? You made an asshole move. Learn and move on.
No, it's not hard to grasp. I could ask you the same question: is it really that hard to grasp that I do what I do?
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
makomk
August 03, 2011, 04:16:58 PM
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.
(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)
Edit: Also, that's another problem. Private disclosure of website vulnerabilities allows the company to lie and pretend the vulnerability never existed because there's no way of proving it after it's been closed, so even if the reporter tries to disclose it publicly at that point they won't be believed. This causes users to get a false sense of security about the website; even if one vulnerability gets fixed it increases the odds there are other unfixed ones.
Quad XC6SLX150 Board: 860 MHash/s or so. SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
BTCrow
August 03, 2011, 04:24:46 PM
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there. (For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)
If what you are saying is true, public disclosure in this case will give even worse results than the crash that occurred. It will give more people (in this disclosure case, script kiddies) the ability to exploit mtgox.
Mistafreeze
August 03, 2011, 04:34:59 PM
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.
It's only comparable to that if you take out a full-page ad in the newspaper to inform the owner that the door hasn't been locked.
BTCrow
August 03, 2011, 04:47:23 PM
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there. (For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)
If what you are saying is true, public disclosure in this case will give even worse results than the crash that occurred. It will give more people (in this disclosure case, script kiddies) the ability to exploit mtgox.
Just want to enforce this point: http://nvd.nist.gov/cvss.cfm?calculator&version=2
This is the calculator from NVD to calculate the severity score of any potential or current vulnerability; this is how vendors and security professionals price a vulnerability and calculate the security risk most of the time. Check the "Temporal Score Metrics" and put availability to high, fix to unavailable and verification to confirmed. You'll see it will put the security risk at a very high level compared to doing ethical full disclosure with the right steps.
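As an added worked example (not part of BTCrow's post and not NVD's code), the following Python implements the published CVSS v2 base and temporal equations that the linked calculator evaluates, and scores a constructed vector under the temporal settings the post contrasts: exploitability high, remediation level unavailable, report confidence confirmed, versus a proof of concept with an official fix shipped. The vector `AV:N/AC:L/Au:N/C:P/I:P/A:P` is an assumed stand-in for a remotely reachable injection flaw and is not the actual Mt Gox finding.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification (base metrics).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Temporal metric weights; "ND" (not defined) leaves the base score unchanged.
EXPLOITABILITY = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def round1(x: float) -> float:
    """CVSS v2 'round_to_1_decimal': half-up rounding to one decimal place."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2 base score computed from the six base metrics."""
    impact = 10.41 * (1 - (1 - CIA_IMPACT[c]) * (1 - CIA_IMPACT[i]) * (1 - CIA_IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(base: float, e: str, rl: str, rc: str) -> float:
    """CVSS v2 temporal score: the base score scaled by the three temporal metrics."""
    return round1(base * EXPLOITABILITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def parse_vector(vector: str) -> dict:
    """Split a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C' into a dict."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def score_vector(vector: str) -> tuple:
    """Return (base, temporal) for a CVSS v2 vector; absent temporal metrics count as ND."""
    m = parse_vector(vector)
    base = base_score(m["AV"], m["AC"], m["Au"], m["C"], m["I"], m["A"])
    temporal = temporal_score(base, m.get("E", "ND"), m.get("RL", "ND"), m.get("RC", "ND"))
    return base, temporal


# Constructed stand-in: network-reachable, low complexity, no authentication,
# partial impact on confidentiality, integrity and availability. Not a real finding.
EXAMPLE_BASE_VECTOR = "AV:N/AC:L/Au:N/C:P/I:P/A:P"


def disclosure_scenarios(base_vector: str = EXAMPLE_BASE_VECTOR) -> dict:
    """Temporal scores for the settings the post describes versus a coordinated fix."""
    return {
        # Full details public, no fix available, issue confirmed: E:H / RL:U / RC:C
        "public_no_fix": score_vector(base_vector + "/E:H/RL:U/RC:C")[1],
        # Only a minimal proof of concept exists and the vendor has not fixed it yet
        "poc_no_fix": score_vector(base_vector + "/E:POC/RL:U/RC:C")[1],
        # Proof of concept exists but an official fix has shipped
        "poc_official_fix": score_vector(base_vector + "/E:POC/RL:OF/RC:C")[1],
    }


if __name__ == "__main__":
    print(score_vector(EXAMPLE_BASE_VECTOR))
    for name, score in disclosure_scenarios().items():
        print(f"{name}: {score}")
```

The temporal metrics can only lower the base score, so the remediation level is the lever a vendor controls: once an official fix exists the temporal score drops, whereas a confirmed issue with no fix and a working exploit keeps the full base score.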
Xephan
Newbie
Offline
Activity: 42
Merit: 0
August 03, 2011, 05:44:41 PM
(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)
Edit: Also, that's another problem. Private disclosure of website vulnerabilities allows the company to lie and pretend the vulnerability never existed because there's no way of proving it after it's been closed, so even if the reporter tries to disclose it publicly at that point they won't be believed. This causes users to get a false sense of security about the website; even if one vulnerability gets fixed it increases the odds there are other unfixed ones.
That's why discoverers usually only give the developers a week or two to do something before going public unless there are good reasons not to. It's not really possible to try to fool the discoverers, who would usually be very competent technically, about how long it's going to take to fix something. If the company isn't interested or proactive, nobody's going to blame the discoverer for being irresponsible. A simple way for the discoverer to verify that they did give the developers warning is simply to send the initial warning without details via email, CC'd to a few others. A simple "I've discovered what appears to be a flaw in your system. Please reply to all within 48 hours for details or I will publicly release the details of the exploit" would do. The CC'd people only need to know you're providing a warning and whether the devs bothered to get back to you, and then the devs can't fix it and claim it didn't exist. If you can't trust anybody, routing it to yourself using a new account at a public webmail service like gmail or yahoo would also do in a pinch. Or do what Wikileaks did and put an AES-256 encrypted file with the details in the public domain first.
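An added example, not from Xephan's post: the "post the encrypted file first, reveal the key later" idea is a commitment scheme, and the same property can be had with a hash alone, which needs no crypto library. The reporter publishes SHA-256(nonce || report) together with a detail-free notice at the time of the private report; later, revealing the nonce and the report lets anyone check them against the published digest. The vendor name, dates and report text below are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


def commit(report: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Hash commitment to a report: SHA-256(nonce || report).

    The digest can be posted publicly right away. Without the nonce it reveals
    nothing about the report (hiding), and the report cannot later be swapped
    for a different one that matches the same digest (binding)."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + report).hexdigest()
    return digest, nonce


def public_notice(vendor: str, digest: str, deadline_days: int, now: datetime) -> str:
    """The detail-free notice a reporter could post or CC to third parties, as JSON."""
    notice = {
        "vendor": vendor,
        "commitment_sha256": digest,
        "reported_at": now.isoformat(),
        "disclosure_deadline": (now + timedelta(days=deadline_days)).isoformat(),
        "note": "Details withheld; the commitment lets the report be verified after disclosure.",
    }
    return json.dumps(notice, sort_keys=True)


def verify(notice_json: str, nonce: bytes, report: bytes) -> bool:
    """Anyone holding the public notice can check a later-revealed report against it."""
    digest = json.loads(notice_json)["commitment_sha256"]
    expected = hashlib.sha256(nonce + report).hexdigest()
    # Constant-time comparison; harmless here but the right habit for digest checks.
    return hmac.compare_digest(expected, digest)


# Constructed placeholder text; not a real vulnerability report.
SAMPLE_REPORT = b"PLACEHOLDER: private report to example-vendor, details omitted"
# Fixed nonce only so this demonstration is reproducible; use commit(report) normally.
SAMPLE_NONCE = bytes(range(32))


def demo() -> dict:
    """Walk through commit, publish, reveal and verify, plus two tampering attempts."""
    digest, nonce = commit(SAMPLE_REPORT, SAMPLE_NONCE)
    notice = public_notice("example-vendor", digest, 14,
                           datetime(2011, 8, 3, tzinfo=timezone.utc))
    return {
        "genuine": verify(notice, nonce, SAMPLE_REPORT),
        "altered_report": verify(notice, nonce, SAMPLE_REPORT + b" (edited)"),
        "wrong_nonce": verify(notice, secrets.token_bytes(32), SAMPLE_REPORT),
    }


if __name__ == "__main__":
    print(demo())
```

The digest carries no date of its own: it proves priority only if the notice is posted somewhere third parties keep timestamped copies, which is exactly the role the CC'd recipients in the post play. Publishing an encrypted file works the same way, with the decryption key as the value revealed later.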
nhodges
August 03, 2011, 09:12:32 PM
That is YOUR opinion.
I believe in full disclosure.
I don't like that you are trying to force YOUR opinion down around MY head.
If I want to release information about a potential security threat, I do it. You should only be glad that I'm not trying to use it.
I believe that is irresponsibility to the highest levels. Posting a bug like that isn't helpful to anyone... look I follow the Ubuntu policy on bug requests... send it privately to the developers.. give them a chance to fix it.. then publish what went wrong... You don't send it out the other way... where you publish it publicly .. allow a billion people to hack into the system... then claim "i was doing the right thing" ... that's not the right thing... that's akin to me publishing your banking username and password... then saying "I was doing the right thing" instead of telling you "your username and password are compromised" .. i believe in full disclosure as well... just give the guy a chance to fix it before you announce it... I'm asking for a few hours... not a few days or weeks...
Sometimes, there is no other option than full disclosure because security issues go unanswered so far as to be adopted by other businesses as acceptable practices. Private reports are great if they are digested and responded to in a timely fashion; however, usually this is not the case. Most people who do find Bitcoin bugs do indeed submit them to the team directly, or commit a patch themselves.
makomk
August 04, 2011, 04:56:18 PM
If what you are saying is true, public disclosure in this case will give even worse results than the crash that occurs. It will give more people (in this disclosure case, script-kiddies) the ability to exploit mtgox.
You'd think so, but the window for exploiting this kind of vulnerability once it's been publicly exposed generally seems to be too small for anyone to actually do so profitably. Generally the person publicly announcing it only provides a minimal proof-of-concept that's enough to show the issue exists and a lot of effort is still required to use it maliciously.
Quad XC6SLX150 Board: 860 MHash/s or so. SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
Tasty Champa
Member
Offline
Activity: 84
Merit: 10
August 04, 2011, 07:50:08 PM
Most everyone that is running anything important is in the channel, so all you have to do is tell them privately there. Then if someone finds something, give them an adequate reward for not being a complete dipshit chicken little.
indicasteve
August 04, 2011, 08:13:43 PM
Do what I do... just pay the guy a bounty!
I put out a bounty to find bugs on my demo site and Kokjo stepped up and found some things I would have never thought of... like who knew 'inf' as a form input gets parsed as a valid float?
He sent me some bugs in PM and I appreciate his help.
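An added example, not from indicasteve's post or his site: the 'inf' finding is a general property of float parsers, and the Python below shows what `float()` silently accepts from a form field, why a balance check built on it lets `nan` and `-inf` through, and a strict parser that only admits a plain decimal literal. The withdrawal functions, the amount pattern and the limit are assumed for illustration.

```python
import math
import re
from decimal import Decimal


def classify_naive(text: str) -> str:
    """Show what float() turns a raw form value into."""
    try:
        value = float(text)          # accepts 'inf', 'nan', 'Infinity', '1e400', ' 5 ', '1_000'
    except ValueError:
        return "rejected"
    if math.isnan(value):
        return "nan"
    if math.isinf(value):
        return "inf"
    return "finite"


def withdrawal_allowed_naive(amount_text: str, balance: float) -> bool:
    """Typical sloppy check: parse with float() and compare against the balance."""
    amount = float(amount_text)
    if amount > balance:             # never true for NaN: every comparison with NaN is False
        return False
    return True                      # so 'nan' and '-inf' both pass this check


# Strict shape: '0' or a non-zero integer part up to 10 digits, optional fraction up to 8 places.
AMOUNT_RE = re.compile(r"(0|[1-9][0-9]{0,9})(\.[0-9]{1,8})?")
MAX_AMOUNT = Decimal("1000000")      # assumed per-request ceiling


def parse_amount(text: str) -> Decimal:
    """Accept only a plain decimal literal, then range-check an exact Decimal."""
    if AMOUNT_RE.fullmatch(text) is None:
        raise ValueError(f"malformed amount: {text!r}")
    value = Decimal(text)
    if not value.is_finite() or value <= 0 or value > MAX_AMOUNT:
        raise ValueError(f"amount out of range: {text!r}")
    return value


def withdrawal_allowed_strict(amount_text: str, balance: Decimal) -> bool:
    """Same check on the strict parser; anything malformed is refused, not coerced."""
    try:
        amount = parse_amount(amount_text)
    except ValueError:
        return False
    return amount <= balance


if __name__ == "__main__":
    for probe in ["inf", "-inf", "nan", "Infinity", "1e400", "1_000", "12.50"]:
        print(f"{probe!r:12} float(): {classify_naive(probe):9} "
              f"naive={withdrawal_allowed_naive(probe, 100.0)} "
              f"strict={withdrawal_allowed_strict(probe, Decimal('100'))}")
```

Whitelisting the literal shape first matters because the numeric library's own checks (`is_finite`, the bounds) run only on values that already look like money; every other input is rejected before it becomes a number at all.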
Tasty Champa
Member
Offline
Activity: 84
Merit: 10
August 04, 2011, 09:49:16 PM
Do what I do... just pay the guy a bounty!
I put out a bounty to find bugs on my demo site and Kokjo stepped up and found some things I would have never thought of... like who knew 'inf' as a form input gets parsed as a valid float?
He sent me some bugs in PM and I appreciate his help.
You are a smart fellow.
Rodyland
August 05, 2011, 12:17:00 AM
I don't care about the other users.
Sums himself up right there perfectly.
Beware the weak hands! 1NcL6Mjm4qeiYYi2rpoCtQopPrH4PyKfUC GPG ID: E3AA41E3
bitplane
August 05, 2011, 12:26:28 AM
I agree that Flexcoin should learn from this and lead the way by giving bounties and offering up a clear bug-resolution policy. Pay a reasonable fee for each vulnerability, allow the researcher to publish after a fixed period of time (regardless of whether the bug is fixed or not), and list all fixed vulnerabilities on the site along with the bounty paid.
A history of this sort of security policy would be strong evidence that sites that hold BTC are both secure and honest about their shortfalls.