|
the founder (OP)
|
 |
August 03, 2011, 01:49:44 PM |
|
Guys... I know people are trying to be helpful (and they are) but if there is a bug discovered that even has a remote chance of being a potential security threat, you can't have the error publicly displayed on the forum.
One user was attempting to be helpful (which he was) but he posted the entire error message he found on the public forum as compared to a PM .. this though was not malicious in nature could be used for people less than honest...
Please make this post a sticky.. and this doesn't apply to just flexcoin, I'm sure Tradehill, Mt.Gox and everyone else wouldn't want any bugs posted publicly on a forum before they are given the chance to fix it.
|
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f |
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
kokjo
Legendary
 Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
August 03, 2011, 01:55:34 PM |
|
that is YOUR opinion.
i believe in full disclosure.
i don't like that you are trying to force YOUR opinion down around MY head.
if i want to release information about a potential security threat. i do it.
you should only be glad that im not trying to use it.
|
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
|
the founder (OP)
|
|
August 03, 2011, 02:00:50 PM |
|
that is YOUR opinion.
i believe in full disclosure.
i don't like that you are trying to force YOUR opinion down around MY head.
if i want to release information about a potential security threat. i do it.
you should only be glad that im not trying to use it.
I believe that is irresponsibility to the highest levels. Posting a bug like that isn't helpful to anyone... look I follow the Ubuntu policy on bug requests... send it privately to the developers.. give them a chance to fix it.. then publish what went wrong... You don't send it out the other way... where you publish it publicly .. allow a billion people to hack into the system... then claim "i was doing the right thing" ... that's not the right thing... that's akin to me publishing your banking username and password... then saying "I was doing the right thing" instead of telling you "you're username and password are compromised" .. i believe in full disclosure as well... just give the guy a chance to fix it before you announce it... I'm asking for a few hours... not a few days or weeks... |
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f |
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
August 03, 2011, 02:06:41 PM |
|
that is YOUR opinion.
i believe in full disclosure.
i don't like that you are trying to force YOUR opinion down around MY head.
if i want to release information about a potential security threat. i do it.
you should only be glad that im not trying to use it.
I believe that is irresponsibility to the highest levels. Posting a bug like that isn't helpful to anyone... look I follow the Ubuntu policy on bug requests... send it privately to the developers.. give them a chance to fix it.. then publish what went wrong... You don't send it out the other way... where you publish it publicly .. allow a billion people to hack into the system... then claim "i was doing the right thing" ... that's not the right thing... that's akin to me publishing your banking username and password... then saying "I was doing the right thing" instead of telling you "you're username and password are compromised" .. i believe in full disclosure as well... just give the guy a chance to fix it before you announce it... I'm asking for a few hours... not a few days or weeks... you should be happy that im not trying to exploit it on my own. you should just be glad that i release it on the forum, instead of selling it to the highest bidder. just do publish my banking username and password, feel free to do so. |
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
|
the founder (OP)
|
|
August 03, 2011, 02:14:11 PM |
|
kokjo ,
1 - I wouldn't do that with your banking crap because I don't have your banking crap to do it with.. and because that violates every ethical code I have believed in.. but alas it's just my belief .. you do as you want.
2 - we'll agree to disagree...
|
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f |
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
August 03, 2011, 02:26:21 PM |
|
1 - I wouldn't do that with your banking crap because I don't have your banking crap to do it with.. and because that violates every ethical code I have believed in.. but alas it's just my belief .. you do as you want.
thank you! now stop trying to enforce some bug policy, it only pisses me off and make me want to exploit the bugs i may find. 2 - we'll agree to disagree... agree! (end of discussion?) |
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
|
the founder (OP)
|
|
August 03, 2011, 02:30:31 PM |
|
We're fine... then as a personal favour.. if you find something specifically related to my service... I humbly request that you tell me first and give me a chance... again as a personal request and not forced.
|
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f |
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
August 03, 2011, 02:32:57 PM |
|
We're fine... then as a personal favour.. if you find something specifically related to my service... I humbly request that you tell me first and give me a chance... again as a personal request and not forced.
then i may do it, will not promise anything.  |
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
|
Yuusha
|
|
August 03, 2011, 02:34:14 PM |
|
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
|
|
|
|
|
Seraphim401
Full Member
Offline
Activity: 215
Merit: 100
Live Long and Prosper
|
|
August 03, 2011, 02:35:44 PM |
|
I have to side with the OP on this.
I think BTC businesses should also offer rewards like google for any bug find.
This should stop people from going:Ooh look at me I found a bug, I'm like all cool and stuff...
|
|
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
August 03, 2011, 02:37:30 PM |
|
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
maybe you should just lock your door. |
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
|
Yuusha
|
|
August 03, 2011, 02:39:48 PM |
|
maybe you should just lock your door.
Yes, of course. But everyone makes mistakes once in a while, and this is especially true when it comes to software. Who benefits from you informing everyone in town about my unlocked door, aside from burglars? |
|
|
|
|
|
BTCrow
|
|
August 03, 2011, 02:43:56 PM |
|
Actually "the founder (FlexCoin)" have the right definition of ethical full-disclosure. Releasing any bug before submitting to his developers is in fact not full-disclosure but a way that crackers work not hackers.
The only two reasons that hackers should go full-disclosure is if a developer don't worry much about it, go lazy not patching it after a reasonable time frame or if the developers try to silent patch without advice his customers by public advisories.
That's how ethical vulnerability researchers work and will always works. That's why full-disclosure have been made after all. To help users which are non aware of security bugs to stop using the software before a patch was made once a vulnerability have been discovered.
I also of course don't like the fact that "the founder (FlexCoin)" have to "force" his idea but I understand that this should be take with care.
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
August 03, 2011, 02:47:56 PM |
|
that is YOUR opinion.
i believe in full disclosure.
i don't like that you are trying to force YOUR opinion down around MY head.
if i want to release information about a potential security threat. i do it.
you should only be glad that im not trying to use it.
Sorry, I strongly disagree with you as well. It's irresponsible to make public "full disclosure" without giving the responsible party an opportunity to rectify it. Only after they have slacked and failed to act is "full disclosure" the responsible thing to do. The whole "tough guy" attitude is the same one you see in the poorest crime-infested neighborhoods (e.g. "that guy didn't lock his door so he deserves to have his stuff stolen"). It's non-constructive to a civil society and results in collective harm to everyone. Bad karma too, if you believe in that. |
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
August 03, 2011, 02:48:49 PM |
|
Actually "the founder (FlexCoin)" have the right definition of ethical full-disclosure. Releasing any bug before submitting to his developers is in fact not full-disclosure but a way that crackers work not hackers.
The only two reasons that hackers should go full-disclosure is if a developer don't worry much about it, go lazy not patching it after a reasonable time frame or if the developers try to silent patch without advice his customers by public advisories.
That's how ethical vulnerability researchers work and will always works. That's why full-disclosure have been made after all. To help users which are non aware of security bugs to stop using the software before a patch was made once a vulnerability have been discovered.
I also of course the fact that "the founder (FlexCoin)" have to "force" his idea but I understand that this should be take with care.
what if i you want to inform other people that are using the service, to just get the hell out of there its insecure? http://en.wikipedia.org/wiki/Full_disclosure: Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. see? wikipedia disagree with you. |
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
|
BTCrow
|
|
August 03, 2011, 02:48:55 PM |
|
"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Hmm not applying here, in fact just bad argument regarding full-disclosure. Cause it was made to protect users (not the developers) In this case the dev is the guy not locking his door and users none. Maybe saying he didn't lock the door to his wife after the second time you catch him will make his wife mad and wanting to make something for that won't happen. |
|
|
|
|
Yuusha
|
|
August 03, 2011, 02:55:23 PM |
|
Hmm not applying here, in fact just bad argument regarding full-disclosure. Cause it was made to protect users (not the developers) In this case the dev is the guy not locking his door and users none. Maybe saying he didn't lock the door to his wife after the second time you catch him will make his wife mad and wanting to make something for that won't happen.
I was just portraying his general attitude. But for a more extensive example: Let's say I'm responsible for the money of a few of my friends. I keep the money stored in my house, in a safe. I always make sure to lock the door when I leave home, to protect my own property and the property of others that I am responsible for. However, one day when I leave home, I do remember to lock the door, but the lock somehow breaks without me noticing it. Someone else (like kokjo) notices the unlocked door, and tells everyone in town about this "security flaw", to protect the friends whose money I am responsible for. However, by doing so, he is exposing their money to a security risk. If he hadn't told the whole town about the security flaw, no one might ever have known about my broken lock. If he had instead chosen to tell only me, so I could fix the lock, or tell me and the friends who store money in my house, the money would be much safer AND the problem would be solved. |
|
|
|
|
|
BTCrow
|
|
August 03, 2011, 02:57:11 PM |
|
Actually "the founder (FlexCoin)" have the right definition of ethical full-disclosure. Releasing any bug before submitting to his developers is in fact not full-disclosure but a way that crackers work not hackers.
The only two reasons that hackers should go full-disclosure is if a developer don't worry much about it, go lazy not patching it after a reasonable time frame or if the developers try to silent patch without advice his customers by public advisories.
That's how ethical vulnerability researchers work and will always works. That's why full-disclosure have been made after all. To help users which are non aware of security bugs to stop using the software before a patch was made once a vulnerability have been discovered.
I also of course the fact that "the founder (FlexCoin)" have to "force" his idea but I understand that this should be take with care.
what if i you want to inform other people that are using the service, to just get the hell out of there its insecure? http://en.wikipedia.org/wiki/Full_disclosure: Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. see? wikipedia disagree with you. The window of exposure that it's stated in this article is such a non-sense when involving coders more time to patch the soft than exploiting the bugs by script-kiddies. This will affect more users than if you just asked the coder to do his job. Then if he don't do it you warn people of course. The same article also refer to responsible disclosure. Which is in fact the good way to work to reduce security incidents. |
|
|
|
Xephan
Newbie
Offline
Activity: 42
Merit: 0
|
|
August 03, 2011, 02:57:13 PM |
|
that is YOUR opinion.
i believe in full disclosure.
i don't like that you are trying to force YOUR opinion down around MY head.
if i want to release information about a potential security threat. i do it.
you should only be glad that im not trying to use it.
Responsible full disclosure means letting the developer know about it, with sufficient time to fix it before releasing the full details. This is how it's done by respectable security firms and hackers. They find the bug, they tell the developer, they also put a time line on when they are going public with the details unless there are good reasons to delay, e.g. developer IS working on a solution, shows evidence of such but the bug is such that they need more time to debug, test and deploy the fixed versions. Otherwise, the only persons who benefits from such irresponsible disclosures are the criminals, and the only one who generally get hurts the most are the people you claim you want to warn to get out while they can. |
|
|
|
|
|
BTCrow
|
|
August 03, 2011, 03:00:01 PM |
|
Hmm not applying here, in fact just bad argument regarding full-disclosure. Cause it was made to protect users (not the developers) In this case the dev is the guy not locking his door and users none. Maybe saying he didn't lock the door to his wife after the second time you catch him will make his wife mad and wanting to make something for that won't happen.
I was just portraying his general attitude. But for a more extensive example: Let's say I'm responsible for the money of a few of my friends. I keep the money stored in my house, in a safe. I always make sure to lock the door when I leave home, to protect my own property and the property of others that I am responsible for. However, one day when I leave home, I do remember to lock the door, but the lock somehow breaks without me noticing it. Someone else (like kokjo) notices the unlocked door, and tells everyone in town about this "security flaw", to protect the friends whose money I am responsible for. However, by doing so, he is exposing their money to a security risk. If he hadn't told the whole town about the security flaw, no one might ever have known about my broken lock. If he had instead chosen to tell only me, so I could fix the lock, or tell me and the friends who store money in my house, the money would be much safer AND the problem would be solved. Much much more better argument I'm gonna use it for customers I think. |
|
|
|
|
