Post new topic Reply to topic  [ 30 posts ]  Go to page 1, 2  Next
Post #1 Posted: Fri Dec 30, 2011 12:15 am
Post subject: Revealing other site's security holes on L19
Author: Joaz Banbeck (Judan, Rank: 1D AGA, Location: Banbeck Vale, Kaya handle: Test)
In the 'Kaya.gs' thread, there were several people explicitly describing alleged security flaws of the Kaya site. I asked people not to do this on L19. I'm starting this thread to discuss that policy.

IMHO, as a general rule for any forum, when you discover a security flaw in a web site, the best option is to contact the admins there as soon as possible and as discreetly as possible. Posting it on a public forum seems to be a last resort, done only when all private attempts to correct the flaw have failed. I think that is a wise policy on L19 or on any forum.

Furthermore, there are liability issues. Suppose someone posts a relatively innocuous flaw, and we do nothing, and then later a serious flaw about a second site is posted. If the owner of the second site suffers significant losses, we could be liable because we would have a demonstrable track record of not doing anything to prevent the publication of security flaws. In lawyer jargon, we would have been willfully negligent.

I'm in favor of a policy that says that you don't post security flaws on L19. You can say that the site has flaws, but not describe them so that some malicious reader can exploit them. Details should be privately sent to that site's admins.

This post by Joaz Banbeck was liked by: ez4u
Post #2 Posted: Fri Dec 30, 2011 8:27 am
Post subject: Re: Revealing other site's security holes on L19
Author: jts (Oza, Rank: kgs 6k)
Is that actually US law, or just a scaredy-cat interpretation of US law?

Post #3 Posted: Fri Dec 30, 2011 9:03 am
Post subject: Re: Revealing other site's security holes on L19
Author: Joaz Banbeck (Judan, Rank: 1D AGA, Location: Banbeck Vale, Kaya handle: Test)
jts wrote:
Is that actually US law, or just a scaredy-cat interpretation of US law?


All US law gets interpreted. Indeed, the vast majority of the laws that you and I live under are not 'statute law' - the actual text written by a legislative body - but are 'case law' - that which has been interpreted in a courtroom. ( This, BTW, is why supreme court decisions are newsworthy, for nobody really knows what the law means until the supremes say what it means. )

If you mean to ask, "Is the attorney to whom you spoke a scaredy-cat?", I can say with certainty, "no".

Post #4 Posted: Fri Dec 30, 2011 12:28 pm
Post subject: Re: Revealing other site's security holes on L19
Gosei (Rank: KGS 6k)
Like I've said on that thread, I am not in favor of having forum policy say you can't post security flaws. Go program/site security flaws should be able to be publicly discussed at L19.

Most Go developers have been open to suggestions and bug reports, but what if one isn't, and just refuses to listen to reason? Such a policy would make it impossible to discuss its flaws here.

Post #5 Posted: Fri Dec 30, 2011 12:54 pm
Post subject: Re: Revealing other site's security holes on L19
Author: RBerenguel (Gosei, Rank: KGS 5k, Location: Barcelona, Spain (GMT+1); KGS: RBerenguel, Tygem: rberenguel, Wbaduk: JohnKeats, Kaya handle: RBerenguel)
There's a legal issue here, and Joaz's statement is to the point. I guess we can discuss the security issue, but not give the details. Like "I've found a hole related to weak passwords in kaya-alpha, are you aware of this?" Since there are no harming details, there should be no problem.

But if a server/program/whatever loses money because of too much disclosure, he/she can seek legal charges to the forum owners... and this is not good. Better to speak too little rather than too much.

Post #6 Posted: Fri Dec 30, 2011 1:23 pm
Post subject: Re: Revealing other site's security holes on L19
Author: hyperpape (Tengen, Rank: AGA 3k, Location: North Carolina, OGS: Hyperpape 4k)
Not that I'm planning anything, but what's the rule on links to security flaws published elsewhere?

Post #7 Posted: Fri Dec 30, 2011 1:41 pm
Post subject: Re: Revealing other site's security holes on L19
Author: tapir (Lives in sente)
Shooting the messenger is a time-honored practice.

I am a bit disappointed by L19-admin stance on this. It is a help neither to L19 (who is going to sue the biggest english language go forum when he starts a new go server basically funded by volunteers all over the world? the same for any other go related software.) nor to Kaya (how will they professionalize when nobody dares to give them feedback on crucial issues?). The harming details in question were all present on the Kaya website, afair.

And what about negative book reviews? Isn't there a risk of significant losses, too?


This post by tapir was liked by: maproom
Post #8 Posted: Fri Dec 30, 2011 2:03 pm
Post subject: Re: Revealing other site's security holes on L19
Author: hyperpape (Tengen, Rank: AGA 3k, Location: North Carolina, OGS: Hyperpape 4k)
tapir wrote:
And what about negative book reviews? Isn't there a risk of significant losses, too?
Not as far as I know. In the US, I believe there should only be an issue if the content of the review is libelous. And proving libel is hard: you need to prove that the reviewer knowingly wrote falsehoods designed to damage the reputation of the target.

The US is litigious, but also tends towards strong protections of free speech in many areas.

That's even aside from the issue of whether the forum would be liable for user reviews--I seem to recall that that's another high bar for the plaintiff to clear.

Of course, I'm no lawyer.

This post by hyperpape was liked by: RBerenguel
Post #9 Posted: Fri Dec 30, 2011 2:10 pm
Post subject: Re: Revealing other site's security holes on L19
Author: RobertJasiek (Judan)
All security gaps ought to be published in as great detail and as fast as possible because this is by far the best encouragement to fix the gaps.

Post #10 Posted: Fri Dec 30, 2011 2:23 pm
Post subject: Re: Revealing other site's security holes on L19
Author: RBerenguel (Gosei, Rank: KGS 5k, Location: Barcelona, Spain (GMT+1); KGS: RBerenguel, Tygem: rberenguel, Wbaduk: JohnKeats, Kaya handle: RBerenguel)
RobertJasiek wrote:
All security gaps ought to be published in as great detail and as fast as possible because this is by far the best encouragement to fix the gaps.


I used to read Slashdot. If you do this against someone big enough, you are for some time in jail (happened in more than one or two instances before)

Post #11 Posted: Fri Dec 30, 2011 2:46 pm
Post subject: Re: Revealing other site's security holes on L19
Gosei (Rank: KGS 6k)
RobertJasiek wrote:
All security gaps ought to be published in as great detail and as fast as possible because this is by far the best encouragement to fix the gaps.


I disagree. That should only be done as a last measure, if the developers don't act on private messages.

Post #12 Posted: Fri Dec 30, 2011 3:06 pm
Post subject: Re: Revealing other site's security holes on L19
Gosei (Rank: KGS 3k, Location: Texas, KGS: Chew)
tapir wrote:
I am a bit disappointed by L19-admin stance on this.


To be fair, Joaz was suggesting more 'Hey, I think I found a security-related bug in X site. Could someone please put me in contact with a developer so that I can contact them privately'.

He's far from shooting the messenger, just saying 'If we discuss this sort of stuff, it's polite to the developers (and covers your backside) if you make sure it doesn't look like you're just trying to spread word so that people can hack into sites.'

As a metaphor, it's kind of like saying 'Man, there's a lot of go book piracy on the internet. Can someone put me into contact with this author so that I can tell him the site in case he can take action against it?' versus saying 'Here is a list of where each go book can be found illegally on the internet. Piracy is bad and I hope they take it down.' Even if the latter is meant with good intentions, it's too likely to be abused or misunderstood.

Post #13 Posted: Fri Dec 30, 2011 3:28 pm
Post subject: Re: Revealing other site's security holes on L19
Author: Kirby (Honinbo, KGS: Kirby, Tygem: 커비라고해)
I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid. I guess it has the benefit of encouraging people to go to the source and try to get them to fix it. But it's funny to me that this is required.

Post #14 Posted: Fri Dec 30, 2011 3:51 pm
Post subject: Re: Revealing other site's security holes on L19
Author: Joaz Banbeck (Judan, Rank: 1D AGA, Location: Banbeck Vale, Kaya handle: Test)
RobertJasiek wrote:
All security gaps ought to be published in as great detail and as fast as possible because this is by far the best encouragement to fix the gaps.

I shall keep this in mind if you ever have a broken lock on your front door. :lol:


Kirby wrote:
I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid...

Ummm... we are talking civil law here, not criminal law.


RBerenguel wrote:
... we can discuss the security issue, but not give the details. Like "I've found a hole related to weak passwords in kaya-alpha, are you aware of this?" Since there are no harming details, there should be no problem.

But if a server/program/whatever loses money because of too much disclosure, he/she can seek legal charges to the forum owners... and this is not good. Better to speak too little rather than too much.


This is stated better than mine. :clap: :clap: :clap: Thanks.

Post #15 Posted: Fri Dec 30, 2011 4:03 pm
Post subject: Re: Revealing other site's security holes on L19
Gosei (Rank: 4d)
Free speech is protected under the first amendment. I can't see any party that would sue L19 (which is US-based) over a member posting a security flaw having a leg to stand on in court. As well, there would likely be a huge backlash over some party suing us for what one of our members says. I believe the correct policy is to allow members to talk and discuss about whatever they like, as long as it doesn't violate the rules we already have in place. Even in the event that we were to be sued (and I think it's a bit ridiculous to think we would), I believe such a policy would still be the correct one.

In short, yes, you should be able to post about security flaws on L19 (though you probably should contact the owner first). Don't add more rules to this forum; it's good as it is.

Post #16 Posted: Fri Dec 30, 2011 4:25 pm
Post subject: Re: Revealing other site's security holes on L19
Author: Joaz Banbeck (Judan, Rank: 1D AGA, Location: Banbeck Vale, Kaya handle: Test)
Here is Dusk Eagle's Visa card number:
This would not be covered by the first amendment. If I did reveal his info, and he suffered a loss because of it, I would be liable.


tapir wrote:
...
I am a bit disappointed by L19-admin stance on this. It is a help neither to L19 (who is going to sue the biggest english language go forum when he starts a new go server basically funded by volunteers all over the world? the same for any other go related software.) nor to Kaya (how will they professionalize when nobody dares to give them feedback on crucial issues?)...

The concern is not about kaya disclosure. Nobody is going to sue anybody over it. Nobody has suffered any significant harm, nor does anybody have exposure such that they could suffer harm from it.
It is the possible NEXT disclosure that concerns me. If, in the future, somebody divulges a security flaw about some other web site on L19, and there is significant harm to someone as a result, then how we handled this one could be relevant.
If our actions on the kaya issue reflect a disregard for preventing the spreading of security flaws, it can be argued that we disregarded the later issue too.

tapir wrote:
... The harming details in question were all present on the Kaya website...

Surprisingly, in US civil law, this is not really relevant. Either we are or are not spreading info about security flaws. That someone else makes such information available too does not cover us. ( Unless they are just blanketing the world with the info such that our actions had no effect whatsoever. )

This post by Joaz Banbeck was liked by: shapenaji
Post #17 Posted: Fri Dec 30, 2011 4:33 pm
Post subject: Re: Revealing other site's security holes on L19
Lives with ko (Rank: 1 kyu, KGS: LocoRon)
This new policy aside, the original post that sparked this policy really was a special case.

As the poster indicated, all the required information for the security hole was already publicly available. It's not like he had to do any sort of non-obvious work to discover the hole.

Second, the owner of the website in question has explicitly stated he doesn't even consider it to be a security vulnerability (I personally disagree, but I've been trying to suppress my urge to rant on this, and so I shall continue to suppress that urge).

Third, due to the nature of this particular hole, the users were more at risk of attack than the website itself, and as such, I think it is highly important that those very users be made aware of the hole.

Anyway, I think this is a generally acceptable policy (if I want to read about security vulnerabilities, I'll find security vulnerabilities newsletters or forums to subscribe to; I come to L19 for the Go); however, I am glad that at least this one hole was mentioned here. After all, Go is such a niche market, that even the highest profile Go website security vulnerabilities probably wouldn't even make a blip on the radar of most security focused sources.

Post #18 Posted: Fri Dec 30, 2011 5:06 pm
Post subject: Re: Revealing other site's security holes on L19
Author: Kirby (Honinbo, KGS: Kirby, Tygem: 커비라고해)
Joaz Banbeck wrote:
Kirby wrote:
I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid...

Ummm... we are talking civil law here, not criminal law.


RBerenguel wrote:
RobertJasiek wrote:
All security gaps ought to be published in as great detail and as fast as possible because this is by far the best encouragement to fix the gaps.


I used to read Slashdot. If you do this against someone big enough, you are for some time in jail (happened in more than one or two instances before)


This is where I got the bit about jail.

Anyway, I still think it's kind of silly to punish someone for revealing a flaw in design, particularly if they are only revealing the hole that is there. I think a guy put an app on the apple app store recently to exploit a bug apple had. They revoked his dev account, but no legal action was taken, I think. That, to me, seems fair.

If we are going to require people to privately disclose this stuff by law, then how about entitling them to compensation for working on a company's security design?

The more I think about this, the more I am skeptical.

Can we get a citation of an actual law stating that this is not allowed?

Post #19 Posted: Fri Dec 30, 2011 6:18 pm
Post subject: Re: Revealing other site's security holes on L19
Lives in sente (Rank: KGS 1k, Location: New York, NY, Universal go server handle: judicata)
Lawyers are scaredy-cats when it comes to questions such as "can I get in legal trouble for X?" It is basically our job. By the way (although I don't think this is the case here) if you ask "Can I be sued for X?", the answer is almost always "yes" because people can file a lawsuit over practically anything. Whether you would likely be held liable, along with whether being held liable would have any practical consequences, and whether someone is actually likely to sue are the real questions.

And I won't answer them :).

I think it is basically a non-issue, whether the policy is adopted or not. It isn't like L19 is a resource for finding and exploiting security holes (nor is it a deep pocket). And the policy might chill otherwise helpful communication: as demonstrated in this thread, it isn't entirely clear what posts would be allowed and what wouldn't be.

But since the issue is unlikely to come up very often, adopt the policy or don't. You might upset someone's principles either way, but to little ultimate effect.

Post #20 Posted: Fri Dec 30, 2011 7:33 pm
Post subject: Re: Revealing other site's security holes on L19
Lives in sente (Rank: OGS 2d, KGS: illluck, Tygem: Trickprey, OGS: illluck)
As the culprit, I wanted to reply when I read this post earlier today, but had to rush to a trip.

I must admit that I failed to consider the implications for L19 when I made that post in the K.gs thread, and would like to apologize for any inconveniences I caused to the moderators.

I will make sure to avoid posting any details on L19 in the future (though as others remarked, this is likely/hopefully infrequent).
