
All times are UTC - 8 hours [ DST ]




 Post subject: Re: Revealing other site's security holes on L19
Post #21 Posted: Fri Dec 30, 2011 7:50 pm 
Lives in sente

Posts: 800
Liked others: 141
Was liked: 123
Rank: AGA 2kyu
Universal go server handle: speedchase
I would like to say that I think it is unlikely that L19 can expect legal trouble for its users posting security flaws on other websites (although keep in mind I am no expert). Obviously if someone gets hacked because of a security flaw, it is their fault for having the flaw, not our fault for noticing it (really it is the hacker's fault, but...). I do on the other hand think it is rude to post a security flaw without contacting the developers first, so I am unsure where I stand on this particular rule.

 Post subject: Re: Revealing other site's security holes on L19
Post #22 Posted: Sat Dec 31, 2011 12:31 am 
Lives in sente

Posts: 924
Location: Pittsburgh
Liked others: 45
Was liked: 103
Rank: lazy
KGS: redundant/silchas
Tygem: redundant
Wbaduk: redundant
DGS: redundant
OGS: redundant
As far as I'm concerned, we should adopt a policy of not posting others' security flaws. We should concern ourselves with talking about go, not with talking about the "security" of go sites (I'm a kaya.gs founder, and I found the supposed security flaw to be a non-issue, as the most it enabled was masquerading as a founder in a non-permanent environment).

 Post subject: Re: Revealing other site's security holes on L19
Post #23 Posted: Sat Dec 31, 2011 1:34 am 
Lives in sente

Posts: 774
Liked others: 137
Was liked: 155
Lax security measures can result in significant damage not only to business ventures, but to individual users. The policy seems to be only concerned about the first. Exposing it in time before anything is at stake (illuck probably would not have posted credit card data even if available online) should be encouraged as it prevents damage later instead of scaring everyone with a new policy, which basically means nobody will post such news even if tremendously helpful to others on this forum.


This post by tapir was liked by: Phelan
 Post subject: Re: Revealing other site's security holes on L19
Post #24 Posted: Tue Jan 03, 2012 3:00 pm 
Judan

Posts: 6725
Location: Cambridge, UK
Liked others: 436
Was liked: 3719
Rank: UK 4 dan
KGS: Uberdude 4d
OGS: Uberdude 7d
My first thought on seeing this thread was "probably don't have this policy", but that was based on the assumption someone had actually done some serious hacking and revealed flaws. But then I saw all illluck had done was point out the bleeding obvious that if passwords and usernames are the same you can log in as someone if you know their username. To censor this is bonkers; it should be absolutely allowed.


This post by Uberdude was liked by 2 people: oren, Phelan
 Post subject: Re: Revealing other site's security holes on L19
Post #25 Posted: Tue Jan 03, 2012 3:25 pm 
Gosei

Posts: 1494
Liked others: 111
Was liked: 315
I'd agree that L19 shouldn't become some sort of Lulzsec post-it board for security flaws. However, this wasn't a security flaw. It was an alpha server which hadn't implemented real authentication, and had let everyone using the server know it.

_________________
North Lecale


This post by Javaness2 was liked by: Uberdude
 Post subject: Re: Revealing other site's security holes on L19
Post #26 Posted: Tue Jan 24, 2012 1:30 pm 
Lives with ko

Posts: 289
Liked others: 7
Was liked: 42
Rank: 100
GD Posts: 100
I believe it is good to post about security flaws. I think the users of the service would like to know. If Amazon had a bunch of security holes that could leak your credit card information all over the place would you rather:

1. Have each flaw fixed one at a time, slowly, without you ever knowing about it

2. Have someone expose the security flaws, so that you now know to stop using Amazon because it does not treat your information with respect

Yeah, maybe in #1 case Amazon will say, hey we fixed some vulnerabilities. But they have an interest in whitewashing it. A disinterested third party can let you know the actual truth about how severe the flaws are.

 Post subject: Re: Revealing other site's security holes on L19
Post #27 Posted: Tue Jan 24, 2012 3:35 pm 
Gosei

Posts: 1581
Location: Hong Kong
Liked others: 54
Was liked: 544
GD Posts: 1292
I'd rather have the discoverer of the security flaw email Amazon privately than to post it publicly on a forum which Amazon might have no idea it even exists until it's already too late.

_________________
http://tchan001.wordpress.com
A blog on Asian go books, go sightings, and interesting tidbits
Go is such a beautiful game.

 Post subject: Re: Revealing other site's security holes on L19
Post #28 Posted: Tue Jan 24, 2012 9:58 pm 
Lives with ko

Posts: 289
Liked others: 7
Was liked: 42
Rank: 100
GD Posts: 100
tchan001 wrote:
I'd rather have the discoverer of the security flaw email Amazon privately than to post it publicly on a forum which Amazon might have no idea it even exists until it's already too late.


If you are making an analogy against what happened here, then Amazon would know it exists because Amazon asked for a subforum (or was offered) to be created in the private forum where the security flaw was posted. So Amazon would know about it quickly. Also, in this case, Amazon would know of the flaw already, but didn't do anything about it until it was posted publicly.

 Post subject: Re: Revealing other site's security holes on L19
Post #29 Posted: Wed Jan 25, 2012 4:43 am 
Gosei

Posts: 1581
Location: Hong Kong
Liked others: 54
Was liked: 544
GD Posts: 1292
badukJr wrote:
tchan001 wrote:
I'd rather have the discoverer of the security flaw email Amazon privately than to post it publicly on a forum which Amazon might have no idea it even exists until it's already too late.


If you are making an analogy against what happened here, then Amazon would know it exists because Amazon asked for a subforum (or was offered) to be created in the private forum where the security flaw was posted. So Amazon would know about it quickly. Also, in this case, Amazon would know of the flaw already, but didn't do anything about it until it was posted publicly.

And what does that have to do with posting on L19 forum? Is L19 a forum where Amazon has asked for security flaws to be posted? Even if so, does L19 have to comply and make a subforum for every entity which asks for a subforum to house security flaws for their own nonrelated sites?

I visit L19 for go-related material and in my opinion L19 is not intended as a place for people to post about security flaws of other sites.

_________________
http://tchan001.wordpress.com
A blog on Asian go books, go sightings, and interesting tidbits
Go is such a beautiful game.

 Post subject: Re: Revealing other site's security holes on L19
Post #30 Posted: Wed Jan 25, 2012 5:33 pm 
Lives with ko

Posts: 289
Liked others: 7
Was liked: 42
Rank: 100
GD Posts: 100
tchan001 wrote:
badukJr wrote:
tchan001 wrote:
I'd rather have the discoverer of the security flaw email Amazon privately than to post it publicly on a forum which Amazon might have no idea it even exists until it's already too late.


If you are making an analogy against what happened here, then Amazon would know it exists because Amazon asked for a subforum (or was offered) to be created in the private forum where the security flaw was posted. So Amazon would know about it quickly. Also, in this case, Amazon would know of the flaw already, but didn't do anything about it until it was posted publicly.

And what does that have to do with posting on L19 forum? Is L19 a forum where Amazon has asked for security flaws to be posted? Even if so, does L19 have to comply and make a subforum for every entity which asks for a subforum to house security flaws for their own nonrelated sites?

I visit L19 for go-related material and in my opinion L19 is not intended as a place for people to post about security flaws of other sites.


I think you misunderstood what I was saying. Kaya.gs subforum was created with input from Kaya.gs founder. They even link it directly from their site.

Quote:
On the last note, we now have a sub-forum in L19 here. We welcome discussions and suggestions there, especially when the Feedback section is just not enough for the conversation.


My final point is that the founder knew that the security flaw existed, but chose not to fix it until the flaw was pointed out in the forums. So I view it as pretty necessary.
