Revealing other site's security holes on L19

Joaz Banbeck
Judan
Posts: 5546
Joined: Sun Dec 06, 2009 11:30 am
Rank: 1D AGA
GD Posts: 1512
Kaya handle: Test
Location: Banbeck Vale
Has thanked: 1080 times
Been thanked: 1434 times

Re: Revealing other site's security holes on L19

Post by Joaz Banbeck »

Here is Dusk Eagles' Visa card number:
This would not be covered by the first amendment. If I did reveal his info, and he suffered a loss because of it, I would be liable.


tapir wrote:...
I am a bit disappointed by the L19 admin stance on this. It is a help neither to L19 (who is going to sue the biggest English-language go forum when he starts a new go server basically funded by volunteers all over the world? The same goes for any other go-related software.) nor to Kaya (how will they professionalize when nobody dares to give them feedback on crucial issues?)...

The concern is not about kaya disclosure. Nobody is going to sue anybody over it. Nobody has suffered any significant harm, nor does anybody have exposure such that they could suffer harm from it.
It is the possible NEXT disclosure that concerns me. If, in the future, somebody divulges a security flaw about some other web site on L19, and there is significant harm to someone as a result, then how we handled this one could be relevant.
If our actions on the kaya issue reflect a disregard for preventing the spreading of security flaws, it can be argued that we disregarded the later issue too.

tapir wrote:... The harming details in question were all present on the Kaya website...

Surprisingly, in US civil law, this is not really relevant. Either we are or are not spreading info about security flaws. That someone else makes such information available too does not cover us. (Unless they are just blanketing the world with the info such that our actions had no effect whatsoever.)
Help make L19 more organized. Make an index: https://lifein19x19.com/viewtopic.php?f=14&t=5207
LocoRon
Lives with ko
Posts: 292
Joined: Tue Aug 10, 2010 1:04 pm
Rank: 1 kyu
GD Posts: 0
KGS: LocoRon
Has thanked: 92 times
Been thanked: 80 times

Re: Revealing other site's security holes on L19

Post by LocoRon »

This new policy aside, the original post that sparked this policy really was a special case.

As the poster indicated, all the required information for the security hole was already publicly available. It's not like he had to do any sort of non-obvious work to discover the hole.

Second, the owner of the website in question has explicitly stated he doesn't even consider it to be a security vulnerability (I personally disagree, but I've been trying to suppress my urge to rant on this, and so I shall continue to suppress that urge).

Third, due to the nature of this particular hole, the users were more at risk of attack than the website itself, and as such, I think it is highly important that those very users be made aware of the hole.

Anyway, I think this is a generally acceptable policy (if I want to read about security vulnerabilities, I'll find security vulnerabilities newsletters or forums to subscribe to; I come to L19 for the Go); however, I am glad that at least this one hole was mentioned here. After all, Go is such a niche market, that even the highest profile Go website security vulnerabilities probably wouldn't even make a blip on the radar of most security focused sources.
Kirby
Honinbo
Posts: 9553
Joined: Wed Feb 24, 2010 6:04 pm
GD Posts: 0
KGS: Kirby
Tygem: 커비라고해
Has thanked: 1583 times
Been thanked: 1707 times

Re: Revealing other site's security holes on L19

Post by Kirby »

Joaz Banbeck wrote:
Kirby wrote: I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid...

Ummm... we are talking civil law here, not criminal law.


RBerenguel wrote:
RobertJasiek wrote: All security gaps ought to be published in as great detail and as fast as possible, because this is by far the best encouragement to fix the gaps.


I used to read Slashdot. If you do this against someone big enough, you are for some time in jail (this has happened in more than one or two instances before).


This is where I got the bit about jail.

Anyway, I still think it's kind of silly to punish someone for revealing a flaw in design, particularly if they are only revealing the hole that is there. I think a guy put an app on the Apple App Store recently to exploit a bug Apple had. They revoked his dev account, but no legal action was taken, I think. That, to me, seems fair.

If we are going to require people to privately disclose this stuff by law, then how about entitling them to compensation for working on a company's security design?

The more I think about this, the more I am skeptical.

Can we get a citation of an actual law stating that this is not allowed?
be immersed
judicata
Lives in sente
Posts: 932
Joined: Wed Apr 21, 2010 12:55 pm
Rank: KGS 1k
GD Posts: 0
Universal go server handle: judicata
Location: New York, NY
Has thanked: 146 times
Been thanked: 150 times

Re: Revealing other site's security holes on L19

Post by judicata »

Lawyers are scaredy-cats when it comes to questions such as "can I get in legal trouble for X?" It is basically our job. By the way (although I don't think this is the case here), if you ask "Can I be sued for X?", the answer is almost always "yes", because people can file a lawsuit over practically anything. Whether you would likely be held liable, whether being held liable would have any practical consequences, and whether someone is actually likely to sue are the real questions.

And I won't answer them :).

I think it is basically a non-issue, whether the policy is adopted or not. It isn't like L19 is a resource for finding and exploiting security holes (nor is it a deep pocket). And the policy might chill otherwise helpful communication: as demonstrated in this thread, it isn't entirely clear what posts would be allowed and what wouldn't be.

But since the issue is unlikely to come up very often, adopt the policy or don't. You might upset someone's principles either way, but to little ultimate effect.
illluck
Lives in sente
Posts: 1223
Joined: Sun Apr 25, 2010 5:07 am
Rank: OGS 2d
GD Posts: 0
KGS: illluck
Tygem: Trickprey
OGS: illluck
Has thanked: 736 times
Been thanked: 239 times

Re: Revealing other site's security holes on L19

Post by illluck »

As the culprit, I wanted to reply when I read this post earlier today, but had to rush to a trip.

I must admit that I failed to consider the implications for L19 when I made that post in the K.gs thread, and would like to apologize for any inconveniences I caused to the moderators.

I will make sure to avoid posting any details on L19 in the future (though as others remarked, this is likely/hopefully infrequent).
speedchase
Lives in sente
Posts: 800
Joined: Sun Dec 04, 2011 4:36 pm
Rank: AGA 2kyu
GD Posts: 0
Universal go server handle: speedchase
Has thanked: 139 times
Been thanked: 122 times

Re: Revealing other site's security holes on L19

Post by speedchase »

I would like to say that I think it is unlikely that L19 can expect legal trouble for its users posting security flaws of other websites (although keep in mind I am no expert). Obviously, if someone gets hacked because of a security flaw, it is their fault for having the flaw, not our fault for noticing it (really it is the hacker's fault, but...). I do, on the other hand, think it is rude to post a security flaw without contacting the developers first, so I am unsure where I stand on this particular rule.
Redundant
Lives in sente
Posts: 924
Joined: Thu Apr 22, 2010 3:00 pm
Rank: lazy
GD Posts: 0
KGS: redundant/silchas
Tygem: redundant
Wbaduk: redundant
DGS: redundant
OGS: redundant
Location: Pittsburgh
Has thanked: 45 times
Been thanked: 103 times

Re: Revealing other site's security holes on L19

Post by Redundant »

As far as I'm concerned, we should adopt a policy of not posting others' security flaws. We should concern ourselves with talking about go, not with talking about the "security" of go sites (I'm a kaya.gs founder, and I found the supposed security flaw to be a non-issue, as the most it enabled was masquerading as a founder in a non-permanent environment).
tapir
Lives in sente
Posts: 774
Joined: Fri Apr 23, 2010 5:52 pm
GD Posts: 0
Has thanked: 137 times
Been thanked: 155 times

Re: Revealing other site's security holes on L19

Post by tapir »

Lax security measures can result in significant damage not only to business ventures, but to individual users. The policy seems to be concerned only about the first. Exposing it in time, before anything is at stake (illluck probably would not have posted credit card data even if it were available online), should be encouraged, as it prevents damage later, instead of scaring everyone with a new policy, which basically means nobody will post such news even if it is tremendously helpful to others on this forum.
Uberdude
Judan
Posts: 6727
Joined: Thu Nov 24, 2011 11:35 am
Rank: UK 4 dan
GD Posts: 0
KGS: Uberdude 4d
OGS: Uberdude 7d
Location: Cambridge, UK
Has thanked: 436 times
Been thanked: 3718 times

Re: Revealing other site's security holes on L19

Post by Uberdude »

My first thought on seeing this thread was "probably don't have this policy", but that was based on the assumption someone had actually done some serious hacking and revealed flaws. But then I saw all illluck had done was point out the bleeding obvious: that if passwords and usernames are the same, you can log in as someone if you know their username. To censor this is bonkers; it should be absolutely allowed.
Javaness2
Gosei
Posts: 1545
Joined: Tue Jul 19, 2011 10:48 am
GD Posts: 0
Has thanked: 111 times
Been thanked: 322 times

Re: Revealing other site's security holes on L19

Post by Javaness2 »

I'd agree that L19 shouldn't become some Lulzsec post-it board for security flaws. However, this wasn't a security flaw. It was an alpha server which hadn't implemented real authentication, and had let everyone using the server know it.
badukJr
Lives with ko
Posts: 289
Joined: Sat Jan 07, 2012 1:00 pm
Rank: 100
GD Posts: 100
Has thanked: 7 times
Been thanked: 42 times

Re: Revealing other site's security holes on L19

Post by badukJr »

I believe it is good to post about security flaws. I think the users of the service would like to know. If Amazon had a bunch of security holes that could leak your credit card information all over the place would you rather:

1. Have each flaw fixed one at a time, slowly, without you ever knowing about it

2. Have someone expose the security flaws, so that you now know to stop using Amazon because it does not treat your information with respect

Yeah, maybe in case #1 Amazon will say, "hey, we fixed some vulnerabilities." But they have an interest in whitewashing it. A disinterested third party can let you know the actual truth about how severe the flaws are.
tchan001
Gosei
Posts: 1582
Joined: Wed Apr 21, 2010 6:44 pm
GD Posts: 1292
Location: Hong Kong
Has thanked: 54 times
Been thanked: 534 times

Re: Revealing other site's security holes on L19

Post by tchan001 »

I'd rather have the discoverer of the security flaw email Amazon privately than post it publicly on a forum that Amazon might not even know exists until it's already too late.
http://tchan001.wordpress.com
A blog on Asian go books, go sightings, and interesting tidbits
Go is such a beautiful game.
badukJr
Lives with ko
Posts: 289
Joined: Sat Jan 07, 2012 1:00 pm
Rank: 100
GD Posts: 100
Has thanked: 7 times
Been thanked: 42 times

Re: Revealing other site's security holes on L19

Post by badukJr »

tchan001 wrote: I'd rather have the discoverer of the security flaw email Amazon privately than post it publicly on a forum that Amazon might not even know exists until it's already too late.


If you are making an analogy to what happened here, then Amazon would know it exists, because Amazon asked for a subforum (or was offered one) to be created in the private forum where the security flaw was posted. So Amazon would know about it quickly. Also, in this case, Amazon would have known of the flaw already, but didn't do anything about it until it was posted publicly.
tchan001
Gosei
Posts: 1582
Joined: Wed Apr 21, 2010 6:44 pm
GD Posts: 1292
Location: Hong Kong
Has thanked: 54 times
Been thanked: 534 times

Re: Revealing other site's security holes on L19

Post by tchan001 »

badukJr wrote:
tchan001 wrote: I'd rather have the discoverer of the security flaw email Amazon privately than post it publicly on a forum that Amazon might not even know exists until it's already too late.


If you are making an analogy to what happened here, then Amazon would know it exists, because Amazon asked for a subforum (or was offered one) to be created in the private forum where the security flaw was posted. So Amazon would know about it quickly. Also, in this case, Amazon would have known of the flaw already, but didn't do anything about it until it was posted publicly.

And what does that have to do with posting on the L19 forum? Is L19 a forum where Amazon has asked for security flaws to be posted? Even if so, does L19 have to comply and make a subforum for every entity which asks for a subforum to house security flaws for their own unrelated sites?

I visit L19 for go related material and in my opinion L19 is not intended as a place for people to post about security flaws of other sites.
badukJr
Lives with ko
Posts: 289
Joined: Sat Jan 07, 2012 1:00 pm
Rank: 100
GD Posts: 100
Has thanked: 7 times
Been thanked: 42 times

Re: Revealing other site's security holes on L19

Post by badukJr »

tchan001 wrote:
badukJr wrote:
tchan001 wrote: I'd rather have the discoverer of the security flaw email Amazon privately than post it publicly on a forum that Amazon might not even know exists until it's already too late.


If you are making an analogy to what happened here, then Amazon would know it exists, because Amazon asked for a subforum (or was offered one) to be created in the private forum where the security flaw was posted. So Amazon would know about it quickly. Also, in this case, Amazon would have known of the flaw already, but didn't do anything about it until it was posted publicly.

And what does that have to do with posting on the L19 forum? Is L19 a forum where Amazon has asked for security flaws to be posted? Even if so, does L19 have to comply and make a subforum for every entity which asks for a subforum to house security flaws for their own unrelated sites?

I visit L19 for go related material and in my opinion L19 is not intended as a place for people to post about security flaws of other sites.


I think you misunderstood what I was saying. The Kaya.gs subforum was created with input from the Kaya.gs founder. They even link it directly from their site:

On the last note, we now have a sub-forum in L19 here. We welcome discussions and suggestions there, especially when the Feedback section is just not enough for the conversation.

My final point is that the founder knew that the security flaw existed, but chose not to fix it until the flaw was pointed out in the forums. So I view it as pretty necessary.