| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <50FE0BB2.5560.AAD92D68@nick.virus-l.demon.co.uk> Date: Tue, 22 Jan 2013 16:46:58 +1300 From: "Nick FitzGerald" <nick@...us-l.demon.co.uk> To: full-disclosure@...ts.grok.org.uk Subject: Re: Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 Sanguinarious Rose to me: > And that is the reason why no one wants to report anything they find, > it's because of people like you and your kind of thinking. As you seem to have assumed a whole bunch about "my kind of thinking" that I did not put in the original post, I find the above laughable. > Did they public post all the private information? > No Agreed. > Did they try to use it for malious or illicit purposes? > No Not that we know from what seems to be a rather one-sided, self-serving to the victim, "the system screwed poor little me" telling of the story. > Did they report it when they found it? > Yes Agreed. > A horrible moral compass indeed! ... No -- I said nothing about what could or should be considered about their moral compass _in finding_ the problem. I did say they probably broke _both_ school/other ToS agreements and unauthorized access laws, but I did not say what I felt about that. It is often the case that minor transgressions of such nature are necessary in doing many useful things in the computer security domain. That alone makes it precarious territory in which to work and such issues should obviously be front-of-mind for _anyone_ potentially in such territory. > ... Arrest these people for being > concerned and reporting it after stumbling upon security flaws! > Amiright? No, I did not say that either. What you seem to have missed (other than that you are reading things into my previous post that are not there) was that _after_ these two students notified the relevant system owners/operators and/or vendors, apparently only _one_ of them went back and did stuff that he probably should not have originally done (but that we can _probably_ excuse because of a "greater good"), _again_. _That_ is what tells us something critical about _his_ moral compass (either he does not have one, it is rather under-developed for a 20- year old or it is rather broken). Did you notice that this story was not titled "Youths expelled..." "or "Students expelled..." _despite_ the first sentence of any substance in the National Post article starting: Ahmed Al-Khabaz ... was working on a mobile app ... when he and a colleague discovered what he describes as "sloppy coding" in ... Did you notice how the rest of story fails to mention that his colleague was expelled? Poor journalism, missing a fairly major fact in the story? Or perhaps evidence that his "colleague" was not expelled because his colleague did not continue to mess with stuff that he should have (now) known he should not be messing with? If _both_ students had been expelled, surely the tone of indignation and righteousness would have been greater, so I doubt the fact that the article only talks of one student being expelled is due to journalistic oversight... So, Mr Rose, do you now see what you chose to avoid noticing on your first pass through this story and its "clever hacker cruelly ostracized" skew? Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists