> broadcasting knowledge of the holes to the world without a reasonable wait is akin to criminal
I wouldn't go as far as that. It's sure bad form, but disclosing a fact (maybe with the exception of immediate national security concerns) can't be considered a crime.
This will cost the PHPfog folks some and they can - and should - pursue civil action against whoever causes damage to them.
Exactly; as I said, "disclosing a fact without a reasonable wait" which is fair and ethical in the security world. I'm all for full disclosure, but give the affected parties time to clean up the mess and get PR ready.
After berating one of the "d00ds" involved on Twitter, it looks to me like he told his friend how to exploit the problem, and his friend (or his friend's friend) made the site and exploited the hole.
If I show someone how to break into your house, and that person tells someone else "hey, nbpoole's house is open, let me show you," and your house gets broken into, am I completely innocent of the crime? Security knowledge is the kind of knowledge that gets things broken into, so security people necessarily need to be cautious about whom they tell about security problems.
FYI, when I found out about an open ASP.NET padding oracle at Subway.com, all I did was run PadBuster to exploit it, without damaging the servers in any other way. Eventually I reported it to feedback@subway.com, and only after a week of no response did I finally post it to reddit:
http://www.reddit.com/r/netsec/comments/g9crj/open_aspnet_pa...
There are numerous facts which disclosing would be considered a crime. For one thing, copyright infringement is a crime; all that is, in essence, is disclosing a fact. Disclosing trade secrets may be a crime. Disclosing personal health records can be a crime. Disclosing insider information to a third party can be a crime. There are plenty of facts which can be criminal to disclose.
Now, this particular case may or may not be criminal, but it is at least incredibly irresponsible.
I think this is a Federal Crime in the US. If he was an idiot and actually disclosed his details, they can find him and actually extradite him from Australia for this.... I'm not a lawyer, but wow, he did not think this one through.