
Hi Elliot,

I appreciate that you discovered a security flaw and took action to get it fixed. Thank you.

However, the WAY you did this really screwed up a bunch of people. I have an app running on PHP Fog that serves 25,000 people a day, and I woke up on Sunday morning to a stream of complaints that it had been down for hours. You seem technically capable, so I'm sure you have a lot of interesting (and useful) projects and hacks to come. But next time you do something like this, model it after this:

http://daverecycles.com/post/2858880862/heroku-hacked-dissec...

If you're hacking to help people and make the world a better place, do it like David Chen. With your abilities you will get a lot of respect and appreciation if you do it like that. If you act destructively, some people might appreciate your technical chops but you won't get real respect in the field.

And don't worry too much if it feels like you're at the center of a cyclone right now. It'll pass, and as long as you act more deliberately in the future you'll be okay. :)

- Jason




Unfortunately, that cyclone may not be as easy to get past. Yes, people won't forever care about phpfog. However, if phpFog (which was at least PARTIALLY at fault here) presses charges, that's a criminal record and will come up on every background check for the rest of his life. This affects job opportunities, visa opportunities, loans (not to mention lawyer debt from fighting it), hell even insurance prices.

What the kids did was bad, but I think pressing charges and seriously hindering two smart sixteen-year-olds is a knee-jerk, overzealous application of law and retaliation/punishment. Especially (I know I'm going to draw a lot of heat for this) when they found THEIR irresponsible storage of sensitive data.

I am a dev. I have also worked in the computer security field for a reputable firm. What phpfog did was irresponsible (actually, stupid!) and it was relatively easily avoidable. I know this because I (along with pretty much every dev) have used the exact stopgaps and quick-fixes that phpFog did. BUT (big lesson) cleaning up after yourself is as much a part of programming as putting those quick-fixes in place. Unfortunately, it's not the "fun" part and it's not the most obvious money maker.

Like they (pretty much) said, phpFog put off the fixes because they wanted to deliver quickly. That's THEIR decision and THEIR risk/reward assessment. I've made the same assessments in my work. They should suck it up and learn the lesson. Not hurt little kids. They're lucky it was found by these kids and not someone that knows how to conceal their identities and/or wants to do more serious damage (for example, hurting a phpFog client).

If I knew some dev at my hosting company was keeping system passwords on a web server, they wouldn't be my hosting company. What about the trust/confidence of the clients that phpFog was knowingly betraying?

Edit: Yes, there is a proper way to disclose information. They're kids. I'm surprised they handled it as well as they did to be honest. I was a much dumber 16 year old.



