
Actually, now that they've suspended him, I kind of wish he had done some real damage. The whole 'get hung for a lamb' saying.

That is why I don't really believe in the 'white hat hacker' label. Organizations, when humiliated by their vulnerability, strike back and treat the white hat hacker as a criminal. Or I guess since he actually modified a file or two instead of just publicly commenting about the theoretical vulnerability, he is now a gray hat hacker ... ? But if he had just blogged about the vulnerability without proving it, he wouldn't have been taken seriously and fewer people would have believed him (did you know about this guy before this happened? I didn't).

That is why I think, as an individual, if you hack, always be a black hat hacker. Organizations do not have mercy and will not treat you with respect if you just break in to point out a problem to try to help them. So you might as well do some real damage, hide and/or profit from it by selling it on the black market.

(Note: not saying that I condone, or personally agree with, such activities, just proposing a better course of action for those who do.)




That is why I don't really believe in the 'white hat hacker' label. Organizations, when humiliated by their vulnerability, strike back and treat the white hat hacker as a criminal.

Supposedly, a white hat hacker is someone hired (or at least, legally authorized) by the company itself to test their security by trying to break in.


I thought it was more of a moral label than anything else. One who finds vulnerabilities but doesn't exploit them or doesn't do it with a malicious purpose vs. the ones that do it with malice. Of course you can't read someone's mind, but you can see the actions and go from there. It looks extremely unlikely that this is a case of hacking for profit or to cause harm.


Remind me to never play Prisoner's Dilemma with you.


I wouldn't even play it with myself ;-)


Would that be some form of strategic onanism?


Strategic onanism. LOL


When you hack something, even with good intent, you always end up exposing yourself to some form of retaliation.

You can point your finger at vulnerabilities every day, full time, just to make the web a better place, and many will thank you for it, but many more will just threaten you or file a complaint.

This is one of the main motivations behind the No More Free Bugs movement: http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/


How does anyone know he hasn't placed a thousand backdoors elsewhere on GH? This could have been just the harmless shot across the bow. The real vulns being traded on the online underground market now (or in the near future)?


GitHub themselves acknowledged that he only compromised 3 accounts and none of them seriously: https://github.com/blog/1068-public-key-security-vulnerabili....

Seeing the comments he made days prior to this, and also knowing what an appalling security vulnerability attr_accessible is, I'm very pleased he did this. The issue needs to be addressed, and for some reason everyone's been sweeping it under the carpet.

The guy was clear and reasonable in the earlier bugs and suggestions he posted, and then simply escalated them (with no harm done) to illustrate the issue.

Frankly, this is a whole lot less worrying than Firesheep and way more easily addressable.
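The mass-assignment problem the comment above refers to, as an added illustration that is not code from the thread, from Rails, or from GitHub: a Rails-free Ruby simulation of a model that copies request parameters straight into its attributes. The record shape (a PublicKey with title, key and user_id), the attacker and victim IDs, and the tampered form submission are all constructed for the example. The unprotected path lets a hidden user_id field re-own the key; the protected path applies an attr_accessible-style allow-list so the extra field is dropped.

```ruby
require 'set'

# Added example: a minimal simulation of mass assignment with and without
# an attribute allow-list. Not Rails and not GitHub's code; the record
# shape below is assumed for illustration only.
class PublicKey
  attr_reader :attributes

  # Attributes every key is allowed to expose through a form.
  # (Assumed allow-list; in Rails 3 this role was played by attr_accessible.)
  ACCESSIBLE = Set['title', 'key'].freeze

  def initialize(owner_id)
    # user_id is set server-side from the logged-in session, never from the form
    @attributes = { 'title' => nil, 'key' => nil, 'user_id' => owner_id }
  end

  # Vulnerable pattern: every key in params becomes an attribute, so a
  # client can overwrite user_id and attach the key to another account.
  def mass_assign_unprotected(params)
    params.each { |name, value| @attributes[name.to_s] = value }
    self
  end

  # Hardened pattern: only allow-listed attributes are writable; anything
  # else in the request (here user_id) is silently discarded.
  def mass_assign_protected(params)
    params.each do |name, value|
      next unless ACCESSIBLE.include?(name.to_s)
      @attributes[name.to_s] = value
    end
    self
  end
end

# Constructed request: the attacker is logged in as user 42 and submits
# the "add public key" form with an extra field the form never offered.
ATTACKER_ID = 42
VICTIM_ID = 1
TAMPERED_PARAMS = {
  'title'   => 'laptop',
  'key'     => 'ssh-rsa AAAAB3NzaC1yc2E...', # constructed placeholder key
  'user_id' => VICTIM_ID                     # injected hidden field
}.freeze

# Who owns the key after each assignment strategy?
def unprotected_owner
  PublicKey.new(ATTACKER_ID).mass_assign_unprotected(TAMPERED_PARAMS).attributes['user_id']
end

def protected_owner
  PublicKey.new(ATTACKER_ID).mass_assign_protected(TAMPERED_PARAMS).attributes['user_id']
end

if __FILE__ == $0
  puts "unprotected: key now belongs to user #{unprotected_owner}"
  puts "protected:   key still belongs to user #{protected_owner}"
end
```

The point the example makes is that the safe behaviour depends on a developer remembering to write the allow-list; a model with no ACCESSIBLE set behaves like the unprotected path, which is why an opt-in default is so easy to get wrong.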


Are they assuming he only used one account?


Presumably GitHub is currently auditing their DB for keys added to organizations by users who are not admins of those organizations.


It is possible, but why would he disclose it then if he was trading it on the black market? He would kind of be shooting himself in the foot, since the vulnerability would be fixed and its price would drop to 0.

Actually, that was my original point. If he is already treated as a criminal and a hacker, he might as well profit from it. Instead of trying to disclose it publicly and getting treated as a criminal, he might as well sell it on the black market, not tell anyone about it, and at least profit from all this work.



