
> Black vs white hat is "did you break this and then use it to <do something illegal>."

That is a very narrow interpretation of "black hat". I think the mainstream take is that black hat includes many legal but ethically dubious actions. Maybe you would call it "grey hat", I don't know. But publishing a vulnerability without responsible disclosure can be considered unethical.

> But responsible vs irresponsible disclosure is not a question of "should this be disclosed at all?", which the security community as a whole seems to have determined that the answer is "yes".

Yes, I don't know if you misread but by 'responsible disclosure' I meant 'tell ejmr about this before publishing'.

> The only option

No. If they were informed about this issue, after changing the schema EJMR could take down all preexisting posts made with the old schema and request public archives to remove them (and reindex new ones). It's not foolproof because many posts may happen to be archived independently but it would be something. And of course notify users.




> But publishing a vulnerability without responsible disclosure can be considered unethical.

Yes, there is debate on that, and there are arguments on either side. But given ejmr went 12 years without changing their "anonymization" scheme, and then changed it a short time prior to an article being published that demonstrated the scheme was broken, I think it's reasonable to presume ejmr was notified prior to publication, and had time to correct the flaw, which is the canonical example of responsible disclosure.

That ejmr did not tell its users is an example of the behavior that the anti-responsible disclosure folk point to. Organizations that say "you should tell us about vulnerabilities in our products, but you cannot tell our users, and neither will we" are a large part of the reason some people oppose responsible disclosure.

> No. If they were informed about this issue, after changing the schema EJMR could take down all preexisting posts made with the old schema and request public archives to remove them (and reindex new ones).

There are multiple existing libraries online to support scraping ejmr specifically, as well as who knows how many archives and search engines we don't know about.

Every person who posted needs to be made aware that their posts could be tracked at least to the IP (though at any institution you're behind a NAT, so generally IP != person, and the idea of ISPs having per-hour IP<->user logs from a decade ago seems suspect).

Also we know that ejmr found out about the gaping hole somehow - we don't know exactly, we just know they addressed the incompetence, though I assume they're still doing it wrong - and they didn't even pull and re-index their own archive let alone ask anyone else to do so.

> It's not foolproof because many posts may happen to be archived independently but it would be something.

Either you're anonymous or you're not, so you can't just say "we doubt there are any other archives so you're safe". The user IPs are not secret, as they were never secret.

We also have no way to know if anyone else had already done this, and we likely never will.

> And of course notify users.

Which they also did not do.


> Either you're anonymous or you're not

False on many levels, and a dangerous belief.

You are never ever fully anonymous writing online. It all depends on how difficult it is and how determined the threat is.

Everything you post can be correlated with your other writing and online activity (even if you fake the style), your ISP subpoenaed and Tor nodes compromised. But most people are sorta anonymous because no one bothers to go through the trouble.



