Join 3,556 readers in helping fund MetaFilter (Hide)


Fish finger
January 31, 2011 7:24 PM   Subscribe

Security advisor Brian Krebs on the 'hacking' of web dating site Plenty of fish by Chris Russos.
posted by unliteral (73 comments total) 11 users marked this as a favorite

 
To summarize, Brian Krebs learns about a security vulnerability on Plenty of fish. Krebs then tries to notify Plenty of fish, who do not respond immediately. Some days later, after the site is hacked, Plenty of fish founder accuses Krebs of extortion, and then withdraws the accusation. Usernames and passwords are stored as plaintext.
posted by KokuRyu at 7:37 PM on January 31, 2011 [4 favorites]


Plenty of dating sites.
posted by box at 7:51 PM on January 31, 2011 [3 favorites]


Russos on the conspiracy theory attributed to him:
I never extorted you at all. I reported you a bug. Your people asked me what to do now, and asked me for a action plan, and a price. I never mention anything, about that.
Assuming what he said is true--does anyone involved with this website have technical experience? If their response to "here's a proof-of-concept showing you your huge security hole" is "oh god you've owned us, how much do we pay to get our data back", that's pretty disturbing.
posted by shii at 7:52 PM on January 31, 2011 [8 favorites]


After a decade or so of long (seemingly endless) debates about 'ethical disclosure' or 'responsible disclosure' security researchers and most software makers have finally gotten to the point where they allow volunteer work done for them without threatening researchers (/volunteers).

If a security researcher (even inadvertently) runs across a vulnerability in a web service or online service, it is *very* dangerous to attempt to 'responsibly disclose' this information.

Which is why the person who found the vulnerability attempted to proxy his disclosure to one of the most respected computer security journalists. And that journalist was then accused of something that independent security researchers are often accused of; blackmail.

Moral of the story; when you find a vulnerability in an online service, NEVER attempt to alert the operators of the service, unless you can afford a good lawyer. (exception: I trust the staff at metafilter).
posted by el io at 7:53 PM on January 31, 2011 [6 favorites]


POF is a terrible ugly badly designed site that is mostly about spamming its members and allowing escorts to advertise. I can't imagine they have a very tech savvy bunch at the helm.
posted by Potomac Avenue at 7:54 PM on January 31, 2011 [4 favorites]


I wish there was a way to reveal which online sites stored passwords in plaintext, so we could all immediately go and remove our accounts there.
Which probably would just result in a db flag like 'deleted' changed from 0 to 1, with the info retained, so if you used that password anywhere else you'd want to change that for sure.
But still, it's the principle of the matter.
posted by Theta States at 7:59 PM on January 31, 2011 [2 favorites]


Does metafilter still store passwords in plaintext? It definitely did in the past.
posted by ryanrs at 8:04 PM on January 31, 2011


The CEO of POF sounds un-hinged.
posted by Ad hominem at 8:07 PM on January 31, 2011


Theta, just avoid any site that can email you your password if you forget. Sites that only email a link to reset your password are probably safe, as are sites that email a new, randomly-generated password.
posted by ryanrs at 8:08 PM on January 31, 2011 [5 favorites]


I like the bit where Chris Russos casually tosses off in the middle of his ramble that the owner of POF said a serial killer is murdering POF users. And then it is never mentioned again.
posted by Justinian at 8:10 PM on January 31, 2011 [9 favorites]


A company actually has a director of engineering and they store passwords in plaintext? How's that dude have a job?
posted by xmutex at 8:10 PM on January 31, 2011 [2 favorites]


Ya know, I usually do things the "correct" way with a hash and a salt. But sometimes an exec will call me up and try to get me to log in as him, or tell him his password and he thinks I am just goldbricking when tell him that I don't know his password and he will have to go through the reset password procedure like everyone else, that's when I hear the siren song of plaintext passwords. It's very easy to do it the wrong way just for ease of use, especially for something non-critical like a dating site. You guys don't use the same password on POF and your bank, right.
posted by Ad hominem at 8:13 PM on January 31, 2011


Moral of the story; when you find a vulnerability in an online service, NEVER attempt to alert the operators of the service, unless you can afford a good lawyer.

Why not just let them know anonymously? And include mention of the fact that you'll bring them to their knees if they don't fix it in X amount of time.
posted by Xezlec at 8:18 PM on January 31, 2011 [1 favorite]


The CEO of POF sounds un-hinged.

Well... Certainly my position is that there needs to be some established and generally agreed upon protocols for revealing vulnerabilities in online services... I also have empathy for a business owner who finds their entire business in jeopardy because of a breach they don't yet understand and haven't done the risk analysis to see how great of a danger their company is in...

His updates made him sound more reasonable...

This also shows the danger of a CEO freely blogging about whats going on; their personal impressions of events that are immediate to them (and emotional) are conveyed to their customers, stockholders (potentially), and employees, without the filter that time can often give you.

Software makers now have the option of reacting reasonable to vulnerabilities that are found in their product (even if the world and hacker community knows about them before they do); a clean roadmap of non-asshatery has been already published - if they are savvy they will have already read it or find it when the crisis occurs.

A service provider doesn't have a roadmap for them that is well-known in their industry (with compliant free volunteers to give them the consulting work to walk them through the vuln who also know how to convey this information in a way that doesn't terrify the service provider).

As we move from software as a product to software as a service it is crucial that both the service providers and the security 'community' (researchers, independent or not) find some path towards 'responsible disclosure'.

Because the current stance that the [responsible?] security community has when finding a vulnerability in an online service (often inadvertent discovery of vulnerability; e.g. the URL for the website contains an unfiltered SQL statement *IN THE URL*)...

The responsible action for security researchers or security savvy folks that find vulnerabilities in online services is to *not tell anyone*.

I assure you that those with bad motivations are doing more than keeping their mouths shut. The current situation leaves everyone at greater risk than they should be.
posted by el io at 8:20 PM on January 31, 2011 [1 favorite]


especially for something non-critical like a dating site

Yup, no privacy issues there!
posted by ryanrs at 8:24 PM on January 31, 2011 [1 favorite]


You gotta admire the guy's Cycle.
posted by Bromius at 8:35 PM on January 31, 2011 [1 favorite]


Yup, no privacy issues there!

Well the fact of the matter is that once somebody gains access to the database they can just dump everything else, messages, photos. That site is already compromised, no password storage policy is the world can un fuck that system. Best it can do is keep attackers from accessing your accounts on other systems, it is negligent of them not to hash passwords but it is cold comfort of you are worried about your POF privacy.
posted by Ad hominem at 8:39 PM on January 31, 2011


Plenty of Fish deletes the accounts of out transgender members, no warning and no notice.

I'd be fine with the site dying. (Not fine with user's data being compromised, though.)
posted by andreaazure at 8:44 PM on January 31, 2011 [10 favorites]


Man. I retract all Gawker-related security jokes I've made in the last couple of months. At least they came out right away, took responsibility, and were open about what they were doing to fix the problem (and didn't have plaintext passwords in the first place).

Compared to this chump Gawker is a paragon on online security.
posted by auto-correct at 8:45 PM on January 31, 2011


Does metafilter still store passwords in plaintext? It definitely did in the past.

Fixed November 2007.
posted by ryanrs at 8:48 PM on January 31, 2011


I still wouldn't retract those Gawker jokes.
posted by june made him a gemini at 8:49 PM on January 31, 2011 [3 favorites]


At least [Gawker] came out right away

Ha! They grudgingly acknowledged the breach after their front page was defaced and their database uploaded to The Pirate Bay. I got the impression they would have preferred to keep their mouths shut.
posted by ryanrs at 8:57 PM on January 31, 2011 [4 favorites]


Fixed November 2007.

Okay, that was a little bit of a surprise.
posted by XMLicious at 9:05 PM on January 31, 2011


I would like to make a bid for a new, temporary security disclosure protocol:

1) Send anonymous* email to CEO, to the domain registrar, and so forth, stating that A) you have found a vulnerability, B) that companies freak out about security disclosures, C) list incidents of companies freaking out about security disclosures, and since D) nobody can agree on a protocol for disclosures without lawyers threatening everyone, you can only alert them by releasing the code into the wild, in one hour.

2) Wait one hour.

3) Pastebin working proof of concept exploit code to 4chan, etc.

After about five years of this, corporations should have a working security disclosure protocol. Unless the W3C gets involved.

* Use Tor, use shady proxies, and pretty much anything you can think of
posted by adipocere at 9:14 PM on January 31, 2011 [10 favorites]


I remember reading about POF back when I was curious about adsense years ago, they were either the first site to break the $100,000 a month or $1,000,000 a year in adsense revenue. Based on that interview I can't say I'm surprised to learn this now.
posted by maxwelton at 9:20 PM on January 31, 2011


My comments before about trusting mefi to handle security disclosures was based on their past actions in regards to non-security measures. After reading their actual commitment to security. I reiterate my trust in mefi's reasonableness.

Maybe this should be an ask. post, but I'm curious as to what the admin's here would want/and like in a security disclosure interaction... From a service providers perspective, what is a reasonable disclosure process?

To those that advocate 'anonymous disclosure', it seems to me that disclosure needs to be more than tossing an email at a company and hoping it goes to the right place and gets acted upon, disclosure is engaging in a conversation and discourse, it's a back-and-forth interaction. That's one reason why generally it really is volunteer work, and if its a professional organization that found the bug and is disclosing it, then their reputation is involved in the disclosure; so it must be of a professional grade.
posted by el io at 9:22 PM on January 31, 2011


el io: The responsible action for security researchers or security savvy folks that find vulnerabilities in online services is to *not tell anyone*.

Including the site owners? That's silly.

Adipocere's protocol is the result of a long, intimate dialog between the security community and software and service vendors. Quite a few vendors really don't care if their users are getting pwned left and right as long as their site seems secure.
posted by hattifattener at 9:36 PM on January 31, 2011 [1 favorite]


el io you can definitely trust metafilter to handle vulnerability reports in a constructive way. When I figured out how to dump metafilter's password database, Matt was like, "oh crap, I will fix that immediately!"
posted by ryanrs at 9:45 PM on January 31, 2011 [2 favorites]


Here's the question though, why are you even going around looking for vulnerabilities anyway? Although I suppose if there was SQL query in the URL it would be pretty easy to notice.

I'm going to have to actually read the links, I guess.
Ya know, I usually do things the "correct" way with a hash and a salt. But sometimes an exec will call me up and try to get me to log in as him, or tell him his password and he thinks I am just goldbricking when tell him that I don't know his password and he will have to go through the reset password procedure like everyone else
You should setup a system where admins can log on "as" any user using their own credentials.
posted by delmoi at 9:47 PM on January 31, 2011 [1 favorite]


Funny, I was reading a big brag a little while ago about how PoF was a one-man-band paragon of Windows' scalability and ease of development.

Turns out the one man built a turd. Plaintext storage of passwords is a horror. You'd be surprised where it pops up; online Kiwi auction site TradeMe does the same thing.

An easy way to find out if sites do this is to try their forgotten password functionality. If they show you your password (or, worse yet, email it!), they're guilty.
posted by rodgerd at 9:52 PM on January 31, 2011 [1 favorite]


stanfordtickets.org: plaintext.
posted by kenko at 10:11 PM on January 31, 2011


You should just forgo the email entirely if the company has ever threatened legal action against a security researcher in the past. If your whitehat, post the exploit directly to 4chan, naming the past misbehaviors. If your blackhat, well.. Indeed, blackhats should ideally aid their whitehat kin by "looking into" sites that've threatened legal action before, umm? You should not however just assume that all companies will behave like plentyofescorts.com.
posted by jeffburdges at 10:24 PM on January 31, 2011


The CEO doesn't sound all that tightly wound, but Russo isn't the sort of "security researcher" I'd trust much either. He previously "researched" the Pirate Bay and eHarmony, and his approach seemed to be "of course they'll hire me to fix the hole I found." Likely quite a bit of miscommunication followed from that.

To be clear: You're not a security researcher if you're trying common SQL injection attacks on popular sites, any more than you're a 'home security expert' if you walk down the street trying doors to find ones unlocked, and then leaving a rate card on the kitchen table.
posted by fatbird at 10:24 PM on January 31, 2011 [2 favorites]


adipocere :2) Wait one hour.

(meaning no disrespect, sincerely). Are you insane? Have you ever worked in a corporation? Do you know how long it takes an infrastructure change to be properly vetted and tested even if is the most urgent possible change?

Current debate around 'responsible disclosure' starts at about a month or so of 'disclosure-to-patch' time (give or take whatever), you seem to propose moving this to a disclosure-to-patch-to-deployment, and then move that from about a month to an hour.

Well, a conversation has to start somewhere.

hattifattener: Adipocere's protocol is the result of a long, intimate dialog between the security community and software and service vendors.

No. No its not. It was proposed as a new temporary protocol; it is a proposal intended to cause crisis and change, not as a viable long term strategy (the effectiveness or wisdom of such a strategy is another conversation, and I doubt it would take much time for the 'responsible' disclosure debate on service vulnerabilities to progress if such a strategy were adopted; collateral damage might be noteworthy, however.)

hattifattener:
Including the site owners? That's silly.

No. No its not. If you find a vuln inadvertently (you view source and find raw SQL code that's passed from the client to the server, for example), the only way you can *demonstrate* the vulnerability is to 'hack' the system in question. Discussing the theoretical vulnerability without demonstration can often be unconvincing (particularly to ignorant audiences). To craft a demonstration within a legal context it's appropriate to require a legal relationship (NDA's, consent to intrusive penetration measures). When disclosing a vuln in off the shelf-software one engages in a lengthy process for no financial benefit; volunteer work for a large multi-national corp. When doing the same task for an online service one would potentially leave themselves vulnerable to a crippling criminal and/or civil legal attack.
posted by el io at 10:28 PM on January 31, 2011 [2 favorites]


any more than you're a 'home security expert' if you walk down the street trying doors to find ones unlocked, and then leaving a rate card on the kitchen table.

Some people need help with the basics.
posted by ryanrs at 10:39 PM on January 31, 2011


4chan: We're Here To Help!

<image of pedobear "helping">

posted by ryanrs at 10:42 PM on January 31, 2011 [3 favorites]


Isn't the idea of finding a security hole and then not reporting it just insanity? If the web has taught me anything, it's that if I come up with an idea that I think is neat, 999 out of 1000 someone else has beat me to it, and done a better job. I can't imagine the same isn't true with hacks.

And plain text storage of passwords is inexcusable. I knew that on my first "learn a bit about MySQL" exercise. It makes a few things moderately easier for site admins. But writing a script to auto-generate a new password and email it to a user takes, what, a few minutes?
posted by maxwelton at 10:52 PM on January 31, 2011


Isn't the idea of finding a security hole and then not reporting it just insanity?

No. Why should it be insane? POF is a business. If they're doing something stupid, why do you need to don your white knight uniform to save them from themselves? You have no obligation to help out the users of the site either. It's a nice thing to inform the site owners of the issue, but it's fraught with legal troubles for the good samaritan, and if someone nastier comes along and exploits the hole more seriously, that's the fault of the site owners, not the researcher who kept his mouth shut.

If I knew about a vulnerability in a site, I'd probably notify someone like Krebs and include enough detail for him to verify the vulnerability, and let the security press handle it. That's a nice bit of volunteerism. Then I'd forget about it. It's not my place to clean up the web.
posted by fatbird at 11:04 PM on January 31, 2011


I use a different email addresses for most websites, so I can tell when they're hacked. I've advised major websites (e.g., BoingBoing) of this a number of times and never. once. have I had a response.
posted by Joe in Australia at 11:51 PM on January 31, 2011


I have to disagree with fatbird and el io about who benefits from security vulnerabilities getting addressed. It seems to me quite possible to personally take some "collateral damage" from a large number of people having their identities compromised or the site itself being compromised in an idiot-caused security breach.

To toss out another analogy: for someone to be aware of a security vulnerability on a site like this and not report it (report it in a fashion that actually gets something done about it, as opposed to just secretly letting the company know about it and their beancounters telling them to take their chances) is like noticing that a business down the street from you is on fire, or has some stupid fire hazard, and not doing anything about it. The fire could spread and your house might burn down (a hacker could plant some exploit code on the site, get into your personal system through some vulnerability in your browser next time you visit, and now you've got a security breach too) or your neighbors' or friends' houses could get burned down (someone you know might have their identity compromised) or maybe the business's insurance doesn't cover everything and so some of the damage or firefighting costs come out of your taxes (costs to the various industries impacted by impersonation / identity theft, passed on to you as another customer of those industries) or maybe you lose your electric / cable / internet / water service due to infrastructure damage caused by the fire (if I think about it enough I'm sure I could come up with a parallel for that too... okay, the server or systems of clueless non-techies visiting the site are recruited into a botnet used for DDoSing another site or service you use! Ha HA!)
posted by XMLicious at 12:49 AM on February 1, 2011


For anyone out there still using the same password for every website, heres a few links: PwdHash, LastPass, 1password, Punchcast (self link)
posted by Lanark at 2:00 AM on February 1, 2011 [3 favorites]


Not quite the same situation but, just for the record, there are plenty of organisations out there that store passwords with reversible encryption. I imagine most large organisation with several kinds of new and historical systems that need the same account copying to all of them do this in some way. I'd be honestly astounded if there weren't banks of all hues doing it. Banks with passwords that are decryptable.

I don't know how Microsoft's ILM works or the old Sun offering (assuming it survived the Oracle takeover) but Novell's IDM identity management product absolutely relies on being able to do this. Even with admin privilidges you have to jump through a huge number of hoops to get at it because human eyes don't need to see it at all, but it is a technical possibility.

Amused to see PlentyOfFish send me a new password for an old account in plain text yesterday though. That's a whole different level of stupid.
posted by vbfg at 2:10 AM on February 1, 2011


So wait, one of these guys extorted another after one obtained usernames and passwords of all sorts of horny people who are hooking up with each other in sexy-style.

Why didn't he just spend his time...

Oh wait...I just realized I'm a huge pervert and not much of an entrepreneur.
posted by hal_c_on at 2:28 AM on February 1, 2011


Aside from Russo's comment thread: Look how small an ATM-skimmer can be made, that mounts right over the slot on an ATM
posted by hank at 3:13 AM on February 1, 2011 [1 favorite]


No good deed goes unpunished.
posted by Obscure Reference at 4:57 AM on February 1, 2011 [1 favorite]


PoF e-mailed me my new, post-hack password yesterday. In plaintext. I was already on the verge of deleting my account. Now it's a certainty.
posted by Eideteker at 5:53 AM on February 1, 2011


Plenty of Fish deletes the accounts of out transgender members, no warning and no notice.

Is that for real? Link?
posted by Theta States at 6:30 AM on February 1, 2011


He works two hours a day and makes as much as $10 million a year

Like most of us, he is overworked and underpaid, you can't blame him for missing a few little details about securing the data of his users! At any point in the seven years the site has been in existence.
posted by asok at 6:35 AM on February 1, 2011 [2 favorites]


You should setup a system where admins can log on "as" any user using their own credentials

Yeah,I should. One more thing for the backlog.
posted by Ad hominem at 6:37 AM on February 1, 2011


I need someone to recap this whole scenario, with attention paid to the alleged extortion and the equally alleged “unhinged” response of Plenty of Fish. Go for understandability, not conciseness, and don’t just call people by their surnames, of which there are too many.
posted by joeclark at 6:53 AM on February 1, 2011


joeclark, could you be more specific about what you don't get about Kokuryu's first comment?
posted by zamboni at 7:17 AM on February 1, 2011


Plenty of Fish deletes the accounts of out transgender members, no warning and no notice.

Is that for real? Link?


Popped into the thread to say this and was pleased that someone already did, but yeah, it's a fairly common experience, apparently.

According to the first link there, the official policy isn't to delete all transgendered accounts on sight, but to delete any accounts that receive complaints and, of course, receiving piles of hate mail seems to be a typical experience for transgendered folks using PoF as well.

Moral of the story? Plenty of less sleazy dating sites in the sea.
posted by byanyothername at 8:32 AM on February 1, 2011 [2 favorites]


I have to disagree with fatbird and el io about who benefits from security vulnerabilities getting addressed. It seems to me quite possible to personally take some "collateral damage" from a large number of people having their identities compromised or the site itself being compromised in an idiot-caused security breach.

Sure, the public benefits from security breaches addressed, just like it does when normal people call 911 when they see a fire or a mugging. But finding a hole isn't spotting a fire, it's looking through your store to see if its up to fire code standards. Finding violations in the course of a b&e doesn't justify the b&e.
posted by fatbird at 10:18 AM on February 1, 2011


I imagine most large organisation with several kinds of new and historical systems that need the same account copying to all of them do this in some way. I'd be honestly astounded if there weren't banks of all hues doing it. Banks with passwords that are decryptable.

All the ones I've worked for in my neck of the woods store customer passwords with strong one-way encryption.
posted by rodgerd at 10:29 AM on February 1, 2011


There is nothing preventing congress from making it a felony for large sites to store passwords without using strong one-way encryption, i.e. plaintext or reversible encryption net you jail time once you've enough users. You'd obviously need exceptions for password handling sites like Lanark linked above, but still.
posted by jeffburdges at 11:41 AM on February 1, 2011


You've not committed breaking & entering if you're merely identifying security holes. You may very well be required to commit breaking & entering before say plentyofescorts.com will recognize the security holes you've identified. If a company has ever threatened legal action against a security researcher, anonymous posts on 4chan become a perfectly moral disclosure route.
posted by jeffburdges at 11:48 AM on February 1, 2011


You've not committed breaking & entering if you're merely identifying security holes.

If you're sending SQL injections to the website, then yes, you're breaking and entering in exactly the same way as if you walk up to someone's house and, finding an open window, climb inside. And if you find that I left my window unlocked, allowing you to climb inside, I'm going to call the police, not hire you to check my other windows.

You may very well be required to commit breaking & entering before say plentyofescorts.com will recognize the security holes you've identified.

You're under no obligation to identify and report security holes, so your act of b&e is not immunized. This is why proper penetration testing involves legal agreements about scope and actions, just to protect the tester from the legal consequences of acts that would be, absent such agreements, illegal.

About all a good samaritan is safe doing is observing, from the outside, that a security vulnerability may exist (such as noticing that logging in submits the plaintext password in the querystring). The good samaritan is also under no obligation to pressure or force the company to fix the hole. Public disclosure? Awesome. Shame the company into fixing things or at least warn the public about the risks they take using the site. But no "security researcher" is the self-appointed sheriff of the Internet.
posted by fatbird at 12:06 PM on February 1, 2011


There is nothing preventing congress from making it a felony for large sites to store passwords without using strong one-way encryption, i.e. plaintext or reversible encryption net you jail time once you've enough users. You'd obviously need exceptions for password handling sites like Lanark linked above, but still.

Keep your doggone liberal hands off my computers.
posted by hal_c_on at 1:21 PM on February 1, 2011


Heh. I'm somewhat ashamed to admit I have a PoF account (never really used it, though I haven't been on a date in almost a year now), and the first time they sent me an EMAIL it had my password in plain text in the email. So I quickly changed it to a unique low-security password because I figured they had to be storing it in plain text.
posted by SirOmega at 1:44 PM on February 1, 2011


Finding violations in the course of a b&e doesn't justify the b&e.

Okay, but this is a completely different argument. Now you aren't mocking the people seeking out security vulnerabilities as engaging in silly volunteerism, you're raising moral or ethical objections to doing so. Worth talking about but it's a different subject from what I responded to above (and I have to say you seem to be taking a throw-everything-I've-got-and-see-what-sticks approach to criticism here.)
posted by XMLicious at 5:20 PM on February 1, 2011


Okay, I'll try to be a little clearer about what I'm responding to, and how I think of the issue.

There's two positions to be in with respect to reporting a security vulnerability. Either you notice through incidental use that there's a likely vulnerability (like observing that POF sends you your password, so they must be storing it in plaintext or reversible encryption), or you probe for vulnerabilities and find them.

The former case is just keeping your eyes open, like noticing in a store that the fire extinguishers have inspection tags indicating that they're long past due for routine maintenance, and will likely not work if needed. There's nothing wrong with noticing this, and it's being a good samaritan to bring it to the attention of someone who might do something about it.

The latter case is morally objectionable. It's the equivalent of testing doors and windows on a building to see if something is unlocked, and going inside if they are. It's digital trespassing, at the very least. It's not a big crime, but if someone approached me and said they wandered around in my unlocked house last night, my initial reaction would be basically hostile to them, even if they had a point about my personal safety.

Where the former becomes the latter is when the samaritan feels some obligation to ensure that I take his report seriously. It's one thing to tell the manager that he needs to check his fire extinguishers. It's another to take one off the wall and spray it around to force the store to buy new ones.

Russo is plainly guilty of the latter sort of "research". He tries common vulnerabilities that require actually penetrating the system, and then notifies the site owners. In combination with offering his services to fix the vulnerabilities, and threats of public disclosure to force corrective action, it's not hard to see why some site owners see Russo as an extortionist. At best, Russo is a silly volunteerist whose enthusiasm exceeds his common sense; at worst, he is, in fact, an extortionist. I'm not certain that he recognizes the difference.

The days when the Internet could be a self-policing community of the knowledgeable are long gone, and what protection consumers of web services should have should be legal or journalistic in nature--such as laws requiring companies to notify customers of data breaches, or journalists like Krebs to make public such incidents so that consumers make an informed choice.
posted by fatbird at 5:37 PM on February 1, 2011


Okay, you're still trying to mock people doing this as "samaritans." What I pointed out above is that you can personally suffer consequences from idiots leaving gaping security holes in publicly-accessible infrastructure. If I look through a neighbor's garage door window and see a big open vat of gasoline, doing something about that is not being a "samaritan", it's because I don't want my own house to burn down or any of the stuff I outlined above to happen. (Yeah - "fire extinguishers need to be checked" is a bit of an inadequate analogy for something like storing passwords as plain text, that is a grossly irresponsible action when you're inviting members of the public, who have a more valid excuse than you for not knowing any better about security, to use your service. Not that my analogies are brilliant or anything, though.) So please cut out the "samaritan" and "volunteerism" crap and stop trying to paint it as though people who think this stuff is important are somehow wishy-washy or unicorns-farting-rainbows idealists.

Now since you are spurning what I think is pretty obviously a valid point on my part, sure I'll consider your broader argument:

I simply do not agree with you that probing for security vulnerabilities is automatically morally objectionable. If I am using a web site and I say to myself, "Wow, this is a horribly engineered application. Look at the stuff that's getting revealed right within the URLs... I wonder, if I change the URL like this and refresh my browser, am I going to be able to see some of my own information that I thought was private?" and it turns out that I'm right - yeah, I may have "probed" for a security vulnerability rather than passively noticing one, but sorry I don't really care if I've violated your "My server is my castle!" sense of your personal space.

I can see that I might be vulnerable to a legal response to those actions but legality and morality are NOT interchangeable. Morally my conscience is completely clear in that case.

Your attitude smacks to me of "The owners of the server are providing a service for free, no matter what they're getting out of it, how DARE anyone question how they choose to do so?" But from my perspective, they're operating within the orbit of the commons, if not right in the commons - they get my data in their database and in their server logs, data that has real commercial value and which I have an interest in (even beyond the mutual security interest between the users and the site and all of the public interests that may arise from the potential collateral damage I talked about above) and from my moral point of view that is all the mandate I need to investigate whether they're being responsible stewards of my data. I do not need to wait for some journalistic or government agent to get around to investigating it for me.

The days of self-policing long gone? Hardly - journalistic or government institutions are less competent now to handle this sort of stuff than ever. We aren't somehow helpless dependents who have to wait for the wiser and supposedly-more-responsible powers that be to get their shit together. It kinda sounds to me like that vexes you - the fact that the users of these services, the mere lowly members of the public, are actually on equal footing with the businessmen or IT administrators that might back a site like this when it comes to investigating and doing something about security vulnerabilities of this sort.

Arguments one way or another aside, the proof is in the pudding - we know from the history of the last couple of decades or so that if security vulnerabilities are kept all down-low and hush-hush out of respect for the vendor, the vendors leave their users twisting in the wind without a second thought and nothing gets done about the security holes.

It's a simple accounting reality: if, because the vulnerability is a secret, there's an x% chance that either nothing bad will ever happen or that no one would ever find out that problems caused were the fault of the vendor's security vulnerability, y is the direct cost to the vendor itself of the security vulnerability being exploited, and z is the cost to fix the vulnerability, if x% × y < z then the vulnerability will get left open no matter how enormous the potential consequences to the users who actually suffer, like getting your identity stolen or my computer getting hacked because I visited a site I though was safe. For the vulnerability to get fixed you have to make sure that the bad publicity from not fixing the vulnerability costs more than z - not for any samaritan reason or for caring about the public in general, just to cover your own ass as a user of the site and a user of the public internet.

tl;dr I don't deny that it's possible an individual who is aware of security issues or possible security issues like these could be too reckless in trying to do something about it, and I don't think anyone should get an automatic assumption that they're acting with good intentions, they should have to demonstrate that's the case - but the "la-la silly volunteerism!" and "harumph, probing for security vulnerabilities is obviously by default immoral!" stuff is pretty obviously a steaming crock of shit. You're just desperately trying to find any possible way to indict and discourage the private investigations of security, even by a site's own users, that might cause problems for Important People.
posted by XMLicious at 7:38 PM on February 1, 2011 [1 favorite]


You've misinterpreted much of what I said because you think I'm using "volunteerism" and "samaritan" in a mocking way, when I'm not. "silly volunteerism" is mocking, yes, but I thought I was careful to distinguish between "good citizen helpfulness" (i.e., notifying the manager about the fire extinguishers, or the police about the open vat of gasoline) and the sort of self-appointed sheriff-ness of someone like Russo.
posted by fatbird at 7:50 PM on February 1, 2011


And to clarify your analogy with probing: You're not looking through your neighbour's garage window, you're picking the lock on the garage to check whether or not he's got a vat of gasoline ready to blow. That, to me, crosses a moral line. You're not seeing something and reporting it, you're actively investigating where you don't have a right to go.

Put it another way: If the only difference between your probing for vulnerabilities and your hacking the site and selling the passwords is that you don't misuse the information you gained, then you're probably on the wrong side of the line.
posted by fatbird at 8:04 PM on February 1, 2011


Ah, I see that we've gone from "trying the door to see if it's unlocked" to "picking the lock on the door". Obviously the first analogy wasn't denigrating and imputing enough.

Typing a bunch of extra characters into a URL is like picking the lock on a garage? No, sorry. The server doesn't have to return anything when I request that URL - in fact it's supposed to NOT return anything, that's exactly the problem.

To return to your original analogy about doors - ya know what? If someone puts their money in a bank, I have absolutely no problem with that person going up to that bank - even at night, how lowlife and disreputable! - and trying all of the doors to see if they're open. And if that person finds an open door and walks in and sees that their money is just lying on the floor in the open instead of being in a vault? And they tell someone about it? I have no goddamn problem with that at all. Not one bit. I don't care if the bank prosecutes its customer for trespassing or breaking and entering until the cows come home, I do not find one iota of moral fault with what the customer has done there.

And do you see there how the only difference between that customer and a bank robber is that the customer didn't misuse the information he'd gained? Right. Not on the wrong side of the line at all. Your attempt to lay out a rule-of-thumb soundbite that would support your desired position has utterly failed, it wasn't worth the electrons it was written with.

The kinds of things we're talking about doing are not the equivalent of international catburglars backed by the resources of millionaire art collectors breaking into the Louvre. There is no resemblance at all to some sophisticated criminal operation. We're talking about figuring out whether a twelve-year-old who read a few things or downloaded a couple of hacking tools could get in. I have no problem with people figuring out whether an organization I do business with - and it is business, whether services are provided for free or not - have left themselves open to being compromised by twelve-year-olds, no matter what intricate analogy could be made to IRL crimes that sound scary or despicable because they usually involve actual damage to or actual theft of actual property.
posted by XMLicious at 10:10 PM on February 1, 2011 [1 favorite]


Your attempt to lay out a rule-of-thumb soundbite that would support your desired position has utterly failed, it wasn't worth the electrons it was written with.

Okay, I'm done.
posted by fatbird at 10:15 PM on February 1, 2011


Yes you are. As they say, you've got nuthin'.

Let me point out that I am not defending Chris Russo; reviewing the OP links again, I don't see anything that is airtight proof that he wasn't running a scam, for certain. But fatbird, you have been trying to develop categorical ways to mock, morally indict, and analogize him to a kind of criminal, and anyone who would do similar things, even if nothing he did was with criminal intentions. And I'm sorry, but you don't have a leg to stand on there, much less a moral high horse to climb up onto.
posted by XMLicious at 10:32 PM on February 1, 2011


Bah, y'know what? I really was rude here, I was reacting too personally to the categorical, moral indictment of this kind of investigative hacking. I stand by the points I've made, but if categorically calling investigative hacking "silly volunteerism" were left off, I could agree that trying to make money in the way Russo is doing (assuming he isn't a scammer) without expecting something like this to happen is foolish, and maybe all that fatbird was trying to get across, at bottom, was that Russo is at least being foolish in that way. Or maybe not - I wouldn't want to speak for fatbird.

In any case, I'm going to MeMail fatbird and apologize for being rude.

(Also, it's not that I'm a super hacker or anything, I've just done things along these lines once or twice - not the trying to make money part, though - and I don't consider myself immoral or criminal for it, for the reasons outlined above.)
posted by XMLicious at 11:00 PM on February 1, 2011


If the only difference between your probing for vulnerabilities and your hacking the site and selling the passwords is that you don't misuse the information you gained, then you're probably on the wrong side of the line.

This was before your time fatbird, but back in 2006 I discovered a bug that let me get the plaintext password for any metafilter account. I found this vulnerability by actively messing with the server (basically hand-crafting requests and cookie data). And while I had noble intentions, my investigative actions were indistinguishable from 'hacking'.

Here's an account of the aftermath. No public announcement was made, presumably because no accounts had been compromised. (There would have been evidence in multiple log files.)

My 'lockpicking' improved metafilter and helped safeguard the passwords and privacy of its users.

Just a datapoint for your consideration.
posted by ryanrs at 2:20 AM on February 2, 2011


Isn't the idea of finding a security hole and then not reporting it just insanity?

No, because so much of the legislation around IT security is such a badly drafted, draconian legal minefield.

For example, in 2005 Daniel Cuthbert, an IT security consultant was convicted and fined £400 + £600 costs under the UK Computer Misuse Act of gaining unauthorised access to the Tsunami appeal Web site. Cuthbert clicked on a banner ad to donate £30 to the Disaster Emergency Committee (DEC) appeal. However, when he did not get a confirmation or thank you in response to his donation, he feared that he had fallen for a phishing scam. To check, he added ../../../ to the URL in an attempt to access the site's higher directories -- an action that triggered an alarm.

So he gained a criminal record for doing nothing more than loading a page in his web browser. It would be nice to believe that the good guy making a security disclosure won't end up serving a prison term, but the current legal track record in this area is not pretty.
posted by Lanark at 8:11 AM on February 2, 2011


I could agree that trying to make money in the way Russo is doing (assuming he isn't a scammer) without expecting something like this to happen is foolish

I think we all agree on this, yes? Extortion, no. Inappropriate, unprofessional, and vaguely creepy? Yes. "I hacked your site, now pay me to fix it" just isn't on.
posted by Sidhedevil at 2:21 PM on February 2, 2011


Certainly, if anyone had clearly tried at any point to make that specific statement during the above exchange, we could have all agreed on it.

I think that "I hacked your site, now pay me to fix it" could work from a purely entrepreneurial perspective - I mean, having a creepy, ethically questionable business plan with potential serious conflicts of interest is by no means whatsoever a barrier to entry into the business world, this is a pretty conventional "you can't afford not to spend money on my company's products and services to remedy a problem you didn't even know you had!" approach, it's just that this isn't one of the standard sort of creepy, ethically questionable things that "respectable businessmen" do all the time. (Yet.) So from a practical perspective, to avoid fallout like this, Russo would need to come up with an ironclad, unambiguous way to demonstrate to his potential clients that the initial exposure of a security vulnerability really is just a lost leader.

In some ways I find it deeply satisfying that the thing which is intensifying the alarming apparent threat of hacking in this particular case is good, old-fashioned red-blooded capitalism.
posted by XMLicious at 9:32 PM on February 2, 2011


An interesting related note to my parenthetical (Yet.) above: regarding the HBGary fiasco (thread) , an Ars Technica article notes that HBGary, government contractor and self-styled security and social network analysis experts, regularly advertised to many high-powered clients that they have in their possession a cache of zero-day exploits that they've intentionally withheld and left unreported.

(And the high-powered, "legitimate" businessmen who became aware of them offering mercenary hacker services weren't the ones who called down the law on HBGary, of course, nor did the government. My point being that, questions of possible intruding-on-a-man's-castle moral transgressions aside, the notion that all vigilante policing or sheriffing is somehow atavistic, useless, or inherently arrogant because there are journalistic or government or other institutions of society who will take care of it is at minimum naïve and at worst dangerous and a case of letting the foxes guard the henhouse.)
posted by XMLicious at 11:40 PM on February 15, 2011


« Older You may not be familiar with the name Mel Birnkran...  |  2 0 1 0 a year in reviews... Newer »


This thread has been archived and is closed to new comments