Life In 19x19 :: Revealing other site's security holes on L19

Is that actually US law, or just a scaredy-cat interpretation of US law?

And what about negative book reviews? Isn't there a risk of significant losses, too?

All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps.

I am a bit disappointed by L19-admin stance on this.

All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps.

I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid...

... we can discuss the security issue, but not give the details. Like "I've found a hole related to weak passwords in kaya-alpha, are you aware of this?" Since there are no harming details, there should be no problem.

But if a server/program/whatever loses money because of too much disclosure, he/she can seek legal charges to the forum owners... and this is not good. Better to speak too little rather than too much.

...
I am a bit disappointed by L19-admin stance on this. It is a help neither to L19 (who is going to sue the biggest english language go forum when he starts a new go server basically funded by volunteers all over the world? the same for any other go related software.) nor to Kaya (how will they professionalize when nobody dares to give them feedback on crucial issues?)...

... The harming details in question were all present on the Kaya website...

Kirby wrote:

I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid...

Ummm..we are talking civil law here, not criminal law.
.

RobertJasiek wrote:

All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps.

I used to read Slashdot. If you do this against someone big enough, you are for some time in jail (happened in more than one or two instances before)

Author:	Joaz Banbeck [ Fri Dec 30, 2011 12:15 am ]
Post subject:	Revealing other site's security holes on L19
In the 'Kaya.gs' thread, there were several people explicity describing alleged security flaws of the Kaya site. I asked people not to do this on L19. I'm starting this thread to discuss that policy. IMHO, as a general rule for any forum, when you discover a security flaw in a web site, the best option is to contact the admins there as soon as possible and as discretely as possible. Posting it on a public forum seems to be a last resort, done only when all private attempts to correct the flaw have failed. I think that is a wise policy on L19 or on any forum. Furthermore, there are liability issues. Suppose someone posts a relatively innocuous flaw, and we do nothing, and then later a serious flaw about a second site is posted. If the owner of the second site suffers significant losses, we could be liable because we would have a demonstrable track record of not doing anything to prevent the publication of security flaws. In lawyer jargon, we would have been willfully negligent. I'm in favor of a policy that says that you don't post security flaws on L19. You can say that the site has flaws, but not describe them so that some malicious reader can exploit them. Details should be privately sent to that site's admins.

Author:	jts [ Fri Dec 30, 2011 8:27 am ]
Post subject:	Re: Revealing other site's security holes on L19
Is that actually US law, or just a scaredy-cat interpretation of US law?

Author:	Joaz Banbeck [ Fri Dec 30, 2011 9:03 am ]
Post subject:	Re: Revealing other site's security holes on L19
jts wrote: Is that actually US law, or just a scaredy-cat interpretation of US law? All US law gets interpreted. Indeed, the vast majority of the laws that you and I live under are not 'statute law' - the actual text written by a legislative body - but are 'case law' - that which has been interpreted in a courtroom. ( This, BTW, is why supreme court decisions are newsworthy, for nobody really knows what the law means until the supremes say what it means. ) If you mean to ask, "Is the attorney to whom you spoke a scaredy-cat?", I can say with certainty, "no".

Author:	Phelan [ Fri Dec 30, 2011 12:28 pm ]
Post subject:	Re: Revealing other site's security holes on L19
Like I've said on that thread, I am not in favor of having forum policy say you can't post security flaws. Go program/site security flaws should be able to be publicly discussed at L19. Most Go developers have been open to suggestions and bug reports, but what if one isn't, and just refuses to listen to reason? Such a policy would make it impossible to discuss its flaws here.

Author:	RBerenguel [ Fri Dec 30, 2011 12:54 pm ]
Post subject:	Re: Revealing other site's security holes on L19
There's a legal issue here, and Joaz statement is to the point. I guess we can discuss the security issue, but not give the details. Like "I've found a hole related to weak passwords in kaya-alpha, are you aware of this?" Since there are no harming details, there should be no problem. But if a server/program/whatever loses money because of too much disclosure, he/she can seek legal charges to the forum owners... and this is not good. Better to speak too little rather than too much.

Life In 19x19 http://www.lifein19x19.com/

Revealing other site's security holes on L19 http://www.lifein19x19.com/viewtopic.php?f=14&t=5233	Page 1 of 2

Author:	hyperpape [ Fri Dec 30, 2011 1:23 pm ]
Post subject:	Re: Revealing other site's security holes on L19
Not that I'm planning anything, but what's the rule on links to security flaws published elsewhere?

Author:	tapir [ Fri Dec 30, 2011 1:41 pm ]
Post subject:	Re: Revealing other site's security holes on L19
Shooting the messenger is a time-honored practice. I am a bit disappointed by L19-admin stance on this. It is a help neither to L19 (who is going to sue the biggest english language go forum when he starts a new go server basically funded by volunteers all over the world? the same for any other go related software.) nor to Kaya (how will they professionalize when nobody dares to give them feedback on crucial issues?). The harming details in question were all present on the Kaya website, afair. And what about negative book reviews? Isn't there a risk of significant losses, too?

Author:	hyperpape [ Fri Dec 30, 2011 2:03 pm ]
Post subject:	Re: Revealing other site's security holes on L19
tapir wrote: And what about negative book reviews? Isn't there a risk of significant losses, too? Not as far as I know. In the US, I believe there should only be an issue if the content of the review is libelous. And proving libel is hard: you need to prove that the reviewer knowingly wrote falsehoods designed to damage the reputation of the target. The US is litigious, but also tends towards strong protections of free speech in many areas. That's even aside from the issue of whether the forum would be liable for user reviews--I seem to recall that that's another high bar for the plaintiff to clear. Of course, I'm no lawyer.

Author:	RobertJasiek [ Fri Dec 30, 2011 2:10 pm ]
Post subject:	Re: Revealing other site's security holes on L19
All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps.

Author:	RBerenguel [ Fri Dec 30, 2011 2:23 pm ]
Post subject:	Re: Revealing other site's security holes on L19
RobertJasiek wrote: All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps. I used to read Slashdot. If you do this against someone big enough, you are for some time in jail (happened in more than one or two instances before)

Author:	Phelan [ Fri Dec 30, 2011 2:46 pm ]
Post subject:	Re: Revealing other site's security holes on L19
RobertJasiek wrote: All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps. I disagree. That should only be done as a last measure, if the developers don't act on private messages.

Author:	Chew Terr [ Fri Dec 30, 2011 3:06 pm ]
Post subject:	Re: Revealing other site's security holes on L19
tapir wrote: I am a bit disappointed by L19-admin stance on this. To be fair, Joaz was suggesting more 'Hey, I think I found a security-related bug in X site. Could someone please put me in contact with a developer so that I can contact them privately'. He's far from shooting the messenger, just saying 'If we discuss this sort of stuff, it's polite to the developers (and covers your backside) if you make sure it doesn't look like you're just trying to spread word so that people can hack into sites. As a metaphor, it's kind of like saying 'Man, there's a lot of go book piracy on the internet. Can someone put me into contact with this author so that I can tell him the site in case he can take action against it?' versus saying 'Here is a list of where each go book can be found illegally on the internet. Piracy is bad and I hope they take it down.' Even if the latter is meant with good intentions, it's too likely to be abused or misunderstood.

Author:	Kirby [ Fri Dec 30, 2011 3:28 pm ]
Post subject:	Re: Revealing other site's security holes on L19
I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid. I guess it has the benefit of encouraging people to go to the source and try to get them to fix it. But it's funny to me that this is required.

Author:	Joaz Banbeck [ Fri Dec 30, 2011 3:51 pm ]
Post subject:	Re: Revealing other site's security holes on L19
RobertJasiek wrote: All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps. I shall keep this in mind if you ever have a broken lock on your front door. Kirby wrote: I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid... Ummm..we are talking civil law here, not criminal law. RBerenguel wrote: ... we can discuss the security issue, but not give the details. Like "I've found a hole related to weak passwords in kaya-alpha, are you aware of this?" Since there are no harming details, there should be no problem. But if a server/program/whatever loses money because of too much disclosure, he/she can seek legal charges to the forum owners... and this is not good. Better to speak too little rather than too much. This is stated better than mine. Thanks.

Page 1 of 2	All times are UTC - 8 hours [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group http://www.phpbb.com/

Author:	Dusk Eagle [ Fri Dec 30, 2011 4:03 pm ]
Post subject:	Re: Revealing other site's security holes on L19
Free speech is protected under the first amendment. I can't see any party that would sue L19 (which is US-based) over a member posting a security flaw having a leg to stand on in court. As well, there would likely be a huge backlash over some party suing us for what one of our members says. I believe the correct policy is to allow members to talk and discuss about whatever they like, as long as it doesn't violate the rules we already have in place. Even in the event that we were to be sued (and I think it's a bit ridiculous to think we would), I believe such a policy would still be the correct one. In short, yes, you should be able to post about security flaws on L19 (though you probably should contact the owner first). Don't add more rules to this forum; it's good as it is.

Author:	Joaz Banbeck [ Fri Dec 30, 2011 4:25 pm ]
Post subject:	Re: Revealing other site's security holes on L19
Here is Dusk Eagles' Visa card number: This would not be covered by the first amendment. If I did reveal his info, and he suffered a loss because of it, I would be liable. tapir wrote: ... I am a bit disappointed by L19-admin stance on this. It is a help neither to L19 (who is going to sue the biggest english language go forum when he starts a new go server basically funded by volunteers all over the world? the same for any other go related software.) nor to Kaya (how will they professionalize when nobody dares to give them feedback on crucial issues?)... The concern is not about kaya disclosure. Nobody is going to sue anybody over it. Nobody has suffered any significant harm, nor does anybody have exposure such that they could suffer harm from it. It is the possible NEXT disclosure that concerns me. If, in the future, somebody divulges a security flaw about some other web site on L19, and there is significant harm to someone as a result, then how we handled this one could be relevant. If our actions on the kaya issue reflect a disregard for preventing the spreading of security flaws, it can be argued that we disregarded the later issue too. tapir wrote: ... The harming details in question were all present on the Kaya website... Surprisingly, in US civil law, this is not really relevant. Either we are or are not spreading info about security flaws. That someone else makes such information available too does not cover us. ( Unless they are just blanketing the world with the info such that our actions had no effect whatsoever. )

Author:	LocoRon [ Fri Dec 30, 2011 4:33 pm ]
Post subject:	Re: Revealing other site's security holes on L19
This new policy aside, the original post that sparked this policy really was a special case. As the poster indicated, all the required information for the security hole was already publicly available. It's not like he had to do any sort of non-obvious work to discover the hole. Second, the owner of the website in question has explicitly stated he doesn't even consider it to be a security vulnerability (I personally disagree, but I've been trying to suppress my urge to rant on this, and so I shall continue to suppress that urge). Third, due to the nature of this particular hole, the users were more at risk of attack than the website itself, and as such, I think it is highly important that those very users be made aware of the hole. Anyway, I think this is a generally acceptable policy (if I want to read about security vulnerabilities, I'll find security vulnerabilities newsletters or forums to subscribe to; I come to L19 for the Go); however, I am glad that at least this one hole was mentioned here. After all, Go is such a niche market, that even the highest profile Go website security vulnerabilities probably wouldn't even make a blip on the radar of most security focused sources.

Author:	Kirby [ Fri Dec 30, 2011 5:06 pm ]
Post subject:	Re: Revealing other site's security holes on L19
Joaz Banbeck wrote: Kirby wrote: I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid... Ummm..we are talking civil law here, not criminal law. . RBerenguel wrote: RobertJasiek wrote: All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps. I used to read Slashdot. If you do this against someone big enough, you are for some time in jail (happened in more than one or two instances before) This is where I got the bit about jail. Anyway, I still think it's kind of silly to punish someone for revealing a flaw in design, particularly if they are only revealing the hole that is there. I think a guy put an app on the apple app store recently to exploit a bug apple had. They revoked his dev account, but no legal action was taken, I think. That, to me, seems fair. If we are going to require people to privately disclose this stuff by law, then how about entitling them to compensation for working on a company's security design? The more I think about this, the more I am skeptical. Can we get a citation of an actual law stating that this is not allowed?

Author:	judicata [ Fri Dec 30, 2011 6:18 pm ]
Post subject:	Re: Revealing other site's security holes on L19
Lawyers are scaredy-cats when it comes to question such as "can I get in legal trouble for X?" It is basically our job. By the way (although I don't think this is the case here) if you ask "Can I be sued for X?", the answer is almost always "yes" because people can file a lawsuit over practically anything. Whether you would likely be held liable along with whether being held liable would have any practical consequences, and whether someone is actually likely to sue are the real questions. And I won't answer them . I think it is basically a non-issue, whether the policy is adopted or not. It isn't like L19 is a resource for finding and exploiting security holes (nor is it a deep pocket). And he policy might chill otherwise helpful communication: as demonstrated in this thread, it isn't entirely clear what posts would be allowed and what wouldn't be. But since the issue is unlikely to come up very often, adopt the policy or don't. You might upset someone's principles either way, but to little ultimate effect.

Author:	illluck [ Fri Dec 30, 2011 7:33 pm ]
Post subject:	Re: Revealing other site's security holes on L19
As the culprit, I wanted to reply when I read this post earlier today, but had to rush to a trip. I must admit that I failed to consider the implications for L19 when I made that post in the K.gs thread, and would like to apologize for any inconveniences I caused to the moderators. I will make sure to avoid posting any details on L19 in the future (though as others remarked, this is likely/hopefully infrequent).