Revealing other site's security holes on L19
- Joaz Banbeck
Revealing other site's security holes on L19
In the 'Kaya.gs' thread, there were several people explicitly describing alleged security flaws of the Kaya site. I asked people not to do this on L19. I'm starting this thread to discuss that policy.
IMHO, as a general rule for any forum, when you discover a security flaw in a web site, the best option is to contact the admins there as soon as possible and as discreetly as possible. Posting it on a public forum seems to be a last resort, done only when all private attempts to correct the flaw have failed. I think that is a wise policy on L19 or on any forum.
Furthermore, there are liability issues. Suppose someone posts a relatively innocuous flaw, and we do nothing, and then later a serious flaw about a second site is posted. If the owner of the second site suffers significant losses, we could be liable because we would have a demonstrable track record of not doing anything to prevent the publication of security flaws. In lawyer jargon, we would have been willfully negligent.
I'm in favor of a policy that says that you don't post security flaws on L19. You can say that the site has flaws, but not describe them so that some malicious reader can exploit them. Details should be privately sent to that site's admins.
Help make L19 more organized. Make an index: https://lifein19x19.com/viewtopic.php?f=14&t=5207
- Joaz Banbeck
Re: Revealing other site's security holes on L19
jts wrote:Is that actually US law, or just a scaredy-cat interpretation of US law?
All US law gets interpreted. Indeed, the vast majority of the laws that you and I live under are not 'statute law' - the actual text written by a legislative body - but are 'case law' - that which has been interpreted in a courtroom. ( This, BTW, is why supreme court decisions are newsworthy, for nobody really knows what the law means until the supremes say what it means. )
If you mean to ask, "Is the attorney to whom you spoke a scaredy-cat?", I can say with certainty, "no".
- Phelan
Re: Revealing other site's security holes on L19
Like I've said on that thread, I am not in favor of having forum policy say you can't post security flaws. Go program/site security flaws should be able to be publicly discussed at L19.
Most Go developers have been open to suggestions and bug reports, but what if one isn't, and just refuses to listen to reason? Such a policy would make it impossible to discuss its flaws here.
- RBerenguel
Re: Revealing other site's security holes on L19
There's a legal issue here, and Joaz's statement is to the point. I guess we can discuss the security issue, but not give the details. Like "I've found a hole related to weak passwords in kaya-alpha, are you aware of this?" Since there are no harming details, there should be no problem.
But if a server/program/whatever loses money because of too much disclosure, he/she can seek legal charges to the forum owners... and this is not good. Better to speak too little rather than too much.
Geek of all trades, master of none: the motto for my blog mostlymaths.net
- hyperpape
Re: Revealing other site's security holes on L19
Not that I'm planning anything, but what's the rule on links to security flaws published elsewhere?
- tapir
Re: Revealing other site's security holes on L19
Shooting the messenger is a time-honored practice.
I am a bit disappointed by the L19 admin stance on this. It is a help neither to L19 (who is going to sue the biggest English-language go forum when he starts a new go server basically funded by volunteers all over the world? The same for any other go-related software.) nor to Kaya (how will they professionalize when nobody dares to give them feedback on crucial issues?). The harming details in question were all present on the Kaya website, AFAIR.
And what about negative book reviews? Isn't there a risk of significant losses, too?
- hyperpape
Re: Revealing other site's security holes on L19
tapir wrote:And what about negative book reviews? Isn't there a risk of significant losses, too?
Not as far as I know. In the US, I believe there should only be an issue if the content of the review is libelous. And proving libel is hard: you need to prove that the reviewer knowingly wrote falsehoods designed to damage the reputation of the target.
The US is litigious, but also tends towards strong protections of free speech in many areas.
That's even aside from the issue of whether the forum would be liable for user reviews--I seem to recall that that's another high bar for the plaintiff to clear.
Of course, I'm no lawyer.
- RobertJasiek
Re: Revealing other site's security holes on L19
All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps.
- RBerenguel
Re: Revealing other site's security holes on L19
RobertJasiek wrote:All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps.
I used to read Slashdot. If you do this against someone big enough, you will spend some time in jail (it has happened in more than one or two instances before).
- Phelan
Re: Revealing other site's security holes on L19
RobertJasiek wrote:All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps.
I disagree. That should only be done as a last measure, if the developers don't act on private messages.
- Chew Terr
Re: Revealing other site's security holes on L19
tapir wrote:I am a bit disappointed by L19-admin stance on this.
To be fair, Joaz was suggesting more 'Hey, I think I found a security-related bug in X site. Could someone please put me in contact with a developer so that I can contact them privately'.
He's far from shooting the messenger, just saying 'If we discuss this sort of stuff, it's polite to the developers (and covers your backside) if you make sure it doesn't look like you're just trying to spread word so that people can hack into sites.'
As a metaphor, it's kind of like saying 'Man, there's a lot of go book piracy on the internet. Can someone put me into contact with this author so that I can tell him the site in case he can take action against it?' versus saying 'Here is a list of where each go book can be found illegally on the internet. Piracy is bad and I hope they take it down.' Even if the latter is meant with good intentions, it's too likely to be abused or misunderstood.
Someday I want to be strong enough to earn KGS[-].
- Kirby
Re: Revealing other site's security holes on L19
I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid. I guess it has the benefit of encouraging people to go to the source and try to get them to fix it. But it's funny to me that this is required.
be immersed
- Joaz Banbeck
Re: Revealing other site's security holes on L19
RobertJasiek wrote:All security gaps ought to be published in as great detail and as fast as possible because this is the by far best encouragement to fix the gaps.
I shall keep this in mind if you ever have a broken lock on your front door.
Kirby wrote:I'm not up on current laws, US or otherwise, but I think a law that would put someone in jail for revealing a security flaw is kind of stupid...
Ummm..we are talking civil law here, not criminal law.
RBerenguel wrote:... we can discuss the security issue, but not give the details. Like "I've found a hole related to weak passwords in kaya-alpha, are you aware of this?" Since there are no harming details, there should be no problem.
But if a server/program/whatever loses money because of too much disclosure, he/she can seek legal charges to the forum owners... and this is not good. Better to speak too little rather than too much.
This is stated better than mine.
Thanks.
- Dusk Eagle
Re: Revealing other site's security holes on L19
Free speech is protected under the first amendment. I can't see any party that would sue L19 (which is US-based) over a member posting a security flaw having a leg to stand on in court. As well, there would likely be a huge backlash over some party suing us for what one of our members says. I believe the correct policy is to allow members to talk and discuss about whatever they like, as long as it doesn't violate the rules we already have in place. Even in the event that we were to be sued (and I think it's a bit ridiculous to think we would), I believe such a policy would still be the correct one.
In short, yes, you should be able to post about security flaws on L19 (though you probably should contact the owner first). Don't add more rules to this forum; it's good as it is.
We don't know who we are; we don't know where we are.
Each of us woke up one moment and here we were in the darkness.
We're nameless things with no memory; no knowledge of what went before,
No understanding of what is now, no knowledge of what will be.