I’m seriously amazed at how abusive Howard is. I went back to your other post [1] and read his replies, and can’t believe how consistent his attitude is. He seems unreasonable. It was nice to see your patient, level-headed reply.
He's probably just a kid playing around with some cool technology and kicking off because he's young and over-confident (I'm sure many of us can relate to that - even if we weren't so foul mouthed).
One of the great things about the web is it evens the playing field for anyone to build tech. The cost of that is it becomes harder to spot someone with experience from someone who isn't.
In any case, I think you handled the situation far better than most would have.
This is one reason 'tptacek any I are so militant on the "responsible disclosure" issue. People who seem to believe the onus is on security researchers to do whatever song and dance the person who are actually responsible want. That's nonsense: if you find the bug you get to do whatever you want with that information. (Including, I think, trade on it? But I'm not a lawyer and that's not legal advice.)
Well, it's subtle, right? That presupposes they're an incompetent idiot, and if they are, I agree: you should just publish a full disclosure.
A lot of projects/companies fortunately are not staffed by incompetent idiots. I'm also not saying "never disclose to the company/project". It's what I do 100% of the time if it's worth disclosing and I don't have prior evidence that they'll react poorly. I'm saying researchers have no moral obligation to do anything.
Well, I'm happy to walk you through it if you're game. Let's say the company is an incompetent idiot: that also means they're unlikely to respond well to a well-written vuln report. So what protects the general public the most? The bad guys can find vulns too, and you have no idea if you're the first to find a vulnerability, and we're presupposing the company won't handle it well. The _best outcome_ for the general public is full, immediate, public disclosure in that case!
There are other arguments here, like the fact that random people putting bugs in websites are not entitled to a researcher's time.
I'm not going to link to specific github issues but I've seen enough people dropping "vulnerabilities" and yelling at the developers. (I'm pretty sure you know what I'm talking about.) This often gets the developers worked out and gives security people a bad rap. It's a lose-lose situation imo. People need to learn empathy and stop blaming developers.
Of course there are companies that need to be shamed, and that will repeatedly act shady, but too many people use this to excuse their behavior in general.
I disagree that the best outcome is full immediate public disclosure. N (where N may be 0) bad actors abusing the vulnerability is not necessarily worse than releasing the vulnerability to where any script kiddie can abuse it.
A direct example is right here - ArtChain is now completely unusable because someone decided it would be funny to redirect their homepage to Pornhub. Sure, they had it coming, but I'd wager at least a few readers here had to hurried explain to a coworker why they were looking at porn at work.
(Granted, it's not a good example, because the researcher in question did reach out, and the incompetent idiot showed his ass to the entire internet, but immediate full disclosure would have had the same effect.)
I also agree that just sitting on the vuln and pleading with an idiot is not a productive use of anyone's time.
ArtChain had that bug, it was trivially discoverable with automated scanners, someone told them about it, and they did _worse_ than ignoring the report -- so yes, I agree, your example is really more of a counterexample :-D
I know this is irony, but making the joke obvious to the few that might take it seriously: it's not so good to have that visibility when the cause is the author cursing security researchers away because they are trying to delay a couple days your fraudulent CPO by asking you to patch blatantly obvious and basic security holes.
Sadly, this is almost a joke - it seems like any kind of visibility works. Most of people just don't care about the context, they just remember the brand name.
From a bit of searching, it looks like the individual responding to the disclosure emails is a patent attorney, claiming to specialize in bitcoin patents.
I’d be terrified to have him be my lawyer for anything, given his responses here. Artinfo is clearly dead in the water at this point, and I can’t even tell if he is the actual owner of it, or just a legal representative.
The security issues are terrible, but it’d really suck to have your company torpedoed by your unhinged IP counsel.
From the looks of it, this site hasn't done much in the way of actual business. A handful of transactions 180 days ago, probably the original pieces being loaded up, and then crickets. https://etherscan.io/address/0xc40cf3abc0166847c16f1f60f3fdf...
Monograph is a fantastic blockchain art registry, made by Chris Tse, the founder of Cardstack. There are several others that actually demonstrate some of the more novel aspects of this particular use case. https://monegraph.com
33 comments
[ 2.3 ms ] story [ 67.2 ms ] threadEither way the user's suffer...
[1] https://shkspr.mobi/blog/2018/06/how-i-became-leonardo-da-vi...
Yikes.
One of the great things about the web is it evens the playing field for anyone to build tech. The cost of that is it becomes harder to spot someone with experience from someone who isn't.
In any case, I think you handled the situation far better than most would have.
It's not about bending to the will of an incompetent idiot; it's about protecting vulnerable end users from the idiot in question.
A lot of projects/companies fortunately are not staffed by incompetent idiots. I'm also not saying "never disclose to the company/project". It's what I do 100% of the time if it's worth disclosing and I don't have prior evidence that they'll react poorly. I'm saying researchers have no moral obligation to do anything.
I don't think I agree with you, but I understand your point of view, and don't think I can really argue from any sort of objective reasoning.
There are other arguments here, like the fact that random people putting bugs in websites are not entitled to a researcher's time.
Also, even if it’s true, why does the company get to command the researcher’s time?
Finally, as a company, you get to mitigate this by having a serious disclosure policy. It helps if you don’t look like the bad guys.
I'm not going to link to specific github issues but I've seen enough people dropping "vulnerabilities" and yelling at the developers. (I'm pretty sure you know what I'm talking about.) This often gets the developers worked out and gives security people a bad rap. It's a lose-lose situation imo. People need to learn empathy and stop blaming developers.
Of course there are companies that need to be shamed, and that will repeatedly act shady, but too many people use this to excuse their behavior in general.
A direct example is right here - ArtChain is now completely unusable because someone decided it would be funny to redirect their homepage to Pornhub. Sure, they had it coming, but I'd wager at least a few readers here had to hurried explain to a coworker why they were looking at porn at work.
(Granted, it's not a good example, because the researcher in question did reach out, and the incompetent idiot showed his ass to the entire internet, but immediate full disclosure would have had the same effect.)
I also agree that just sitting on the vuln and pleading with an idiot is not a productive use of anyone's time.
With how nasty this guy has been, it's like he's asking for a bad actor to really cause trouble.
I'd be so happy to have anyone file a report like the author did, exposing possible flaws in a platform I operate.
I pulled the link, anyone curious can figure out how to reach artchain dot info on their own time.
Not so funny when you're going there at work, but that was my fault.
Fools get lucky occasionally.
I’d be terrified to have him be my lawyer for anything, given his responses here. Artinfo is clearly dead in the water at this point, and I can’t even tell if he is the actual owner of it, or just a legal representative.
The security issues are terrible, but it’d really suck to have your company torpedoed by your unhinged IP counsel.