Yes, they tried disclosing to officials. Not the ambassador. You're inserting your own interpretation, while I am curious about the intentions of the parent comment. I was assuming no ill-will, by the way.
I think they're saying the Mexican ambassador hasn't been "paying attention", probably meaning they've been ignoring important issues. More like "wake up sheeple".
To clarify, this is the Mexican embassy in Guatemala. I doubt there's anything interesting in there beyond the usual political maneuvering of border countries
So normally he's a white hat that gets paid for bounties, but once he misses a single reply he dumps everything to the public? This barely earns him anything and puts government workers in unnecessary risk.
They had the daemon running as root and I could read everything on the box.
Anyway. I sent them an email to webmaster and to a few PMs I new but heard nothing back.
About a week later I got a REALLY nasty legal as apparently they thought my email was an attempt to extort them and not just a nice guy trying to point out the problem.
I think they thought I downloaded source code ...
The PMs I emailed had to step in and vouch for me but I think that without their help I would have ended up with a really shitty lawsuit.
Agreed. CFAA makes these kind of disclosures stupid-risky in USA. If the company has a bug bounty program then MAYBE disclose. You only stand to lose by trying to be a good samaritan otherwise.
> once he misses a single reply he dumps everything to the public
Also known as "black hat", aka criminal.
Seems this is just all mundane info about ordinary people, no scandals, no war crimes, no improprieties. He's massively violated their privacy and subjected them to identity theft. Hope justice finds this bad dude.
[...] In previous correspondence with the hacker, he said he tries to report problems and has received bounty payouts for his discoveries. “But when I don’t get a reply, then it’s going public,” he said. [...]
Before we speak about responsible disclosure and call people "hackers" in a negative context, we have to talk about irresponsible QA processes. this is true for both tech companies or anyone utilizing technology for whatever means.
it's similar to saying: "yes I left a loaded gun there, but let's blame the evil criminal who picked it up and did a bad thing", ...
... I'm not defending him. My point is responsibility has to be on both sides. Today companies rather participate in PR circle jerks (and mistake bug bounties for real audits) instead of cleaning up their own actual security problems.
Edit: in a similar thread this week we had WIPRO breached which then claimed that they did everything
> “Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”
if they'd really be using industry best practices against phishing they'd have used U2F. Nobody is using it at Wipro though. CISO's today rather point to how well they've outsourced the problem (at least the damage control part) by pointing at their insurance policies (which often won't even cover a breach, and which does nothing to protect the user/data and only protects the company bottom line). Talk is cheap, fuck them all.
You can release a bug, tell other people how it works, publicly shame the government into having better security. But stealing the documents and holding the stolen documents for ransom?
Why should they pay him? He's clearly acting like a criminal, not someone trying to just make a living by making society safer. He's making it worse on purpose because he didn't get his way.
I wasn't saying they should pay him. I don't think they should. But having been on the receiving end of this behavior for far too long my point is that he should be listened to and not ignored like this. It would be OK if it's just ignoring, I've seen companies very eager to use legal threats too especially if the researcher is an isolated individual and not company.
It's not too much to ask to have a security@ mailbox and actually pay attention to it. If you don't have a disclosure process in 2019 then there is no reason you should have your systems exposed (whether that's a gov site or company doesn't make a difference) IMHO
The moment you answered I was still editing my post trying to point out that I'm not defending him. Sorry if there was an overlap here.
35 comments
[ 2.6 ms ] story [ 149 ms ] threadWhat? I'm simply asking a question.
(That was an illustration of how your communication is coming across)
https://www.goodreads.com/book/show/18405492-treaties-trench...
White hat hackers release bugs to get them fixed. This is clearly just a case of extortion. You release a bug, you don't steal documents yourself.
One of their servlets had a query parameter like
/servlet/com.sun.projectname.SuperCrazyServlet?url=some_url_encoded_param
and I found out that it accepted file:// URLs.
They had the daemon running as root and I could read everything on the box.
Anyway. I sent them an email to webmaster and to a few PMs I new but heard nothing back.
About a week later I got a REALLY nasty legal as apparently they thought my email was an attempt to extort them and not just a nice guy trying to point out the problem.
I think they thought I downloaded source code ...
The PMs I emailed had to step in and vouch for me but I think that without their help I would have ended up with a really shitty lawsuit.
If you really want it fixed post to pastebin and the traffic will bring attention to it. But it's better to just ignore and move on.
nothing in this article concludes that he asked for payment.
Also known as "black hat", aka criminal.
Seems this is just all mundane info about ordinary people, no scandals, no war crimes, no improprieties. He's massively violated their privacy and subjected them to identity theft. Hope justice finds this bad dude.
[...] In previous correspondence with the hacker, he said he tries to report problems and has received bounty payouts for his discoveries. “But when I don’t get a reply, then it’s going public,” he said. [...]
Before we speak about responsible disclosure and call people "hackers" in a negative context, we have to talk about irresponsible QA processes. this is true for both tech companies or anyone utilizing technology for whatever means.
it's similar to saying: "yes I left a loaded gun there, but let's blame the evil criminal who picked it up and did a bad thing", ...
... I'm not defending him. My point is responsibility has to be on both sides. Today companies rather participate in PR circle jerks (and mistake bug bounties for real audits) instead of cleaning up their own actual security problems.
Edit: in a similar thread this week we had WIPRO breached which then claimed that they did everything
> “Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”
if they'd really be using industry best practices against phishing they'd have used U2F. Nobody is using it at Wipro though. CISO's today rather point to how well they've outsourced the problem (at least the damage control part) by pointing at their insurance policies (which often won't even cover a breach, and which does nothing to protect the user/data and only protects the company bottom line). Talk is cheap, fuck them all.
You can release a bug, tell other people how it works, publicly shame the government into having better security. But stealing the documents and holding the stolen documents for ransom?
Why should they pay him? He's clearly acting like a criminal, not someone trying to just make a living by making society safer. He's making it worse on purpose because he didn't get his way.
It's not too much to ask to have a security@ mailbox and actually pay attention to it. If you don't have a disclosure process in 2019 then there is no reason you should have your systems exposed (whether that's a gov site or company doesn't make a difference) IMHO
The moment you answered I was still editing my post trying to point out that I'm not defending him. Sorry if there was an overlap here.