Re: [development] Irresponsible security researcher
I'm not quite sure that giving out his personal information to a group of annoyed developers is a good idea. Something about inciting a riot just seems wrong. We can't force him to play by our rules and see things our way (even though his is wrong. ;) I can say that personally it does cause me to wonder about this "ethical hacker." (It says so on his resume. Really.) Personally, by endangering those who use the software that he examines, I see him more as a passive-aggressive black-hat. And maybe a little over jealous at that. http://drupal.org/node/372836 (which apparently he wasn't credited with) amounts to "if you let someone administer nodes they can change things."... Yes. Better though was http://justin.madirish.net/drupal6-cck-vulnerability. It boils down to 'people with "Use PHP input field settings" permissions can run PHP'... So... I guess that makes this an un-bug report? (Maybe an "Everything is working like it is supposed to." report?) At least now I know one less person that I have to take seriously (on a professional level.)
J Rogers
On Tuesday 12 May 2009 8:22:08 pm Karoly Negyesi wrote:
Hi,
This guy believes in full disclosure so much he discloses everything he finds instead of letting us fix and disclose. This happened more than once. So surely he won't mind if I disclose his mail sent to the security list. According to whois, he is
Justin Klein Keane 1122 Green Street Philadelphia, PA 19123 US Phone: 1-215-2320909 Email: jkeane@madirish.net
I will let the creative members of the Drupal community figure out ways to express their displeasure with his practice.
Justin Klein Keane's publications harm the Drupal community and Drupal site owners at a glance.
I'm not quite sure that giving out his personal information to a group of annoyed developers is a good idea. Something about inciting a riot just seems wrong.
I will let the creative members of the Drupal community figure out ways to express their displeasure with his practice.
I was not asking for riots, violence or harm in any way. I have chosen my words rather carefully and people apparently did not read them. I was asking for creative, funny pranks which make him look and feel like the asshat he is.
Sorry. I seem to have forgotten my ;) I didn't really suspect that you wanted to start a riot. I think we should help him. Personally, I discovered a vulnerability of my own this morning. It's right up his alley. If you have an administrator on your site, it seems that they can change almost anything! (Yes, massively sarcastic.) To make Drupal safer, we should get rid of uid 1. Yep... Safer.... ;) Any objections?
I was not asking for riots, violence or harm in any way. I have chosen my words rather carefully and people apparently did not read them. I was asking for creative, funny pranks which make him look and feel like the asshat he is.
Karoly Negyesi wrote:
I was asking for creative, funny pranks which make him look and feel like the asshat he is.
That sounds petty, irresponsible and unprofessional to me. If he's done black hat damage, get him thrown in jail, don't TP his house.
-- Earl Cooley III (shiva@io.com)
On Wed, May 13, 2009 at 8:14 AM, Joshua Rogers <me@joshuarogers.net> wrote:
I can say that personally it does cause me to wonder about this "ethical hacker." (It says so on his resume. Really.) Personally, by endangering those who use the software that he examines, I see him more as a passive-aggressive black-hat. And maybe a little over jealous at that.
I'm not sure about "black-hat". As far as I know he's not breaking into sites... He's a system admin for his employer and part of that work is to identify vulnerabilities in their server software, which happens to include Drupal. It's nice that he is putting effort into finding weaknesses (that's often a huge part of the process). It would be even better if he (and/or his employers) would allocate time to fixing the bugs rather than just finding and shouting about them.
http://drupal.org/node/372836 (which apparently he wasn't credited with) amounts to "if you let someone administer nodes they can change things."... Yes. Better though was http://justin.madirish.net/drupal6-cck-vulnerability. It boils down to 'people with "Use PHP input field settings" permissions can run PHP'... So... I guess that makes this an un-bug report? (Maybe an "Everything is working like it is supposed to." report?)
Exactly! It's not a vulnerability, so there's no need to credit someone with finding it... The security team tries to address issues within 2 weeks, but that's often hard. When there is a public disclosure we try harder to address them quickly, but the extra attention and confusion it creates doesn't help. A lot of the decisions from the security team are compromises: we do things for 5.x and 6.x that are guaranteed to work, but are not clean enough to be accepted into Drupal in general (see http://drupal.org/node/449078 for example). The specific SA where Justin did not get credit was another situation of making a compromise: the "vulnerability" was disclosed and nobody on the team felt it was important enough to fix personally. Justin and his employer were unwilling to allocate their resources to fix it. So, given that public disclosure had occurred, that the security team wasn't going to fix it, and that we wanted to respond in a timely manner... we did a "public service announcement" reminding people that admin means admin.
At least now I know one less person that I have to take seriously (on a professional level.)
This is somewhat true, and I certainly don't have a lot of love for Justin's online behavior. However, it's easy to get pissed at people online. I imagine that if I got to hang out with Justin over a delicious Philadelphia cheesesteak we'd be pretty friendly. He's got a different philosophy on security disclosure and doesn't prioritize contributing patches the same way that a lot of us do. That different philosophy and lower value on contributing patches doesn't mean he's unprofessional or an evil human.
Regards, Greg
-- Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Cracking Drupal - Learn to protect your Drupal site from hackers. Now available from Wiley: http://crackingdrupal.com
On May 13, 2009, at 8:01 AM, Greg Knaddison wrote:
The specific SA where Justin did not get credit was another situation of making a compromise: the "vulnerability" was disclosed and nobody on the team felt it was important enough to fix personally. Justin and his employer were unwilling to allocate their resources to fix it.
So, given that public disclosure had occurred, that the security team wasn't going to fix it, and that we wanted to respond in a timely manner... we did a "public service announcement" reminding people that admin means admin.
While I'm not on the security team, I would like to point out that Justin was also not the only person to report a possible XSS vulnerability resulting from the 'administer content types' permission prior to SA-CORE-2009-002 ;)
-Mike
* Please don't interpret this as my attempt to receive credit or any such thing. The thought of attempting to receive credit for such an obvious and commonly reported issue hadn't even crossed my mind until now.
__________________
Michael Prasuhn mike@mikeyp.net http://mikeyp.net
participants (5)
- Earl Cooley III
- Greg Knaddison
- Joshua Rogers
- Karoly Negyesi
- Michael Prasuhn