Irresponsible security researcher
Hi,

This guy believes in full disclosure so much he discloses everything he finds instead of letting us fix and disclose. This happened more than once. So surely he won't mind if I disclose his mail sent to the security list. According to whois, he is

Justin Klein Keane, 1122 Green Street, Philadelphia, PA 19123, US. Phone: 1-215-2320909. Email: jkeane@madirish.net

I will let the creative members of the Drupal community figure out ways to express their displeasure with his practice. Mail follows:

Hello,

First let me state that I love Drupal and evangelize it openly. I run a Drupal users group at my place of employment and have given presentations on the advantages of Drupal at several conferences. I frequently recommend adoption of Drupal and defend its security track record.

However, as I said before, I think we've been round the philosophical differences between Drupal security and myself before, and we simply disagree. The first thing I do when I discover a vuln is warn all my colleagues who have Drupal installed. It only makes sense that I warn everyone. I'm not under any illusions that I'm the best at what I do. The "bad guys" get paid to find these vulns, and they don't disclose them. If I've found a vuln, unless you somehow accept that I'm the best at doing this, then you must know that the "bad guys" already know about the vuln. Full disclosure informs end users so they can make an informed decision about whether or not to continue running the system, or whether they need to modify the app or their deployment.

I have discovered vulnerabilities before for which the Drupal team has not given me credit. Drupal security and I have also disagreed over the severity of security issues, which has resulted in patches not being developed (http://drupal.org/node/372836). This, combined with the sarcastic replies I often get from the security team, makes me leery of their commitment to credit my discoveries. Furthermore, I've inquired as to contributions I could make to the Drupal security team but was rebuffed. So, here's what I have in conclusion:

1) I believe people using Drupal deserve to know about vulnerabilities as soon as possible because "bad guys" already know about them.
2) I don't trust that Drupal security would actually credit me, especially now that relations have sufficiently soured.
3) Drupal security seems cliquish and hasn't given me any incentive to work within their framework.

I think that leaves us at pretty good loggerheads. I understand you have a tough, and probably thankless, job. I laud the contributions you are making to a wonderful open source product. I will be the first to stand up and say you all do a great job at keeping Drupal secure. I will continue to inform Drupal security directly when I discover vulnerabilities, but I would appreciate it if you could respect my motivation for refusing to withhold public disclosure.

All the best and keep up the good work,

Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
Seriously, the fact that the info is in the whois database means he is not concerned with it being out there. Furthermore, why act so childish? It is obvious that Mr. Keane is merely concerned with being credited with his discoveries, and no matter what you do he will continue down this path of (irresponsible) full disclosure. Should the community stoop to a lower level just because someone does? Do you think this will discourage others from doing the same?

The fact is there is a difference between full disclosure and responsible full disclosure, and Mr. Keane should follow the latter. Read RFP's RFPolicy for a good start on what is considered responsible for both parties: http://www.wiretrip.net/rfp/policy.html.

Adam

On Tue, May 12, 2009 at 6:22 PM, Karoly Negyesi <karoly@negyesi.net> wrote:
On Tue, May 12, 2009 at 6:22 PM, Karoly Negyesi <karoly@negyesi.net> wrote:
I will let the creative members of the Drupal community figure out ways to express their displeasure with his practice. Mail follows:
Yeah, you really showed him. -D
Hi,

I read from this mail and behavior:
- this person wants to improve the security of Drupal
- he made a patch that maybe wasn't accepted, or he was disappointed with the procedures of the community
- he made a decision for himself how to handle similar cases

-> so what's wrong with the person? Nothing. (Nobody said that I or someone else should agree with his decision!) He is just one more who does not believe in the practices of the community. It is just a missed chance of participation.

Best
Thomas Zahreddin

On Tuesday, 12.05.2009, 18:22 -0700, Karoly Negyesi wrote:
- this person wants to improve the security of Drupal - he made a patch that maybe wasn't accepted, or he was disappointed with the procedures of the community
He made a patch?
-> so what's wrong with the person?
Check his site. Maybe the fact that he never posts a fix on the issues he discloses (I might have missed some)? And his disclosures include precise, step-by-step exploits? That's not so nice, is it?

Regards
NK
Hello Karoly, and community,

thank you for being accurate: "Drupal security and I have also disagreed over the severity of security issues which has resulted in patches not being developed (http://drupal.org/node/372836)" so he disagreed at least ...

I also don't post fixes, since I see so many patches and issues rotting in the issue queue. Sometimes I suggest something and I get 'it is this way by design'. But how to evolve the topic? Sometimes I write documentation for hours and it disappears (or is no longer accessible for me). These are experiences over the last two years; I don't have concrete topics I can point to, but they exist and force me into a leecher state.

And by the way, it is not true that Drupal needs more code; if you think so, take all the patches from the issue queues. And it is also not true that Drupal is a do-ocracy, since all the authors of the patches contributed. I dislike contributing patches that sit for years or forever in queues. So I can't see the value of just another patch.

Best
Thomas Zahreddin

On Wednesday, 13.05.2009, 01:20 -0700, Karoly Negyesi wrote:
He is just one more who does not believe in the practices of the community.
You, he, me, and everyone else is free to believe whatever one wants to believe. As long as this belief does not result in actions that harm someone else.

Justin Klein Keane's publications harm the Drupal community and Drupal site owners at a glance. We, the Drupal community, set up and agreed on the security review and announcement process the way it works today. His posts are hijacking this process; and that's why he is absolutely irresponsible, no matter whether his findings are valid or not.

The result of Justin Klein Keane's actions is that people may think that Drupal is insecure, not providing fixes for potential security vulnerabilities that may exist. Contrary to what Justin Klein Keane thinks, he does not help anyone. Justin's assumptions only make things worse.

True is that we cannot prevent him from doing so.
True is also that he is not respecting the Drupal community and Security Team by doing so.
But true is also that we do not have to respect him for his actions if he even continues to harm everyone after trying to get him on board.

sun
Not that we need to have an extensive discussion on this character, but I'm in agreement with sun. JKK is -- as one subculture of slang in America would say -- "dissing" [1] the Drupal community and security team. And although it is only the written word, I detect a personality in his writings which is not the kind of person I'd want to work with or associate with. It's not just that he disagrees, but that he thinks he is better and the rules (if any) in any situation do not apply to him.

But as sun wrote, there's not much we can do. It probably won't help our cause to intentionally irritate him.

[1] http://en.wiktionary.org/wiki/diss

On Wed, May 13, 2009 at 3:36 AM, Daniel F. Kudwien <news@unleashedmind.com> wrote:
On 12-May-09, at 9:22 PM, Karoly Negyesi wrote:
This guy believes in full disclosure so much he discloses everything he finds instead letting us fix and disclose.
Did he report this issue? http://justin.madirish.net/node/339. It still seems exploitable. I see he's been credited for SAs in the past. It's a shame that the noise from him is drowning out the real issues he's finding.

If there are a sizeable number of issues on his site which he hasn't reported, any idea how much of a backlog this will create for the SA team? Since the exploits are public, perhaps we should organize to go through his site and figure out what is still exploitable.

--Andrew
On Wed, May 13, 2009 at 9:00 AM, Andrew Berry <andrewberry@sentex.net> wrote:
It's the same as http://drupal.org/node/372836, or maybe it's even the issue that prompted http://drupal.org/node/372836. Either way, it's "addressed."

Regards,
Greg

--
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Cracking Drupal - Learn to protect your Drupal site from hackers
Now available from Wiley http://crackingdrupal.com
Just to clarify, Karoly's position on this does not in any way reflect the position of the Drupal security team as a whole. We have had a few past problems with Justin Klein Keane, but the Drupal security team did not in any way wish to publicly disclose Mr. Keane's personal information, nor mandate action against him. The security team would prefer to work with Mr. Klein, but failing that, we certainly wouldn't want to advocate for any sort of action against him.

The security team can be reached at security@drupal.org for any further questions.

Regards,
Charlie

Karoly Negyesi wrote:
I will let the creative members of the Drupal community figure out ways to express their displeasure with his practice.
Participants (9):
- Adam Ely
- Andrew Berry
- Charlie Gordon
- Chris Johnson
- Daniel F. Kudwien
- Domenic Santangelo
- Greg Knaddison
- Karoly Negyesi
- Thomas Zahreddin