Posted by toomuchtodo 8 hours ago

I found a Vulnerability. They found a Lawyer (dixken.de)
331 points | 156 comments (page 4)
nubg 3 hours ago
> No exploits, no buffer overflows, no zero-days. Just a login form, a number, and a default password that was set for each student on creation.

ai;dr

This is AI slop.

Use your own words!

I would rather read the original prompt!

kmoser 30 minutes ago
Presuming nobody had found this exploit previously, it actually is a zero-day.
lucb1e 2 hours ago
Also in the email towards the organization. Makes it sound as condescending "let me dumb it down for you to key points" to the receiver of the email as, well, as LLMs are. Bit off-putting and the story itself is also common to the point of trite. Heck, nothing even ended up happening in this case. No lawyer is mentioned outside of the title, no police complaint was filed, no civil case started, just the three emails saying he should agree to not talk about this. Scary as those demands can be (I have been at the butt end of such things as well, and every time I wish I had used Tor instead of a CIOT-traceable IP address as soon as my "huh, that's odd system behavior"-senses go off. Responsible disclosure just gives you grey hairs in the 10% of cases that respond like this, even if so far 0% actually filed a police complaint or court case)
tverbeure 3 hours ago
> No ..., no ..., no .... Just ...

Am I the only one who can't stand this AI slop pattern?

silisili 3 hours ago
Between that and 'Read that again' my heart kinda sank as I went. When, if ever, will this awful trend end?
lucb1e 1 hour ago
It's one thing for your blog post to be full of faux writing style, but also that letter to the organization... oof. I wouldn't enjoy receiving that from someone who attached a script that dumps all users from my database, when the email, as well as my access logs, confirm they ran it.
desireco42 7 hours ago
I think the problem is the process. Each country should have a reporting authority and it should be the one to deal with security issues.

So you never report to the actual organization but to the security organization, like you did. And they would be more equipped to deal with this, maybe also validate how serious this issue is. Assign a reward as well.

So you are a researcher, you report your thing and can't be sued or bullied by the organization that is offending in the first place.

PaulKeeble 6 hours ago
If the government wasn't so famous for also locking people up that reported security issues I might agree, but boy they are actually worse.

Right now the climate in the world is that whistleblowers get their careers and livelihoods ended. This has been going on for quite a while.

The only practical advice is ignore it exists, refuse to ever admit to having found a problem and move on. Leave zero paper trail or evidence. It sucks but it's career-ending to find these things and report them.

ikmckenz 7 hours ago
That’s almost what we already have with the CVE system, just without the legal protections. You report the vulnerability to the NSA, let them have their fun with it, then a fix is coordinated to be released much further down the line. Personally I don’t think it’s the best idea in the world, and entrenching it further seems like a net negative.
ylk 5 hours ago
This is not how CVEs work at all. You can be pretty vague when registering it. In fact they’re usually annoyingly so and some companies are known for copy and pasting random text into the fields that completely lead you astray when trying to patch diff.

Additionally, MITRE doesn’t coordinate a release date with you. They can be slow to respond sometimes but in the end you just tell them to set the CVE to public at some date and they’ll do it. You’re also free to publish information on the vulnerability before MITRE assigned a CVE.

desireco42 6 hours ago
Yeah, something like that, nothing too much, just to spare the individual from dealing with evil corps
janalsncm 6 hours ago
Does it have to be a government? Why not a third party non-profit? The white hat gets shielded, and the non-profit has credible lawyers which makes suing them harder than individuals.

The idea is to make it easier to fix the vulnerability than to sue to shut people up.

For credit assignment, the person could direct people to the non profit’s website which would confirm discovery by CVE without exposing too many details that would allow the company to come after the individual.

This business of going to the company directly and hoping they don’t sue you is bananas in my opinion.

iamnothere 3 hours ago
This would only work if governments and companies cared about fixing issues.

Also, it would prevent researchers from gaining public credit and reputation for their work. This seems to be a big motivator for many.

cptskippy 6 hours ago
Maintaining Cybersecurity Insurance is a big deal in the US, I don't know about Europe. So vulnerability disclosure is problematic for data controllers because it threatens their insurance and premiums. Today much of enterprise security is attestation based and vulnerability disclosure potentially exposes companies to insurance fraud. If they stated that they maintained certain levels of security, and a disclosure demonstratively proves they do not, that is grounds for dropping a policy or even a lawsuit to reclaim paid funds.

So it sort of makes sense that companies would go on the attack because there's a risk that their insurance company will catch wind and they'll be on the hook.

pixl97 4 hours ago
Heh, what insurance company you use should be public information, and bug finders should report to them.
FurryEnjoyer 6 hours ago
Malta has been mentioned? As a person living here I could say that the workflow of the government here is bad. Same as in every other place I guess.

By the way, I had a story when I accidentally hacked an online portal in our school. It didn't go much and I was "caught" but anyways. This is how we learn to be more careful.

I believe in every single system like that it's fairly possible to find a vulnerability. Nobody cares about them and the people that make those systems don't have enough skill to do it right. Data is going to be leaked. That's the unfortunate truth. It gets worse with the coming of AI. Since it has zero understanding of what it actually is, it will make mistakes that would cause more data leaks.

Even if you don't consider yourself an evil person, would you still stay the same knowing a real security vulnerability? Who knows. Some might take advantage. Some won't and will still be punished for doing everything the "textbook way".

dboreham 4 hours ago
Messenger shooting is a common tactic with psychopaths.
refulgentis 7 hours ago
Wish they named them. Usually I don't recommend it. But the combination of:

A) in the EU; GDPR will trump whatever BS they want to try
B) no confirmation affected users were notified
C) aggro threats
D) nonsensical threats, sourced to a Data Privacy Officer with seemingly 0 scruples and little experience

Due to B), there's a strong responsibility rationale.

Due to rest, there's a strong name and shame rationale. Sort of equivalent to a bad Yelp review for a restaurant, but for SaaS.

mzi 7 hours ago
Dan Europe has a flow as discussed in the article and both the foundation and the regulated insurance branch are registered in Malta.
Nextgrid 7 hours ago
EU GDPR has very little enforcement. So while the regulation in theory prevents that, in practice you can just ignore it. If you're lucky a token fine comes up years down the line.
newzino 3 hours ago
The same-day deadline on the NDA is the tell. If they had a real legal position, they wouldn't need a signature before close of business. That's a pressure tactic designed to work on someone who doesn't know any better. The fact that he pushed back and nothing happened confirms it was a bluff.