undefined | Better HN

0 pointsolliej2y ago0 comments

No. Black vs white hat is "did you break this and then use it to <do something illegal>.

The responsible vs. irresponsible disclosure question is "do you tell the responsible party ahead of time and give them time to repair it". From articles it certainly appears that ejmr learned how broken their code was prior to this paper being published.

But responsible vs irresponsible disclosure is not a question of "should this be disclosed at all?", which the security community as whole seems to have determined that the answer is "yes".

The problem is that ejmr was not anonymous, and if you publish something that is not anonymous, it is forever not anonymous.

The only option would be to not disclose that there was any problem, not notify people that their posts were not anonymous, and this paper (the actual "research" about where posters lived/worked?) could also not be published. Because any acknowledgement or indication that the you could get form id to ip in any forum would cause people to go "huh, how did they do that?" a Streisand effect your way to everyone knowing.

This is of course assuming that no one else interested in commenter identities has ever looked at ejmr either, because these researchers did not do anything clever to break the scheme.

0 comments

throwaway2902y ago

> Black vs white hat is "did you break this and then use it to <do something illegal>.

That is a very narrow interpretation of "black hat". I think mainstream take is that black hat includes many legal but ethically dubious actions. Maybe you would call it "grey hat", I don't know. But publishing vulnerability without a responsible disclosure can be considered unethical.

> But responsible vs irresponsible disclosure is not a question of "should this be disclosed at all?", which the security community as whole seems to have determined that the answer is "yes".

Yes, I don't know if you misread but by 'responsible disclosure' I meant 'tell ejmr about this before publishing'.

> The only option

No. If they were informed about this issue, after changing the schema EJMR could take down all preexisting posts made with the old schema and request public archives to remove them (and reindex new ones). It's not foolproof because many posts may happen to be archived independently but it would be something. And of course notify users.

olliejOP2y ago

> But publishing vulnerability without a responsible disclosure can be considered unethical.

Yes, there is debate on that, and there are arguments on either side. But given ejmr went 12 years without changing their "anonymization" scheme, and then changed it a short time prior to an article being published that demonstrated the scheme was broken, I think it's reasonable to presume ejmr was notified prior to publication, and had time to correct the flaw, which is the canonical example of responsible disclosure.

That ejmr did not tell its users is an example of the behavior that the anti-responsible disclosure folk point to. Organizations that say "you should tell us about vulnerabilities in our products, but you cannot tell our users, and neither will we" are a large part of the reason some people oppose responsible disclosure.

> No. If they were informed about this issue, after changing the schema EJMR could take down all preexisting posts made with the old schema and request public archives to remove them (and reindex new ones).

There are multiple existing libraries online to support scraping ejmr specifically, as well as who knows how many archives and search engines we don't know about.

Every person who posted need to be made aware that their posts could be tracked at least to the IP (though at any institution you're behind a NAT so generally IP != person, and the idea of ISPs having per hour IP<->user logs from a decade ago seems suspect).

Also we know that ejmr found out about the gaping hole somehow - we don't know exactly, we just know they addressed the incompetence, though I assume they're still doing it wrong - and they didn't even pull and re-index their own archive let alone ask anyone else to do so.

> It's not foolproof because many posts may happen to be archived independently but it would be something.

Either you're anonymous or you're not, so you can't just say "we doubt there are any other archives so you're safe". The user IPs are not secret, as they were never secret.

We also have no way to know if anyone else had already done this, and we likely never will.

> And of course notify users.

Which they also did not do.

throwaway2902y ago

> Either you're anonymous or you're not

False on many levels and dangerous belief.

You are never ever fully anonymous writing online. It all depends on how difficult it is and how determined the threat.

Everything you post can be correlated with your other writing and online activity (even if you fake the style), ISP subpoenaed and tor nodes compromised. But most people are sorta anonymous because no one bothers to go through the trouble.

j / k navigate · click thread line to collapse

0 pointsolliej2y ago0 comments

No. Black vs white hat is "did you break this and then use it to <do something illegal>.

But responsible vs irresponsible disclosure is not a question of "should this be disclosed at all?", which the security community as whole seems to have determined that the answer is "yes".

The problem is that ejmr was not anonymous, and if you publish something that is not anonymous, it is forever not anonymous.

This is of course assuming that no one else interested in commenter identities has ever looked at ejmr either, because these researchers did not do anything clever to break the scheme.

0 comments

throwaway2902y ago

> Black vs white hat is "did you break this and then use it to <do something illegal>.

> But responsible vs irresponsible disclosure is not a question of "should this be disclosed at all?", which the security community as whole seems to have determined that the answer is "yes".

Yes, I don't know if you misread but by 'responsible disclosure' I meant 'tell ejmr about this before publishing'.

> The only option

olliejOP2y ago

> But publishing vulnerability without a responsible disclosure can be considered unethical.

There are multiple existing libraries online to support scraping ejmr specifically, as well as who knows how many archives and search engines we don't know about.

> It's not foolproof because many posts may happen to be archived independently but it would be something.

Either you're anonymous or you're not, so you can't just say "we doubt there are any other archives so you're safe". The user IPs are not secret, as they were never secret.

We also have no way to know if anyone else had already done this, and we likely never will.

> And of course notify users.

Which they also did not do.

throwaway2902y ago

> Either you're anonymous or you're not

False on many levels and dangerous belief.

You are never ever fully anonymous writing online. It all depends on how difficult it is and how determined the threat.

j / k navigate · click thread line to collapse