    Miscellaneous Tech News

    • 1
      1337 @DustinB3403
      last edited by

      @DustinB3403 said in Miscellaneous Tech News:

      At what point does someone go from being a security researcher who's raised the red flag to a platform who apparently refuses to fix simple but large vulnerabilities to a black-hat?
      There are numerous cases of White-Hats saying "hey we gave them months to fix this issue and we were continually ignored, for the security of the users, we're making this public to get the platform to fix this issue"

      The difference between a hacker and a security researcher is the intent.

      This is from the arstechnica article:
      "To recap, the scraping was pulled off by a hacker who goes by the handle donk_enby. She originally set out to archive content posted to Parler last Wednesday in hopes of preserving self-incriminating material before account holders came to their senses and deleted it."

      That is obviously not security research in any way shape or form.

      donk_enby goes on:
      “I want this to be a big middle finger to those who say hacking shouldn’t be political,”

      So a hacktivist.

      • scottalanmillerS
        scottalanmiller @1337
        last edited by

        @Pete-S said in Miscellaneous Tech News:

        That is obviously not security research in any way shape or form.

        Not from the technical side. But in a weird way, it's like a technical hacker using hacking to do social security research.

        • scottalanmillerS
          scottalanmiller @JaredBusch
          last edited by

          @JaredBusch said in Miscellaneous Tech News:

          File under: Fucking Duh.....

          https://www.cnbc.com/2021/01/12/signal-telegram-downloads-surge-after-update-to-whatsapp-data-policy.html

          Signal and Telegram downloads surge after WhatsApp says it will share data with Facebook

          That explains why my Telegram is blowing up with new members.

          • scottalanmillerS
            scottalanmiller @DustinB3403
            last edited by

            @DustinB3403 said in Miscellaneous Tech News:

            @Pete-S said in Miscellaneous Tech News:

            @Obsolesce said in Miscellaneous Tech News:

            70TB of Parler users’ messages, videos, and posts leaked by security researchers

            The scrape includes user profile data, user information, and which users had administration rights for specific groups within the social network. Twitter user @donk_enby, who first announced about the scrape, claims that over a million video URLs, some deleted and private, were taken

            Security researchers don't leak information. They let the platform know they found a leak and work with them to close it.

If they leak information, they are by definition hackers (crackers, black hats, hacktivists etc).

            At what point does someone go from being a security researcher who's raised the red flag to a platform who apparently refuses to fix simple but large vulnerabilities to a black-hat?

            There are numerous cases of White-Hats saying "hey we gave them months to fix this issue and we were continually ignored, for the security of the users, we're making this public to get the platform to fix this issue"

            Well, at some point, maybe you are both. One person's researcher is another person's black hat. To me, as a customer, knowing that vendor X has a vulnerability and that I need to be aware of it is research. To that vendor, sharing their mistakes might be perceived as black hat.

            It's a bit like terrorism. Every terrorist is someone's army. What we called Patriots in the American Revolution, the British considered terrorists. It's all perspective.

So in one sense, every white hat is also a black hat. If you find a vulnerability and tell the vendor, and not the customers, you are a black hat to their customers, but a white hat to the vendor. If you tell the customers before the vendor has a fix, you are a black hat to the vendor, and a white hat to the customers.

            • scottalanmillerS
              scottalanmiller @1337
              last edited by

              @Pete-S said in Miscellaneous Tech News:

              So a hacktivist.

              Something we could say about anyone in a white hat, in a way.

              • scottalanmillerS
                scottalanmiller @Dashrender
                last edited by

                @Dashrender said in Miscellaneous Tech News:

You are a black hat when your main goal is to simply steal and dump or steal and do other bad things.

                This is true and simple. But what about if you get the data and don't share it with the people impacted? Isn't that also a black hat move? To conceal a known vulnerability that others might be using to steal data to protect a vendor?

                Not that it's only about protecting a vendor, but that's a huge force at play in those cases.

                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said in Miscellaneous Tech News:

                  No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                  I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                  As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said in Miscellaneous Tech News:

                    But really, if you're white - YOU should never dump someone else's data. Period. Dumping is very likely an act that is over the line and makes you a black hat.

                    Hacking to get access and actually taking data are two different steps. The one is about "getting in", cracking the safe or whatever.

                    The question between white and black is... if you can crack a safe, do you tell someone? If so, who and when? But there's no question that cracking a safe AND stealing the contents is always stealing.

                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said in Miscellaneous Tech News:

                      You don't need to dump their data to embarrass the hell out of a company... just tell the world about them, and post how you found said data - others will go and pull it out and post it...

                      Exactly, and this is where we get back to.... to the vendor you're a black hat, to their customers, the public, competitors, you are a white hat.

                      • DashrenderD
                        Dashrender @scottalanmiller
                        last edited by

                        @scottalanmiller said in Miscellaneous Tech News:

                        @Dashrender said in Miscellaneous Tech News:

                        No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                        I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                        As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                        So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                        Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said in Miscellaneous Tech News:

                          @Dashrender said in Miscellaneous Tech News:

                          You don't need to dump their data to embarrass the hell out of a company... just tell the world about them, and post how you found said data - others will go and pull it out and post it...

                          Exactly, and this is where we get back to.... to the vendor you're a black hat, to their customers, the public, competitors, you are a white hat.

                          Many customers will decry you as well if you publicly announce this hack before there is any chance of remediation. Right or wrong, they'll do it.

                          • DustinB3403D
                            DustinB3403 @Dashrender
                            last edited by

                            @Dashrender said in Miscellaneous Tech News:

                            @scottalanmiller said in Miscellaneous Tech News:

                            @Dashrender said in Miscellaneous Tech News:

                            No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                            I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                            As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                            So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                            Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                            No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                            • scottalanmillerS
                              scottalanmiller @Dashrender
                              last edited by

                              @Dashrender said in Miscellaneous Tech News:

                              @scottalanmiller said in Miscellaneous Tech News:

                              @Dashrender said in Miscellaneous Tech News:

                              No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                              I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                              As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                              So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                              Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                              The difference is, whose fault is it. If you tell customers that they are at risk, they can take action immediately. If you only tell someone else, they can take action immediately.

                              The issue is that we give the upper hand to vendors to hide problems and/or to leverage vulnerabilities for a long period of time while the customers are left in the dark.

                              So my question is... if you are at risk, do you want to be told, or do you want the person who put you at risk to be told? If you totally trust the person who put you at risk, you might answer one thing. But unless you do, you'll definitely answer the other.

                              Imagine it's your door lock. Someone discovers that your door lock doesn't actually lock from midnight to 1am and people could just walk in. Do you want that kept secret from you and only told to other people? Or would you like to know so that you can do something about it?

                              • DashrenderD
                                Dashrender @DustinB3403
                                last edited by

                                @DustinB3403 said in Miscellaneous Tech News:

                                @Dashrender said in Miscellaneous Tech News:

                                @scottalanmiller said in Miscellaneous Tech News:

                                @Dashrender said in Miscellaneous Tech News:

                                No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                                I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                                As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                                So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                                Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                                No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvise SSH client?

                                • scottalanmillerS
                                  scottalanmiller @DustinB3403
                                  last edited by

                                  @DustinB3403 said in Miscellaneous Tech News:

                                  @Dashrender said in Miscellaneous Tech News:

                                  @scottalanmiller said in Miscellaneous Tech News:

                                  @Dashrender said in Miscellaneous Tech News:

                                  No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                                  I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                                  As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                                  So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                                  Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                                  No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                                  Only paying customers leaves for a lot of problems. What about free software?

                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said in Miscellaneous Tech News:

                                    @scottalanmiller said in Miscellaneous Tech News:

                                    @Dashrender said in Miscellaneous Tech News:

                                    You don't need to dump their data to embarrass the hell out of a company... just tell the world about them, and post how you found said data - others will go and pull it out and post it...

                                    Exactly, and this is where we get back to.... to the vendor you're a black hat, to their customers, the public, competitors, you are a white hat.

                                    Many customers will decry you as well if you publicly announce this hack before there is any chance of remediation. Right or wrong, they'll do it.

                                    Yes, but the fault is theirs in that case.

                                    • DustinB3403D
                                      DustinB3403 @Dashrender
                                      last edited by

                                      @Dashrender said in Miscellaneous Tech News:

                                      @DustinB3403 said in Miscellaneous Tech News:

                                      @Dashrender said in Miscellaneous Tech News:

                                      @scottalanmiller said in Miscellaneous Tech News:

                                      @Dashrender said in Miscellaneous Tech News:

                                      No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                                      I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                                      As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                                      So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                                      Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                                      No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvise SSH client?

                                      I would assume there is a list of customers somewhere that would have these contact details that could be used.

                                      • scottalanmillerS
                                        scottalanmiller
                                        last edited by

Bottom line, if Google Project Zero discovers a vulnerability, and chooses to hide it from me, and I get compromised because they were complacent (or worse), I think that there is criminal culpability. If they research the software that I am running, that's fine. If they find a vulnerability, though, telling me makes them innocent, not telling me makes them guilty. If you are going to do security research you have ethical responsibilities and, hopefully, criminal ones as well.

                                        • scottalanmillerS
                                          scottalanmiller @DustinB3403
                                          last edited by

                                          @DustinB3403 said in Miscellaneous Tech News:

                                          @Dashrender said in Miscellaneous Tech News:

                                          @DustinB3403 said in Miscellaneous Tech News:

                                          @Dashrender said in Miscellaneous Tech News:

                                          @scottalanmiller said in Miscellaneous Tech News:

                                          @Dashrender said in Miscellaneous Tech News:

                                          No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                                          I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                                          As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                                          So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                                          Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                                          No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvise SSH client?

                                          I would assume there is a list of customers somewhere that would have these contact details that could be used.

                                          There is not.

                                          • DashrenderD
                                            Dashrender @DustinB3403
                                            last edited by

                                            @DustinB3403 said in Miscellaneous Tech News:

                                            @Dashrender said in Miscellaneous Tech News:

                                            @DustinB3403 said in Miscellaneous Tech News:

                                            @Dashrender said in Miscellaneous Tech News:

                                            @scottalanmiller said in Miscellaneous Tech News:

                                            @Dashrender said in Miscellaneous Tech News:

                                            No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                                            I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                                            As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                                            So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                                            Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                                            No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvise SSH client?

                                            I would assume there is a list of customers somewhere that would have these contact details that could be used.

Perhaps, perhaps not. Scott makes a great point - Free software, there likely is no list. Bitvise is a great example (chosen completely at random). I've never told them I use their software, though I should still be notified when there is a known vul.

The only way that could happen is either a public announcement and pray I'm monitoring the location of the announcements - or the vendor provides an update and my software phones home and updates.
