    Miscellaneous Tech News

    7.4k Posts 83 Posters 3.8m Views
Dashrender @scottalanmiller

      @scottalanmiller said in Miscellaneous Tech News:

      @Dashrender said in Miscellaneous Tech News:

      No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

      I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

      As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

      So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

      Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

Dashrender @scottalanmiller

        @scottalanmiller said in Miscellaneous Tech News:

        @Dashrender said in Miscellaneous Tech News:

        You don't need to dump their data to embarrass the hell out of a company... just tell the world about them, and post how you found said data - others will go and pull it out and post it...

        Exactly, and this is where we get back to.... to the vendor you're a black hat, to their customers, the public, competitors, you are a white hat.

        Many customers will decry you as well if you publicly announce this hack before there is any chance of remediation. Right or wrong, they'll do it.

DustinB3403 @Dashrender

          @Dashrender said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          @Dashrender said in Miscellaneous Tech News:

          No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

          I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

          As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

          So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

          Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

          No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

scottalanmiller @Dashrender

            @Dashrender said in Miscellaneous Tech News:

            @scottalanmiller said in Miscellaneous Tech News:

            @Dashrender said in Miscellaneous Tech News:

            No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

            I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

            As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

            So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

            Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

            The difference is, whose fault is it. If you tell customers that they are at risk, they can take action immediately. If you only tell someone else, they can take action immediately.

            The issue is that we give the upper hand to vendors to hide problems and/or to leverage vulnerabilities for a long period of time while the customers are left in the dark.

            So my question is... if you are at risk, do you want to be told, or do you want the person who put you at risk to be told? If you totally trust the person who put you at risk, you might answer one thing. But unless you do, you'll definitely answer the other.

            Imagine it's your door lock. Someone discovers that your door lock doesn't actually lock from midnight to 1am and people could just walk in. Do you want that kept secret from you and only told to other people? Or would you like to know so that you can do something about it?

Dashrender @DustinB3403

              @DustinB3403 said in Miscellaneous Tech News:

              @Dashrender said in Miscellaneous Tech News:

              @scottalanmiller said in Miscellaneous Tech News:

              @Dashrender said in Miscellaneous Tech News:

              No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

              I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

              As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

              So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

              Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

              No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

              How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvice SSH client?

scottalanmiller @DustinB3403

                @DustinB3403 said in Miscellaneous Tech News:

                @Dashrender said in Miscellaneous Tech News:

                @scottalanmiller said in Miscellaneous Tech News:

                @Dashrender said in Miscellaneous Tech News:

                No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                Only paying customers leaves for a lot of problems. What about free software?

scottalanmiller @Dashrender

                  @Dashrender said in Miscellaneous Tech News:

                  @scottalanmiller said in Miscellaneous Tech News:

                  @Dashrender said in Miscellaneous Tech News:

                  You don't need to dump their data to embarrass the hell out of a company... just tell the world about them, and post how you found said data - others will go and pull it out and post it...

                  Exactly, and this is where we get back to.... to the vendor you're a black hat, to their customers, the public, competitors, you are a white hat.

                  Many customers will decry you as well if you publicly announce this hack before there is any chance of remediation. Right or wrong, they'll do it.

                  Yes, but the fault is theirs in that case.

DustinB3403 @Dashrender

                    @Dashrender said in Miscellaneous Tech News:

                    @DustinB3403 said in Miscellaneous Tech News:

                    @Dashrender said in Miscellaneous Tech News:

                    @scottalanmiller said in Miscellaneous Tech News:

                    @Dashrender said in Miscellaneous Tech News:

                    No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                    I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                    As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                    So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                    Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                    No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                    How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvice SSH client?

                    I would assume there is a list of customers somewhere that would have these contact details that could be used.

scottalanmiller

                      Bottom line, if Google Project Zero discovers a vulnerability, and chooses to hide it from me, and I get compromised because they were complacent (or whose), I think that there is criminal culpability. If they research the software that I am running, that's fine. If they find a vulnerability, though, telling me makes them innocent, not telling me makes them guilty. If you are going to do security research you have ethical responsibilities and, hopefully, criminal ones as well.

scottalanmiller @DustinB3403

                        @DustinB3403 said in Miscellaneous Tech News:

                        @Dashrender said in Miscellaneous Tech News:

                        @DustinB3403 said in Miscellaneous Tech News:

                        @Dashrender said in Miscellaneous Tech News:

                        @scottalanmiller said in Miscellaneous Tech News:

                        @Dashrender said in Miscellaneous Tech News:

                        No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                        I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                        As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                        So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                        Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                        No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                        How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvice SSH client?

                        I would assume there is a list of customers somewhere that would have these contact details that could be used.

                        There is not.

Dashrender @DustinB3403

                          @DustinB3403 said in Miscellaneous Tech News:

                          @Dashrender said in Miscellaneous Tech News:

                          @DustinB3403 said in Miscellaneous Tech News:

                          @Dashrender said in Miscellaneous Tech News:

                          @scottalanmiller said in Miscellaneous Tech News:

                          @Dashrender said in Miscellaneous Tech News:

                          No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                          I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                          As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                          So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                          Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                          No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                          How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvice SSH client?

                          I would assume there is a list of customers somewhere that would have these contact details that could be used.

Perhaps, perhaps not. Scott makes a great point - Free software, there likely is no list. Bitvice is a great example (chosen completely at random) I've never told them I use their software, though I should still be notified when there is a known vul.

The only way that could happen is either a public announcement and pray I'm monitoring the location of the announcements - or the vendor provides an update and my software phones home and updates.

Dashrender @scottalanmiller

                            @scottalanmiller said in Miscellaneous Tech News:

                            Bottom line, if Google Project Zero discovers a vulnerability, and chooses to hide it from me, and I get compromised because they were complacent (or whose), I think that there is criminal culpability. If they research the software that I am running, that's fine. If they find a vulnerability, though, telling me makes them innocent, not telling me makes them guilty. If you are going to do security research you have ethical responsibilities and, hopefully, criminal ones as well.

                            They have made the choice to do the following - report to vendor, put a 90 day clock on it. Either the vendor makes a public announcement within 90 days or Google does.

This has been happening for years, and as of yet, I don't believe Google's been sued over it.

Dashrender @scottalanmiller

                              @scottalanmiller said in Miscellaneous Tech News:

                              @DustinB3403 said in Miscellaneous Tech News:

                              @Dashrender said in Miscellaneous Tech News:

                              @DustinB3403 said in Miscellaneous Tech News:

                              @Dashrender said in Miscellaneous Tech News:

                              @scottalanmiller said in Miscellaneous Tech News:

                              @Dashrender said in Miscellaneous Tech News:

                              No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                              I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                              As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                              So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                              Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                              No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                              How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvice SSH client?

                              I would assume there is a list of customers somewhere that would have these contact details that could be used.

                              There is not.

LOL, right - let's see.. Google finds a bug in SolarWinds software - calls them up - uh yeah, hey there, You know that client list you have? yeah.. ummm... I'm going to need you to give that to me, K? Greeeeat.. Thanks.

                              -Lumberg

                              All the while not telling them why they want it... LOL

scottalanmiller @Dashrender

                                @Dashrender said in Miscellaneous Tech News:

                                @scottalanmiller said in Miscellaneous Tech News:

                                @DustinB3403 said in Miscellaneous Tech News:

                                @Dashrender said in Miscellaneous Tech News:

                                @DustinB3403 said in Miscellaneous Tech News:

                                @Dashrender said in Miscellaneous Tech News:

                                @scottalanmiller said in Miscellaneous Tech News:

                                @Dashrender said in Miscellaneous Tech News:

                                No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                                I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                                As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                                So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                                Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                                No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                                How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvice SSH client?

                                I would assume there is a list of customers somewhere that would have these contact details that could be used.

                                There is not.

LOL, right - let's see.. Google finds a bug in SolarWinds software - calls them up - uh yeah, hey there, You know that client list you have? yeah.. ummm... I'm going to need you to give that to me, K? Greeeeat.. Thanks.

                                -Lumberg

                                All the while not telling them why they want it... LOL

                                Right. And Solarwinds is a great example. A company that you absolutely can't trust. Now sure, I'd have to be insane to be a Solarwinds client in the first place. But if I was forced to be for some reason, and Google was in cahoots with them sharing vulnerability information in MY network with a known malicious vendor, I'd be livid and definitely consider criminal charges for Google informing my enemies how to breach my network.

                                Just because Google identifies someone as the owner of a commercial product, doesn't give said vendor some special legal right to knowledge of my network.

scottalanmiller @Dashrender

                                  @Dashrender said in Miscellaneous Tech News:

                                  @scottalanmiller said in Miscellaneous Tech News:

                                  Bottom line, if Google Project Zero discovers a vulnerability, and chooses to hide it from me, and I get compromised because they were complacent (or whose), I think that there is criminal culpability. If they research the software that I am running, that's fine. If they find a vulnerability, though, telling me makes them innocent, not telling me makes them guilty. If you are going to do security research you have ethical responsibilities and, hopefully, criminal ones as well.

                                  They have made the choice to do the following - report to vendor, put a 90 day clock on it. Either the vendor makes a public announcement within 90 days or Google does.

This has been happening for years, and as of yet, I don't believe Google's been sued over it.

                                  No, but it sure seems like they should be. Why do they have such a choice to get to make?

Dashrender @scottalanmiller

                                    @scottalanmiller said in Miscellaneous Tech News:

                                    @Dashrender said in Miscellaneous Tech News:

                                    @scottalanmiller said in Miscellaneous Tech News:

                                    @DustinB3403 said in Miscellaneous Tech News:

                                    @Dashrender said in Miscellaneous Tech News:

                                    @DustinB3403 said in Miscellaneous Tech News:

                                    @Dashrender said in Miscellaneous Tech News:

                                    @scottalanmiller said in Miscellaneous Tech News:

                                    @Dashrender said in Miscellaneous Tech News:

                                    No one is calling Google's Project Zero hackers/black hats because they give a, what 90 day window to companies to fix their shit before they post about it.

                                    I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                                    As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                                    So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                                    Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                                    No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                                    How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvise SSH client?

                                    I would assume there is a list of customers somewhere that would have these contact details that could be used.

                                    There is not.

                                    LOL, right - let's see.. Google finds a bug in SolarWinds software - calls them up - uh yeah, hey there, you know that client list you have? Yeah.. ummm... I'm going to need you to give that to me, K? Greeeeat.. Thanks.

                                    -Lumbergh

                                    All the while not telling them why they want it... LOL

                                    Right. And SolarWinds is a great example. A company that you absolutely can't trust. Now sure, I'd have to be insane to be a SolarWinds client in the first place. But if I was forced to be for some reason, and Google was in cahoots with them sharing vulnerability information in MY network with a known malicious vendor, I'd be livid and definitely consider criminal charges for Google informing my enemies how to breach my network.

                                    Just because Google identifies someone as the owner of a commercial product, doesn't give said vendor some special legal right to knowledge of my network.

                                    Well, I'm here to tell you - they are doing it nearly daily.
                                    https://en.wikipedia.org/wiki/Project_Zero

                                    Google has reported to nearly every big tech name some vulnerability they found before it went public.

                                    scottalanmillerS 2 Replies Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller
                                      last edited by

                                      Here is an example that would test Google's goals pretty easily....

                                      Windows has vulnerabilities. Chinese military swoops in and buys Microsoft. Google finds a back door in Windows. Does Google tell the Chinese military how to get in through a backdoor that they probably didn't know about? Or does Google warn customers that they have a back door?

                                      There's a clear right choice, and a clear wrong choice. Sure, it's an absurdly extreme example. But the edge cases normally shine a light where more frivolous situations make it feel like a grey area.

                                      Under what condition is a vendor given a special privilege by a hacker where the customer is not given a chance to defend themselves? If anything happens, how is Google not actively participating in a crime?

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Dashrender
                                        last edited by

                                        @Dashrender said in Miscellaneous Tech News:

                                        @scottalanmiller said in Miscellaneous Tech News:

                                        @Dashrender said in Miscellaneous Tech News:

                                        @scottalanmiller said in Miscellaneous Tech News:

                                        @DustinB3403 said in Miscellaneous Tech News:

                                        @Dashrender said in Miscellaneous Tech News:

                                        @DustinB3403 said in Miscellaneous Tech News:

                                        @Dashrender said in Miscellaneous Tech News:

                                        @scottalanmiller said in Miscellaneous Tech News:

                                        @Dashrender said in Miscellaneous Tech News:

                                        No one is calling Google's Project Zero hackers/black hats because they give a, what, 90-day window to companies to fix their shit before they post about it.

                                        I call that black hat, absolutely. Because they know that customers are at risk and don't tell them. Maybe it's the right decision, maybe it is not, but that's 90 days of wearing a black hat if I'm a customer and they are holding secret information about how to breach me and they've chosen to tell someone other than me, the customer.

                                        As a customer, I have more right to be told than anyone and I believe telling vendors before customers should be considered a crime. I don't agree with the "black hat for a while" thing that people have sold.

                                        So you propose that Google's Project Zero should make a public announcement about every vulnerability they find the moment they find them - there would be no other way Google would know who is using said software.

                                        Yeah, that seems utterly irresponsible. I mean I get why you think that, but in doing so you've also just released another zero day to the masses of hackers. While it's possible that no one was being hacked by this vulnerability, with your announcement, there is zero chance that someone new won't be hacked by this.

                                        No, don't announce it to the general public, but to paying customers, yes absolutely disclose the vulnerability and remediation (if the client has to do something).

                                        How do you propose getting that client list if you are Google's Project Zero, and you found a vul in Bitvise SSH client?

                                        I would assume there is a list of customers somewhere that would have these contact details that could be used.

                                        There is not.

                                        LOL, right - let's see.. Google finds a bug in SolarWinds software - calls them up - uh yeah, hey there, you know that client list you have? Yeah.. ummm... I'm going to need you to give that to me, K? Greeeeat.. Thanks.

                                        -Lumbergh

                                        All the while not telling them why they want it... LOL

                                        Right. And SolarWinds is a great example. A company that you absolutely can't trust. Now sure, I'd have to be insane to be a SolarWinds client in the first place. But if I was forced to be for some reason, and Google was in cahoots with them sharing vulnerability information in MY network with a known malicious vendor, I'd be livid and definitely consider criminal charges for Google informing my enemies how to breach my network.

                                        Just because Google identifies someone as the owner of a commercial product, doesn't give said vendor some special legal right to knowledge of my network.

                                        Well, I'm here to tell you - they are doing it nearly daily.
                                        https://en.wikipedia.org/wiki/Project_Zero

                                        Google has reported to nearly every big tech name some vulnerability they found before it went public.

                                        Of course they do, and one of the reasons I have no trust for Google.

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said in Miscellaneous Tech News:

                                          Google has reported to nearly every big tech name some vulnerability they found before it went public.

                                          Right, because they put big business interests before end user. That's exactly who Google is, in every way.

                                          Same Google in trouble for firing their ethics people, right?

                                          1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @scottalanmiller
                                            last edited by

                                            @scottalanmiller said in Miscellaneous Tech News:

                                            @Dashrender said in Miscellaneous Tech News:

                                            @scottalanmiller said in Miscellaneous Tech News:

                                            Bottom line, if Google Project Zero discovers a vulnerability, and chooses to hide it from me, and I get compromised because they were complacent (or worse), I think that there is criminal culpability. If they research the software that I am running, that's fine. If they find a vulnerability, though, telling me makes them innocent, not telling me makes them guilty. If you are going to do security research you have ethical responsibilities and, hopefully, criminal ones as well.

                                            They have made the choice to do the following - report to vendor, put a 90 day clock on it. Either the vendor makes a public announcement within 90 days or Google does.

                                            This has been happening for years, and as of yet, I don't believe Google's been sued over it.

                                            No, but it sure seems like they should be. Why do they have such a choice to get to make?

                                            I assume they did because they considered the greater good. Not saying it's right or wrong.. just that it is.

                                            scottalanmillerS 2 Replies Last reply Reply Quote 0