This is NOT a case of responsible disclosure
Clipped from: krebsonsecurity.com
As I'm gearing up to head to Def Con, this particular story jumped out at me and slapped me in the face with anger. Many times in the past we've read news about famous people and websites getting hacked and people's information leaked, and from the outside it's easy to point, laugh, or scorn people for not taking the proper security measures needed to keep their information safe. What we forget, though, is that responsible disclosure is key.
So what happened? An Argentinian hacker named Russo and his associates discovered SQL injection vulnerabilities at The Pirate Bay that led them straight to user information on the site: usernames, email addresses, IP addresses and MD5 hashed passwords. Keep in mind that "hashed" is cold comfort here. MD5 is a fast hash, and if the hashes are unsalted, the common passwords among them are trivially recovered with a wordlist or precomputed tables, so once that table is out, a large share of the passwords are effectively in the clear too.
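To make the vulnerability class concrete, here is an added example that is not The Pirate Bay's code and makes no claim about how its site was written: a user lookup built by string concatenation beside its parameterized replacement, run against a few constructed sample rows, plus a tiny wordlist check showing why unsalted MD5 password hashes give up their plaintexts once the table leaks. The table layout, the sample users and the wordlist are all assumptions made for the demo.

```python
import hashlib
import sqlite3

# Constructed sample rows for the demo; not real users, not The Pirate Bay's schema.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "203.0.113.5", hashlib.md5(b"hunter2").hexdigest()),
    ("bob", "bob@example.net", "198.51.100.7", hashlib.md5(b"letmein").hexdigest()),
]

# Small constructed wordlist; real attackers use lists of millions of entries.
WORDLIST = ["password", "123456", "hunter2", "letmein", "qwerty"]

# Classic tautology payload: closes the quoted literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, ip TEXT, pw_md5 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's string is spliced into the SQL text."""
    sql = ("SELECT username, email, ip, pw_md5 FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the value is bound as a parameter, so quotes in it are just data."""
    sql = "SELECT username, email, ip, pw_md5 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def crack_md5(hash_hex, wordlist):
    """Recover a plaintext from an unsalted MD5 hash by hashing each wordlist entry.

    MD5 is fast and, without a salt, every leaked hash can be tested against the
    same candidates; there is no per-user work for the attacker.
    """
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == hash_hex:
            return candidate
    return None


def dump_and_crack(conn):
    """Chain the two weaknesses: inject to dump every row, then crack each hash."""
    rows = lookup_vulnerable(conn, INJECTION)
    return {username: crack_md5(pw_md5, WORDLIST) for username, _, _, pw_md5 in rows}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup with payload:", lookup_vulnerable(db, INJECTION))
    print("safe lookup with same payload:", lookup_safe(db, INJECTION))
    print("cracked:", dump_and_crack(db))
```

The same payload that dumps the whole table through the concatenated query returns nothing through the parameterized one, because the driver sends the quote characters as data rather than letting the database parse them as SQL. The cracking step is the reason a leaked table of MD5 hashes is nearly as bad as a leaked table of plaintexts: a slow, salted password hash would make the wordlist pass cost real time per user instead of microseconds per row.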
If there were ever a place where responsible disclosure matters, it's here. The entertainment industry has long been waging war against regular people over copyright infringement. They aren't even interested in justice or doing the right thing. The RIAA is happy to throw thousands of people into scattershot-style cases. They've even sued people for file sharing who didn't own a computer. Seriously? Everyone knows the RIAA and the MPAA are going to do absolutely everything they can to get hold of this information and potentially ruin almost 4 million Pirate Bay users.
Russo maintains that at no time did he or his associates alter or delete information in The Pirate Bay database. But he acknowledges that they did briefly consider how much this access and information would be worth to anti-piracy companies employed by entertainment industry lobbying groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA),
From krebsonsecurity.com via clp.ly
The hacker responsible for finding this vulnerability should have disclosed it directly to The Pirate Bay administrators and let them deal with the situation. That is what responsible disclosure means: a private report to the site operator and time to fix the hole before anything is published, not pulling the user table and then weighing who might pay for it. Instead, he claimed he did it to show people how private they really are on the internet. No, fuck that. This guy wanted a shot at the media so that he could pimp out his "subscription-based software vulnerability exploit service." There was nothing altruistic about this; it was greed and hubris. Nothing makes me angrier than blackhat douche nozzles who use their skills for malice. I think Bruce Schneier needs to whoop his ass.
“Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told KrebsOnSecurity.com in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”
From krebsonsecurity.com via clp.ly
