by arice 5232 days ago
I manage Facebook's Whitehat program (https://www.facebook.com/whitehat). We have taken an incredibly open stance towards security researchers and welcome the contributions they make towards securing the internet. Our policy towards this research is documented quite succinctly:

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

His attempt to access data was outside our whitehat guidelines, had clear malicious intent, and included extensive and destructive efforts to remain undiscovered and anonymous. In addition, he made no effort to contact Facebook with his discoveries, and even denied involvement when initially questioned. His attempt to claim he intended responsible disclosure only after faced with criminal action is false and insulting to the community of responsible security researchers.

5 comments

  ...insulting to the community of responsible security researchers
Bravo.
As an infosec professional myself, I applaud you for the stance you take. Offering a public bug bounty is an excellent way to allow researchers to conduct their experiments in an ethical fashion while protecting all parties involved.

At first glance at the article, it seemed that Facebook may have reneged on its offer of protection, but based on your explanation, it now seems that the hacker was indeed malicious, and only used the "white hat defense" as a shield.

I'm a huge advocate of ethical and responsible disclosure, so kudos to you for encouraging it where appropriate.

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

You think you can sue someone for sharing vulnerability information?

Unfortunately, much of the internet industry has an established history of doing just that. This heavy-handed approach to vulnerability disclosure has led to an atmosphere of distrust and is bad for everyone. Facebook's policy is intended to alleviate much of the tension involved with vulnerability disclosure.

If you're curious, the EFF has published a number of great articles on the topic:

https://www.eff.org/issues/coders/vulnerability-reporting-fa...

https://www.eff.org/deeplinks/2010/12/knowledge-power-facebo...

I think you are confused. I've been in the security industry for about 10 years. Disclosing a vulnerability is not illegal. Over the years, some companies have tried to sue over this, but these censorship attempts do not turn out well.

Not only is it legal to disclose unfixed vulnerabilities, but it is legal to sell them. Presently, the biggest buyer of them is none other than the US government.

Whoah. Whoah. Whoah. You're handwaving around the real issue. It's not legal to find vulnerabilities by testing other people's running web applications without permission, and it never has been.

People obviously do it, all the time, against sites that haven't officially given permission (as Google and Facebook have), and most of the time they get away with it, but they are rolling the legal dice every time they do. People have been getting in trouble for doing this for years.

The people selling vulnerabilities are generally running the software themselves. Huge difference.

My post, and his reply, were only discussing the disclosure of vulnerability information. I didn't say it was legal to attack a live system that you don't own. I see how you are making that logical leap in the case of Facebook, but it isn't necessarily a given. There are ways one can legally become aware of vulnerabilities in Facebook, and share that information.

Now the big questions:

Are you the law?

Should you make your own rules?

Should you have your own court?

Because that's how you are operating.

You made your own law and tempted people to break "common law". Double standards.

His attempt to access data...

How much data did he access?

I don't know the specific amount of data (as a percentage or bytes) accessed, but I think there are two main reasons you might want to know:

If you're wondering whether it affected the privacy of data created by people who use Facebook, the referenced article has a statement that it was not, but it appears this was added after the article was published, so you may have missed it.

If you're wondering whether it might be a small amount that a security researcher might collect to verify their report, from what I understand it was more than that.