Hacker News new | ask | show | jobs
by ig1 5222 days ago
What the guy did was not only morally irresponsible but also criminal.

The security community has long has an accepted standard of responsible disclosure, which involves informing the vulnerable party beforehand and allowing them time to fix the problem before publicly disclosing it.

Publishing a vulnerability before giving those vulnerable a chance to fix it is irresponsible, using it to compromise a system is criminal. He was getting off light from getting his account suspended, GitHub could push for a criminal prosecution resulting in deportation and serious jail-time for his actions.

It doesn't matter what he did after the compromise (whether it was benevolent or not), the compromise of an account not held by him puts him clearly into the "black-hat" category.
2 comments
obtu 5222 days ago
The vulnerability was public, known for years, and no doubt already exploited. Making a splash about it on GitHub, popular as it is with rails hackers, is the best thing that could happen to the security of the rails ecosystem.
link
ig1 5222 days ago
The class of vulnerabilities was known but not this particular case. That's like saying people should be publish 0-day buffer overflows because it's a known vulnerability class.
link
Karunamon 5222 days ago
>the compromise of an account not held by him puts him clearly into the "black-hat" category.

That's not what "black-hat" means.

link
ig1 5222 days ago
Yes it does.

Gain unauthorized access to an account and using it falls under pretty much any standard definition of "black-hat" and in practical terms breaks computer security laws in pretty much all legal jurisdictions which have them.

link
Karunamon 5222 days ago 

    >Gain unauthorized access to an account and using it
Screw the motivations or the ends! The means are ALWAYS bad!
link
ig1 5222 days ago
If you steal a loaf of bread to feed your family it's still a crime.

Regardless of whether or not you think what he did was justified it's still illegal. And there's very few serious crimes for which "publicity stunt" will generally be regarded as a good reason.

link
Karunamon 5222 days ago
> it's still illegal.

Screw the law. Thinking that right/moral == legal is a very naive view of the world.

link