[nukem222]

Eh, finger pointing does nobody any good, emphatically including this comment. Finger pointing towards someone who actually found a vulnerability is just bleak. I would not willingly associate with anyone who engaged in such behavior.

Maintaining software is hard, but this does not imply a right to be babied. People should simply lower their expectations of security to match reality. Vulnerabilities happen and only extremely rarely do they indicate personal flaws that should be held against the person who introduced it. But it's your job to fix them. Stop complaining.

[gruez]

>Finger pointing towards someone who actually found a vulnerability is just bleak. I would not willingly associate with anyone who engaged in such behavior.

Nobody is "finger pointing" Rachel for the vulnerability. They're calling her out for how she communicated it. I feel that's totally justified. For instance if someone found a critical RCE, but the report was a barely coherent stream of consciousness, it's totally fine to call the latter part out. That's not "finger pointing".

>But it's your job to fix them. Stop complaining.

It's the developers job to respond to bug reports in the form of vaguely written blog posts?

[cenamus]

Yeah shame on the people irresponsibely publishing the vulnerability, but the people putting them in? Who cares

[gruez]

>but the people putting them in? Who cares

Literally nobody is arguing this.

[cenamus]

But everyone is grilling the author for publishing. Maybe they should sell it next time, no negative reaction that way

[gruez]

>But everyone is grilling the author for publishing

What's the alternative? Having no quality bar for vulnerability reports, and give no pushback for poorly written vulnerability reports, even if they're crayon scribbles on a napkin? I agree that not everyone can write a detailed and thoroughly researched bug report like the ones project zero puts out, but I think most can agree that "you might want to stop using [software]" is well below any reasonable quality bar.

>Maybe they should sell it next time, no negative reaction that way

Yeah I'm sure 0day groups are going to be paying top dollar for weird crashes.

[amiga386]

Fingerpointing is bad, but we have to have an honest conversation.

One person posted the vague post. They clearly did not expect the reaction it got, though they could have anticipated some of it, they are aware their blog is widely read. Their reaction is commendable, to quickly post a followup appealing for calm and sharing some details, to quell the problems caused by the intense vagueness.

What people from HN did, because of the vagueness, was assume this a super-secret-squirrel mega-vulnerability and Rachel is gagged by NDAs or the CIA or whatever... and they've gone off and harrassed the developers of atop while trying to find the issue.

Imagine a person of note saying "the people at 29 Acacia Road are suspicious", then a mob breaks down the door and start rifling through all the stuff there, muttering to themselves "hmm, this lamp looks suspicious... this fork looks suspicious"... absolute clowns, all of them.

For example, this asshole who went straight in there with bad-faith assumptions on the first thing they saw: https://github.com/Atoptool/atop/issues/330#issuecomment-275...

No, you dummies, it's not going to be in the latest commit, or easily greppable.

This is exactly why CVEs, coordinated disclosure, and general security reporting practises exist. So every single issue doesn't result in mindless panic and speculation.

There's now even a CVE purely based on the vaguepost, assigned to a reporter who clearly knows fuck all about what the problem is: https://www.cve.org/CVERecord?id=CVE-2025-31160 - versions "0" through "2.11.0" vulnerable, eh? That would be all versions, and the reason the reporter chose that is because they don't know which versions are vulnerable, and they don't know what it's vulnerable to either. But somehow, "don't know", the absence of information, has become a concrete "versions 0 to 2.11.0 inclusive"... just spreading the panic.

I don't know why Rachel is vagueposting, but I can only hope she has reported this correctly, which is to:

1. Contact the security of the distro you're using. e.g. if you're using atop on debian, then email security@debian.org with the details.

2. Allow them to help coordinate a response with the packager, the upstream maintainer(s) if appropriate, and other distros, if appropriate. They have done this hundreds of times before. If it's critically important, it can be fixed and published within days, and your worries about people being vulnerable because you know something they don't can be relieved, all the more quickly.

[freeopinion]

I commend you for writing what you think should be done and not just complaining about what was done. It is more helpful to express the correct procedure than to only label things as the wrong procedure.

[whatnow37373]

I never quite understood why computing is so different from literally all other branches of reality. Systems need to be secure, I get it. But if we have a bunch of folks dedicating their life to breaking your shit I don't get how that is in any way acceptable and why the weight of responsibility solely lies with people responsible for security.

We apparently have a society/world that normalizes breaking everyone's shit. That's not normal - IMO.

If I break into a factory or laboratory of some kind and just walk out again I have not found a "vulnerability" and I certainly won't be remunerated or awarded status or prestige in any way shape or form. I will be prosecuted. Everyone can break into stuff. It's not that stuff is unbreakable, it's that you just don't do that because the consequences are enormous (besides obvious issues with morality). Again, breaking stuff is the easy part.

I am certainly completely ignorant and should be drawn and quartered for it, but for me it is hard to put my finger where I'm so wrong.

I can see how the immaterial nature of software systems changes the nature of the defense, but I don't see how it immediately follows that breaking stuff that's not allowed to be broken by you is suddenly the norm and nothing can be done against that. We just have to shrug and accept our fate?

[hyperpape]

Leaving aside the ethics of vulnerability research in server-side software, you're neglecting the fact that atop runs on your own machine.

So it's not like breaking into a factory. It's like noticing that your dishwasher makes the deadbolts in your house stop working (yes...a weird analogy--there are ways software isn't like physical appliances).

Surely you have the right to explore the behavior of your own house's appliances and locks, and the manufacturer does not have the right to complain.

As for server side software, I think the argument is a simple consequentialist one. The system where vulnerability researchers find vulnerabilities and report them quietly (perhaps for a bounty, perhaps not) works better than the one where we leave it up to organized crime to find and exploit those issues. It generates more secure systems, and less harm to businesses and users.

[whatnow37373]

I'm sorry for being the ignoramus and lazy ass that I am, having not read a single sentence of the article.

You are, of course, right. Examining stuff to be brought into your own home is categorically different from meticulously analyzing and publishing the security vulnerabilities of your local power plant.

I can get behind the consequentialist argument. Sometimes we've just gotta go with what works, but I wonder if we give up too easily..

[dcminter]

I find your view bizarre.

If I buy a physical product, take it home, and then publish the various issues I find with it then ... nobody has a problem with that

I'm as sad as the next guy that the safe and trusting internet of academia is long gone, but the generally accepted view nowadays is that it's absolutely full to the gills with opportunistic criminals. Letting people know that their software is insecure so they don't get absolutely screwed by that ravening horde is a public service and should be appreciated as such.

Pen testing third party systems is a grey area. Pen testing publicly available software in your own environment and warning of the issues is not, particularly when the disclosure is done with care.

[whatnow37373]

I agree and conforming to HN rules, guidelines and established practices I did not, in fact, read or engage with the article at all (and I apologize).

Your view is one I agree with completely for a device bought to bring into your own home.

What I find less understandable is how finding (and exploiting) security flaws in publicly facing structures is normalized to the degree that it is. I can easily analyze some public stucture and publish detailed records on how you would most efficiently break into my local hardware store. I'm not sure I'm seeing the net win for society.

[dcminter]

How is it better to not look into or share such information when we know that a vast army of assholes are doing the same thing for nefarious purposes?

Yes, they might not spot it themselves, but we know that in practice they often do and the results are horrible. If we stop looking then they will definitely be the first to find vulnerabilities - as it is they are only sometimes the first (and the vulnerabilities they find are likely to be the lesser appalling ones).

Privately sharing the issue with the authors lets them fix it in a timely way, publicly announcing the issue after a reasonable period of time incentivises them to do so - corporate authors often won't bother unless their arms are twisted.

If those black-hat hackers were not really out there then I might agree with you, but they are, and they don't care that we don't like it.

[whatnow37373]

In a way I am definitely seeing your perspective here. Letting "good guys" win this race ocassionally is an improvement over never letting them win.

It's just that I think we can do better, because I think the web is a hostile, vitriolic open sewer and must be governed properly before civilized business can be conducted on it. It was perhaps a great innovative place, but it now is a dumpster fire causing endless headaches and beyond redemption. I think it's time to face this reality instead of trying to dress up the turd.

[dcminter]

That's an equivalent demand to expecting the world as a whole to be "governed properly" and thus won't be achieved for exactly the same reasons.

[dagss]

Well also in the real world, if you look at history, people DID exploit the neighbouring tribe with impunity if they could not defend themselves ("what idiots don't have a guard during night"), or built stone fortresses with 3 metre stone walls.

When living under those conditions, people probably did put the responsibility to be safe on the victim..

We have been able to remove this waste due to the introduction of the national state, laws, "monopoly on violence", police...

It is THOSE things that allows the factory in your analogy to not spend resources on a 3 metre stone wall and armed guards 24/7.

Now on the internet the police, at least relatively to the physical world, almost completely lack the ability to either investigate or enforce anything. They may use what tools they can, but it does not give them much in the digital world compared to the physical.

If we want internet to be like the real world in this respect, we would have to develop ways to let the police see a lot more and enforce a lot more. Like they can in the physical world.

[whatnow37373]

> If we want internet to be like the real world in this respect, we would have to develop ways to let the police see a lot more and enforce a lot more. Like they can in the physical world.

I agree and it's exactly this that's often so violently opposed by the technical community who are routinely frothing at the mouth at the suggestion that law enforcement needs access to be able to function while that community, and often especially that community with their fancy, expensive lives, enjoys widespread, comfortable physical and legal protection afforded by that very same law enforcement which is only made possible by this agency having far-reaching legal and lethal powers.

It can be abused and it will be abused, but I guess it comes down to do we want comfortable lives or do we want to be free?

IMO it's a matter of time before some nation-state level actor will unleash a digital shit-storm of astronomic proportions which will necessitate swift political decisions and it's my guess we better have an open, realistic discussion about it now instead of then.

[cturner]

"If I break into a factory or laboratory of some kind and just walk out" This is a weak analogy. In the situation you describe, right-and-wrong is easily understood by the layman, there is a common legal framework, there is muscle to enforce the legal framework.

In the computing space - if someone breaks the rules, it is only a bunch of us that understand what rule was broken, and even then we are likely to argue over the details of it. The people doing the breaks are often anonymous. There is no shared legal framework, or enforcement, or courts. The consequences of a break are usually weak. Consider the lack of jail time for anyone involved with Superfish. Many of these people were located in the developed world.

The computing world often resembles the lawlessness of earlier eras - where only locally-run fortifications separated civilian farmers from barbarian horsemen. A breach in this wall leads to catastrophe. It needs to be unbreakable. People who maintain fortifications shoulder a heavy responsibility.

[whatnow37373]

Maybe it's more like analyzing and publishing the security vulnerabilities of said factory or laboratory. It's not trivially right or wrong to do so. It seems acceptable, because you are helping them make it more secure (right?) yet most societies are quite adamant that it's not, in fact, normal - and legal - to do so. You'll get yourself in quite a bit of trouble if you do that.

Just moving to Nigeria and publishing security bulletins on how to break into Walmarts is still a shaky proposition, but perhaps it's safer than I think it is. The international judiciary is opaque to me.

> The computing world often resembles the lawlessness of earlier eras - where only locally-run fortifications separated civilian farmers from barbarian horsemen. A breach in this wall leads to catastrophe. It needs to be unbreakable. People who maintain fortifications shoulder a heavy responsibility.

Sounds about right. I'm not too happy about it, although I guess this particular era has its advantages as well.

[grumbelbart2]

Lockpicking is probably a close analogy; and that is an perfectly accepted and legal hobby in all western countries, with thousand of youtube videos on how to pick common locks.

Computing is actually different. There are laws for example in Germany ("Hackerparagraph") that make it illegal to produce "hacking" tools.

[immibis]

We can lock down the Internet so hard that every IP packet is associated with a physical address, then go and arrest people who allow bad packets to be sent from their address. This is what many governments are persistently trying to do. Is it a good idea?

[whatnow37373]

Not sure, but I don't see why we can't have a civil discussion about it and I'm not seeing much of that.

It's either A) we The People are completely free and nobody can intervene in any way or B) The Government is a tyrannical overlord that controls every packet that dares to enter the internet.

Absolute freedom never was and never will be a good idea. If we don't at least talk about it, somehow, someday, and maybe quite soon, They will ram it down our throats and we'll end up closer in scenerio B than A.

The internet reminds me in many ways of the international road network. There are clear boundaries and there are checks and, yes, they suck. It's not a complete free for all, yet it's workable. I know this analogy breaks down eventually, but I'm wondering if there's some middle ground here.

I guess I am jaded by some branches of "hacker culture" with a proclivity for taking pride in activities or mindsets - breaking in, finding exploits, destruction - that I don't find particularly palatable without understanding the social and eventual political backlash that will strip away your freedoms faster than you can say "papers, please".

[dcminter]

> It's either A) we The People are completely free and nobody can intervene in any way or B) The Government is a tyrannical overlord that controls every packet that dares to enter the internet.

Do you mean the various efforts to weaken crypto stuff? I don't think I object in principle to law enforcement having access to the information for law enforcement purposes, but we know that any kind of access is subject to scope creep particularly when you lower the threshold for that access. First it's to enforce reasonable laws, then it's to enforce unreasonable laws, then it's because someone bribed a policeman. Not necessarily in that order.

Besides, the main problem with safety on the internet is not that law enforcement has no tools, it's that the crimes cross political borders. You can (in principle) identify the culprit in Russia easily enough when the money is laundered, but how exactly do you plan to bring them to justice?

[immibis]

Where I live, the police have raided people's homes for protesting things Israel did. And when I was a victim of an actual violent crime, they kept saying how they should arrest me - according to demographic profiling, I was the perpetrator (I was there, I wasn't), all the way up to the courtroom where the actual perpetrator barely avoided prison time. So no, I don't really trust them to access my private anything. Any society with a hope of stability obviously needs some way to enforce laws, but this isn't it.

[dcminter]

You and I vehemently agree.

But even if the police where you live were perfect, handing them the keys to the internet wouldn't resolve crimes committed outside their jurisdiction.

I see why the idea is appealing to politicians, but even they ought to think twice about the risks inherent in third parties accessing their most private communications - given that whatever sides of the political aisles they sit upon they are likely to be much more interesting targets to better resourced assailants than us average schmucks.

[whatnow37373]

The analogy is not perfect, but physically the police already has extreme powers and they can (and ocassionally are) abused, but that's the price you pay for protection. If we don't, we accept bad guys will be running all over us for eternity and everybody and their mothers has to have, at minimum, a couple of AK-47s for basic safety.

[frontfor]

I second this. The pompous holier-than-thou I-know-better attitude some members of the computer security community has always rubbed me the wrong way. This behaviour of complaining is a manifestation of the typical “putting down” and dismissing someone who isn’t part of the tribe.