[nknighthb]

It's telling that your first concern is for Coursera (which deserves no concern at all) and only then its users.

There are definite benefits for Coursera's existing users -- at the very least, they now know it is vulnerable to cross-site attack and can be sure to log out before visiting other sites.

Another set of people clearly benefiting are those I've already alluded to, who now know not to sign up for Coursera.

[shortstuffsushi]

I'm not really sure how you infer the first line there. I'm in no way defending Coursera -- clearly they need to run their services through some better security checks.

I still generally disagree with your second point -- informing users of a security breach/flaw could (and should, even now after this article was published) be done by Coursera. In this situation, they should be the ones who come forward to their users and A. describe what the issues at hand are and B. describe how to avoid falling victim to them. The author of this article doesn't provide any suggestions for the non-tech-savvy.

Regarding users not signing up, perhaps you're right. It does prevent them from potentially losing their private information. In all likelihood, though, users who don't sign up after reading this article will never sign up. Yes, I realize this primarily hurts Coursera, so in this case, my concern is for them. It also means that potential users miss out on whatever they might gain from the site. A better option that Coursera itself might offer is a temporary "hey, we aren't accepting new users right now -- check back in a week" or something.

And again, I do not believe Coursera should just forgiven for something like this. As I mentioned, I've never been on the site, probably never would, and now am even less likely to do so, as I have no faith in them. I still don't believe that publishing open security holes is the right solution, unless they specifically said something along the lines of "yeah, we're not gonna fix that."

[nknighthb]

Your exact words were: "does making these publicly known benefit Coursera".

Whether it benefits Coursera isn't just the last question anyone should ask, it should never be asked. It's nobody's responsibility to provide any benefit to Coursera.

Your argument that "[Coursera] should be the ones who come forward" seems out of place, save as another attempt to deflect attention from Coursera's failings. That someone has a duty to act does not generally preclude others from acting.

"The author of this article doesn't provide any suggestions for the non-tech-savvy." implies that we should be less concerned for tech-savvy users. Why would that be, exactly? Do they have less to lose, or is this another attempt to deflect responsibility?

Your claims to not be defending Coursera sit uneasily with clear attempts to deflect responsibility from them.

[shortstuffsushi]

If you pick just those words, then yes, I'm only considering Coursera. If you take the comma into consideration, sure, you could even claim that I'm taking their best interest before their customers. It's a stretch, but if we want to pick apart words, sure.

Why would you never ask if it benefits Coursera? There are people who have an interest in them not failing, whether it be people making money, or people using the service. It seems you're only considering the people with money at stake. What about the people who rely on Coursera for the educational content?

I don't understand how Coursera being the one to come forward in any way deflects attention from their failings. It would literally be them bringing attention to the issue. Maybe I'm misunderstanding you here, but to me it seems that the company coming forward show not only responsibility, but maybe even some humility -- acknowledging their failure rather than trying to cover it up. And maybe you'll find that a bit of a stretch, but I'll try to give some credit for attempting at least.

That said, the message they did publish (see the current top comment on the post) doesn't really seem to do a great job of stating what actually happened, or what they're doing now, so it's not the best I've ever seen. It's also going to be 'too little, too late' in many people's eyes, as they now look like they're trying to backtrack to cover themselves after being exposed by the author of the article.

The "precluding others from acting" thing is what I've been trying to say this whole time. No, his findings, and being told that they are in the process of fixing it does NOT prevent him from publishing his findings (clearly, as he did). However, they made clear they were working on it (or at least enough so that he acknowledged they were), and it seems to me that he has now kind of cut their legs out from under them, exposing their failings while they were working on them and before they made the announcement themselves. It just seems tactless to me, regardless of who it benefits. I don't mean this as "oh, poor Coursera, they've been made fool of on the internet" or anything like that, it just kind of rubs me the wrong way. Take that for what you will, clearly you don't feel the same way.

Regarding the less tech savvy, you've got it backwards. I in no way mean that we should be less concerned for less savvy users -- just the opposite. If we're going to expose a vulnerability that affects them, we should go out of our way to defend them (or, the responsible party should). The author of this article does not do this, and consequently leaves them exposed without any opportunity for remediation.

I really think you're misunderstanding me. I think Coursera should have all the blame, and I think they should be the ones responsible for coming forward with their problems, what they're doing about it, and what their users can do about it. If they had failed to do so, then yes, absolutely someone should come forward and warn the public. That wasn't the situation here -- when contacted, they immediately began working to fix the problems.

The only thing they didn't do was immediately announce to everyone that there may be security flaws. Should they have? Perhaps, but then at that point, they're making themselves a target until they complete their fixes. Announcing the problem after the fix seems a pretty standard procedure to me. So again, to make clear and alleviate any remaining doubts you have, yes, Coursera screwed up. I think everyone knows this by now. They've also gone through the steps they needed to take to fix the problems now (as far as we know). I still don't think it was responsible for the author of the article to release this before they had completed those fixes, though.

[nknighthb]

It's amusing that you read my statements exactly backwards, but think I'm the one misunderstanding you.

You're reciting all the standard arguments in favor of "responsible disclosure". You're literally saying nothing new. I've heard it all a thousand times. It's crap.

The longer vulnerabilities are hidden, the longer users are left at the mercy of black hats, unable to protect themselves, and the less incentive there is for developers to act.

You see it even here, where the developer "acted", but only after being exposed. You even acknowledge it, but fail to reach the logical conclusion.

This scenario has played out over and over again throughout history. Corporations will never act in the best interests of anyone but themselves. The people holding them to account are not the villains.