Hacker News new | ask | show | jobs
by nknighthb 4303 days ago
Your exact words were: "does making these publicly known benefit Coursera".

Whether it benefits Coursera isn't just the last question anyone should ask, it should never be asked. It's nobody's responsibility to provide any benefit to Coursera.

Your argument that "[Coursera] should be the ones who come forward" seems out of place, save as another attempt to deflect attention from Coursera's failings. That someone has a duty to act does not generally preclude others from acting.

"The author of this article doesn't provide any suggestions for the non-tech-savvy." implies that we should be less concerned for tech-savvy users. Why would that be, exactly? Do they have less to lose, or is this another attempt to deflect responsibility?

Your claims to not be defending Coursera sit uneasily with clear attempts to deflect responsibility from them.
1 comments
shortstuffsushi 4303 days ago
If you pick just those words, then yes, I'm only considering Coursera. If you take the comma into consideration, sure, you could even claim that I'm taking their best interest before their customers. It's a stretch, but if we want to pick apart words, sure.

Why would you never ask if it benefits Coursera? There are people who have an interest in them not failing, whether it be people making money, or people using the service. It seems you're only considering the people with money at stake. What about the people who rely on Coursera for the educational content?

I don't understand how Coursera being the one to come forward in any way deflects attention from their failings. It would literally be them bringing attention to the issue. Maybe I'm misunderstanding you here, but to me it seems that the company coming forward show not only responsibility, but maybe even some humility -- acknowledging their failure rather than trying to cover it up. And maybe you'll find that a bit of a stretch, but I'll try to give some credit for attempting at least.

That said, the message they did publish (see the current top comment on the post) doesn't really seem to do a great job of stating what actually happened, or what they're doing now, so it's not the best I've ever seen. It's also going to be 'too little, too late' in many people's eyes, as they now look like they're trying to backtrack to cover themselves after being exposed by the author of the article.

The "precluding others from acting" thing is what I've been trying to say this whole time. No, his findings, and being told that they are in the process of fixing it does NOT prevent him from publishing his findings (clearly, as he did). However, they made clear they were working on it (or at least enough so that he acknowledged they were), and it seems to me that he has now kind of cut their legs out from under them, exposing their failings while they were working on them and before they made the announcement themselves. It just seems tactless to me, regardless of who it benefits. I don't mean this as "oh, poor Coursera, they've been made fool of on the internet" or anything like that, it just kind of rubs me the wrong way. Take that for what you will, clearly you don't feel the same way.

Regarding the less tech savvy, you've got it backwards. I in no way mean that we should be less concerned for less savvy users -- just the opposite. If we're going to expose a vulnerability that affects them, we should go out of our way to defend them (or, the responsible party should). The author of this article does not do this, and consequently leaves them exposed without any opportunity for remediation.

I really think you're misunderstanding me. I think Coursera should have all the blame, and I think they should be the ones responsible for coming forward with their problems, what they're doing about it, and what their users can do about it. If they had failed to do so, then yes, absolutely someone should come forward and warn the public. That wasn't the situation here -- when contacted, they immediately began working to fix the problems.

The only thing they didn't do was immediately announce to everyone that there may be security flaws. Should they have? Perhaps, but then at that point, they're making themselves a target until they complete their fixes. Announcing the problem after the fix seems a pretty standard procedure to me. So again, to make clear and alleviate any remaining doubts you have, yes, Coursera screwed up. I think everyone knows this by now. They've also gone through the steps they needed to take to fix the problems now (as far as we know). I still don't think it was responsible for the author of the article to release this before they had completed those fixes, though.

link
nknighthb 4303 days ago
It's amusing that you read my statements exactly backwards, but think I'm the one misunderstanding you.

You're reciting all the standard arguments in favor of "responsible disclosure". You're literally saying nothing new. I've heard it all a thousand times. It's crap.

The longer vulnerabilities are hidden, the longer users are left at the mercy of black hats, unable to protect themselves, and the less incentive there is for developers to act.

You see it even here, where the developer "acted", but only after being exposed. You even acknowledge it, but fail to reach the logical conclusion.

This scenario has played out over and over again throughout history. Corporations will never act in the best interests of anyone but themselves. The people holding them to account are not the villains.

link