UPDATED
A security hole in the Blogrolling software is fixed.
Elliot Noss, who runs the company that owns Blogrolling, is unhappy that I linked to Hoder’s original posting about this earlier today. Here’s his site’s update on the issue.
Hoder says he did notify the company before posting his item some hours later (after not hearing from them). Nonetheless, I have to agree with the people who are taking me to task for linking to it myself: I shouldn’t have.
Posted by: Joey deVilla on May 12, 2004 10:21 AM
From the blogrolling.com news blog:
===
This morning at roughly 9:05am EST, Brent Ashley brought a security vulnerability to our attention. The issue was escalated to our on call developer who crafted a hot-patch and fixed the problem by roughly 9:54am EST.
===
The right thing to do in such a situation is to notify us and give us a chance to fix the bug. If you ever find a security flaw in any Tucows product, you can drop me a line at jdevilla@tucows.com. It’s part of my job to handle things like this. I’ll make sure the appropriate alarms are sounded, action is taken and even pull strings to make sure that we send you some kind of gift of gratitude.
The wrong thing to do is to point out the flaw to the world, tell people how to exploit it and even make creative suggestions. That’s just anti-community behaviour.
Joey deVilla
Technical Community Development Coordinator
Tucows, Inc.
Posted by: Phil Ringnalda on May 12, 2004 02:31 PM
You’re running Movable Type here, right, Dan? As it happens, I know a fresh and incredibly severe MT exploit. Would you like it on my blog? Shall I post it on one of the security email lists that you don’t subscribe to, but every single cracker does?
I understand the urge to publish, I feel it myself. Even just to hint. But while I’d enjoy the momentary fame, I don’t think people getting hosed would be that happy about my full exposure.
Do you back up your MT installation? Often?
Posted by: Irene on May 14, 2004 01:45 AM
Dan, if it were a Windows bug, what would you do?
You cry foul when the Pentagon tries to minimize coverage of embrassing events. Yet you agree with those who try to minimize publication of software bugs?
Regardless how fast anyone fixes bugs, it takes time for administrators to upgrade their software. Bugs are bugs. It shouldn’t matter whose fault it is – bugs and security holes are not acceptable.
If lawsuits are the only way to make cars safer, then humiliation may be the only way to force software developers more proactive. It shouldn’t a race to see who can fix bugs faster, it should be about not having any in the first place!
I write software. I also have to use a lot of crap. That is why I take these things very seriously.
Posted by: Kevin Aylward on May 12, 2004 07:12 AM
Considering that he published the exploit before notifying the vendor (which he never did) he’s no different that the people creating exploits like Beagle and Sassar.
Good job linking someone advocating and providing instructions on how to hack a commercial software service. Very tech savvy of you…