Man charged with accessing USC student data
Robert Lemos, 2006-04-20
Man charged with accessing USC student data 2006-04-21
Anonymous (3 replies)
Perhaps I'm being particularly dim here, but I'm sure someone will point this out if so...

This guy freely gave information about the flaw, in such a way that the flaw could be fixed before it was public knowledge.

The details of what precisely the flaw was are sketchy, but it appears that it allowed a person without appropriate privileges to access the database.

How precisely is one supposed to determine if the flaw exists without accessing data? That's like saying 'well, the airbags aren't working quite right, but I'm not going to test them, you'll have to take my word for it'. Sure, people will listen to that.

It sounds to me like the poor guy's only error was to even care about the flaw and report it. Had he kept quiet, it might not have been noticed, and instead some actual malicious person would either be being prosecuted, or more likely, laughing in some non-extradition country.

Since the details are sketchy it could be that he acted in an inappropriate way, accessing more data than needed to expose the flaw. However, this article taken alone sends the message that people who expose flaws will be prosecuted. Talk about killing the messenger.

Copyright 2008, SecurityFocus