This is why, if you maintain software, your first words when you respond to bug reports are always “thank you”. That bug report means that someone cares enough about your software to try to make it better. If you can’t write a response to the bug report starting with “thank you”, then take a bit of time off and try again later.
I’m somewhat surprised to see bitwarden left out of the comparison here. It’s open source and (I think) a very popular alternative to 1password and lastpass within the tech world. Perhaps there weren’t any security vulnerabilities found and the quality of their response could therefore not be compared?
I hadn’t found any flaws in Bitwarden at the time, but I need to do a thorough review of it. Since it’s open source, it’s one of the few I can thoroughly review.
I’d be interested in the results and their reaction when you get to it!
My read’s the latter case, yeah. Two issues he found, and then another issue he’s familiar with.
While I have a lot of respect for the author, I do sympathize with LastPass in this situation.
There are a lot of people that blast out low quality security reports so it can be hard to triage those reports. So I can see the temptation in handing over triaging responsibilities to a vendor who can specialize in that skillset. Now Bugcrowd should be better if they are going to provide triaging services. It’s a hard problem but that’s the entire business they are in.
But once Bugcrowd messes up, I am not surprised that LastPass’s support folks had no idea how to handle actual security issues. They wouldn’t be trained for it because the assumption would be that the existing process for getting security issues would handle the security reports.
So to me, the only problem is with Bugcrowd not handling security reports properly.
The typos and sentence structure in the LastPass emails suggest to me that it’s being outsourced to a developing-world support farm which may not even be familiar enough with LastPass to provide any kind of support beyond “read this webpage”.
Yeah, I had the same reaction. I totally get being frustrated at Bugcrowd but from an outside perspective it seemed to me like this author shot the messenger when talking to support.
It almost always pays to put in the effort to be polite. It’s VERY rare that you’re going to be better off being harsh, because when you do, the other person’s defenses automatically go up. It doesn’t matter if it’s their job to listen to you, it’s an evolutionary reaction and ultimately it’s mutually beneficial to be nice (you have a greater chance of your stuff being resolved, they have a better day).
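Perhaps the author’s email to LastPass support would have gone better if they had politely explained (very broadly) to support why Bugcrowd had screwed up, instead of harshly asserting that they had. For example:
Bugcrowd incorrectly closed my report because it did not include proof of concept code. However, proof of concepts are not industry standard for the type of vulnerability I’m reporting (a flaw that makes LastPass’s encryption weaker than it should be) because they’re difficult and expensive to develop.
This is much better than what was actually sent to support - something along the lines of:
Bugcrowd triage shat the bed.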
The reason it’s better is because it’s empathetic to support’s situation (they don’t know anything about security) and doesn’t talk down to them. Instead, it explains the situation in an understandable way and gets support on your side. The last email did this a little bit, but by then it’s too late - to this support person you’re already just another rude rando they have to deal with.
To be clear, it’s absolutely ridiculous that support needed to be involved at all and Bugcrowd needs to do way better. They did shit the bed. But given that imperfect reality I don’t really have a lot of sympathy for someone who curtly contacted people who know nothing about security and expected an instant correct response.
I disagree. If you hand over something to a third party and they mess up that’s your problem.
If then someone tries hard to get around it and you still are unable to handle it, it’s your problem, and if that repeats it’s even worse.
You have all the responsibility for your product. If you use a third party and outsource, that doesn’t mean it’s not your problem, because after all it is still your product and your decision to outsource.
This is challenging for password managers and encrypted messaging apps. You need cryptographic expertise. Bug bounty hackers typically don’t have the same skillsets.
I’m sympathetic to anyone running a bug bounty program (I used to in my professional name), but that only goes so far.
What really bothers me about the poor responses is the lack of humility. For some strange reason, a lot of people believe that software with positive functionality (e.g. storing passwords) must lack negative functionality (e.g. data-exfiltration side-channels). The ideal response should include an emotional component which indicates an openness and willingness to improve software without ego.
I would like to think that my response to security research is amusement. Not to be derisive, but to celebrate their effort and acknowledge their achievement.
My default emotional response to someone telling me about a security flaw in my code is a mix of curiosity, excitement, and good humor.
I’m always worried it won’t come across that way, however.
Mine is closer to panic: “oh shit that looks bad, I need to investigate right this second”.
So far my panic has been warranted once. The rest were either false positives or minor issues. I still believe it’s worth it: without the pressing need to thoroughly pin down the issue, I could have missed the one time it turned out to be a critical vulnerability. Heck, even the false positives are interesting: they cause me to understand things I didn’t before, and that’s progress.
Yep. I always learn from security people.
That’s why I fursuit at DEFCON.
Very much agree there. I try to live up to those standards myself, I hope I succeed.
Now I’ve also been on the receiving end of… feedback, let’s call it, that was less than helpful. I mean, I’m deeply thankful for all the reports I got on my work that were addressed directly to me (typically by email or bug tracker). I am less enthused by those who shit on my work with nothing more than a superficial reading (and I daresay sketchy understanding) of my self-disclosure. Or when people “politely” suggest to my face I just shut up forever because of one mistake I made 2 years prior.
My point being, just like authors and companies don’t want to drive security researchers to go full disclosure or Black Hat every time they find something, people who find or hear about issues should not shame authors for promptly disclosing issues. We want software writers to keep disclosing their own issues.
Now to be clear, as far as I can tell @soatok is a considerate security researcher. Thank you for that, keep at it. My salt is directed elsewhere.
This is generally correct, but there’s a case I saw recently where a “security researcher” attempted to get RCE on an OSS project’s CI infrastructure. They did this not by filing a bug report saying “your CI looks suspicious may I do C?”, but by creating a new GitHub account and posting a bunch of different patches targeting the CI.
It was only during the work being spent trying to identify whether things were under attack that it came out that they were actually employed by a “pentesting” company that had no relationship with anyone or thing involved with the project. Their presumed intent was a server compromise and then a bug report saying “look we compromised your servers”.
Your right to pull the “I’m a security researcher and they shit on me card” goes out the window once you’re actively attacking and targeting code execution on a system that does not belong to you.
Yeah, that’s why I never send traffic to any systems I don’t control. I only study source code, and rarely reverse engineer apps.
Criminal activity is a horrible way to start a relationship with a business.
(n.b. I never do API testing. Yes, even if there’s a Safe Harbor declaration somewhere. Aaron Swartz’s prosecution happened despite MIT and JSTOR not wanting to pursue hacking charges. I do not trust the US government, so it’s best to never run afoul of the Computer Fraud and Abuse Act if you can help it.)
Here are two rough uBlock rules to remove most of those stupid furry-pictures. This makes the blog much more bearable for me. I hope it helps somebody.
||*soatok.blog*soatok*^
||*soatok.blog*Soatok*^
Regarding the topic itself: The author raises a valid point. I am often surprised how unprofessional even large corporations are in this regard. In the long term, quite a few whitehats will probably choose to become grey- or blackhats. Not only is the pay much better and consistent (you don’t have to nudge companies to pay promised bounties like an idiot), it also usually is safer, given there have been quite a few cases where companies “killed the messenger” and sued the security researcher instead of thanking them for the free service.
Was there a need to post these ublock rules though? Or a need to refer to the pictures in such a way as “stupid”, it seems fairly unkind to me and not really living up to the standards of this site.
The rules you provided also filter out some of the screenshots, so you end up missing important context by doing this. Not sure I would recommend hobbling the communication to others, just because of a weird personal aversion to cartoon animals.
Do you really expect anyone to read any further, if that’s how you open your comment? You could have added this separately, as a P.S. or anything else. Oh and without getting personal.
Let me quote you from 1 month ago:
Now I feel like I need some ublock rules for users.
I am making the call as a moderator that I believe both the motivation and effect of this comment are at odds with the type of community we are trying to be. In particular, there seems to be some sort of ideology in play here - I won’t try to guess at what, I don’t want to put words in your mouth.
If you don’t like an article, don’t read it, but it is not appropriate to use lobste.rs as a place to share tips on how to excise the author’s identity from their work. @Absolucy, this goes for you as well.
Additionally, the furry community is a vibrant one that prizes creative expression, and one I am proud to be an ally to. With this in mind, it is not appropriate to spread rhetoric falsely claiming that an entire demographic is inherently sexual, as your other comment below does. I also do note that, though you’ve said nothing that would positively indicate this, in many cases attacks on the furry community function as coded attacks on the queer community; the rhetoric you’re using could apply, without modification, to both, and is equally inappropriate and counter-factual in both cases.
My apologies to everyone for how long it took to put a formal response together. These things can have lasting impact, so despite the fact that it was several days ago, the mod team deemed it important enough to respond to.
FRIGN, by some miracle you have not had a formal warning before, so this is your warning: If this happens again, you will be banned.
Don’t worry, I’ve recognized that I shouldn’t have posted what I did, and I do not plan to do anything like that again. Sorry for causing trouble, and I wish everyone here to have a nice day.
Thank you.
the ublock rules work just as well if you don’t throw unnecessary hurtful insults. i appreciate the illustrations 🤷.
[Comment removed by author]
The fact that the rules exist is fine.
Posting them on the lobsters post the author has submitted to the blog post in which they ask people not to do that is weirdly passive-aggressive behaviour from both you & FRIGN.
I think the author is being a bit passive-aggressive here. The internet should be such that everyone can choose to block any content they want, with all advantages and disadvantages, even if it blocks part of the content because the content creator makes it deliberately hard to block certain elements on their website.
I also don’t see @Absolucy cowering and crying over being called a “jackass”. I don’t think calling something “stupid”, as I did, is something to get so hung up about. The author @soatok appears to be immature and thin-skinned to react in such a way, which is sad given his article is really excellent.
As a side remark: Furry art is not just cartoon animals. The overwhelming context I see them used in is of lewd or pornographic nature, and I don’t want to be reminded of that when I’m just interested in the technical content. I don’t mean to imply the author with such an intent of sexualization, which is evidently not the case, but it’s how I sadly perceive furry art on the internet.
It’s not a personal attack against @soatok that I want to block the furry art, it’s just that I don’t like furry art.
We all know your actual beliefs. Your excuses don’t hide them.
How you respond to security researchers says everything about you.
Thank you for your much more refined ruleset! I really appreciate it! :)