
I got access to all of BitTorrent Inc's source code and sensitive documents - simplyinfinity
http://forum.ragezone.com/f10/bittorrent-source-dns-reward-948810/
======
citricsquid
Looks like he acquired login information; he didn't exploit some sort of major
vulnerability that needed to be fixed which is generally what bug bounties
seem to be for. He's insulted he didn't get paid for not being an asshole,
what a strange world we live in. Facebook (or any other company) wouldn't pay
out if one of their support staff accidentally made a random user an admin,
why should this be any different.

~~~
Andrenid
He didn't get credentials; they never secured their admin panels:

> A friend was looking for a hosting provider and wanted it all secure, I
> checked a network range and found the Jenkins panel of BitTorrent. This was
> all 100% accidental, truth! At the end of the day If I wanted to 'hack'
> BitTorrent I wouldn't even know where to begin. I mean, there is no real
> skill or talent involved in what I did to find the information on
> BitTorrent. They forgot to set a user/pass to the admin panel, that had
> access to github from a master account. Github accounts had user/passes that
> were linked to everything.

> No hacking, just random find. Mad huh?

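The exposure described in the quote above is an admin panel (Jenkins) reachable without any user/pass, from which GitHub credentials could be read. The following is an added example, not code from the thread, from BitTorrent, or from the Jenkins project, of how to tell the three cases apart when probing a host you are responsible for: security switched off entirely, security on but anonymous granted read, or properly locked down. It assumes two behaviours of stock Jenkins: responses carry an `X-Jenkins` header, the root `/api/json` document includes a boolean `useSecurity` field, and `/whoAmI/api/json` reports the caller's identity (`name`, `anonymous`). The sample responses are constructed for illustration; the URL in `check_host` is a placeholder.

```python
"""Probe a Jenkins instance for unauthenticated access.

Added example; not code from the thread or from BitTorrent/Jenkins.
Assumed Jenkins behaviours: responses carry an `X-Jenkins` header, the
root `/api/json` has a boolean `useSecurity` field, and `/whoAmI/api/json`
reports the caller's identity. Sample responses below are constructed.
"""
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed sample responses, modelled on what Jenkins returns.
SAMPLE_OPEN = (200, {"X-Jenkins": "2.0", "Content-Type": "application/json"},
               '{"_class":"hudson.model.Hudson","useSecurity":false,'
               '"jobs":[{"name":"build-client"}]}')
SAMPLE_ANON_READ = (200, {"X-Jenkins": "2.0"},
                    '{"_class":"hudson.model.Hudson","useSecurity":true,"jobs":[]}')
SAMPLE_WHOAMI_ANON = '{"_class":"hudson.security.WhoAmI","anonymous":true,"name":"anonymous"}'
SAMPLE_LOCKED = (403, {"X-Jenkins": "2.0"}, "")
SAMPLE_NOT_JENKINS = (200, {"Server": "nginx"}, "<html>hosting control panel</html>")


def classify_jenkins(status, headers, body, whoami_body=None):
    """Classify one unauthenticated GET of <base>/api/json.

    Returns 'not-jenkins', 'auth-required', 'security-disabled',
    'anonymous-read' or 'unknown'. 'security-disabled' is the case in the
    thread: no user/pass on the panel at all, so anyone is effectively admin.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-jenkins" not in lower:
        return "not-jenkins"
    if status in (401, 403):
        return "auth-required"       # security on, anonymous has no read
    if status != 200:
        return "unknown"
    try:
        root = json.loads(body)
    except ValueError:
        return "unknown"
    if root.get("useSecurity") is False:
        return "security-disabled"
    # useSecurity is on, yet the root API answered without credentials:
    # anonymous has at least Overall/Read. Confirm we really are anonymous
    # and not riding on a leaked session or proxy-injected auth.
    if whoami_body:
        try:
            who = json.loads(whoami_body)
        except ValueError:
            who = {}
        if who.get("anonymous") is False:
            return "unknown"
    return "anonymous-read"


def fetch(url, timeout=5.0):
    """GET url with no credentials; return (status, headers, body)."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return (resp.getcode(), dict(resp.headers.items()),
                    resp.read().decode("utf-8", "replace"))
    except HTTPError as err:               # 401/403 etc. still carry headers
        return err.code, dict(err.headers.items()), ""
    except URLError:
        return None, {}, ""


def check_host(base_url):
    """Classify a live host, e.g. check_host('http://ci.example.internal:8080')."""
    base = base_url.rstrip("/")
    status, headers, body = fetch(base + "/api/json")
    if status is None:
        return "unreachable"
    who_status, _, who_body = fetch(base + "/whoAmI/api/json")
    return classify_jenkins(status, headers, body,
                            who_body if who_status == 200 else None)


if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:                # hosts you are authorised to test
        print(url, check_host(url))
    for label, sample in [("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED),
                          ("not jenkins", SAMPLE_NOT_JENKINS)]:
        print(label, classify_jenkins(*sample))
```

Reachability is only the first question. A Jenkins that answers 'security-disabled' exposes everything stored in it, including credentials such as the GitHub account mentioned in the quote, so the fix is not just enabling authentication but rotating every secret the panel could reach. Run `check_host` only against ranges you own or are engaged to assess.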
------
otterley
I find the author's righteous indignation that he did not receive the ransom
he thought he deserved amusing at best.

~~~
MentaLTorrent
I contacted BitTorrent and told them EXACTLY what I did, what information I
had access to and what user/passes needed updating, including SSH keys and
more. Whilst I gave a small generalization of what was at hand on the thread,
there was a considerable amount of data available to me.

- MentaL (RZ Thread Starter).

~~~
biot
Scenario 1: You find a boy who is lost and take him to the police station. The
family gives you $500 in reward.

Scenario 2: You find twin boys who are lost and take them to the police
station. The family gives you $500 in reward.

Would the fact that you get the same reward regardless of the number of people
lead you to act differently in the future? So if next week you found lost
twins again, would you let them stay lost or try to sell them on the black
market because you know you'll only get $500 when you think it should be
$1000?

Or is doing the right thing its own reward regardless of whatever amount you
get in recognition for acting honorably?

~~~
eli
Who wouldn't help a lost boy for free ?!

~~~
angersock
Many otherwise sweet young women (or men!) several of us probably went to
school with, for a start. :|

Edit: Was trying to give some help to somebody puzzled about this, which is
why I bring it up. Turns out that, if you're a lost young man, there's
probably a point in your travels where you zigged instead of zagging and thus
lost your way.

~~~
bigiain
In the "lost child" scenario, it seems to me there's some ranking like:

1) helping out 'cause it's the right thing to do.

2) helping out with some hope there'll be a reward.

3) not helping out, 'cause there's probably nothing in it for you.

4) helping out with an expectation of a reward.

5) helping out with an expectation of reward then complaining publicly 'cause
it's "not enough"

…

VERY_LARGE_INT) Abducting the child.

While there's a long way between 1-5 and the bottom of that list - there's no
doubt in my mind that 1 & 2 speak significantly better of the "helper" than 3,
4, & 5. (and interestingly, there's no "outside" difference between 1 and 2
or 4, unless you choose to admit your mercenary inclinations to onlookers.)

Things are a bit murkier in the guy in the article's case, since "bug
bounties" are known about and perhaps "expected", and I think Bit Torrent
handled this badly, but further down the thread he admits "This was all 100%
accidental, truth! At the end of the day If I wanted to 'hack' BitTorrent I
wouldn't even know where to begin. I mean, there is no real skill or talent
involved in what I did to find the information on BitTorrent." That makes it
hard for me to feel sympathy for him failing to get a windfall "bug bounty".

------
fibbery
Just because someone leaves their car door unlocked and you tell them about
it, doesn't mean they are obligated to give you any of its contents.

~~~
kaybe
On the other hand, if you find a wallet, you are entitled to 10% of the
cash. (1) (Bad fit as an example, I know, but the question is what is a good
comparison..)

(1) at least in Germany.

~~~
letney
Is this German law? I wish that were the case in the US, as I've found a
number of wallets over the years and would have made at least a few hundred
USD by now.

~~~
th0br0
It is. But only if the wallet contains >50€ or so.

------
lukeman
You got my hopes up that we'd finally be able to audit BitTorrent Sync.

~~~
nivla
lol I was hoping for that too. A great piece of software but a waste since it
can't be trusted for anything secure. To make it worse, this news just adds
more fuel to the fire. How can you trust them with security if they can't even
remember to add a basic authentication to their Admin Panel?

~~~
bigiain
I've got it syncing EncFS encrypted directories - which in the broad view
doesn't help - I've got un-audited code running with my user privs, which
_claims_ to "not do anything evil" without being (easily) verified.

At least it does mean I've got some extra encrypted-on-the-wire and encrypted-
at-rest data floating around - I strongly suspect BTSync's SHA256 encrypted
wire protocol moving AES encrypted EncFS files means that data is secure
against the NSA's ubiquitous surveillance programs - the cleartext of those
files won't be showing up in XKeyscore in response to bored or curious NSA (or
Booz Allen Hamilton) staff. (While acknowledging that if the NSA becomes interested
in _me_ specifically (or probably interested enough in any of my social
network) - my privacy will be easily and wantonly violated. And I'm actually
_mostly_ OK with that.)

------
GBiT
You have to be proud of yourself for not abusing it no matter how they
responded. You did the right thing here. Hope BitTorrent Inc will fix this
misunderstanding.

------
0x0
If one guy could accidentally stumble upon this, what are the chances others
have too? Would it be possible or even likely that the source code or binaries
or web servers or private keys have already been compromised or trojanized?

------
EasyCo
Some thoughts: From the perspective of the company, what kind of financial
impact would they have suffered should that information have fallen in
different (malicious) hands? Providing an adequate award not only shows
appreciation but it sets a precedent should something similar happen again.
The 'finder' who might otherwise usually go the malicious route will be more
likely to do as MentaL has.

------
mrlinx
By submitting this information to BT, he indeed closed an access point to all
this data, thus reducing the likelihood of it being badly used. Isn't this
exactly why bounties were created? Because it's better to give a few bucks and
increase the system's security than to have it compromised for worse costs.

------
hack_edu
Stay classy!

~~~
cupcake-unicorn
Indeed...This seems rather petty to me. They did offer him some money, which
he's not even automatically entitled to in the first place...companies can
choose whether they do bug bounties, or how much they pay.

~~~
ascendantlogic
You don't seem to understand that access to something that widely used would
be worth tens of thousands of dollars on the black market for those sorts of
things. For every "good" person that reports the information for free, there
are people out there actively looking for this sort of thing that are not good
people. If this company sets a precedent that they won't make it worth your
while to "turn in the evidence", that sort of thing will just go to the
highest bidder out there on the Internet and undoubtedly be used for something
extremely malicious.

tl;dr: small payouts and jerking this guy around sets a bad precedent that
will encourage future people to sell on the black market.

------
jongraehl
It's not the amount of money so much as the "so invoice us" attitude.

------
jheriko
Whilst I agree they are ungrateful and inept, I can't help but notice that you
want a reward for doing the right thing?

Get over it... life isn't this nice, you are entitled to nearly nothing. Deal.

