
Choose Your Own Security Disclosure Adventure - walterbell
http://hackingdistributed.com/2018/05/30/choose-your-own-security-disclosure-adventure/
======
tptacek
The dynamics here are pretty specific to cryptocurrency (real companies do
often have crappy responses to disclosure, but the only drama that ensues from
those reactions tends to be pile-ons) and I'm reasonably sure the subtext here
is IOTA.

~~~
el33th40r
>BTW, as you read the scenarios outlined below, I'm sure you'll be convinced
that I'm criticizing some specific coin or project, except no two readers will
agree on which coins. This post is not about The DAO or
the-coin-which-cannot-be-named-or-else-they-conjure-a-butthurt-online-brigade
and also no-not-that-one-the-other-one or even oh-my-god-they-all-do-that. It's
about all of us. The entire set of scenarios are synthetic -- an amalgamation of
Sorry-For-Your-Loss (SFYL) events I've seen play out in cryptocurrencies over
the years. No need to make it personal, it already is.

It really wasn't intended to single out any specific project. All the "funny
anecdotes" are real events that happened to me or to people I know, and now
that I think about it, none of them involve Iota.

~~~
tptacek
Don't worry, I'm sure the Iota people are reasonable enough to presume that
was the truth anyways.

------
zaarn
I choose B if I can get away with it and it results in me squeezing some money
out of the cryptocoin market while also discrediting it, C otherwise.

I'm not a moral/ethical rolemodel and I hope nobody thinks I am.

>They did not invent their own crypto. At the risk of going on a side-rant:
what is it with disciplines that teach people to stay away from their
discipline? Why is it that cryptographers get to tell people to leave
cryptography to others, but somehow it's OK to build your own consensus
protocol, "eventually-consistent" NoSQL engine that is actually plain old
inconsistent, or your own programming language with weird "wat?" semantics?

Because it's cool and you can impress others at parties with smalltalk or even
reach the HN frontpage!

------
crankylinuxuser
There's another, much darker side, that absolutely should be discussed when
talking about security disclosures....

There are *.onion IRC servers that run illegal ops. I can hop on one right now
(with no proxy goofiness, using this document I made:
https://cdn.hackaday.io/files/12985555550240/Linux%20DNS%20Resolver%20for%20Onions.txt)

And on that IRC server, I can auction and sell various things, including 0day
exploits. And I would potentially get paid in bitcoin or whatever I wish.

So here's the math, companies... If you're not willing to purchase them from
me, there are other buyers. And they are far unfriendlier. And they pay better
too.

Of course, that's if you have the "No Ethics" but don't want to get your hands
dirty actually running the exploit code.

~~~
matte_black
I’d love to be selling exploits to the highest bidder for a living. I have
little to no ethics.

