
Security Community Raises Money for Researcher Snubbed by Facebook Bounty - SonicSoul
http://www.wired.com/threatlevel/2013/08/researcher-denied-facebook-bounty/?mbid=social10973184
======
ck2
Going to research it a bit to make sure he will get the funds and then I am
also donating [http://www.gofundme.com/3znhjs](http://www.gofundme.com/3znhjs)

I am concerned "gofundme" will not be able to pay out to Palestine. I don't
think PayPal will work there and I don't even think USPS will deliver there. I
know Israel will not allow Palestine to mail out internationally.

Update: they will NOT likely be able to pay out.

[https://gofundme.zendesk.com/entries/22590777-Is-my-country-supported-](https://gofundme.zendesk.com/entries/22590777-Is-my-country-supported-)

[https://www.paypal-community.com/t5/Getting-started/Palestinian-Territories/td-p/94355?profile.language=en-gb](https://www.paypal-community.com/t5/Getting-started/Palestinian-Territories/td-p/94355?profile.language=en-gb)

Palestine is not listed ->
[https://www.paypal.com/worldwide/](https://www.paypal.com/worldwide/)

----

Guy lives in a place with 22% unemployment and has not been able to work in
two years.

Watch this interview if you have not already
[http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-facebook-hack/](http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-facebook-hack/)

~~~
bennyg
Where there's a will, there's a way. They'll be able to get him the money; it
just might not be through PayPal.

~~~
ck2
Yes, I realize (and encourage) that individuals will help him.

But I don't think gofundme will be able to pay out and therefore everyone's
donations will have to be refunded.

------
dsl
Hopefully BeyondTrust will use the opportunity to also train him in
responsible disclosure.

Regardless of the response you get from a vendor, you don't make use of an
exploit against a vulnerable target. That is the line that separates the good
guys from the bad. Period.

Facebook has invested heavily in sandbox environments and automated generation
of test accounts with test data explicitly for researchers to help demonstrate
vulnerabilities. It is even mentioned many times on the page where you go to
find the address to report issues to and learn about the bounty program.

~~~
peterkelly
In order of desirability, the methods of dealing with a discovered exploit
are:

1. Report to vendor and do not publicly discuss until they've fixed it

2. Demonstrate the exploit in public to prove that it works

3. Sell on the black market to Mafia/NSA/etc.

The guy attempted approach (1), and didn't do a very good job of it, but it
seems this was at least in part due to inexperience. Should he have worked
more carefully to pursue option (1) first? Sure. But Facebook should have
asked him for more information, perhaps pointing him to the guidelines.

So next he went to option (2). Facebook found the bug, and fixed it. Option
(2) is infinitely better than option (3). I think Facebook should be extremely
grateful to this guy - he even apologised for having to take this option in
his post on MZ's wall, after (1) failed. Regardless of his and Facebook's
mistakes, they still should be thankful for him reporting it.

~~~
diminoten
Option 2 is not "Post on real user's account", option 2 is "create account,
use" or "use on established test account".

He was wrong, period, to post to a user's page. 100% wrong, and has no right
to ask for the money, because of that. Facebook's response is exactly the
correct response - fix the miscommunication, but remain firm in the denial of
money to someone who broke clear rules.

~~~
dalek_cannes
> "create account, use"

You mean create a fake account? Isn't that against TOS?

> "use on established test account"

Where the instructions are in English, even after changing language?

> He was wrong, period, to post to a user's page

Mark Z. is not just any user. FB is publicly traded, yes, but he _is_
basically Facebook. It's not like he 'hacked into' someone's account.

~~~
dalorin
The initial proof of concept post went to another user, not Mark Z. That was
Facebook's basis for denying the claim.

~~~
dalek_cannes
You're right. Point withdrawn.

------
616c
And he lives in Hebron in Palestine. How will they give him the money?

Answer: not easily. The financial blocks between that area and the rest of the
world are just as real as the geopolitical ones. It will be impressive if they
do it, short of a guy meeting him at a checkpoint and throwing an envelope to
him.

~~~
diminoten
Bitcoin's here, to save the day!

~~~
joosters
How will that solve the problem? Great, he'll have a wallet full of bitcoins.
How many vendors in Palestine accept them as payment for goods & services?

~~~
Raphmedia
He can still get online stuff with it. Online subscriptions. Video games.
Pornography. Etc.

~~~
joosters
He could have been gifted online stuff anyway. Get an account, send him the
password.

Bitcoins for these services add nothing other than some extra % costs when
using them, and still don't solve the problem of getting physical goods where
he is.

~~~
Raphmedia
Don't you think it would be a bit weird to give the guy a subscription to Anal
Magazine? Give him money, even if he can't get it physically, he can still use
it online.

------
Fuxy
Language barrier or not, as far as I know code is still written the same way.
The least the Facebook guys could have done is ask for details, not just reply
"this is not a bug".

And once you fix a bug reported by someone you don't get to deny their bounty.
The best you can do is complain about the methods used to demonstrate it.
You're not in a position to f __k with hackers we are ultimately the ones
helping you.

We have something that is ultimately more valuable on the black market than
what Facebook are paying us, so they should be handing out bonuses, not stealing
what we earned.

------
bencollier49
I don't understand how someone _could_ discover a security exploit in the
first place without breaching the Facebook ToS. Doesn't that give them a
getout for anything that's reported to them?

~~~
wepple
Facebook has a well-established program to allow anyone to look for security-
related bugs. There are indeed terms and conditions associated with it,
however, including not interfering with real data/people.

~~~
aestra
Terms and conditions which are only available in English.

~~~
aroch
They're available in Arabic and many other languages as well:
[https://www.facebook.com/legal/terms?locale=ar_AR](https://www.facebook.com/legal/terms?locale=ar_AR)

~~~
esailija
Those are not the whitehat terms at all.

But that doesn't matter, since the argument was ridiculous in the first place.
If you cannot understand or read rules, that doesn't mean they don't apply to
you. Also, he _understands_ English very well.

------
enterx
Nice. He made the world a safer place.

    
    
    else {
        // Meanwhile somewhere in the black market
        $parent->postFacebook("I'll be early from work today and have lost my key. Leave the key in the flowers.");
        $child->postFacebook("Ok, no problemos.");
    }
    

~~~
_mulder_
He hadn't managed to actually impersonate another user, just post on the wall
of someone who hadn't friended him.

Personally, I wouldn't leave my keys in the flowers because a random person I
didn't know posted it on my wall.

~~~
enterx
What if: the random person has a matching name and a photo? :D

~~~
walid
Good one!

