
Quora engineers accused of vandalizing a clone’s website - betolive
http://www.greyreview.com/2011/03/17/quora-engineers-accused-of-vandalizing-a-clones-website/
======
nbpoole
The full quote from Rick Ross is "I am grateful that Ben Newman and Albert
Sheu of Quora have identified a (now fixed) XSS vulnerability in our test
site, but I am surprised that Quora policy permits developers to engage so
openly in vandalizing other people's websites." which is slightly nicer than
that article makes it sound.

Personally, I think the Quora engineers involved made some poor decisions.
Anyone who looks for security vulnerabilities on websites they don't own or
control is on shaky legal footing (there are exceptions: Google, Mozilla,
Facebook, and a few other companies provide systems for the responsible
disclosure of vulnerabilities). However, publicly disclosing vulnerabilities
on a competitor's website (and making your proof of concept mildly malicious)
is never going to work out well for anyone: it makes your company look like a
bully and exposes you to potential legal ramifications.

~~~
dacort
As a former web application security guy, and now developer, identifying and
disclosing vulnerabilities on websites is still very much a troubled area.
Most companies don't have proper security@ email addresses set up or
monitored, and still don't take kindly to vulns being reported.

That said, publicly disclosing a flaw in addition to defacing the website,
even temporarily, is certainly not a classy way to go about it.

------
bravura
[edit: Troll answers have been deleted, but you can still read the trolling
comment thread: <http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/all_comments/Ben-Newman>
and <http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/all_comments/Samuel-Codsaw> ]

On the Quora thread, <http://www.quora.com/Is-Qato-a-Quora-clone-attempt-or-a-similar-looking-Q-A-site>,
there are some answers by trolls pretending to represent Qato.

"Samuel Codsaw" writes: 'Also, we are using Ruby on Rails, so we expect to
have less trouble scaling and finding devs than Quora has.'

Rick Ross, president of DZone (developers of OSQA and Qato), replies in the
comments: 'This imposter has no connection with Qato and does a disservice to
both Quora and DZone by posting this nonsense.'

"Kevin McDougal" answers and comments, also trying to make DZone look bad.
("Rick, our plan to sabotage the Quora community is working. Did Hernani
create the 100 fake Quora accounts yet?" ... "Hold on. Was that message
private or public?") It's pretty juvenile and makes me question the quality of
the Quora moderation system.

Why are there all these sock puppet accounts (<http://www.quora.com/Kevin-McDougal>
and <http://www.quora.com/Samuel-Codsaw>) popping up and pretending to represent
Qato? They have only one answer on the entire site, and it's on this thread.

Are Quora engineers behind these trolls, or who? Regardless of who is behind
it, the trolling reflects poorly on Quora, not Qato.

The comments by Ben Newman (Quora dev) honestly are quite juvenile, and do a
disservice to Quora, regardless of any ethical considerations on the part of
Quora or Qato. I would prefer to see him take the moral high road.

~~~
joshu
Quora has a lot of passionate users.

~~~
darklajid
I've got a hard time not writing

"Quora has a lot of trolls" FTFY

with that kind of comment. Impersonation is crap and childish behavio(u)r and
not about being "passionate" about a site or a technology.

I don't think Quora guys are to blame, but

- These comments should be moderated/removed/shouldn't have been allowed in
the first place

- Calling idiots that do things like that "passionate users" does both the
service and the internet in general a disservice. They are idiots. Period.
That's not funny, that's not cool or helpful. Your reply seems kind of
supportive and I don't get why.

~~~
joshu
I am making an observation.

You seem very angry.

------
rickross
Just for the record, I meant it sincerely when I said that we were grateful
that Ben Newman and Albert Sheu showed us an XSS hole in Qato, and that has
now been fixed.

The site in question was just an unpromoted testing prototype which barely has
any content and happened to have the Quora-like skin on at that moment. It
probably shouldn't even have been publicly accessible.

Another Qato site on the same server is <http://robofaqs.com>, which is
sporting our OSQA clone theme. It doesn't look anything like Quora at all, but
is powered by literally the same server instance. That's what we're trying to
say - Qato is the general purpose Q&A engine under the skin, and these various
skins just modulate the way a Qato site looks.

~~~
jasonkester
FYI, underlined hyperlinks make it impossible to tell the difference between a
"q" and a "g" in a URL. As such, I'd suggest you spend some time finding a
better name for that unfortunately named site you linked.

~~~
nbpoole
So I take it you're not a fan of <http://www.gamefaqs.com> ? ;-)

~~~
potatolicious
Gamefaqs has a self-describing name that pertains to their main business
(Game. FAQs.) Qato doesn't have the same thing going for it.

------
jrockway
Vandalism is a stupid word to use. I imagine the process went something like
this: "I wonder what happens if I add <script>$.fadeOut() as the text of the
question" "Oh crap, it worked".

This is called experimentation. If you're in chemistry class and you mess up a
lab, you're not accused of vandalizing apparatus... it's simply what happens
when you are trying something out. Similarly, when you have a text box on a
test website, someone is going to type something in, and if that causes the
page to disappear, well... fix the bug and move on.

~~~
nbpoole
I disagree.

1. There are plenty of proof of concepts you can develop that don't destroy
the page.

2. The Quora engineers in question didn't enter stuff into a textbox and
leave it alone. They went and publicly disclosed a cross-site scripting
vulnerability in a competitor's website.

Edit: Ben deleted his "answer" which disclosed the XSS. However, the comments
on the answer are still accessible (for now) if anyone is curious about them:
<http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/all_comments/Ben-Newman>

Edit 2: Rick Ross posted a comment there I think is worth highlighting.

"In a way, we're grateful to these guys (Ben and Albert) for helping us close
a hole. Their method of publicly vandalizing a test site and bragging about it
is another matter. A simple email would have sufficed."

~~~
jrockway
The "ethics" of "full disclosure" are a long-running subject, but many people
agree that the technique is fine. Don't shoot the messenger.

------
fmavituna
Same thing happened in my friend's company and they fired the engineer who
identified and exploited the permanent XSS in their competitor's website.
Personally I would do the very same thing.

1. It's against the law
2. Extremely unprofessional and childish
3. There are better ways to report security vulnerabilities

~~~
nbpoole
I sincerely hope that's not what happens here. I would hate to see someone
lose their job over what seems to have been a temporary lapse in judgement.

~~~
rhizome
Temporary lapses in judgement are exactly what "fireable offenses" are
designed to prevent. Bright lines for tolerable acts, especially in regards to
outside resources, help everybody know how to stay on the good side of
management.

By way of example, some years ago a story went around about HP support being
prohibited from suggesting a user adjust their BIOS. This was back in the day
when one checked the BIOS to see if hard drives, ports and RAM were being
detected properly (say, the Win98 era), but for HP it was a fireable offense. It
may not have resulted in the death of any user's computer in any given
instance, but the risk of problems was great enough that they couldn't allow
support people to deviate from the troubleshooting matrix in this way.

In this case it seems more a problem of ethics than policy, and no doubt Quora
is not a very large company and does not yet have stringent policies like
HP's, but to argue "no harm no foul" is to set a bad precedent at the peak of
a slippery slope.

------
joshu
I just left the following comment:

-- It's pretty lame to copy the design and trade dress of another product. It
does not bode well for your skill or ability.

Backstory: A long time ago I wrote Delicious. We had hundreds of copycats and
competitors. The ones that weren't direct copies were the ones that did
better.

I'm sure this doesn't apply to you for whatever reason.

~~~
rudiger
If Qato is going to copy someone's design, can't they find something better
than _Quora_?

I mean, Quora's design isn't going to win them any awards; it looks like Quora
didn't even use Photoshop, just straight-up CSS.

~~~
joshu
Because they are unoriginal followers. If they had any sense of direction
they'd be able to build something of their own.

~~~
rhizome
Originality is overrated. Various sites with CSS-only layouts and minimal
interfaces are best described as an emergent aesthetic. Expect more like this.

There are simply too many people drawing from the historical experiences and
examples laid by e.g. Metafilter, Digg, image boards, etc. for it to
constitute individual acts of copying. That there are so many whitelabel apps
& plugins ready for the implementing only accelerates this evolution.

~~~
joshu
There is a big difference between convergent evolution and wholesale copying.

~~~
rhizome
It's not convergent evolution when people are copying, but copying doesn't
obviate emerging aesthetics. Once upon a time, websites did not all have menu
bars across the top, is this a result of despicable copying, or of lots of
people simply deciding it was a good idea? Whether or not _I_ think a given UX
trope is useful is irrelevant to others choosing so.

~~~
joshu
Straw man.

We are discussing wholesale duplication.

~~~
rhizome
My assertion is quantity-neutral. I simply don't think it matters how much is
copied, just the fact that any copying is going on at all signals that the
look and functionality is having an influence.

------
famousactress
Everyone's right that it was an ill-advised thing to do, but stepping back,
ignoring the law (I know..) and just asking yourself the gut question:

What's worse? Injecting a relatively harmless script into the product (that
frankly caused them to fix an issue that could have been very painful for them
if someone more devious had found it first), or Qato's ripoff of Quora in the
first place?

~~~
bigiain
For what it's worth, my takeaway on this is not that Qato "ripped off Quora";
to me it's quite clear they're building an engine for Q&A websites, and they've
used Quora (and Stackoverflow) as examples of what you can build with it. Not
so much "ripping off" - I see it more like the sort of Photoshop demo where a
guy on stage recreates some well known image to show off Photoshop as a tool.

The problem is, their tool has at least one xss vulnerability. I've been there
myself, and usually a single xss vulnerability is an indication that the
underlying design of the system didn't take xss (and probably web security in
general) seriously enough. It's _possible_ this was just a single place where
user supplied data sanitisation wasn't done correctly, but I'd bet good money
that it's indicative of a development mindset that failed to be paranoid
enough. I'll bet there's a bunch of places they're going to find exactly the
same error, and won't be at all surprised to find SQL injection
vulnerabilities, http header vulnerabilities, and any of a whole bunch of
other "common web programming" errors. I'll be amazed if right now there
aren't a bunch of people running fuzzers against any site suspected of having
the Qato "engine" underneath it. I'll not be at all surprised to hear several
of them get compromised before the weekend and start running dick-pill-seo
spam...
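
jrockway's `<script>` typed into the question text (above) and bigiain's point that one stored XSS usually means escaping was never the default are the same bug seen from two sides. The following is an added example, not code from Qato, Quora or anyone in this thread, in dependency-free JavaScript runnable under Node: a page template that concatenates stored user text straight into markup (the stored-XSS pattern), beside a tagged-template helper that escapes every interpolation unless the developer explicitly marks a fragment as trusted, plus a crude audit check you could run over rendered pages. The question record, its field names and the three payloads are constructed for the example; the jQuery call only mirrors the spirit of jrockway's guess.

```javascript
// Added example (not Qato's, Quora's, or the thread's code): stored XSS in a
// Q&A page template, beside a render path that escapes by default.
// Runs under Node with no dependencies.

// Constructed sample payloads an attacker (or a curious engineer) might save
// as question text. The first is in the spirit of jrockway's fadeOut() idea;
// the second is a harmless marker a proof of concept could use instead;
// the third targets an attribute context rather than element text.
const PAYLOADS = {
  destructive: '<script>$("body").fadeOut()</script>',
  benign: '<b>xss-marker</b>',
  attribute: '" onmouseover="alert(1)',
};

// Vulnerable renderer: every field is concatenated into markup verbatim, so
// whatever was saved to the database runs in every reader's browser.
function renderQuestionUnsafe(q) {
  const items = q.answers.map((a) => `<li>${a}</li>`).join('');
  return `<div class="question" data-author="${q.author}"><h2>${q.title}</h2>` +
    `<p>${q.body}</p><ul>${items}</ul></div>`;
}

// Entity-encode the five characters that matter in HTML text and in
// double- or single-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Markup the developer has vetted (or already escaped) is wrapped in SafeHtml;
// anything else interpolated into an html`...` template is escaped. This is
// the "paranoid by default" design: forgetting to escape is no longer
// possible, and emitting raw markup requires saying so in code via raw().
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}
const raw = (markup) => new SafeHtml(markup);

function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  }
  return new SafeHtml(out);
}

// Hardened renderer: the same template, but every interpolation goes through
// html`...`. User fields are escaped; the already-rendered answer list is
// passed back in as raw() because html`...` produced it.
function renderQuestionSafe(q) {
  const items = q.answers.map((a) => html`<li>${a}</li>`.markup).join('');
  const head = html`<div class="question" data-author="${q.author}"><h2>${q.title}</h2>`;
  const body = html`<p>${q.body}</p><ul>${raw(items)}</ul></div>`;
  return head.markup + body.markup;
}

// Crude audit over rendered output: a literal <script tag, or an inline event
// handler attribute whose value is actually quoted (an escaped &quot; does not
// count), means user input reached the page unencoded. A blunt instrument,
// but enough to sweep stored records after an incident like this one.
function containsActiveMarkup(markup) {
  return /<script\b|\son[a-z]+\s*=\s*["']/i.test(markup);
}

// Stand-alone demo on a constructed question record carrying the payloads.
const SAMPLE_QUESTION = {
  author: PAYLOADS.attribute,
  title: 'Is Qato a serious Quora clone attempt?',
  body: PAYLOADS.destructive,
  answers: ['A plain answer', PAYLOADS.benign],
};
console.log('unsafe:', renderQuestionUnsafe(SAMPLE_QUESTION));
console.log('safe:  ', renderQuestionSafe(SAMPLE_QUESTION));
```

Note that the stored text is never "cleaned" on the way in; the fix is applied where the text meets the markup, which is the only place the correct encoding is known. Input-side sanitisation would still have left the attribute payload live in any template that forgot to escape it.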

~~~
famousactress
All really fair points. For me, they still seem to fall into the 'Harbor
Freight Tools of the Internet' category.

[Edit: I already feel kind of bad about this comment. I love me some $3
multimeters. Still. Analogy stands.]

------
mgrouchy
I certainly don't think the Quora Engineers were right to vandalize the clone's
website in this case.

I'm all about people making Q/A websites and releasing products that are
clones of other products. Ideally this kind of competition can make the
original product better.

That being said, I find making a clone of someone's product and then releasing
said product, at least in this sense, distasteful, seeing that it has such
similarity to the original that if you weren't familiar with the original you
probably couldn't tell the difference.

~~~
joshu
Design clones are super lame.

~~~
hackinthebochs
Why? What separates design clone vs functionality clone, making one legitimate
and the other distasteful?

------
shalmanese
Original Quora thread: <http://www.quora.com/Is-Qato-a-Quora-clone-attempt-or-a-similar-looking-Q-A-site/all_comments/Ben-Newman>

~~~
kmfrk
Make sure to read the comments.

~~~
jdp23
Yeah really. I wonder what Quora's investors are thinking right now?

------
strebel
Don't condone it, but understand their motivation. Knockoffs are kinda out of
hand of late.

------
phlux
I've had a couple of my comments on Quora vandalized by engineers there as
well, marking a few of them "unhelpful" even!

:P

------
BenSchaechter
From the comment thread:

"So Qato was caught plagiarizing and now they're complaining about supposed
"vandalism"? Reminds me of those newspaper headlines where the robber hurts
himself breaking into a home and tries to sue the family."

I have to agree. This is basic JavaScript injection. Can you say, "blown out
of proportion"?

