
So since they were unable to pivot laterally, you pat them on the back and call it a win. But last time someone did successfully pivot laterally, you threatened his employer? You guys are really sending mixed messages! Are they allowed to escalate or not? And if that's the new policy, shouldn't you pay the other guy who did escalate?

We detached this subthread from https://news.ycombinator.com/item?id=11543926 and marked it off-topic.

That's not what that person did, and you know that, because you were on the thread where this was picked apart.

The person who had problems with Facebook didn't "pivot laterally".

He popped a shell, dumped and banked directories from the server, held them secretly, and used their contents more than a month after reporting the bug to Facebook as a cudgel in a dispute over a bounty.

I just went to that thread, read both articles and the HN thread. Your post is completely inaccurate.


(a) No, we didn't. Stamos was running Domain Services by the time NCC acquired Matasano --- a totally different line of business. I have never worked with Stamos. I've never been in an organization that shared a number with Stamos. For the overwhelming majority of my pentesting career, I knew Stamos primarily as my arch-competitor at iSEC.

(b) Please don't accuse me of commenting in bad faith. I don't care whether you use a calm tone of voice or not. It's especially weird to be accused of being in the tank for someone by an anonymous account.

(c) If I'm really incorrect, you should make an actual argument, rather than a drive-by snipe.

No, I shouldn't. You know as well as I do that it would be a waste of both of our time. Sometimes I'm ok with that, but this horse was already beaten to death.

I humbly submit for your consideration that my assumption of you making comments in bad faith is not unlike yours and Alex's assumptions of bad faith on the part of the researcher, and perhaps we could all improve a bit here.

Snipe aside (which was fired at facebook, not you), I am genuinely confused about their ambiguous policy, and it looks like other commenters are too.

If you had a real argument here, you'd make it, rather than suggesting that I'm commenting because of a fictitious working relationship with Alex Stamos.

That's kinda disingenuous and you know it. From the previous discussion[0], you should know not to take one side of the story at face value.


Having participated in that conversation I can say that the timelines and statements from facebook were suspect. I'm sure the researcher didn't make the best choices but how facebook handled it was horrible and should make anyone participating in that bug bounty carefully consider every action they take against facebook's infrastructure.

Wow. That was an interesting set of comments to read. The consensus of the crowd was actually against Facebook in that probably due to their overpromising on bounties for big compromises and under delivering plus going after dude's job. A number of security professionals, including a friend of Stamos, were against that because he dumped and sat on data plus had his business info involved. Cited expectations of pentesters and responsible disclosure. What a mess.

I don't think Wes acted in good faith in that one but neither did Facebook in anything privacy-related. Who cares about fundamental ethics given parties involved. I will say his actions were nearly warranted if Facebook was promising huge bounties for something that could cause them big problems which that case seemed to be from that thread's comments. I don't know for sure.

Far as escalation or downloading data, I found that to be the only way to get taken seriously by management. Had to be done non-disruptively with trusted personnel, protection of that data (e.g. RAM drives, crypto), and assurance it was gone after. Rarely even read it as filenames & credentials were enough. Nothing like showing marketing plans or private emails to execs with a contract that's vague enough for it to be legal to get security taken seriously. Responsible disclosure debates of the '90s showed us that letting the vendor decide almost always resulted in them downplaying risk, saying it "hypothetically" could do something but was probably overstated. People playing that game usually get bounties that yearly add up to less than a median IT person.

Rather not play that game. If the company bullshits, do what you can within their legal framework to call them on it and provably without doing any damage. If they didn't in that case, then he went way overboard and looks like he's running an extortion racket. I think key parts of the story aren't published and I can't be sure. Good news is Facebook and Wes both don't mean shit to me. Moving on. Appreciate the entertainment and different perspectives, though. :)

