On Wed, May 13, 2009 at 8:14 AM, Joshua Rogers <m...@joshuarogers.net> wrote:

> I can say that personally it does cause me to wonder about this "ethical
> hacker." (It says so on his resume. Really.) Personally, by endangering
> those who use the software that he examines, I see him more as a
> passive-aggressive black-hat. And maybe a little over jealous at that.
I'm not sure about "black-hat". As far as I know he's not breaking into sites... He's a system admin for his employer and part of that work is to identify vulnerabilities in their server software, which happens to include Drupal. It's nice that he is putting effort into finding weaknesses (that's often a huge part of the process). It would be even better if he (and/or his employers) would allocate time to fixing the bugs rather than just finding them and shouting about it.

> http://drupal.org/node/372836 (which apparently he wasn't credited with)
> amounts to "if you let someone administer nodes they can change things."...
> Yes. Better though was http://justin.madirish.net/drupal6-cck-vulnerability.
> It boils down to 'people with "Use PHP input field settings" permissions can
> run PHP'... So... I guess that makes this an un-bug report? (Maybe an
> "Everything is working like it is supposed to." report?)

Exactly! It's not a vulnerability, so there's no need to credit someone with finding it...

The security team tries to address issues within 2 weeks, but that's often hard. When there is a public disclosure we try harder to address them quickly, but the extra attention and confusion it creates doesn't help.

A lot of the decisions from the security team are compromises - we do things for 5.x and 6.x that are guaranteed to work, but are not clean enough to be accepted into Drupal in general (see http://drupal.org/node/449078 for example). The specific SA where Justin did not get credit was another situation of making a compromise: the "vulnerability" was disclosed and nobody on the team felt it was important enough to fix personally. Justin and his employer were unwilling to allocate their resources to fix it. So, given that public disclosure had occurred, that the security team wasn't going to fix it, and that we wanted to respond in a timely manner... we did a "public service announcement" reminding people that admin means admin.
> At least now I know one less person that I have to take seriously (on a
> professional level.)

This is somewhat true, and I certainly don't have a lot of love for Justin's online behavior. However, it's easy to get pissed at people online. I imagine that if I got to hang out with Justin over a delicious Philadelphia cheesesteak we'd be pretty friendly. He's got a different philosophy on security disclosure and doesn't prioritize contributing patches the same way that a lot of us do. That different philosophy and lower value on contributing patches doesn't mean he's unprofessional or an evil human.

Regards,
Greg

--
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Cracking Drupal - Learn to protect your Drupal site from hackers
Now available from Wiley http://crackingdrupal.com