Looks like he acquired login information, he didn't exploit some sort of major vulnerability that needed to be fixed, which is generally what bug bounties seem to be for. He's insulted he didn't get paid for not being an asshole, what a strange world we live in. Facebook (or any other company) wouldn't pay out if one of their support staff accidentally made a random user an admin, why should this be any different?
He didn't get credentials, they never secured their admin panels:
> A friend was looking for a hosting provider and wanted it all secure, I checked a network range and found the Jenkins panel of BitTorrent. This was all 100% accidental, truth! At the end of the day, if I wanted to 'hack' BitTorrent I wouldn't even know where to begin. I mean, there is no real skill or talent involved in what I did to find the information on BitTorrent. They forgot to set a user/pass to the admin panel, that had access to GitHub from a master account. GitHub accounts had user/passes that were linked to everything.
Like he says on the forum thread, he did not acquire any login information. Just the opposite, in fact. They neglected to set a username/password to their admin panel. That's a gaping security hole if I've ever seen one.
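The failure described above (a Jenkins admin panel with no username/password set) is something an operator can audit for in the instance's own config.xml. The following is an added example, not code from the thread or from BitTorrent; it checks a constructed config.xml for the three settings that together leave the panel open. The two sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Jenkins class names that mean "no authorization" and "no login realm".
UNSECURED_STRATEGY = "hudson.security.AuthorizationStrategy$Unsecured"
NO_REALM = "hudson.security.SecurityRealm$None"

# Constructed sample: a config.xml with security switched off, i.e. an
# admin panel reachable by anyone who finds the address.
INSECURE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

# Constructed sample: the same instance after a login realm and an
# authorization strategy have been configured.
HARDENED_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


def audit_jenkins_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the panel requires login."""
    root = ET.fromstring(xml_text)
    findings = []
    # useSecurity is the master switch; anything but "true" disables auth entirely.
    if root.findtext("useSecurity", default="false").strip().lower() != "true":
        findings.append("useSecurity is not true: admin panel is open to anyone")
    # Unsecured strategy grants every visitor full control.
    strategy = root.find("authorizationStrategy")
    if strategy is None or strategy.get("class") == UNSECURED_STRATEGY:
        findings.append("authorization strategy is Unsecured: no permission checks")
    # A None realm means there is no user database to log in against.
    realm = root.find("securityRealm")
    if realm is None or realm.get("class") == NO_REALM:
        findings.append("security realm is None: nobody is ever asked to log in")
    return findings
```

Run it against a real config.xml by reading the file into `audit_jenkins_config`; each finding maps to one setting to change in Manage Jenkins > Configure Global Security.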
I contacted BitTorrent and told them EXACTLY what I did, what information I had access to and what user/passes needed updating, including SSH keys and more. Whilst I gave a small generalization of what was at hand on the thread, there was a considerable amount of data available to me.
Scenario 1: You find a boy who is lost and take him to the police station. The family gives you $500 in reward.
Scenario 2: You find twin boys who are lost and take them to the police station. The family gives you $500 in reward.
Would the fact that you get the same reward regardless of the number of people lead you to act differently in the future? So if next week you found lost twins again, would you let them stay lost or try to sell them on the black market because you know you'll only get $500 when you think it should be $1000?
Or is doing the right thing its own reward regardless of whatever amount you get in recognition for acting honorably?
Many otherwise sweet young women (or men!) several of us probably went to school with, for a start. :|
Edit: Was trying to give some help to somebody puzzled about this, which is why I bring it up. Turns out that, if you're a lost young man, there's probably a point in your travels where you zigged instead of zagging and thus lost your way.
In the "lost child" scenario, it seems to me there's some ranking like:
1) helping out 'cause it's the right thing to do.
2) helping out with some hope there'll be a reward.
3) not helping out, 'cause there's probably nothing in it for you.
4) helping out with an expectation of a reward.
5) helping out with an expectation of reward then complaining publicly 'cause it's "not enough"
…
VERY_LARGE_INT) Abducting the child.
While there's a long way between 1-5 and the bottom of that list - there's no doubt in my mind that 1 & 2 speak significantly better of the "helper" than 3, 4, & 5. (and interestingly, there's no "outside" difference between 1 and 2 or 4, unless you choose to admit your mercenary inclinations to onlookers.)
Things are a bit murkier in the guy in the article's case, since "bug bounties" are known about and perhaps "expected", and I think Bit Torrent handled this badly, but further down the thread he admits "This was all 100% accidental, truth! At the end of the day If I wanted to 'hack' BitTorrent I wouldn't even know where to begin. I mean, there is no real skill or talent involved in what I did to find the information on BitTorrent." That makes it hard for me to feel sympathy for him failing to get a windfall "bug bounty".
Scenario 3: Same as scenario 1, but a month earlier a different person saw a "missing boy, reward" sign for the same child and searched them out. They received $30000 from the family.
Wouldn't you find that unfair?
Or was the post misleading and the other bounty was a different company, in which case I take it back.
Seriously? In this case it's more like there was a reward for their son, and this guy found their missing dog. Either way, you would complain about not getting a reward for finding a missing child? Full stop. Prior information doesn't matter, what was the alternative? If you had known there was no reward, would you have acted differently?
They offered $500 as a nice and thankful gesture. If you wanted money, take it and don't cry about not getting more. You're not entitled to more money nor do you deserve more.
If you were able to break into Valve because they failed to secure some login, and as a result got access to their Source Engine, would $500 be enough to silence you?
Worse than that, you have probably (as I have) reported plainly-obvious security vulnerabilities with at least a faint twitch of nervousness that the recipient is going to flip out and start suing or something. Worse than no expectation of reward from a utility point of view!
If you use someone's non-protected wifi for illegal activities, like downloading porn, then the owner of that "hotspot" is responsible at court. (At least in Germany afaik)
This is no different and I'm sure that you could win at court with a good lawyer.
The problem the previous poster was describing was not when you act as an ISP, but when someone manages to log into your wifi (either because it's unprotected or unintentionally vulnerable), and performs criminal activity. The US legal system has reliably shown itself willing to pursue the owner of an IP address, without going to the trouble of showing the owner was in fact the one using the IP for that purpose.
Someone using your wifi means you are Providing Internet Service to them. Is the problem that you're not incorporated? If it's based on IP allocation, what if your home connection has 8 IPs and you give one to each user?
If your WiFi gets hacked because it had too low security standards, like WEP, then you're still responsible for what's being done with your line. But you're irresponsible if you have taken care of security by following the router's wizard. There has been no case until now, though, in which the manufacturer was blamed for offering too low security (afaik).
what ransom? he did not threaten them with anything; he's just annoyed now because he feels they didn't reward him sufficiently. not the same thing as trying to extort money out of them to reveal the vulnerability.
of course not. but i would not think it weird if you rewarded me for finding you and telling you your door was open.
more to the point, there is a social expectation that large companies will be grateful for vulnerability reports, and reward the reporter accordingly; the poster is well within his rights to be disappointed that they did not.
On the other hand, if you find a wallet, you are entitled to 10% of the cash.(1) (Bad fit as an example, I know, but the question is what is a good comparison..)
Is this German law? I wish that were the case in the US, as I've found a number of wallets over the years and would have made at least a few hundred USD by now.
If someone also left the family jewels lying on the seat, someone might want to make sure that people are encouraged or rewarded for doing the right thing.
lol I was hoping for that too. A great piece of software but a waste since it can't be trusted for anything secure. To make it worse, this news just adds more fuel to the fire. How can you trust them with security if they can't even remember to add a basic authentication to their Admin Panel?
I've got it syncing EncFS encrypted directories - which in the broad view doesn't help - I've got un-audited code running with my user privs, which _claims_ to "not do anything evil" without being (easily) verified.
At least it does mean I've got some extra encrypted-on-the-wire and encrypted-at-rest data floating around - I strongly suspect BTSync's SHA256 encrypted wire protocol moving AES encrypted EncFS files means that data is secure against the NSA's ubiquitous surveillance programs - the cleartext of those files won't be showing up in XKeyscore in response to bored or curious NSA (or Booz Allen Hamilton) staff. (While acknowledging that if the NSA becomes interested in _me_ specifically (or probably interested enough in any of my social network) - my privacy will be easily and wantonly violated. And I'm actually _mostly_ OK with that.)
The hope is more that the protocol will be published once it's stable and then FLOSS implementations can spring up. The protocol is clearly still in flux, as some versions of the client have had backwards-incompatible changes.
You have to be proud of yourself for not abusing it no matter how they responded. You did the right thing here. Hope BitTorrent Inc will fix this misunderstanding.
If one guy could accidentally stumble upon this, what are the chances others have too? Would it be possible or even likely that the source code or binaries or web servers or private keys have already been compromised or trojanized?
Some thoughts:
From the perspective of the company, what kind of financial impact would they have suffered should that information have fallen in different (malicious) hands? Providing an adequate award not only shows appreciation but it sets a precedent should something similar happen again. The 'finder' who might otherwise usually go the malicious route will be more likely to do as MentalL has.
I'm the thread starter from RZ. The reason I mention uTorrent is because the source code was also in the BitTorrent repository for the company including all other source materials and more (Websites/Database user/passwords and more).
By submitting this information to BT, he indeed closed an access point to all this data, thus reducing the likelihood of it being badly used. Isn't this exactly why bounties were created? Because it's better to give a few bucks and increase the system's security than to have it compromised for worse costs.
Indeed...This seems rather petty to me. They did offer him some money, which he's not even automatically entitled to in the first place...companies can choose whether they do bug bounties, or how much they pay.
You don't seem to understand that access to something that widely used would be worth tens of thousands of dollars on the black market for those sorts of things. For every "good" person that reports the information for free, there are people out there actively looking for this sort of thing that are not good people. If this company sets a precedent that they won't make it worth your while to "turn in the evidence", that sort of thing will just go to the highest bidder out there on the Internet and undoubtedly be used for something extremely malicious.
tl;dr: small payouts and jerking this guy around sets a bad precedent that will encourage future people to sell on the black market.
It would make a lot more sense to just sell the vulnerability to blackhats than to spend time and effort (and expose yourself to more legal liability) by trying to take advantage of it yourself.