
> Or, you have some good examples that the average security researcher has a better track record than that?

Geohot can simultaneously be significantly above average, and not anywhere near as special as some people on HN like to represent him.

He certainly doesn’t have anywhere near the track record to not seem downright unhinged in the context of this blog post.




>This person is very misguided if they think that most security research originates from Anons.

A fair amount of personal information dissemination certainly happens on 4chan and similar places. I guess this is what he is referring to rather than high quality security research.


> This appears valuable and well executed

How can you tell? You are looking at a PR piece that links to a web site that mentions 'security experts' in every other sentence. It's not proven to be valuable or well executed.


>Which is such an incredibly vacuous statement that you deserve a downvote for saying provably incorrect things.

Where's the research? Where's the white papers? Where's the detailed technical blogs of some security related issues he's handling?

The guy is an impostor. He's been an impostor his entire life. He's just highly intelligent and really good at it.


> Why would you assume...?

Because there is no data in the link that specifies the opposite (and extra info was lacking when I wrote it), so it is a reasonable and logical first thing to check.

> Is there a reason you automatically assume that the security researcher is irresponsible...?

Please, don't put words in my mouth. I didn't call anybody irresponsible and I didn't automatically assume anything. To be honest, I couldn't care less about who, if anyone, has the responsibility here. I'm trying to learn something. Not more, not less.

Captain fucking obvious is a nice title. We'll have a safer world when people start paying notice to a lot of fucking obvious and boring things. This reminds me a lot of the outrageous lexNET case (that was much, much worse than the internet knowing who has a sweet tooth for buns).


>I think that you're basing this argument on the amount of stuff you get to see online

I think you are incorrect, and your comment is not really within the site guidelines.

He has done security work on all that you mention above, and many others.


> one dude

Since you obviously don't know who Homakov is I can't take your post very seriously.

Homakov has exposed several serious security flaws at Facebook and Google before. I'm pretty sure Google is actively trying to headhunt him since he is one of the best in the web security field.


>Or will his status as a security researcher (albeit one with poor judgement) protect him?

It usually doesn't protect you even if you don't take anything.

That's why there's a huge backlash against "responsible disclosure".


> So much about this case is ridiculous, and it’s complicated by the fact that nearly everyone agrees that weev is a world-class jerk. But, you need to separate that out from the details of what he did here, to note that it was nothing particularly special, and it involved the sort of thing that security researchers do all the time, and which all sorts of non-security researchers do quite often.

Yeah... uhm... I used to do exactly this sort of thing...

When I was a teenager, I would look at the URL of whatever site I was on, and would change a number here, or a letter there; and see what I got.

Sometimes you get nothing, sometimes you get something. Sometimes that something is quite interesting.


> After I shopped a few other companies to see how our plans compared

Yeah, once you start using a vulnerability maliciously to obtain confidential data for your own personal gain, even if it's a stupid vulnerability, you're not really a good-guy security researcher anymore.

If all you did was the bare minimum to demonstrate the vuln exists, that's cool. If after you do that you continue to use it to obtain confidential info for your own gain or curiosity, that's not so cool.

> Perhaps it's more difficult to hold yourself accountable than it is to assume that others who've found your shoddy work are malicious actors.

You literally just admitted to being a malicious actor in the paragraph above.


>The author is (apparently) an expert in his field (the law). He is not an expert in our field (technology, broadly speaking), and certainly not an expert in my field (security, broadly speaking).

He markets himself as an expert on computer law. He also brags about working on a government panel that studied privacy and other security related topics.

You cannot be an expert on computer law if you lack the context that is provided by a basic understanding of privacy / network security issues.

The man is an incompetent fraud at best. Shortsighted and technologically ignorant people acquiring authority is a large part of the reason the United States' computer laws are terrible.

We aren't talking about a complex issue that requires domain specific knowledge, this guy was genuinely surprised that a backdoor designed for admin access could be used by those with malicious intent. If he really cared about justice, he would hand over his license to practice and refrain from talking while there are adults in the room.


> Goodin is a journalist, not a security researcher. He depends on researchers as sources for his story

My main issue with the article was the way he presented the story as if it was based on facts instead of a few unproven claims. Subsequently, the story spread to other non-technical platforms, re-reported as fact.

> Robert Graham (...)

Well, that doesn't really matter... extraordinary claims were made in the complete absence of extraordinary proof. And then a multi-page story was written based on nothing.

> I think Green is being a bit unfair to GPG in this piece

I agree, his comments were slightly smug.


>I used a public database that was breached and had IPs of users and used those IPs to get their locations.

I wonder if this analysis is based on a data set with leaked clear text passwords or cracked hashes.

Given that all hashes are never cracked, only the crackable ones (whatever that means), that would heavily bias the analysis.


>Are you suggesting that writing explanatory blog posts about technical topics is dangerous because someone will eventually come after you for being elite?

Yes, based on my personal experience and that of others. But I wouldn't call myself elite... I just know a little bit ;-)

I am saying giving them any sort of heads up is not good praxis, since the police have so thoroughly abused the access they already have.

See: https://www.vice.com/en/article/k7bqew/us-marshal-securus-ph...


> I'm the security researcher in question (and author of this post). What a company does when pressured by their customer base and what they do when no pressures exist are two very, very different things

Totally agreed.

> Had I approached them with these vulnerabilities ahead of time, it's highly likely that they would have used their considerable cash reserves to strong-arm me legally into not releasing this data, and the issue would not have been resolved.

I guess we'll never know will we?

Edit: To be fair, I don't have a stake in this either way, and I'm glad the end result is that they're taking the threat seriously.


> she seems to have a gross misunderstanding of the facts of the case, as well as cybersecurity in general.

Could you actually point to where the issues are rather than make such generic claims?


> It makes little to no sense that this would be an inside job.

In your opinion.

I do not share that opinion.

> why wouldn't you use it on something much much higher profile and with a lot more (i.e. any) profit potential?

Because it dramatically increases the likelihood of getting caught. Selling access to valuable but not high profile accounts is exactly what I'd do if I was a cautious insider looking to make a little extra cash on the dark web.

This guy happened to get lucky and his story caught some attention. Most don't.


> but it's silly to hold that against the comment that didn't impress you.

I don't see why. I am still convinced there are security issues. The comment under discussion made all sorts of grandiose yet completely unsupported claims. If the paper he linked had backed up his assertions, I'd be inclined to give him the benefit of the doubt, but it doesn't. Therefore I don't believe him.


> Also this report has way too much background of the “Hacking Team” that really sounds suspect from me.

Consultants write like high school students with a ten page research paper requirement. If you don’t have real content pad it with extra background, bulleted lists and superfluous tables.

The final product needs to be long enough so people think real work was done but boring enough that they don’t actually read it.


>You need only one marginally competent one to wreck your entire platform.

Yes exactly. Ultimately security is deeply involved with threat modeling. It is likely that the author's boss did not prioritize her pet security issues because they were a low risk in the threat model.

>How can you possibly believe that a bunch of white supremacists are not a threat?

Domain expertise. Frankly I am somewhat surprised that people with what is apparent to be a television soap opera level of understanding of American dissident activity make public posts on the topic with the confidence they do on here. Not you, of course, but others.

Unfortunately, the most believable interpretation of this story is very boring office politics: our author, having failed to make a case to her boss, drummed up some internet post in an attempt to get her way. We've all known people like this... they have varying amounts of self-awareness. It is characteristic of such actors to manufacture exactly the sort of attack they imagine to be the most relevant. This is likely to be such a case. What gives her away is that this is some fantastical story that makes sense only in pop culture: if there is even one WS cyber attack on an American federal platform for every 10,000 Chinese attacks I will eat my hat and livestream it. These are simply not people with competence in the field of cyber security.

