Security Flaw Hits VAserv; Head of LxLabs Found Hanged
Keldrin_1 writes "The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs. A flaw in the company's HyperVM software allowed data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM solution is popular with cheap web hosting services and the attacks are easy to reproduce, which could lead to further incidents."
I guess there's not much to say...
Why? Why!?
According to the article, there have been other suicides in the family a few years ago. Let's just discuss tech, and let the personal stay personal.
My condolences to Mr. Ligesh's family.
I think it is quite disturbing with all of the disrespectful comments on this article. I could mod some of this, but not all of it. The guy obviously hit hard times with the death of two family members by suicide and the tanking of his company. It is clear he had depression in his family and was not able to bear all of this hitting him. It is sickening that so many of you think it is a joke.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
I'm sure this guy was already unstable but can't help but believe that the attacks were what finally pushed him over the edge. Legally this would be difficult to prosecute as murder, but morally those little script kiddies who are so impressed with themselves should consider the unintended consequences of their actions. We are all responsible for our own actions (suicide) but should be equally concerned with how our actions affect others (hackers).
Why is it not an option? It isn't the best option, which is to announce that an exploit exists, but not release the details. I'm not blaming their actions for the guy's death, but the people who lost servers and data have every right to be angry. It would have been far easier for them to announce that an exploit exists so customers could get out of a bad position instead of releasing the code, which guarantees the end result we see here (for the customer, not the owner of LxLabs).
but I gotta respect this guy's dedication to the job. If we could get American CEO's to take this level of responsibility when their companies completely faceplant, the world would be a better place.
Support the EFF and Creative Commons. The war is coming, and they're supporting you...
Why don't you round them up, put identifying badges on them, and then try killing them yourse-
Oh wait.
Godwin's law, dammit.
is not appreciated by those who think they are immortal
ie, teenaged idiots
that the world is full of teenaged idiots (most of whom are not chronologically actual teenagers) should not surprise you or disappoint you
just a simple ugliness of life you need to learn to accept, like people who throw their garbage on the ground or talk loudly at movies, it's another example of the tragedy of the commons
sure you could declare a high holy moral crusade against boorish insensitivity, but it's like trying to stop the sun from rising and setting: a lot of people are ignorant assholes, status permanent, and even those you might actually be able to educate are quickly replaced by more morons
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Don't use crappy libraries you pulled off some web forum then. Always be suspicious of third party libraries and only use the highest-quality ones.
sorry buddy, that crappy db connection class was made by some former developer who, right now, is some kind of phb, and always insists you use his "wonderful" db connection class. of course i could search for and use something better, but that time constraint we always have just doesn't let me do it. i wish i could, but working even weekends just doesn't let me improve the things the way they are
If you can't do either of these things, well, you have no business being a programmer.
again, time constraint, and the single fact i'm the only developer here (you see why i have to work weekends?), plus some IT support i also had to do, so you see, it's not laziness, there's simply no time to do better or improve the actual things
Slashdot isn't what it used to be anymore!
Well, not exactly. There is a raging debate over whether this is an appropriate tactic, and this incident will go down in the security text books as an example of why the debate exists. Opposite your opinion is something like, "That's what publicity seeking sociopathic nerds, masquerading as [security folk] do."
There is a fundamental tension between wanting to know if a system you own is vulnerable to some defect, and wanting to keep the exploit code out of the hands of The Bad Guys(TM). In this case, however, it seems pretty clear that simply knowing the name of the product (not even the version) was enough, exploit code wasn't required (as it sometimes is when scanning large numbers of systems that might be at indeterminate patch levels, for example).
There are quite a few actions one could take between "notify the vendor" and "release exploit code" which appear to have been skipped. That's irresponsible, not, "what security folks do".
Frankly, I don't understand how organizations or consultants who do this kind of thing manage to stay in business. If you were a big company with a bunch of interlocking IT systems and limited resources, would you hire someone who had a track record of publishing exploit code before patches were available? Suppose this consultant found some issues, which your organization couldn't respond to as quickly as you would like? Does that consultant become a risk to you now, simply because you didn't fix something in a manner timely enough to suit them? How do you know they wouldn't publish details of your vulnerabilities, because some snot-nosed punk with an inflated sense of self-righteousness thought you were ignoring him?
I don't operate that way, and neither do any of the fine security consultants who work for me or with me. I work discreetly with my clients until they get their problems fixed. That sometimes means doing a lot more work than *should* be required to get the attention of a vendor. However, it has never yet meant publishing exploit code prior to patch availability.
If you mod me down, I shall become more powerful than you could possibly imagine.
If I'm reading this right, the point of the web application is to manage the VMs. If it didn't have privilege to manage (or destroy in this case) the VMs, it would be pretty useless.
very sad story, very sorry to hear about your brother.
But once you've informed the supplier, and allowed enough time for a fix to be created, tested, rolled into a patch, QAed, released to clients and tested+installed by clients, what other alternative is there?
You're assuming the bolded part is true. Reading through the information on Milw0rm's own site, it appears they had an email exchange with someone at LXLabs for two weeks, then decided on their own to release the information. Two weeks is not nearly enough time to even decide if something like this is worth looking at, let alone find a fix, develop it, test it, implement it, and push it to all clients. I hope the guys at Milw0rm get sued into oblivion over this. Their actions were completely irresponsible and directly led to millions of dollars of damage, potentially billions of dollars of damage (over 100,000 accounts were destroyed; assuming those accounts spent $10 per month on hosting, that's millions of dollars in damage to the hosting provider alone). VAServ is based in the UK and LXLabs is based in India; I have no idea what the laws are like in those countries, but let's hope Milw0rm faces criminal charges there over this. Security research is an important field and requires a certain level of trust, accountability, and responsibility for it to function properly. By releasing this information publicly without sufficient notice, Milw0rm breached those traits and deserves to suffer the consequences for doing so.
God invented whiskey so the Irish would not rule the world.
I definitely won't be putting any business VAserv's way in the future...
Well, normally, this results in a high level of focus on the problem... So, in the future, they probably won't have problems like this. On the other hand, their competitors will be too busy signing up accounts to patch their systems and any public display of patching (like special extended maint time or a new way of using their product) will make them look just as bad so of course their competitors won't focus on security, leaving them more vulnerable than VAserv...
Except their dude, who would have focused on security in the near future, is dead now. So maybe that doesn't work too well in this case. Hmm.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I use the word "honor" in public, and no one laughs at me, but I don't use it to describe acts like this one. This is just as screwed up a notion of honor as the Japanese have. Killing yourself does not absolve you of anything. It does not help anyone. It is at best a gesture, and at worst simple escapism.
The honorable thing to do would have been to fix the problem in the first place, or build a new version from scratch, or shut down the project and provide a migration path. The honorable thing to do after the disaster would have been to patch the biggest holes as fast as possible while providing a migration path to another product. The thing about responsibility for negligence or idiocy is that it requires messy things like restitution, even if no one is making you do it. Suicide is ridiculously self-serving by comparison.
I've known relations who have opted for suicide, or who have been hospitalized to prevent them. None as close as immediate family, so I can't begin to understand the pain, but in my own way I can dimly see.
One thing that makes this sort of thing doubly painful is that the sorts of minds that can consider suicide a real possibility are often very very close (and sometimes the same) as the minds that are brilliant.
We talk of genius and madness being a razor's edge away from each other, not because it is poetic but because it's true. But you don't have to be a genius to be that razor's edge away from self-destruction. You only have to have a similar biochemistry and/or neurology. There are dozens of conditions linked both to creative talent and self-harm.
Of course, not all suicides are for that reason. Utter despair (which I guess is still biochemical, but it's not a permanent condition) is another reason. There are doubtless many others.
I guess this sort of intellectualizing of suicide is my own way of dealing with the pain I have, for all that it's nothing compared to that of those close to such victims. So long as I intellectualize it, I can imagine that there will someday be solutions which help such people and prevent such tragedies happening.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Assuming milw0rm did contact the correct person/people at LXLabs
That's a huge assumption and not one I'm willing to make. However, I am willing to state, without reservation, that Milw0rm are a bunch of asshats who deserve to be sued into oblivion over their callous disregard for the safety of the customers using this software. That's really the worst part of all of this. Most of the people hurt by this had no control over the software getting fixed, had no idea there was a problem until it was too late to do anything about it, and were completely innocent of any mistakes. And yet Milw0rm doesn't care one fig about those people and just releases code that sends their lives and businesses into a tailspin. How do you defend that kind of behavior and call yourself a professional?
Oh, and I'm perfectly accepting of suicide when people are trying to escape pain, boredom, shame, or whatever. I just don't like seeing it confused with honor.
It's enough to make you wish we were real engineers. If an engineer is working on a bridge and his supervisor orders him to use a dangerously weak cable, the engineer has both a moral and legal duty to refuse. The same principle ought to apply to software developers, especially when life and property are at stake.
Maybe you're only interested in the technical, but many /.ers are interested in the personal and social aspects of this story. You can tell, because they are discussing it. If you don't want to comment on that, don't. If you don't want to read about it, don't. People mod you insightful, but what insight have you brought to the table? You've basically walked into a conversation that you aren't interested in, and told everyone to shut up, without adding anything relevant. You must be great at parties.