To blog or not to blog, that is the question

By Mark O’Neill
Contributing Writer, [GAS]

It dismays me sometimes when I see some bloggers and the stuff they write. Only this morning, I was looking at someone’s blog and he was talking about a security hole that he had discovered in Gmail. He had found a vulnerability where he could see everyone’s Gmail address, which is obviously a spammer’s wet dream.

Now in this case, the responsible course of action would be to not go into specific detail on his blog but to instead say “I’m going to contact Gmail now” and then do so. He could contact Google, tell them what he has found, and help them plug the hole. He would then earn serious brownie points with Google and maybe feel good about himself in the process.

But does he do this? Of course not. Instead, he gleefully details step by step what he has found and he details in process how you can find it too. By doing so, he has put at risk every Gmail account out there and the only people who will be happy with this jerk today will be the spammers. To add insult to injury, his blog is hosted on Google’s Blogspot!

This topic is especially timely today because a while back, I helped out AVG Anti-Virus. I wrote a story about AVG 2008 on Make Use Of and they emailed me afterward to say thanks. Shortly after that, the AVG program on my computer went a bit crazy and I emailed them to complain. There were a few minor problems with their database and we worked together to get it fixed. They were appreciative that I got in touch and everything was finally resolved to everyone’s satisfaction.

Now my point is it would have been very easy to get on my blog, on Make Use Of or here on Geeks Are Sexy, after AVG started malfunctioning and tell the whole world that AVG now sucked, that their program sucked, etc. But instead I decided to help them. I chose to let them know what the problem was and to help them fix a product that I love very much. I recognized that AVG had a one-off unintentional problem which was probably easily fixable and that blogging about it was stupid and wasn’t going to achieve anything.

Just like this jerk should have done today. If he loves Gmail as much as I do, he should have realized that blogging about the Gmail security hole was stupid and immature. He should have contacted Gmail right away and said “I love Gmail as much as you do, let’s get this problem fixed ASAP before the spammers find it”.

AVG were so appreciative of my help that this morning, I received a gift from them. The package included a USB mouse and a 2 GB USB stick. So you see, good deeds do go rewarded. Instead of bragging or complaining about problems or vulnerabilities, how about stepping up and helping the company concerned?

I often get the impression that bloggers are looked upon as the bad guys by companies. Some companies have told me that some bloggers have hinted to them “give me some free stuff or I’ll write bad things about you on my blog”. This kind of unethical behavior appalls me and if I can help just a little bit to make bloggers look good by occasionally helping out companies like AVG, then I can go to bed each night feeling like I’ve achieved something with my day.

29 Responses to To blog or not to blog, that is the question

  1. Like your AVG experience, I had an encounter a while back when using LinkBunch. http://linkbun.ch/

    There was a minor snafu using the service with IE, and I shot an email pointing that out. The LinkBunch people replied back the next day, thanking me for bringing it to their attention. This enabled them to quickly fix the glitch. In return, my "alert" was cited in their blog, and I even received a nice linkback to my site in the process.

    This kind of cooperation seems more in the spirit of open-source.

    Cheers.

    • You're most definitely right that he is unaware of what the right thing to do is. I think someone needs to let him know what the right thing is to do instead of insulting him. I guarantee before Mark decided to help AVG he thought of doing the same, blogging about it, until someone guided him in the right direction. So someone let the guy know. :)

  2. This is an issue of responsible disclosure. What he did was not responsible disclosure, and is considered unethical in the computer security industry. It is only acceptable to go public after the company in charge has been notified, has had a chance to fix it, and has still ignored it.

  3. Have you contacted him to ask him when he discovered this and whether he has contacted Google? If not then it is pretty irresponsible of you to blast him on your blog without knowing all of the facts.

    I may be wrong but if this is the post that I'm thinking of and I remember correctly who wrote it, it has been removed from his blog. Of course my memory may fail me.

    • I have emailed him and he hasn't answered.

      I don't think it is irresponsible of me to criticise someone who publicises to the whole world how to find a security hole in Gmail which lets you see everyone's email address. I've just checked and the page is still up and running.

  4. I wasn't accusing you. I've just seen people blast others w/o knowing all the facts. If he won't respond to your emails then he may well deserve whatever he gets. :)

  5. Eeek.

    Now that is a very irresponsible thing to do. I hope enough people gently point this out to the person in question so he can buy a clue for the future.

    Data points, Barbara

  6. Full disclosure all the way. You keep a hole a secret and only inform the responsible company, then the company sees it as a PR issue and just covers it up; meanwhile crackers learn about the hole, users get compromised, and 3rd parties don't get around to fixing the hole till later. A hole is still a hole if it's kept a secret.

    With full disclosure, people are informed and can make plans to mitigate against risk, the company has more incentive to fix the problem rather than cover it up, and third parties have the information they need to provide fixes in case the responsible parties don't respond quickly enough.

    The dude did the right thing.

    • Right… so when a spammer from Eastern Europe has your Gmail login details and they're having a good time with them, I'll check back with you and see if you think "the dude" still did the right thing.

      • Well, if you are so intently trying to email this said person about the issue at hand and he has not answered you, then why are you wasting your time blasting about what he did or what he did not do and not just going directly to Google Gmail about the loophole? I mean, you're here running up and down about how he is a bad person here and he is going to do harm there. Well, Mr. O'Neill, why not be a good citizen for all of the Gmail users and, just like the story you recounted of how you assisted AVG, for God's sake go ahead and speak to Google directly, take them to this person's blog, and point them in the direction of the issue so that they may fix it. I don't know about you, but blasting the poor sucker here is not going to help Google fix the issue any sooner… and who knows, that may be some more brownie points for you, no?

  7. Mr. Anonymous, it appears that you are also guilty. Just as I asked earlier to ensure that Mr. O'Neill had done his homework, you need to do yours also. Have you asked if Mr. O'Neill has gone to Google about this, or are you just blasting him b/c you want to blast someone? Also, if you are going to blast someone, at least have the balls to post your name.

  8. I wanna see that blog!!

    Telling Google about the security breach would be pointless because big companies don't listen to little people's complaints. They can't read every single piece of mail they get from their millions of users.