zlacker

[return to "‘BlueLeaks’ Exposes Files from Hundreds of Police Departments"]
1. voiper+83 2020-06-22 12:04:25
>>itcrow+(OP)
>“Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”

So they are spinning it as a user's fault? Not the fault of Netsential for allowing malicious content to be a problem...

2. joekri+H5 2020-06-22 12:29:47
>>voiper+83
That's the first thing I thought, too - sounds like they are trying to spin it as some malicious user "broke in". If a "customer user account" is able to upload a malicious payload and exfiltrate huge amounts of other customers' data, there's a much larger, underlying problem here. Hard to see how Netsential could get through this fiasco and still have any business.
3. Cthulh+sr 2020-06-22 14:46:45
>>joekri+H5
Legally speaking, if you find a bug and abuse it (to e.g. extract data), you're breaking the law; I know people don't want to hear it and want to protect whistleblowers, but it's factually illegal to steal data like this.

That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit. Some countries will protect whistleblowers, others have to flee and seek asylum abroad.

So don't deny whether or not law and/or contract was broken, instead focus on whether the action was justified. Yes the system was broken and open for exploitation, but the attack was not accidental: they intentionally uploaded a malicious payload, intentionally extracted data, and intentionally uploaded it to the internets.

4. syshum+vD1 2020-06-22 19:46:51
>>Cthulh+sr
>Legally speaking, if you find a bug and abuse it (to e.g. extract data), you're breaking the law; I know people don't want to hear it and want to protect whistleblowers, but it's factually illegal to steal data like this.

I don't think anyone is saying it was not illegal, are they? But just because it is illegal does not resolve the security issue at the service provider.

If I leave my home unlocked, it is still illegal for you to steal my TV, but you can bet my insurance company is going to give me crap (if not deny my claim outright) due to my negligence in not securing my property.

>That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit.

It can, but not always, and in the case of true whistleblowing there are laws in place that would provide an affirmative defense to otherwise illegal acts (like breaking an NDA). This is akin to self-defense. Murder is always illegal, but self-defense is an affirmative legal defense one can use to justify their action, making them "not guilty" of the law under those special circumstances. Whistleblowing has a few of these affirmative defenses as well.
