So they are spinning it as a user's fault? Not the fault of Netsential for allowing malicious content to be a problem...
That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit. Some countries will protect whistleblowers, others have to flee and seek asylum abroad.
So don't deny whether or not law and/or contract was broken, instead focus on whether the action was justified. Yes the system was broken and open for exploitation, but the attack was not accidental: they intentionally uploaded a malicious payload, intentionally extracted data, and intentionally uploaded it to the internets.
That said, I do think PHP software should be distributed in such a way that the files are both locked for editing by the PHP process itself, and verified regularly. I've been using XenForo on my website for a while and it's giving me e-mail warnings that a file has changed (I did a customization), so it does exist.
But yeah, that particular category of error can be mitigated via config; disallow PHP execution in an upload folder, disallow PHP to add or edit files in the application folder, etc.
No attack is accidental. If a vendor fails to follow appropriate operational security, it is certainly the illegal actor's fault. But it is also the fault of the vendor's negligence, and might also be the fault of whoever failed to properly vet the vendor. All three are potentially culpable.
Moreover, I took the parent comment to be referring more to customer flight rather than some judiciary judgement. 'I got mugged' is not what you want to hear from the person entrusted with your data security.
Netsential clearly had a massive security vulnerability in their system that allowed one user to access the data of all other users. That's very much on them.
Consider a company that provides physical storage units and advertises that they are secure and can only be accessed by their owner. Then it turns out that there was a back alleyway running behind all the units that allowed any owner who had access to one unit the ability to access any other unit, without a key. I don't think anyone would suggest that would be anything other than a massive security oversight by the storage company. Yes, what the thief did was illegal and should be dealt with. But you'd have a hard time convincing me that the company itself wasn't primarily at fault for such a huge oversight in the first place. And I certainly would never use them again.
You can also run a ClamAV scan to catch very obvious threats.
The problem is all the legacy applications which are a mess of random PHP files and rely on the web server itself to dispatch requests based on the path of the file - in this case any PHP file can get executed if it happens to be in a location served by the web server. Rather than disallowing PHP execution in select folders, how about allowing PHP execution only for specific paths - those that you expect incoming requests to hit? That way no malicious code can run unless it manages to overwrite an existing file.
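The path-allowlist approach in the comment above, as an added nginx example (not configuration posted in the thread): a weak server block that executes any .php file under the document root, beside a hardened one that only ever runs the front controller and serves the upload directory as inert downloads. The app root, upload path, hostnames and the PHP-FPM socket are assumed.

```nginx
# Added example, not from the thread. Assumed: app root /var/www/app,
# uploads in /var/www/app/uploads, PHP-FPM on unix:/run/php/php-fpm.sock.

# --- Weak: every .php file under the document root is executed ---
server {
    listen 80;
    server_name weak.example.test;
    root /var/www/app;
    index index.php;

    # Any request ending in .php reaches PHP-FPM, including files under /uploads/.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# --- Hardened: PHP runs only for the front controller ---
server {
    listen 80;
    server_name hardened.example.test;
    root /var/www/app;
    index index.php;

    # Clean URLs go to the front controller, never to an arbitrary file.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # The one script allowed to execute; SCRIPT_FILENAME is fixed, not derived from the URL.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Uploads are served as opaque downloads only; ^~ stops the .php regex below from applying.
    location ^~ /uploads/ {
        types { }
        default_type application/octet-stream;
        add_header Content-Disposition attachment;
    }

    # Every other .php path, uploaded or injected, is refused outright.
    location ~ \.php$ {
        return 404;
    }
}
```

Pair this with filesystem permissions that keep the PHP-FPM user from writing to the application directory, which is the other half of the mitigation the thread describes.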
I don't think anyone is saying it was not illegal, are they? But just because it is illegal does not resolve the security issue at the service provider.
If I leave my home unlocked it is still illegal for you to steal my TV, but you can bet my insurance company is going to give me crap (if not deny my claim outright) due to my negligence for not securing my property.
>>That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit.
It can, but not always, and in the case of true whistleblowing there are laws in place that would provide an affirmative defense to otherwise illegal acts (like breaking an NDA). This is akin to self defense. Murder is always illegal but self defense is an affirmative legal defense one can use to justify their action, making them "not guilty" of the law under those special circumstances. Whistleblowing has a few of these affirmative defenses as well.