Comments on: MozillaZine fixes information leak

By: b

Wed, 30 Nov -0001 00:00:00 +0000

It’s good that the hole has been fixed. MozillaZine rarely gets information in advance (they only knew of the name because Kerz came up with it), but it could be damaging if any info they did have got out early.

That said, if Jesus_X knew about this hole so long ago, why didn’t he inform anyone? So he could spy on MozillaZine, I guess.

By: Jesse Ruderman

Jesse Ruderman — Wed, 30 Nov -0001 00:00:00 +0000

I don’t think jesus_X knew about the title leak until I told him about it.

By: alanjstr

alanjstr — Wed, 30 Nov -0001 00:00:00 +0000

I’m sure they were notified in advance enough to change the forum names, just like djst was notified so he could update his website before it was slashdotted.

By: Alex Bishop

Alex Bishop — Wed, 30 Nov -0001 00:00:00 +0000

Question: You’ve found a security hole in a website. What do you do?

A. Tell the maintainers of the site.
B. Tell their nearest competitor, allowing them to steal news.

I knew that reading the headlines of unpublished articles was possible under certain circumstances but thought that no-one else knew about it. In any case, most of the future article headlines are hardly top secret. I did take precautions with some sensitive articles though. I thought Kerz knew about the hole. Seems he didn’t.

This is the first I’ve ever heard of full articles being visible before publication.

We were told in advance about the name change, as well as the release dates and times. Similar to when we were told about the new end user services launch or last year’s major Roadmap update. Completely dissimilar to when we weren’t told about the creation of the Mozilla Foundation. They’re quite good about supplying prerelease news now.

By: jesus X

jesus X — Wed, 30 Nov -0001 00:00:00 +0000

To “b”: As Jesse said in a reply, I didn’t know about the headline-in-titlebar hole until he told me, as I don’t have the same security-hole detection abilities as Jesse does. He finds them everywhere, with amazing speed. It’s one his his many talents. As for not notifying anyone, as Jesse said, this was LONG ago that there was a hole I knew of, and it had long since been fixed. I have no such interest in spying on MoZine, flat out. Please keep those kinds of guesses to yourself.

To Alex: I don’t need to “steal” your news, nor did I. If you have problems with me, take it up with me, not in someone else’s blog comments. Jesse just happened to ask if I knew anything about the name change. He didn’t run to tell me of the bug. You only make yourself look bad when you try to insult myself and Jesse. You owe Jesse an apology.

By: Alex Bishop

Alex Bishop — Wed, 30 Nov -0001 00:00:00 +0000

jesus_X: I wasn’t trying to insult anyone, just expressing my surprise that a member of the Mozilla security group’s first thought on finding a bug in a popular Mozilla news site was not to tell the site’s maintainers but to discuss the issue with a maintainer of a rival site.

Maybe you don’t need to steal news. However, the fact remains that the Mozilla Foundation decided not to tell you about the name change for whatever reason, yet you still had an article ready in time for the midnight launch.