Comments on: Major Security Hole at Tumblr

By: Privacy Disaster At Twitter: Direct Messages Exposed (Update: GroupTweet Is Likely Culprit) | crown.MONKEY

Thu, 24 Apr 2008 09:20:45 +0000

[...] seeing an increasing trend of privacy issues pop up around new web applications and all this distributed [...]

By: TechCrunch Japanese アーカイブ » Twitterで非公開メッセージ暴露さる（GroupTweetの仕業？）

TechCrunch Japanese アーカイブ » Twitterで非公開メッセージ暴露さる（GroupTweetの仕業？） — Wed, 23 Apr 2008 19:45:09 +0000

[...] 新たなウェブアプリやデータ配信がウェブで次々誕生するにつれ、こういったプライバシー問題も最近は増加傾向にある。 [...]

By: Privacy Disaster At Twitter: Direct Messages Exposed

Privacy Disaster At Twitter: Direct Messages Exposed — Wed, 23 Apr 2008 11:14:39 +0000

[...] depending on the number of users affected, possibly a more embarrassing security slipup than Tumblr saw last week). Forget downtime, this causes direct and substantial harm to anyone affected. And if it happened [...]

By: mike

mike — Thu, 17 Apr 2008 14:49:30 +0000

@Watts and Cameron ;at the time of my post the breach had already been fixed. i suppose when i take a second look i have to agree with the statement we do not need to know about the breach at the moment it happens. I was responding more to the protection of free speech and press. Note that i am not a journalist either, so i do not know a lot about standard journalistic practice. Also with further insight into my own statements, i decided i was being contradictory in that i was defending tech crunch in their right to publish without regard to the rights of the readers to repost. This i think is a fantastic system where the journalist is held very much accountable not only to the public, but to each and every readers individual assessment of their journalistic integrity. good job for keeping not only tech crunch in check, but me too.

By: ArringtonMuchosSuckas

ArringtonMuchosSuckas — Thu, 17 Apr 2008 04:53:24 +0000

You suck for laughing at others fault.

By: Tabish

Tabish — Thu, 17 Apr 2008 00:32:20 +0000

Ah, I meant that for Arrington.

By: Tabish

Tabish — Thu, 17 Apr 2008 00:31:44 +0000

Just because I couldn’t resist responding to your juvenile behavior, and partly because it turns me on so much, here’s a rub: Tumblr, not iTumblr.

By: Fabricio Zuardi

Fabricio Zuardi — Wed, 16 Apr 2008 16:54:25 +0000

What kind of asshole posts a security breach on a high traffic website before contacting the site owners… disgusting.

By: Watts

Watts — Wed, 16 Apr 2008 06:55:14 +0000

Um, no, “good journalism” does not require the article to go up before Tumblr has a chance to respond. Standard journalistic practice, which is what I believe you’re really referring to, involves at least trying to get a statement from all the interested parties. Or have you never noticed the “So-and-so did not respond to our requests for comments” in newspaper articles before?

Good security reporting practices, on the other hand, pretty much DO require giving the affected party a chance to not only respond but repair before widely disseminating a breach. Cameron is absolutely correct in his response above.

This is an issue that others have noted with TechCrunch, although it’s absolutely not unique to them: a desire to be the first big-name outlet with “the scoop” means that you’re throwing standard journalistic practices out the window whenever they threaten to slow you down. You may publish clarifications and expansions throughout the day, but that’s not the same as taking the time to get it as close to right as possible to start with. (Of course, when someone corrects you, you may dismiss them entirely for sending negative energy your way. We all have our own ideas of what “editorial standards” mean.)

By: Cameron

Cameron — Wed, 16 Apr 2008 05:44:48 +0000

Mike, so by your logic, if Tumblr is dependable to share security breaches with their users, why did you post this? And even if you say this was a test of their dependable nature, you could have at least called them or made sure they fixed it before posting.

The users don’t need to know the absolute second of a security breach. It’s not like the users can do anything to stop someone with admin privileges, it’s true they needed to know, but you could have emailed Tumblr or contacted them and told them you were going to post at the end of the day.

Jesus. Give them some time.

By: Nate

Nate — Wed, 16 Apr 2008 04:30:08 +0000

It’s a php app folks. For the ruby/rails hater above.

By: blowmii

blowmii — Wed, 16 Apr 2008 03:20:45 +0000

Go F#$k Yourself.

Show some class. What goes around comes around.

By: Blowski

Blowski — Wed, 16 Apr 2008 02:51:44 +0000

Oh, BTW, I like cock and balls.

By: Blowski

Blowski — Wed, 16 Apr 2008 02:32:41 +0000

Just wanted to say - I post comments on here a fair bit and the Blowski doing a spot of FUD above (#22,#25) is not me. Just for the record.

By: mike

mike — Wed, 16 Apr 2008 01:12:01 +0000

i find it strange there are so many people mad that this mistake was published. GOOD journalism dictates that everyone be notified as soon as something happened, and a good journalist has good sources. If the report was incorrect then we look at the journalist. In this case it was not. kudos for fixing it so fast, but we have to take into account the fact that if it can be fixed faster than it is reported, we may never know our information was compromised. Luckily we could depend on tumblr to tell everyone, but not every site is so ethically well adjusted.

By: Sean Kelly

Sean Kelly — Wed, 16 Apr 2008 01:03:57 +0000

That’s great that they got a handle on things. It is problems like this that cause me to be wary of storing personal information on the internet.

By: Craig

Craig — Wed, 16 Apr 2008 00:39:05 +0000

We all know what to do when it is discovered TechCrunch has a security hole

By: Nat

Nat — Wed, 16 Apr 2008 00:00:09 +0000

a week ago another website i frequently visit Killerstartups.com have a problem and you can see the whole index of the website including the admin logging and within minutes or so, everything is fixed.

Nat
http://www.workersinc.com

By: EH

EH — Tue, 15 Apr 2008 23:58:40 +0000

Love all the “security through obscurity” arguments against publicizing this crack. Must be a lot of aspiring CEOs who are practicing their authoritarian management techniques so they don’t ever have to account for their mistakes.

Sorry all you paper MBAs, but it helps the USERS to know that theres a problem on the site so they can figure out what they want to do. If this means not using your service/site anymore then you should think about talking to your development director or other programming managment about quality control and accepted practices. Making sure an admin is actually an admin is ultra-basic.

By: Richard Head

Richard Head — Tue, 15 Apr 2008 23:43:43 +0000

I see you have no ethical problems reporting a publicizing a security hole before it is fixed. Any decent journalist would fact check a story before running with it, so why not pause before publishing here too?

It really is accepted practice to notify people about security holes and only going public to force the company’s hand if they refuse to fix it. Doing anything other than this shows you up as a publicity hungry, ethically naive hack.

By: TechCrunch Japanese アーカイブ » Tumblrに重大な脆弱性

TechCrunch Japanese アーカイブ » Tumblrに重大な脆弱性 — Tue, 15 Apr 2008 23:31:32 +0000

[...] [原文へ] [...]

By: Kyle

Kyle — Tue, 15 Apr 2008 23:19:35 +0000

Posting this before Tumblr could adequately respond and deal with the issue is an insult to David and Marco, as well as every legitimate Tumblr user out there, aside from this not even being real news. You guys are no better than the people who ended up mucking around with things during the breach.

By: jonathan

jonathan — Tue, 15 Apr 2008 23:12:36 +0000

why does techcrunch publish this stuff before the hole is fixed.. sending hurds of script kiddies to mess with the exploit is not cool.. and it certainly is not news.. arghh..

By: Afraid of the dark

Afraid of the dark — Tue, 15 Apr 2008 22:49:13 +0000

seriously, why would you post this as soon as you found out about it. I know this is a blog, but have some decency

By: Ryan Allen

Ryan Allen — Tue, 15 Apr 2008 22:44:09 +0000

Gee TechCrunch, you guys are awesome. Bet you’ll think it’s awesome when someone announces an open security hole in your site before it’s fixed.

What goes around comes around. I hope you get back what you deserve for this selfish post.

Are you going to start posting about celebrities on drug rehab stints or is this kind of reporting only temporary?