people who shouldn't do crypto, doing crypto
16 May 2009 22:12:15 EST

Does this disqualify me from no more free bugs? I found a pretty horrific security vulnerability in a website not to be named, and reported it. It was silly-easy to exploit, there was no particular cleverness on my end. I've put up a new code adventure about it. Suffice to say I could have done an awful lot of incredibly dangerous (and lucrative!) theft, and if I did it wrong I would have gone to jail for a longish time. When I found it, and successfully exploited it, I sat back, and remembered something Richard Feynman said in one of his books.

I went on and checked some things, which fit, and new things fit, new things fit, and I was very excited. It was the first time, and the only time, in my career that I knew a law of nature that nobody else knew. The other things I had done before were to take somebody else's theory and improve the method of calculating

So this was the first time (so far) that I knew some incredible zero-day that no one else knew. And I rushed out to explain it to my roommate and I was excited. So read about it, and then you'll think we'll that's obvious and of course it is. But out of the thousands and thousands who could have found it and exploited it - I did it.

Add a comment...
required, hidden, gravatared

required, markdown enabled (help)
you type:you see:
[stolen from reddit!](http://reddit.com)stolen from reddit!
* item 1
* item 2
* item 3
  • item 1
  • item 2
  • item 3
> quoted text
quoted text
Lines starting with four spaces
are treated like code:

    if 1 * 2 < 3:
        print "hello, world!"
Lines starting with four spaces
are treated like code:
if 1 * 2 < 3:
    print "hello, world!"