Comments on: On Security Vulnerabilities

By: j3h

j3h — Mon, 27 Nov 2006 21:37:38 +0000

We have just made a release that changes the behavior so that it rejects sign-ups even if the entered credentials match an existing account. This should make the sign-up process less confusing if people are testing it.

By: kveton

kveton — Mon, 27 Nov 2006 15:44:11 +0000

For the very reason that you have not given me any cause to do so. From previous experience, I’m not convinced you could do a thorough analysis.

I’m sorry we didn’t get back to you as quickly as we normally respond to such events. However, the timing of these events were correct, we simply failed to notify you in a timely fashion.

You continue to question my integrity at every opportunity and yet you have not shown one bit of proof of a security vulnerability.

By: Dmitry Shechtman

Dmitry Shechtman — Mon, 27 Nov 2006 10:57:46 +0000

Full disclosure is open source to me. Why didn't you agree to open your code repository, not even under NDA? And what's wrong with your clock?

By: kveton

kveton — Sun, 26 Nov 2006 21:41:55 +0000

That wasn’t the only place you made that public claim:

http://startrekguide.com/forum/viewtopic.php?p=12128

We take security seriously here so we respond to any and all questions about the quality of the services we provide. Test site or otherwise, people might happen upon that site via Google and not know its a test site. I’d rather err on the side of full-disclosure and discussion than not.

Thanks for the post Dmitry!

By: Dmitry Shechtman

Dmitry Shechtman — Sun, 26 Nov 2006 21:36:10 +0000

As I repeatedly noted in our conversation, a test board hardly counts as an arena for public claims. But since we have gone public with this now, here are a few backlinks:

http://test.phpbb.cc/viewtopic.php?t=37
http://test.phpbb.cc/viewtopic.php?t=38

Vulnerability or not, coverup or not — you are invited to draw your conclusion.