Pingsta Mailserver Malicious Attack – Update
Our investigation has revealed that the cause of yesterday’s mailblast incident was a malicious attack on our mailserver sourced (or spoofed) from 202.71.201.178, which resolves to en201178.uac63.hknet.com. Our engineers are currently taking all necessary steps to ensure that this never happens again.
Once again, we apologize profusely to all those who were impacted by this incident, and we are most grateful for the relentless support we’ve received from our members and ecosystem.
We’ve learnt a few lessons from this incident that will no doubt make us stronger and improve the Pingsta experience for all.
Sincerely,
Peter and the Pingsta team.
PS. What a way to start the new year!
Weekly Weigh-In #3: Software vulnerability auctions vs. ethical disclosures

A week ago, a Swiss company by the name of Wabi Sabi Labi (gotta love the name) launched an eBay-style marketplace for software vulnerabilities. They allow anyone with a verified security flaw to auction it off on their site. Wow!
While I find this very discomforting because of the potential for exploitation of such defects by unscrupulous ‘buyers’, I believe researchers should be compensated adequately by software manufacturers for “ethical disclosures” that end up improving software quality.
Fact: 99% of all bugs are customer-found.
Software is imperfect because we are imperfect; thus, defects are here to stay. Therefore, anyone who helps to “dev test” software to the point of identifying a flaw should be compensated (and possibly offered a job) for their hard work.
Although I do not condone the WSL marketplace, I do understand why it came about. It is a logical reaction to the lack of fair recognition that is currently given to members of the public who point out software flaws to manufacturers.
The fair thing to do would be for WSL to offer software OEMs the chance to “buy” vulnerabilities offline before resorting to public offerings. On the flip side of this, I guess researchers can now add WSL to their list of leverage points when negotiating with software OEMs.
Thoughts?
/Peter