Comments on: Blogger Discovered LHDN e-Filing Security Vulnerability http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/ About Computers, Blogging, Making Money Online, Marketing and Interesting Stuff Fri, 03 Feb 2012 09:22:46 +0000 hourly 1 By: LHDN e-Filing Security Problem Fixed « Sabahan.com http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/comment-page-1/#comment-24399 LHDN e-Filing Security Problem Fixed « Sabahan.com Tue, 17 Apr 2007 05:05:04 +0000 http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/#comment-24399 [...] posted earlier about a discovery made by a blogger about the data leak he was experiencing why filling his tax [...] [...] posted earlier about a discovery made by a blogger about the data leak he was experiencing why filling his tax [...]

]]> By: WATTAHACK? http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/comment-page-1/#comment-24373 WATTAHACK? Mon, 16 Apr 2007 14:55:38 +0000 http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/#comment-24373 Please post update on this matter so others know its resolved. http://wattahack.blogspot.com/2007/04/resolved-lhdn-e-filing-leaking-data.html Please post update on this matter so others know its resolved.

http://wattahack.blogspot.com/2007/04/resolved-lhdn-e-filing-leaking-data.html

]]> By: Gaman http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/comment-page-1/#comment-24341 Gaman Sun, 15 Apr 2007 10:43:30 +0000 http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/#comment-24341 The guy is just a blogger to start with and he is not bound by any procedure or law to report any vulnerabilities overlooked by any organization - at least for now (as far as I am aware) What he did is a common practice among bloggers in developed countries like in the US. It's even worst there where they sometimes publish all the juicy details at will. Does this do more harm then good? It could be harmful but in a way this forces the organization to shorten their response time further. They take security even more seriously instead of delegating beta testing to the unwilling general public. I agree with you though that ideally the guy should had reported it first. Sadly the reality is less than ideal. The guy is just a blogger to start with and he is not bound by any procedure or law to report any vulnerabilities overlooked by any organization – at least for now (as far as I am aware)

What he did is a common practice among bloggers in developed countries like in the US. It’s even worst there where they sometimes publish all the juicy details at will.

Does this do more harm then good?

It could be harmful but in a way this forces the organization to shorten their response time further. They take security even more seriously instead of delegating beta testing to the unwilling general public.

I agree with you though that ideally the guy should had reported it first. Sadly the reality is less than ideal.

]]> By: bengodomon http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/comment-page-1/#comment-24339 bengodomon Sun, 15 Apr 2007 09:57:15 +0000 http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/#comment-24339 With the right escalation system, it should be very quick for the details to reach the correct person. In all probability, system development and maintenance is done by a 3rd party (private company), as is the case with most federal app development projects. If the private company is good, they would get to work right away. Informing firstly the PIC of the organisation in charge of the application is standard ICT security procedure. I think informing the general public of the vulnerability, even if not the whole juicy details, does more harm than good. Once the relevant authorities does something about it, then only would I consider going public about it. With the right escalation system, it should be very quick for the details to reach the correct person. In all probability, system development and maintenance is done by a 3rd party (private company), as is the case with most federal app development projects. If the private company is good, they would get to work right away.

Informing firstly the PIC of the organisation in charge of the application is standard ICT security procedure. I think informing the general public of the vulnerability, even if not the whole juicy details, does more harm than good.

Once the relevant authorities does something about it, then only would I consider going public about it.

]]> By: Gaman http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/comment-page-1/#comment-24337 Gaman Sun, 15 Apr 2007 07:29:49 +0000 http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/#comment-24337 Unfortunately not everyone is motivated enough to do that. Unlike a smaller company, it would probably take forever to escalate the issue to the right person in LHDN - all this at the expense of the general public because of the bureaucracies in the system. If I discover a vulnerability in a system, I would blog about it but leave out the details about the exploit itself. At the same time I'll contact the relevant authorities - and it's up to them to act. Unfortunately not everyone is motivated enough to do that.

Unlike a smaller company, it would probably take forever to escalate the issue to the right person in LHDN – all this at the expense of the general public because of the bureaucracies in the system.

If I discover a vulnerability in a system, I would blog about it but leave out the details about the exploit itself. At the same time I’ll contact the relevant authorities – and it’s up to them to act.

]]> By: bengodomon http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/comment-page-1/#comment-24335 bengodomon Sun, 15 Apr 2007 06:54:14 +0000 http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/#comment-24335 What he should've done is report the problem straight to LHDN first, and not post to his blog. With his action, he could've caused more harm than good. In the past, have also discovered several vulnerabilities, including one that was developed by a MSC-status company, but I always contacted the PIC first. What he should’ve done is report the problem straight to LHDN first, and not post to his blog. With his action, he could’ve caused more harm than good.

In the past, have also discovered several vulnerabilities, including one that was developed by a MSC-status company, but I always contacted the PIC first.

]]> By: toxicle http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/comment-page-1/#comment-24301 toxicle Fri, 13 Apr 2007 05:24:27 +0000 http://www.sabahan.com/2007/04/11/blogger-discovered-lhdn-e-filing-security-vulnerability/#comment-24301 Just when I'm about to use it I get this news. Hrmm ... I hope they fix it before the end month dateline. Just when I’m about to use it I get this news. Hrmm … I hope they fix it before the end month dateline.

]]>