this post was submitted on 03 May 2025

So I have a small web app I made. I didn't really advertise much because there's a lot of things I wanna fix in it and I don't have the time. But I did tell a few classmates about it.

Last few days I noticed it had been running slowly. Until one day it just stopped working. I checked the server logs and there was a background worker trying and failing to insert some data into the db on loop because of a bug I didn't notice. The data it was trying to insert was spam so I knew this was an intentional thing. I took the server down and in the process accidentally deleted all the logs. Oops.

So I go and check the database and the user who inserted the spam data used their actual email. I google it, find their GitHub, their Twitter, and their Fiverr which has their actual name and picture. I search their name in my university system and find them. It's someone I don't know. Someone who heard from a classmate I told about it.

Fixed the bug now, banned the account, removed the spam. I guess you could say they did me a favor catching the bug but they could've just told me about it lol.

The only question left is: should I contact them? Send them a subtle "I know what you did" message on the uni portal?

all 44 comments
[–] Flax_vert@feddit.uk 10 points 11 hours ago

This is what annoys me. I had a Minecraft server and people asked if it was okay if they did a bit of glitch hunting. I said it was fine as long as they told me about it, especially if they accidentally caused damage. They did not, and caused critical systems in the server to break.

[–] dumbass@leminal.space 105 points 20 hours ago (1 children)

Sign them up for spam emails.

Fight fire with fire.

[–] steal_your_face@lemmy.ml 2 points 9 hours ago

Sign them up for an email bomb

[–] recursive_recursion@lemmy.ca 76 points 19 hours ago (3 children)

I'd personally suggest sending an email to one of your profs about noticing potentially malicious network activity that originated from a fellow uni student with your attached proof.

In that same email you could ask them what's the proper procedure for the circumstance you're in.

[–] Draegur@lemm.ee 44 points 19 hours ago

I feel like this is the best option.

OP shouldn't even TRY to take matters into their own hands.

Document rigorously and then send all documentation to the designated people.

Then document who you sent it to and hold onto backups
~~so that if they try to turn it around on you, you can dump all their dirty laundry out into the open~~

[–] PennyRoyal@sh.itjust.works 17 points 19 hours ago

What are you doing here with your thoughtful and well-reasoned replies? This is the internet, we’ll have none of that kind of thing around here! Just because this is absolutely the right course of action doesn’t mean you can be promoting this kind of calm and unsensational behaviour!

[–] TWeaK@lemm.ee 3 points 18 hours ago (1 children)

The logs were deleted, sounds like there isn't any proof left.

[–] droning_in_my_ears@lemmy.world 2 points 18 hours ago (1 children)

There is. The db entries are still there, linked to their username and email. I'm not gonna report it obviously. That'd be silly.

[–] tauren@lemm.ee 9 points 14 hours ago (1 children)

The db entries are still there, linked to their username and email.

But can you prove those db entries were created by that user?

I’m not gonna report it obviously. That’d be silly

Why would it be silly? Someone attacked your website. Even penetration testers with benign intentions can't do that without an explicit consent from the owner.

[–] droning_in_my_ears@lemmy.world 2 points 13 hours ago* (last edited 13 hours ago) (2 children)

But can you prove those db entries were created by that user?

Good point. The db entries are linked to the user, but I guess one could argue that was changed after the fact. The db logs are still around but that might not be enough.

Why would it be silly?

I don't know. I just feel like it would be an overreaction. Especially since they technically exploited a bug in my own code.

[–] MrTolkinghoen@lemmy.zip 10 points 13 hours ago

This person was being an asshole. Let's be clear. They didn't inform you of a bug they found. Instead they just wanted to destroy what you made for the fun of it. Let them face some repercussions for once. At least it'll teach them to cover their tracks better.

[–] thepreciousboar@lemm.ee 3 points 12 hours ago

Especially since they technically exploited a bug in my own code.

Yeah that's called an intrusion, hackers do that and it's illegal. If you accidentally leave your house door unlocked, is it your fault if someone trashes your house?

Report them, no damage was done and it's a relatively minor thing so I wouldn't expect grave consequences, but maybe this person will be more responsible in the future.

[–] Maiq@lemy.lol 55 points 20 hours ago (2 children)

Bring your evidence to the CS Professor. See what they think.

[–] SnotFlickerman@lemmy.blahaj.zone 34 points 19 hours ago (1 children)

Yeah generally it's in bad form to mess with other people's projects without their permission at university. CS Professor probably won't be impressed.

[–] TWeaK@lemm.ee 5 points 19 hours ago (1 children)

a) The logs were deleted, so there isn't much evidence left. b) We don't even know if this is a university project and not just a side project.

[–] droning_in_my_ears@lemmy.world 10 points 18 hours ago (3 children)

It's not a university project. I'm obviously not gonna report it to anyone.

The logs were deleted but the database entries remain, tied to their username and confirmed email.

[–] Maiq@lemy.lol 1 points 10 hours ago* (last edited 10 hours ago)

Might be able to recover the logs with testdisk. The email and other info might be enough. If you do get your logs back, it might impress the CS Prof. Shows willingness to figure shit out when things go wrong.

To me, what they did shows intent to commit a crime if not the crime itself. Possible legal offences likely won't be taken lightly.

If you're gonna hack shit it better be your own in a lab or have consent from the party involved.

[–] Lemjukes@lemm.ee 8 points 17 hours ago

Even if the project wasn’t for university, it’s still yours. And the other student probably broke your schools code of conduct by doing what they did. You should still inform if not the dean of the program, then at least your professor. What’s to say this person isn’t also going around and fucking with other people’s projects?

[–] thesystemisdown@lemmy.world 2 points 14 hours ago (1 children)

How can you determine that someone didn't use their info as subterfuge? It sounds like most people could find that information and use it. You'll need a little more evidence.

Personally, I'd ask them if they want to pen test my next application and see how they respond.

[–] droning_in_my_ears@lemmy.world 1 points 13 hours ago (1 children)

What do you mean? If their email is confirmed, then I assume only they have access to it. Is there something I'm missing?

[–] thesystemisdown@lemmy.world 1 points 13 hours ago* (last edited 13 hours ago) (1 children)

Perhaps it's something that I'm missing. What do you mean when you say their email is confirmed?

Usually when this happens, it's a result of someone taking advantage of an application vulnerability, e.g. SQL injection. Sometimes it's more serious, like a script uploaded and a privilege escalation to execute it. The email value written to your database could be anything.

Not to condescend, but this is a good learning experience. If they were able to write to your db, they could likely also read from it, dump the whole thing and harvest the data.

[–] droning_in_my_ears@lemmy.world 1 points 12 hours ago (1 children)

They did not gain access to the db. They just inserted some garbage data that due to a bug in my code caused a background worker to try to insert some invalid data to the db and fail on loop, hogging network resources until eventually the main server couldn't serve anymore.

When I say their email is confirmed, I mean the email they used to sign up is presumably one they have access to because they clicked on the confirmation link with a token sent to their email. The data they inserted is tied to that account with a foreign key.

No SQL injection or anything like that was done. It was more them triggering a bug more than anything. But it's still clearly intentional because the data they inserted is spam about forex trading with no spaces (which is what caused the error, long story). My code is open source so presumably they knew that would happen.
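The failure mode the OP describes above, a background worker retrying a doomed insert forever, is what a bounded retry with a dead-letter list prevents. This is an added example, not the OP's code; the database stand-in, the 64-character token limit and the three-attempt cap are assumptions made up for the illustration.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3      # assumed cap; after this the job stops being retried
MAX_TOKEN_LEN = 64    # assumed limit standing in for whatever the real insert choked on


class InsertError(Exception):
    """Raised by the fake DB when a row is rejected."""


@dataclass
class FakeDb:
    """Constructed stand-in for the OP's database. It rejects any text whose
    longest whitespace-free run exceeds MAX_TOKEN_LEN, mimicking the
    'spam with no spaces' input that made the real insert fail."""
    rows: list = field(default_factory=list)

    def insert(self, user_id: int, text: str) -> None:
        longest = max((len(tok) for tok in text.split()), default=0)
        if longest > MAX_TOKEN_LEN:
            raise InsertError(f"token of {longest} chars exceeds {MAX_TOKEN_LEN}")
        self.rows.append((user_id, text))


@dataclass
class Job:
    user_id: int   # kept with the job so a failed row stays tied to the account
    text: str
    attempts: int = 0


def process_queue(queue, db):
    """Drain the queue once. A job that fails is re-queued until it has used
    MAX_ATTEMPTS, then it is parked in the returned dead-letter list together
    with the error, so the worker never spins on one bad row and the operator
    still has the offending record and its user id to review."""
    dead = []
    pending = list(queue)
    while pending:
        job = pending.pop(0)
        try:
            db.insert(job.user_id, job.text)
        except InsertError as exc:
            job.attempts += 1
            if job.attempts >= MAX_ATTEMPTS:
                dead.append((job, str(exc)))   # stop retrying, keep evidence
            else:
                pending.append(job)
    return dead
```

A non-empty dead-letter list is also the signal to alert on, which is the point at which the OP would have noticed the problem before the server fell over.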

[–] thesystemisdown@lemmy.world 1 points 10 hours ago

Gotcha. Then maybe it is time for them to have a conversation with the friendly network administrator. You might have lost your logs, but university network appliances usually log a lot.

[–] fartsparkles@lemmy.world 18 points 18 hours ago

Agreed. Mostly because there’s a risk that individual will continue down the offensive security route without guidance and end up a blackhat.

[–] Worx@lemmynsfw.com 16 points 20 hours ago (2 children)

Don't escalate unless you want to deal with more of this

[–] Lemjukes@lemm.ee 6 points 16 hours ago (1 children)

“Don’t deal with this unless you want to deal with it” my sibling in Christ, that’s what dealing with it means.

[–] Worx@lemmynsfw.com 4 points 15 hours ago (1 children)

That's not what I said - I said don't escalate. The problem has already been dealt with by fixing the bug. There's a chance that the mystery dickhead will never be seen again if you make it a non-event. If you reach out and taunt them, you're just asking for more trouble.

[–] tauren@lemm.ee 6 points 14 hours ago

If you reach out and taunt them, you’re just asking for more trouble

Which is why you don't "reach out and taunt them", but report them to the university.

[–] alaphic@lemmy.world -1 points 19 hours ago* (last edited 19 hours ago) (2 children)

This has some real strong "well if she didn't want to get raped she shouldn't have been dressing like that" energy

[–] chicken@lemmy.dbzer0.com 10 points 18 hours ago

Nothing happened here except a small project website temporarily lagging. Nobody has been assaulted here, which makes this an extremely different situation than that.

[–] rayquetzalcoatl@lemmy.world 11 points 19 hours ago

It absolutely doesn't. The comment doesn't assign blame to OP at all, it's a recommendation that continuing to engage with this person will just cause more problems - a pretty normal thing to acknowledge when it comes to dealing with petty, weird people who just want to mess with strangers.

[–] Sibbo@sopuli.xyz 3 points 19 hours ago (2 children)

Anyone could have used that email to insert spam. Unless you use confirmation emails?

Well, if you don't, you have nothing. If you do use confirmations, then just tell the police.

[–] sunzu2@thebrainbin.org 2 points 13 hours ago

If you do use confirmations, then just tell the police.

What is the police going to do?

[–] rirus@feddit.org 2 points 18 hours ago

Just ask him why he did it and how he found out about it and that he should just notify you instead of exploiting the bug.

[–] Aarrodri@lemmy.world 2 points 19 hours ago (2 children)

Do you have the usual friend that loves punching people? You know.. Great friend but drinks and is always getting into bar fights?

[–] Bezier@suppo.fi 7 points 18 hours ago

the usual friend that loves punching people

Very fucking usual

[–] rayquetzalcoatl@lemmy.world 7 points 19 hours ago (1 children)

Do you have friends like that?