Moderation of this subreddit does not follow the rules or submission guidelines set out in this sub

This is a followup to my post from yesterday about the inconsistent application of moderation on this sub when security issues are reported.

In response to that post, the moderators have made comments on why the stories used as examples were moderated the way they were in a somewhat inconstant way.

Here is a snapshot of the responses:

  1. I've verified the Servnet compromise. I've known they were insecure for months, even previously made a comment about their outdated resources which I assumed was a temporary slipup.
  2. Alphabay leaks were verified, and yes proof was required.
  3. Omega hack, again proof was required before it was posted.
  4. Do you set the requirements? (a moderator's response when asked who sets the requirements for verifying security issues)
  5. services that are not listed on the superlist that hosting service [do not need to be verified]
  6. claims that got verified. e.g. the omega hack got verified before he posted about it
  7. claims that were not verified but also not added to the superlist. so they are unverified claims which did not make it to the superlist due to lack of proof.

The big issue here is that we still have no insight or oversight on what "verification" means - and we already know now that it means different things to different mods and largely seems to be a process that can vary from no verification through to having to provide comprehensively documented data

If you read those responses, you would be forgiven for thinking that the mods are citing rules that are well understood and documented.

But the submission guidelines and rules for the subreddit make no mention of any of this

Here is what the submission guidelines say:

When possible, vendor complaints and scam warnings should be accompanied by proof

Obviously this isn't always feasible, but it greatly helps the community to evaluate the validity of your claims. For example, if a brand new account makes a post stating that Agora's market is compromised and is being run by LE but provides no proof, that claim will be ridiculed and not taken seriously at all, even if the claim was true. Providing some form of proof solidifies your claim and gives us something to examine and evaluate, rather than simply being empty.

Complaints and scam warnings unaccompanied by proof are usually still approved by the mods, but we may tag the post with a "FUD" flair to reflect the absence of evidence.

Note that this is the totality of rules or guides set out for reporting issues and it bears absolutely no resemblance to how moderation has been taking place on this sub.

There is also not a single page or mention within the rules or submission guidelines as to how security issues should be submitted and what submitters should expect in terms of proof or approval.

Moderation on this sub is currently a black box where each individual reporter of issues must discover for themselves how their issue is going to be moderated and treated (from being deleted and you being banned through to having your post immediately stickied at the top of the sub)

I would like to suggest that the core issue on this subreddit as has been demonstrated in the past few days is that the scope of moderation has steadily expanded with almost no input from users or oversight to the point where moderation here is an ad hoc and opaque process that has been corrupted with the influence of individual moderators.

If the moderators of this subreddit conformed to what the rules and submission guidelines say, much of what has taken place could have easily been avoided. I think this would be a good interim solution to resolving the issues here and dissolving much of the tension.


Comments


[17 Points] None:

Please stop writing coherent and detailed explanations of your thoughts that of which are not too keen on us. We need the money and referrals.

-Wombat2Combat


[4 Points] ___--__-_-__--___:

Forgive me if I'm missing something, but it seems like you're assuming a lot of false / misleading conclusions. This subreddit isn't the Place With All The Right Answers. It's not an infosec den. Its moderators aren't Omniscient Final Arbiters of Truth and they aren't our parents.

No one here pretends that any of those things are the case. No one wants them to be the case. We all like to think for ourselves, and everyone knows that some of us are stupider than others. That's okay.

Your representation of the submission guidelines and subreddit rules comes across as if they are and should be some kind of rigidly adhered to set of ubertruthfindertools.

But this is Reddit. It's about discussion and bullshit and tits and whatever else comes up. The guidelines and rules are intentionally casual - "guidelines"(!) - and they strike what seems to be a reasonable balance between making this place a spam-fest free-for-all and a sub which says "Welcome. Check your brain at the door, our moderators will think for you." Everyone here is responsible for themselves. As they should be.

There is also not a single page or mention within the rules or submission guidelines as to how security issues should be submitted and what submitters should expect in terms of proof or approval.

You are right. The thing is, I really don't know that a sizeable group here wants that. I kind of doubt it. This isn't /r/DNMInfosec. It's not like if you started uncovering technical vulnerabilities in gardening websites that /r/gardening would want their sub covered in posts about it. More relevant, I doubt /r/banking would want to hear bank vulnerabilities all day either.

That's not to say those people don't want security! Just that their primary interests lie elsewhere and they are glad that other people are passionate about security. (I want my bank to hire security consultants and they wouldn't be doing their job well if they didn't. Same with markets.)

There is a reason that groups of people nerd out together in their own corners of the internet: they like hearing about and discussing their own passions. A lot. And they recognize that other people, while they might enjoy hearing about how another nerd-group's cool discussions or findings are relevant to them, they don't want their corner of the internet to be all about it.

The tidal shift here - toward everything being infosec-focused - happened, like, two days ago. I appreciate it, but I would be lying if I said that I wanted it to be a dominant theme on this sub. The markets are the people who should want to hear about it hard and who should be receptive to it. One market wasn't, and that was a big story. But it seems like that story is kind of over, and that this is going someplace it really shouldn't.

Open to hearing your thoughts.


[1 Points] travis-:

hey wombat. fuck you.


[4 Points] None:

O for god's sake stop bitching, it's getting old.


[2 Points] cheapcab:

Number 4 is actually a longer discussion trying to figure out which direction users/mods/testers/bug finders/security experts think the process should be.

It's time to be wary of everyone on this debate as all parties involved in this seem to be manipulating the dialog to suit their needs. Many users are bandwagoning one side or the other. It's getting so convoluted that it's nearly impossible to follow the discussion logically.