Comment Re:Good. (Score 1) 104
Not to worry, he'd be saved by Mr. Canoe Head.
To prevent double-use like this, a company should say that you don't get paid until they've fixed the bug and issued a patch for it in their software, all without the exploit ever being spotted in the wild.
One problem with this is that there's already a documented history of companies rejecting bug reports and not paying the bounty, and then some time later including a fix for it in their periodic updates. It's basically the same process that causes a company's "app store" to reject a submitted tool to do a particular job, and then a few months later release their own app that does the same thing.
I know a good number of people who've been bitten by the latter, from both MS and Apple. In the case of a bug, it's a lot harder to document that this has happened, but various software guys I know express a strong suspicion that it has been done to them.
It's widely believed that corporations don't have ethics at all, only costs and income, which would easily explain this sort of fraudulent "offers" of rewards with no intent to pay. We've heard here often from lots of people who think that this is right and proper, and that corporations should only be motivated by the bottom line.
When combined with the growing penchant for treating someone who reports a security bug as a criminal "security hacker" and prosecuting people who report bugs in software products, this should reasonably make a sensible developer reluctant to take rewards programs seriously. Given an offer which could get you thanks and some money, or could land you in jail for your efforts, and no way to know beforehand which the company will do, why would you even consider letting them know your name?
(Actually, my name has appeared in numerous companies' lists of honored contributors thanks to my bug reports and patches. But I haven't sent in security-related bug reports to many companies, only to the ones I have reasons to believe I can trust.)
I was going to suggest going North Korean on his ass. Death by mortar fire, death by flame thrower or death by hungry dogs? It's just so damned hard to choose.
The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 170 Open Source projects and initiatives, announced today that Apache OpenOffice has been downloaded 100 million times.
Over 100 million downloads, over 750 extensions, over 2,800 templates. But what does the community at Apache need to do to get the next 100 million?
then why the recent decision
Because it's a SUPREME COURT decision. We have three branches of government and only two are elected.
The supremes are appointed, for life (subject only to impeachment for high crimes, like the president). They have no re-election issues and can vote their mind without affecting their own tenure.
The court has repeatedly struck down campaign spending restrictions, because they're limits, not just on free speech, but on the POLITICAL speech that is the reason it is an enumerated right in the first place.
But it takes a while for a law to produce enough damage to give someone standing to challenge it, and to bring it to the supremes, and then they rule narrowly. Then, once a piece is struck down, Congress just turns around and does another version of it to evade the details of that decision, and the cycle starts over.
There are under 700 people that hit the max last time around, do you seriously think that decision will benefit the grass roots? Sounds to me like it's aimed squarely at giving the oligarchs more influence.
Of course it's the rich who are the first to be bitten and who have the resources to bring the suit. That's part of why the limits end up off the rich (like Soros) first, while they're still hobbling everybody else.
It isn't just the limits themselves that are an issue. There's all the reporting requirements, publication requirements, time limits, and maze of details that make compliance hard.
It's hard for candidates: They need a substantial political machine right off the bat. Getting dinged for campaign finance violations is costly, may involve jail time, DOES involve court time, and produces publicity that tarnishes the candidate's image and hurts his chances in future elections. This gives the professional politicians, especially incumbents with the machine in place, a massive advantage over any grass-roots upstarts trying to replace them.
And it can bring on reprisals against donors - including career-killing or physical retaliation. Who contributed to what political campaigns is public record and searchable online. This is an invitation to people with opposing views to exert social pressure or take revenge. (Within the last couple of weeks we saw the CEO of Netscape forced to resign by just such pressure, as a result of the McCain-Feingold reporting of a past political contribution to a "politically-incorrect" campaign.)
It's the exact opposite of a secret ballot, which is secret to prevent such reprisals so the vote can be cast in safety. Why should financial support be any different? Why would publishing the amount and beneficiary of each contributor's political contributions be any less of a bias on the political system than publishing the way each voter voted?
Further, risking a job is far more of a hardship for a little guy living hand-to-mouth than a rich executive with millions in the bank and a golden parachute. So it's another force to suppress grass-roots opinion in favor of those who are independently wealthy or well-off.