Comment: Underlying assumptions are false (Score 1) 228

by jd (#46793425) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Ok, the envelope game. You can rework it to say the second envelope contains the next vulnerability in the queue of vulnerabilities. An empty queue is just as valid as a non-empty one, so if there are no further flaws then the envelope is empty. That way, all states are handled identically. What you REALLY want to do though is add a third envelope, also next item in queue, from QA. You do NOT know which envelope contains the most valuable prize, but unless two bugs are found simultaneously (in which case you have bigger problems than game theory), you absolutely know two of the envelopes contain nothing remotely as valuable as the third. If no bugs are known at the time, or no more exist (essentially the same thing, as you can't prove completeness and correctness at the same time), then the thousand dollars is the valuable one.

Monty Hall knows what is in two of the envelopes, but not what is in the third. Assuming simultaneous bug finds can be ignored, he can guess. Whichever envelope you choose, he will pick the least valuable envelope and show you that it is empty. Should you stick with your original choice or switch envelopes?

Clearly, this outcome will differ from the scenario in the original field manual. Unless you understand why it is different in outcome, you cannot evaluate a bounty program.

Now, onto the example of the car automotive software. Let us say that locating bugs is in constant time for the same effort. Sending the software architect on a one-way trip to Siberia is definitely step one. Proper encapsulation and modularization is utterly fundamental. Constant time means the First Law of Coding has been broken, a worse misdeed than breaking the First Law of Time and the First Law of Robotics on a first date. You simply can't produce enough similar bugs any other way.

It also means the architect broke the Second Law of Coding - ringfence vulnerable code and validate all inputs to it. By specifically isolating dangerous code in this way, a method widely used, you make misbehaviour essentially impossible. The dodgy code may be there but it can't get data outside the range for which it is safe.

Finally, it means the programmers failed to read the CERT Secure Coding guidelines, failed to test (unit and integrated!) correctly, likely didn't bother with static checkers, failed to enable compiler warning flags and basically failed to think. Thoughtlessness qualifies them for the Pitcairn Islands. One way.

With the Pitcairns now overrun by unemployed automotive software engineers, society there will collapse and Thunderdome v1.0a will be built! With a patchset to be released, fixing bugs in harnesses and weapons, in coming months.

Comment: Re:Useful Idiot (Score 1) 387

Snowden has been careful to release only the things he feels violated the oath he and others took to the U.S. Constitution

Please point out the part of the US Constitution that says the Federal Government can't spy on foreign countries, then justify Snowden's leaking of intelligence methods and sources that had nothing whatsoever to do with American domestic civil liberties.

Comment: Re:Useful Idiot (Score 0) 387

What the fuck do you milquetoast standard-bearers of pusillanimity expect him to do?

Put his actions before a jury of his peers, like the numerous whistle-blowers who came before him, none of whom fled to hostile countries? Restrict his leaks to pertinent information, rather than dumping EVERYTHING? Attempt to work within the system before trying to blow it up? Leak the information without outing yourself, remaining anonymous like Deep Throat did?

Anyway, I'm all for the balance of power. The best antidote to an abusive US empire is an abusive Sov^WRussian empire.

You'd probably have a different perspective on that if you lived in the Baltic States, Ukraine, Romania, Moldova, Finland, Georgia, or any of the Central Asian Republics.

Comment: Re:Useful Idiot (Score 0) 387

Yep -- if the US wanted to not give Putin a propaganda tool, they could have welcomed him back home with a guarantee of safety.

It'd make more sense to play the realpolitik game: "Put Mr. Snowden on a flight to New York and we'll quietly acquiesce to your annexation of Crimea."

Unfortunately realpolitik is not something the current administration is very good at. They're very good at making promises they can't keep, and threats they won't follow up on, but making cold calculations to further American interests in a dangerous world? Not so much.

Comment: Re:So other than those ten (Score 2) 33

by Shakrai (#46775791) Attached to: FBI Drone Deployment Timeline

How many times do they do it a week without all that official authorization stuff?

If they use them in criminal investigations the usage eventually becomes part of the public record when entered into evidence. Using them for search and rescue ought to be non-controversial enough. "National Security" is of course the grey area, though there's a fair amount of overlap between National Security and criminal prosecutions, for offenses like espionage or terrorism, so a lot of that use would eventually make it into the public record as well.

Comment: Re:Not even much money (Score 2) 415

by Shakrai (#46759595) Attached to: Intuit, Maker of Turbotax, Lobbies Against Simplified Tax Filings

If you are a die-hard, you can download [irs.gov] the forms and send them in for the price of a stamp or two (my state forms, seven pages of paper, cost $0.70 to mail.)

You don't even have to do that. There's Free Fillable Forms, which are exactly what the title suggests. Electronic copies of all the relevant paper forms that you fill out online and E-File. It doesn't have the logic of Turbotax but it performs basic math checks and saves you the hassle of printing and mailing the forms.

I can't understand why anyone would pay a third party to do their taxes. The logic flow isn't that complicated, even when you throw capital gains and itemized deductions into the mix. I've filed the long form 1040 by hand in years when I had to deal with capital gains and losses and was able to complete it in under two hours. Who are the people who pay Intuit or H&R Block to do their 1040ez filings?

Comment: Re:also (Score 1) 171

by Shakrai (#46756621) Attached to: First Phase of TrueCrypt Audit Turns Up No Backdoors

The metadata argument wears thin on me. If my phone number is two or three levels removed from a terrorist I really don't see why it's objectionable that the Government take a precursory look at my call logs. They'll quickly find that I'm a rather boring sort, whose connection with the terrorist was likely limited to ordering the same take out, and my privacy isn't significantly impacted by having someone review my call logs after obtaining a court order.

Traditional police investigative techniques would be at least as invasive, if not more so. Ever been interviewed by the police because you're one or two levels removed from a criminal suspect they're attempting to establish a case against?

Comment: Re:also (Score 5, Insightful) 171

by Shakrai (#46751971) Attached to: First Phase of TrueCrypt Audit Turns Up No Backdoors

Since Snowden's revelation about the NSA's clandestine $10 million contract with RSA,

If you're on NSA's radar you've got bigger problems than TrueCrypt's trustworthiness or lack thereof. The NSA doesn't have to have a back door into AES (or the other algorithms) when they have an arsenal of zero day exploits, side channel attacks, social engineering, and TEMPEST techniques at their disposal. The average user should be far more concerned about these attack vectors (from any source, not just NSA) than the security of the underlying encryption algorithm.

The Diceware FAQ sums up the problem rather succinctly: "Of course, if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day."

Comment: Re:To the point... (Score 1) 147

by Shakrai (#46730875) Attached to: 'weev' Conviction Vacated

No, he sent a query to the webserver, and the webserver did what it was designed to do and answered it.

You're overlooking the part about purposefully manipulating the query in such a fashion as to trick the webserver into thinking you're someone else.

AT&T was the one making the mistake by assuming that all trivially-correctly-formatted requests were from AT&T customers as opposed to actually checking whether the requester was - in fact - a customer (something they could've easily done!)

AT&T's mistakes do not excuse the actions of the accused.

It's about precedent, and "some queries shouldn't be sent to a webserver, but you don't know what those are until we nail your ass" is a pretty damn bad precedent.

There's no overly broad precedent here, unless you're trying to claim that prosecuting people for impersonation is a scary precedent.
