Comment: Re:Guys, 2020 is just six years from now (Score 1) 36

by Opportunist (#46793623) Attached to: Bookies Predict the Future of Tech

Why would people in the future abandon patents? Because they "learned their lesson"? Because they "got more socially intelligent"? Look back in history and show me one example where we learned from our lessons or where we became more socially intelligent.

Man is a greedy asshole. And the greediest assholes are also the ones that have the power to build something big. Something like, say, some time travel device.

So if anyone ever came up with something like that, what he would bring along is the blueprints of everything that had been invented between now and then and they'd make a beeline for the patent office.

Comment: Re:Are you kidding (Score 1) 795

by Opportunist (#46793597) Attached to: Study Finds US Is an Oligarchy, Not a Democracy

The Greens putting up the Chancellor isn't even necessary. Hell, it's not even necessary for them to be in government to have an influence. That's the beauty (and in some other cases the shame) of it: The threat that people could move from your party to $party because they have $topic on their agenda already does a lot.

In the 80s, the Greens did not really play a role in European parliaments. At least not in a way that you could see them reach any kind of government position any time soon. Yet still, their positions (i.e. ecology and sustainability) were embraced by the established parties quite quickly when they saw that people left them and voted Green instead just because of those positions. The Greens still didn't have a governmental role in the 90s, but their positions and demands were already being usurped by those that are in power, because they feared more voters would move away from them if they didn't.

It's a common misconception that your party needs to rule or be at least part of the government so you can realize your ideas. All it really takes is that those that are in government fear the loss of votes if they don't pick up your ideas.

Comment: Re:I think you're working from a few false assumpt (Score 1) 220

by Opportunist (#46793511) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Of course there is the threat that changes in a system will introduce new bugs, but these bugs are not under your control. And whether or not your underlying system changes is not entirely dependent on the system's maker, it also matters whether or not you deploy the new version.

Also, it is very, very rare that changes in an underlying system rip open a critical security hole, at least one that you didn't notice due to the change log info. Looking back I can't really remember an instance where such a thing happened to us. We had quite a few compatibility issues, which of course, due to the necessity of code change, bore the potential to introduce new security holes, but I don't remember any security issues with existing code due to version changes.

Comment: Re:So ... (Score 3, Interesting) 74

by Opportunist (#46788943) Attached to: Samsung's Position On Tizen May Hurt Developer Recruitment

"Wearable" isn't something bad by definition. It's just that the approach they take to it could not be worse.

Everything that runs towards "wearable" today is basically a reskinned, retooled and reshaped smartphone. That's not really what wearable computing can or even should be. A wristwatch that is essentially a smartphone has nothing to do with wearable. It's a smartphone in a different format. Where is the "wearable" benefit?

If you want to create a wearable, create something where we actually benefit from "wearing" it rather than sticking it in a pocket. The least I'd expect from a wearable is having my hands free and either an HMD or an output interface that doesn't require me to take my eyes off whatever I'm busy with. Otherwise there is exactly zero need to "wear" the gadget; I can as well take it in hand.

Comment: Re:False sense of security (Score 2) 155

by Opportunist (#46788503) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

What I really don't like about the whole statement behind it is the implied assumption that closed source offered any kind of better protection.

You know what's the main difference between an OSS and a CSS audit? That I can't go "hey, psst, take a look at $code. Maybe you see something interesting..." to you when I find something in CSS software and someone in a badly fitting suit tells me to shut up about it.

Comment: I think you're working from a few false assumption (Score 4, Insightful) 220

by Opportunist (#46788345) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

First, bugs in a given program are not infinite in number. By definition. Because the code itself is finite. Finite code cannot have infinite bugs. Also, due to the nature of code and how it is created, patching one bug usually also takes care of many others. If you have a buffer overflow problem in your input routine, you need only patch it once, in the routine. Not everywhere that routine is being called.

I have spent a few years (closer to decades now) in IT security with a strong focus on code security. In my experience, the effort necessary to find bugs is not linear. Unless the code changes, bug hunting becomes increasingly time consuming. It would be interesting to actually do an analysis of it in depth, but from a gut feeling I would say it's closer to a logarithmic curve. You find a lot of security issues early in development (you have a lot of quick wins easily), issues that can easily even be found in a static analysis (like the mentioned overflow bugs, like unsanitized SQL input and the like), whereas it takes increasingly more time to hunt down elusive security bugs that rely on timing issues or race conditions, especially when interacting with specific other software.

Following this I cannot agree that you cannot "buy away" your bug problems. A sensible approach (ok, I call it sensible 'cause it's mine) is to get the static/easy bugs done in house (good devs can and will actually avoid them altogether), then hire a security analyst or two and THEN offer bug hunting rewards. You will usually only get a few to deal with before it gets quiet.

Exploiting bugs follows the same rules that the rest of the market follows: finding the bug and developing an exploit for it has to be cheaper than what you hope to reap from exploiting it. If you now offer a reward that's level with the expected gain (adjusted by considerations like the legality of reporting vs. using it and the fact that you needn't actually develop the exploit), you will find someone to squeal. Because there's one more thing working in your favor: only the first one to squeal gets the money, and unless you know about a bug that I don't know about, chances are that I have a patch done and rolled out before you got your exploit deployed. Your interest in telling me is proportional to how quickly I react to knowing about it. Because the smaller I can make the window in which you can use the bug, the smaller your window gets to make money with the exploit, and the more interesting my offer to pay you to report the bug gets.
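
The "patch it once, in the routine" point from the comment above, shown as an added example (not code from the poster or from Slashdot). A fixed-size field copy is the input routine; the unsafe shape copies without a length check, so every caller inherits the overflow, while the hardened shape rejects oversized input in one place and both call sites are fixed at once. All names (`copy_field`, `struct user`, `set_user_name`, `set_user_email`) and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX  16
#define EMAIL_MAX 32

struct user {
    char name[NAME_MAX];
    char email[EMAIL_MAX];
};

/* "Before": the shape of the bug the comment describes. The routine trusts the
 * caller's string length, so a too-long src overruns dst at every call site.
 * Kept only for contrast; nothing below calls it. */
void copy_field_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);   /* no bound: writes strlen(src)+1 bytes regardless of dst size */
}

/* "After": one bounded routine. Input that would not fit (including the NUL)
 * is rejected and reported; dst is left as an empty string so callers never
 * see a partially copied or overflowed value. Returns 0 on success, -1 on reject. */
int copy_field(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {        /* n == dst_size would leave no room for '\0' */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* copy the terminator too */
    return 0;
}

/* Two independent call sites. Neither repeats the length check: fixing
 * copy_field once fixed both of them. */
int set_user_name(struct user *u, const char *name)
{
    return copy_field(u->name, sizeof u->name, name);
}

int set_user_email(struct user *u, const char *email)
{
    return copy_field(u->email, sizeof u->email, email);
}

int main(void)
{
    struct user u;
    memset(&u, 0, sizeof u);

    /* Constructed sample inputs: one that fits, one that would have overflowed. */
    printf("name  'alice' -> %d\n", set_user_name(&u, "alice"));
    printf("name  'this-name-is-definitely-too-long' -> %d\n",
           set_user_name(&u, "this-name-is-definitely-too-long"));
    printf("email 'alice@example.invalid' -> %d\n",
           set_user_email(&u, "alice@example.invalid"));
    printf("stored name='%s' email='%s'\n", u.name, u.email);
    return 0;
}
```

The return value matters as much as the bound: a routine that silently truncates would keep the overflow out but still hand every caller a value the user never entered, so rejection plus a status code is the shape a static analyser (or a reviewer) wants to see at the single choke point.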