
Comment: Re:Metaphor (Score 1) 212

by arth1 (#46793043) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

While you are technically correct, the reality is that the most serious security vulnerabilities are almost all directly related to buffer overruns (on read or write), allowing an attacker to read or write arbitrary memory. Everything else is a second-class citizen by comparison.

In my fairly long experience, there are ten vulnerabilities introduced at the design stage for every vulnerability caused by bad coding. Buffer overflows might be one of the more common coding errors, but certainly not the main cause of vulnerabilities.

Comment: Re:When did slashdot become a blog for Bennett? (Score 1) 212

by arth1 (#46793027) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Okay, I'm obviously missing some important details not being a security expert. Clear a couple things up for me.
1. Do security researchers spend their efforts actively searching for one particular bug using one particular method, or do they try a lot of different things and expect to find a lot of different bugs of varying levels of importance?
2. Do companies looking at their own code for bugs only concern themselves with bugs that would be worth selling on the black market, or is every bug a concern for them?
3. Bit of an opinion question, how much would you consider spending to find a bug to sell for $100k considering the potential failure of the endeavor?
4. Do you think bug bounties are the primary motivation for white hats to research bugs, and if not what effect do they have?

I don't think Mr. Haselton is qualified to answer these.

1: A little of both. I can only speak for myself, but I tend to look at a particular piece of hardware or software, and poke it until I find something interesting. Now interesting doesn't have to be a vulnerability, but it engages the brain. Could there be an exploit in here? And if not, could there be an exploit in other products that use a fairly similar design for something?
I may start looking at product A, and find X interesting, but end up finding a defect Y in product B.

2: Both. You sell not only a product, but a perception that you care about your customers. Besides, most companies have people in decision-making positions who wouldn't be able to make an educated decision on what type it was, and underlings whose opinion is tainted because they have a real need to cover their own ass. And the companies certainly won't take the word of a hacker as to what the impact is, so they'll usually err on the side of caution, i.e. treat it seriously.
Note that treating it seriously might mean it will take quite a long time to fix, because taking code seriously also means extensive tests that fixes don't break anything else. A company that has a very fast turnover for security fixes is one that I wouldn't trust much - it's a prime candidate for looking for more problems.

3: You start with a premise that the hunt is to get a reward. I believe that's almost always a false premise.

4: No, I think the primary motivation is curiosity. Unless that's your primary driver, you will likely not be good at it.
A bounty might make a hacker go to the company after they've discovered the bug, instead of just sitting on it.
Which I think is what mostly happens. You know about a security flaw, but don't want to go to the company given the high risk of being sued in best shoot the messenger style. And you don't want to turn blackhat either, neither for criminals nor governments. But, I repeat myself. And if you're not a kid looking for notoriety, chances are you won't tell anyone.
I am quite convinced there are thousands of unreported vulnerabilities. Bounties might help with that.

Comment: Re:Yeah? (Score 1) 329

by lgw (#46791633) Attached to: Mercedes Pooh-Poohs Tesla, Says It Has "Limited Potential"

I disagree: the Model S was the right car to do first. All electric cars before it were simply crap. Worthless, horrible rides that only a hippie would drive. Yech. The Tesla is fine for many uses, and the main thing is: it's overpriced in a market where it's normal to be overpriced; it's overweight in a market where it's fine to be overweight (the S class was 3 tons not that long ago). It's a nice car, nicer than a Camry, where instead of the refinement of a luxury car for the price difference, you get the novelty of an electric car. And at that price range, you probably also have a gas car (or if not, you can rent one as needed).

Electric car tech simply isn't ready yet for low-margin vehicles. High margin cars, where intangible value is a big part of price, they work fine. It makes perfect sense to me to start there, and gradually come downmarket as they get the hang of it.

Also, most US families have 2+ cars, so one short-range car isn't a problem. I don't, so I'm skipping the Model S for now, but I'd love a similar car with a 50 HP gas generator under the hood. It doesn't need to provide enough power to run on, just enough to recharge given a few hours in the parking lot. None of this fancy, sure-to-break, parallel hybrid nonsense, but the great "fixie" Tesla drivetrain with a purely separate generator so I can recharge using gasoline as needed.

Comment: Re:Metaphor (Score 1) 212

by lgw (#46791571) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Any language except C has classes that prevent buffer overruns. Heck, I did assembly programming for 5 years, and the natural way to move data around avoided buffer overruns (mainframe assembly). The tools are right there, people just don't pick them up.

It's not about the language, and it's certainly not about "don't screw up", it's about a coding style that's not amenable to the mistake, and that's practical in most any language except C, really.

(Really, C and Managed aren't the only choices out there.)
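
As an added example of the coding style lgw describes, not code from his comment or from any project on this page, here is the same operation written both ways in plain C: the bare-pointer copy that trusts the caller for the destination size, beside a small bounded-buffer type that carries its own capacity so every write is checked. The type name strbuf, the helper build_record, the 16-byte record size and the sample inputs are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "Before": destination capacity is implicit, so a name longer than the
 * caller's buffer overruns it. Kept here only as the pattern to avoid;
 * never call it with untrusted input. */
static void build_record_unchecked(char *out, const char *name) {
    strcpy(out, "user=");   /* no bound on either copy */
    strcat(out, name);
}

/* "After": the buffer knows its own capacity, so the mistake is not
 * available to the caller. (Assumed type for this example.) */
typedef struct {
    char  *data;   /* backing storage supplied by the caller */
    size_t cap;    /* total bytes, including room for the NUL */
    size_t len;    /* bytes in use, excluding the NUL */
} strbuf;

static strbuf strbuf_init(char *storage, size_t cap) {
    strbuf b = { storage, cap, 0 };
    if (cap) storage[0] = '\0';
    return b;
}

/* Append n bytes of src. Returns false, writing nothing, if it would not fit. */
static bool strbuf_append(strbuf *b, const char *src, size_t n) {
    if (b->cap == 0 || n > b->cap - 1 - b->len) return false;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return true;
}

static bool strbuf_append_str(strbuf *b, const char *s) {
    return strbuf_append(b, s, strlen(s));
}

/* Build "user=<name>" from an untrusted name into a caller-owned buffer of
 * cap bytes. Returns 1 if it fit, 0 if rejected; never writes past cap.
 * On rejection the buffer holds only the prefix and should be discarded. */
static int build_record(char *out, size_t cap, const char *untrusted_name) {
    strbuf b = strbuf_init(out, cap);
    if (!strbuf_append_str(&b, "user=")) return 0;
    if (!strbuf_append_str(&b, untrusted_name)) return 0;
    return 1;
}

/* Canary check: the record buffer is the first 16 bytes of a 32-byte array;
 * the rest is filled with 'X' and must be untouched afterwards.
 * Returns 1 if any byte beyond the buffer was overwritten, else 0. */
static int overrun_detected(const char *untrusted_name) {
    char storage[32];
    memset(storage, 'X', sizeof storage);
    (void)build_record(storage, 16, untrusted_name);
    for (size_t i = 16; i < sizeof storage; i++)
        if (storage[i] != 'X') return 1;
    return 0;
}

int main(void) {
    char rec[16];
    /* Constructed sample inputs: one that fits, one an attacker would send. */
    const char *short_name = "alice";
    const char *long_name  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

    printf("short: ok=%d rec=\"%s\"\n", build_record(rec, sizeof rec, short_name), rec);
    printf("long:  ok=%d overrun=%d\n",
           build_record(rec, sizeof rec, long_name), overrun_detected(long_name));
    (void)build_record_unchecked;   /* shown for comparison only */
    return 0;
}
```

The point is the one lgw makes: nothing here needs a managed runtime. The capacity travels with the pointer, the only write path checks it, and a caller who wants to overrun the buffer has to go out of their way to do so.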

Comment: Re:But (Score 1) 73

by VortexCortex (#46791245) Attached to: Samsung's Position On Tizen May Hurt Developer Recruitment

I like to wear watches. Recently lost my watch, Frownie face. But I don't want to get a new one because I'm holding out for an iwatch later this year. In the meantime, my wrist feels naked! I just hope the iwatch is sub $400.

I hope in the Apple tradition it is $666, and when you lose it like you lost your other ultra-losable hardware you make a Frownie face so hard it freezes that way.

Comment: Osborne 1 (Score 1) 520

by VortexCortex (#46790095) Attached to: Ask Slashdot: What Tech Products Were Built To Last?

I still have a working Osborne 1 and use it almost every day. That's over three decades of service. My CP/M 2.2 disks are toast, so I've replaced the OS with one of my own design for use in my hobby home automation projects. The 300 Baud modem died so I use its RS-232 (serial) port with an IR LED and resistor across DTR to do IO with my home theatre system. The IEEE-488 (parallel) port is used for multiple sensor IOs and a sanitized COM link to my Linux server network which can route IR messages around the rest of the home.

It's more of an "antique" retro conversation piece, but I'm a practical guy and find collectables such as this 1st widespread "portable" PC to be far more interesting when in use; rather than collecting dust and only being the subject of tech war stories, others can witness the power of its simplicity and appreciate the workhorse in action. When I press the button on my remote or smart-phone app, visitors' (esp. kids') heads are turned by the 5 1/4 inch drive access sounds as the proper code translation table is loaded into the 64KB RAM and colored debugging LEDs on its exposed bread boards blink while status messages flicker to life scrolling up the 54x24 character green monochrome display, then lights dim and a projector screen lowers, and various set-top boxes have their inputs configured. Kids will spend hours "watching TV" just changing the channels and active devices while actually paying attention to the old Osborne One doing its duty. I consider it sort of like an 80's version of steam-punk -- my take on "cyber-punk". Sometimes I'll show the older kids how to manually command systems by making and breaking circuits with a paperclip on the breadboard to do IO. The resulting stream of "how"s and "why"s is fully expected; this setup was socially engineered to lead hapless inquisitors away from the mind-numbing TV and out to tinker with the brain boosting electronics and robotics projects in the garage.

I have some replacement parts from its dead brothers and sisters, but it too will eventually bite the dust eventually and be replaced with other hardware. I really miss parallel ports. Even kids can do IO by hand on the old interface instead of running everything through a more complex serialization protocol; Building a USB interface just to get back bit-mapped parallel IO is just silly. Thus, old beige boxes and custom DOS programs are still my favourite for intro to software / hardware & robotics even more so than single board or embedded systems like Raspberry Pi or Arduino and its clunky expansion ports -- for want of a simple Parallel Interface... I mean, you can use a bit or byte pattern of a parallel interface as an "escape code" to signal a mode switch and with a few transistors you can have as many "expansion cards" to program as you want. When I'm teaching how stuff works, I don't want things like this abstracted away and hidden behind proprietary hardware and software interfaces.

Remember the Three R's: Reduce, Reuse and Recycle. Reusing old hardware should be attempted before recycling. Experiencing the magic blue smoke escaping from an old main board, ISA / PCI card, etc. is an important part of learning electronics projects. Having to redo their work teaches folks to be more careful even if the parts are otherwise "worthless junk". Making interesting and/or useful things out of a "Trash 80" is seen by youngsters as more impressive than using purpose built devices designed to facilitate the project. If they make it past the Cyber-Junkyard Frankenstein stage, only then do they move up to working on more expensive single board systems and full featured robotics systems, bypassing the Raspberry Pi and Arduino stage altogether (and foisting some of my old junk into other unsuspecting tinkerers' garages).

The Osborne 1 is great for operating your whole home AV gear. Bugfixing custom hardware and Z80 instructions exercises one's memory and maintains neuro-plasticity -- It can even cause kids to favor educational programming instead of that obnoxious crap on TV nowadays.

Comment: Re:Why do these people always have something to hi (Score 2, Insightful) 213

by lgw (#46790023) Attached to: VA Supreme Court: Michael Mann Needn't Turn Over All His Email

This is the problem at the heart of climate science. The key details for models are not published, and (despite being largely paid for by our money), not even available apparently under FOIA to "avoid competitive harm".

That sounds very much like commercial software development and very little like reproducible science, or even open source! WTF, guys? You wonder why so much of the public has a hard time taking climate science seriously? This shit is why.

Good science defeats skeptics through openness. "Look, here's the experiment, do it yourself if you don't trust me." Heck, even experiments on vastly expensive particle accelerators eventually become reproducible through cleverness or technological advance at other universities.

Openness, and beyond openness: the willingness to explain clearly, in detail, and in layman's terms led to the FAQ, which takes seriously and answers seriously every common popular question and dispute about evolution, and likely led to the shift from old-school creationism to ID (which at least is progress). This is severely lacking in climate science.

Comment: Re:Commodore Amiga 3000T (Score 1) 520

by lgw (#46789675) Attached to: Ask Slashdot: What Tech Products Were Built To Last?

Comment: Re:No Good Solution. (Score 1) 151

by lgw (#46789091) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

Therefore the best solution is a public release so everyone has the information at the same time. Let them compete for the patch; the awful software publisher will be the one caught with bugs. The good one will be patched and secure while everyone else suffers their bad choice.

Over time the best software will prevail and only idiots will still be using Microsoft products... that's the theory. In practice there is corruption and bad software will linger for decades.

It's not about how fast you patch, it's about how fast you can get patches to your customers. And for the OpenSSL flaw, there were devices where the patch process is "throw it away and buy a new one".

Anyhow, Microsoft is far and away the world's leading expert at distributing security patches - no one really has more experience or such a well-tuned corporate ecosystem. MS pushes a critical security patch out to WU, and every major corporation knows just what to do, understands the urgency, and has a well-travelled path for it. The more modern players are good at patching consumer endpoints, but haven't really addressed corporate customers.

Comment: Re:Shareholders know less than nothing (Score 3, Insightful) 145

by lgw (#46789045) Attached to: Investors Value Yahoo's Core Business At Less Than $0

Yahoo's directors MUST (not "should") do whatever maximizes profit for shareholders. This isn't an opinion, nor what's socially correct, but those are the rules when you issue shares to the public on U.S. stock markets.

That's wrong in a couple of ways. What's legally required is that the board member puts the shareholders' interests above their own personal interests (fiduciary responsibility). But those interests are defined by the corporate charter, and to a large extent by the board itself. It's perfectly legal to create a publicly traded corporation that sets social responsibility, or green blah blah blah, or some other such hippie nonsense above profit, and then that's what the board must pursue. You might struggle to get investors, or you might find a welcome market, but in any case it's allowed (and rarely happens).

More commonly, there's no requirement at all for the board to chase short term profit. That's where most of the corporate infighting comes from. Some corporations have firm 20 and 50 year growth plans, and sacrifice the short term for those plans, and sometimes those companies have a shareholder revolt because the owners lose patience and want everything monetized now. Sucks when that happens, but the downside of being a publicly traded corporation is that you're ultimately controlled by your owners, and that can end up being anyone.
