Comment: communication skills (Score 2)

by OleMoudi (#44655979) Attached to: Security Community Raises $12k For Researcher Snubbed By Facebook

Not trying to play devil's advocate here, but any vulnerability researcher must understand that finding flaws is only half of the job. You must also be able to successfully explain each flaw and make it understood even by non-technical people, or your work is somewhat worthless.

Now it's true that one can expect a reasonable technical skill from the Facebook person reviewing your bug submissions, but they also, as they stated, go through a lot of invalid and spurious submissions a day.

So in case you are hoping for a reward, you had better make your submission as clear as possible before going mad and going public. Also, you should at least retry and send additional details before giving up on them (reports do not mention whether the researcher "repeatedly" tried to explain the vuln to them).

IMHO the lack of patience from the researcher illustrates he really does not care about making Facebook (or anything) more secure. Only money drives him. This is perfectly acceptable, but not quite the image for raising money as if he were a true whitehat.

Comment: VRPs are the new sweatshops (Score 3, Interesting)

by OleMoudi (#44240733) Attached to: Study Finds Bug Bounty Programs Extremely Cost-Effective

This is indeed true, especially for popular companies with rather mature SecOps that pay minimum wages for vulnerabilities that are indeed hard to find or require a pretty darn good skill level to discover. Some of them even only offer swag in exchange for finding serious threats such as persistent XSS or authentication bypass. They may feature the researcher in some blog post to publicly thank him and attract the wannabe crowds.

Having said that, I myself have participated in several of these programs (with varying success) and come to realize that probably Google and Facebook are the only VRPs currently paying reasonable wages for bugs in terms of cost efficiency for the researcher.

On the other hand, some of us just enjoy trying to find security bugs for fun from time to time (maybe because we are huge nerds), so these programs offer a great opportunity to test things without risking ending up in jail.

Crime

Is the Zombie Apocalypse Upon Us?

Submitted by theodp
theodp (442580) writes "Those who scoffed at the idea of CDC zombie apocalypse preparedness might reconsider their stance after reading this weekend's holy sh*t story out of Miami, where city police fatally shot a naked man found eating another man's face. The attacker not only failed to back away at the officer's request, but also continued to eat the victim after being initially shot. A witness said the attacker was pulling flesh from the victim's face and tossing it to the side. Police theorize the attacker might have been suffering from 'cocaine psychosis,' a drug-induced craze that bakes the body internally and often leads the affected to strip naked to try and cool off."

Comment: not only prevent, but also mitigate (Score 5, Insightful)

by OleMoudi (#38567714) Attached to: Ask Slashdot: Writing Hardened Web Applications?

While one can arguably say everything can be hacked (unless air-gapped), in certain scenarios you can at least mitigate the impact of a breach to make it almost irrelevant.

The easiest example is password storing. Some SQLi may get through and provide someone with a dump of your user passwords, but if you follow up-to-date recommended security practices, the data will be nearly useless.

That being said, just by reading the Web Application Hacker's Handbook and following all of its recommendations you will have a pretty secure app.

Google

Google may harm your computer

Submitted by dowlingw
dowlingw writes "It looks like for the moment at least, all Google results (for Australia at least) are failing the malware checks and being listed with a warning "This site may harm your computer", including all pages from Google themselves. Users trying to visit pages at search results will only be able to proceed via manual manipulation of the search result link to remove the Google click-through (which is also broken). Until Google fixes this bug, it looks like Google web search is useless."

Security

Password management for common people

Submitted by OleMoudi
OleMoudi writes "Rivers of ink have been written about this subject, yet I have trouble finding real practical examples for password policy and management. Among all the usual best practices, few consider the possibility that Trudy already has some (even 1) of your set of passwords. Does that impact your password security? Can she deduce the mask of the rest of your passwords? How can you make your password deduction hard, and still retain memorable, flexible and unique passwords without going insane? Less secure passwords for non-critical accounts could be a solution, but the threshold seems blurry. Is your Facebook account really expendable? Should we all give in and use KeePass/Passpack with randomly generated passwords?"

PC Games (Games)

Windows 7 Gaming Performance Tested

Posted by Soulskill
from the take-with-a-beta-grain-of-salt dept.
Timmus writes "Gamers holding onto Windows XP may not have to fear sluggish performance when Windows 7 debuts. While Windows Vista's gaming performance was pretty spotty at launch, the Windows 7 beta build seems to handle most games well. Firingsquad has tested the Windows 7 beta against Windows XP SP3 and Vista SP1 on midrange and high-end gaming PCs across 7 different games. While the beta stumbles in a couple of cases, overall it performs within a few percentage points of Windows XP, actually outrunning XP in multiple benchmarks."

Programming

Linus, on why his kernel code is rarely rejected!

Submitted by ruphus13
ruphus13 (890164) writes "At the recently held Australian Linux Conference, Torvalds discussed his 'secrets' behind avoiding code rejection in the Kernel. In his 'tongue-in-cheek' manner, Torvalds revealed his 'secret'. From the article, "Torvalds also revealed why he rarely faces the situation of having his own code rejected from the kernel. Despite what you might think, it's not because of any sense of awe from the wider Linux community. "The thing that keeps me honest is I'm really, really, really lazy. The last thing I want is extra work. When I want code written, instead of writing it myself I send out pseudo-code" — an approach which leaves both coding and testing to others. When Torvalds does write actual code, he's also remarkably laissez-faire about it. "Sometimes I write a patch but I don't want to test it myself — because testing is for wimps — so I send it to the subsystem maintainers." That can have one of two outcomes: "I never reject my own code if it gets sent back, but if it gets dropped on the floor I never notice.""

Data Storage

Developing New Methods Of Measuring SSD Lifespan

Submitted by MojoKid
MojoKid writes "Inherent in NAND flash technology is the fact that there is a limitation in the number of write/erase cycles (endurance) that each NAND Flash cell is capable of. Because of this finite nature of the NAND Flash cell, SSDs can be perceived as potentially unreliable for long-term usage. Aliso Viejo, California-based SiliconSystems argues that if you can know how long an SSD will last and therefore "eliminate this guesswork," it will make SSDs more reliable, because you'll know how long each SSD should last for. So, SiliconSystems has created two tools, which it claims are "the first comprehensive methods to measure solid-state drive (SSD) useable life." SiliconSystems argues that knowing the theoretical life of an SSD, combined with having real-world endurance data, should give you a very good indication of what kind of lifespan to expect from an SSD."

Internet Explorer

IE 7 CSS scorecard results are in. It stinks.

Submitted by CodeShark
CodeShark writes "This may not be news to some high-end web developers, but it certainly was to me. After reading the SitePoint article reporting some near absolute failures by IE7 to correct known CSS implementation bugs, I wondered how well Microsoft's recent browsers rate in terms of overall compliance with published web standards. I figured the margin vs Firefox et al would be within a couple of percentage points either way, with Internet Explorer winning a few, and the other guys winning a few.

Wrong. According to the feature-by-feature survey, Firefox 2.X and Opera 9.X are within a couple of points of each other, while IE6 and IE7 are so far behind they might as well not be in the same race. Given this, my thought question is this: why don't the nearly 100% compliant browsers dominate the corporate intranet workspace?"
