Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment: Re:Full Disclosure is the only way... (Score 1) 94

Thank you, this is the discussion I hoped would come out of this article. Fact is, people on Slashdot are definitely going to stumble onto this type of stuff over and over. I'm glad to run into other people to compare scruples with.

Hackers (good word) have an instinct. If they run into an awesome API, the first thought is: how do I maximize this across all the limits and make something amazing? But with vulnerabilities, and unintended code paths, you need to step back and understand the consequences of what you are doing as well as the appearance of what you are doing. A comment from Greyfox below illustrates perfectly, "so why don't we take the dick-detection algorithm from Chat Roulette and then plug that into a batch Curl against this Artisan State, and then...". Obviously that was facetious, but you need to avoid certain lines of thinking... "well I know this thing, and I could tell everyone, but they wouldn't want that, and then they have lots of money...".

At the end of the day, you need to have clear intentions and don't inflate your ego by thinking they are more interested in fixing the problem than you are.

+ - Photo printing website Artisan State allows access to all user-uploaded photos->

Submitted by fulldecent
fulldecent writes: Popular photo printing website Artisan State, which specializes in bound photo books mostly for wedding photos or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and things vendors should think about when considering security of seemingly private user content. The case study also discusses how this flaw was reported to the vendor, but unfortunately never fixed. This follows other articles on Slashdot discussing security disclosure. How do you report vulnerabilities to vendors? And do you support publishing them if they are not fixed in a reasonable time?
Link to Original Source

Comment: Correct program (Score 1) 148

I have come across vulnerabilities in consumer products, banks, and governments (though no airplanes). Here is a policy I use and I have not yet gone to jail, have gotten all problems fixed quickly, and usually gotten credit or some reward even if not requested.

  > Hello, I have inadvertently found a security issue in your product, it allows you to do XXX which is not expected. I am publishing this on my security blog in [48 hours / 5 days / 2 weeks].

Any time I have deviated from this process even a little the results have been much worse.

Comment: Re:Trus but verify... not (Score 4, Informative) 67

Speaking with experience on the receiving side of DARPA contract negotiations.

DARPA projects are not like kickstarter (BYO vision and get money) or like NIH (have reputation and get money); rather they do require actual competency and demonstrated ability to win them. The projects are managed like real engineering projects, requiring lots of documentation up front, thorough project planning, and plenty of checkpoints. However, aside from this good accountability, they do not exert direction on the projects, prescribe technical solutions or gain direct contact to your engineers for day-to-day operations.

Comment: Wrong solution (Score 1) 678

by fulldecent (#49510573) Attached to: William Shatner Proposes $30 Billion Water Pipeline To California

Water scarcity in California is a political problem with a political solution.

To better understand why a pipeline is a non-starter...

From the perspective of the cashew farmer: would you rather buy cheap water from the local utility or expensive water from the Great Lakes?

From the perspective of the pipeline investor: would you invest in a project to send water to CA when the people most likely to buy it will have ever more restrictions on water use?

And now for the solution to this and many problems...

Simply remove use restrictions and let the market properly set the price of this scarce product.

Comment: Sand in the hand (Score 0) 407

Guess what, senators?

If you won't let me hire foreign workers and bring them here to work on mutually beneficial terms, then I will simply keep them offshore and pay them to work from there.

Americans are SO uncompetitive for certain types of labor. A few laws wont bridge the chasm.

"To take a significant step forward, you must make a series of finite improvements." -- Donald J. Atwood, General Motors