Comment: Re:yes, I've used a Professional Engineer. also a (Score 1) 135

by raymorris (#46796171) Attached to: The Design Flaw That Almost Wiped Out an NYC Skyscraper

> Yeah, those CPAs auditing Enron did a bang-up job of it, didn't they?

The 100-year-old firm that audited Enron was worth over nine BILLION dollars at the time. It's now worth a few thousand, because nobody will ever hire them. The market executed them.

Compare Sony and their root kit.

Comment: which cost Arthur Anderson $9B in market value (Score 1) 135

by raymorris (#46796159) Attached to: The Design Flaw That Almost Wiped Out an NYC Skyscraper

Arthur Anderson was a 100-year-old brand worth $9.3 billion. Because they violated the public trust, they are now worth about $0. The company still exists, but no one will buy from them.

Sony, on the other hand, is still selling electronics after rooting their customers' computers wholesale. Electronics company does something unethical - they have a PR problem for a few months. CPA does something unethical - the market executed them.

Comment: Licensed Software Engineer new in USA. Ethics old (Score 1) 135

by raymorris (#46796133) Attached to: The Design Flaw That Almost Wiped Out an NYC Skyscraper

Many states in the US now license software engineers because the national organization now has criteria. A problem is that you need sign-off from an existing PE who knows your work, so there is a bootstrapping problem. A new software PE has to be approved by an existing PE, but there are virtually no existing software PEs to approve the first generation.

Of course, it's always been possible to work under the same ethical guidelines voluntarily. More than once I've told a client I won't do something because it would be akin to malpractice.

Comment: yes, I've used a Professional Engineer. also a CPA (Score 2) 135

by raymorris (#46794673) Attached to: The Design Flaw That Almost Wiped Out an NYC Skyscraper

Yes, it does, pretty well. I've used a PE (Professional Engineer) for exactly that reason - they "sell" trustworthiness, objectivity. The person I bought my house from and I paid the PE precisely because we know they sell the truth, rather than telling either of us what we want to hear.

That's the same thing CPAs sell - the market pays Price Waterhouse Coopers to find the truth, rather than skewing things.

Comment: you seem to be good at ignoring evidence (Score 1) 108

by raymorris (#46793351) Attached to: NASA Proposes "Water World" Theory For Origin of Life

You obviously know what you're talking about, you are very good at ignoring evidence. For example, just recently in Egypt, archeologists discovered Egyptian documents several thousand years old. These ancient Egyptian records show pharaoh's army chasing the Jews out of Egypt after the Jews' worship of a false god brought great suffering to Egypt - plagues and the like.

The scene by the Egyptians looks strikingly like another account of the Jews' exodus from Egypt, for the same reasons. The only difference is which side is described as the "bad guys". The same story told, described the same way by the opposing parties - you think that might be evidence that they're describing something that actually occurred?

If you've ever played the telephone game, or been alive on earth for more than five years, you know that anything that gets repeated from person to person to person gets distorted along the way. For you to then purposely distort it further in order to claim the event must not have occurred isn't a belief in evidence - it's a pitiful, transparent attempt to protect an obviously very wounded ego.

Comment: agreed, openssl should have been notified immediat (Score 1) 168

by raymorris (#46793299) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

> OpenSSL should have been near, if not at the top of, the list of groups contacted.

Absolutely. In the case I mentioned where I found the vulnerability, the FIRST contact I made was the development team.

As to the fact that people can't be protected on every site until the updated packages are out, how does that mean they should NOT be protected when possible? Are you sad that it's "unfair" that they are protected on some sites and not others? So you'd like to remedy that by exposing their data ALL the time? Is that more fair, to have all of their data vulnerable instead?

Comment: which is guaranteed to be wrong (Score 1) 232

by raymorris (#46793255) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

> My point is that there is probably some dollar value at which the cost to find the next vuln would never increase beyond that -- in other words, the Apache web server could never reach a state at which you could not find a new vuln for less than $10 million.

And that's GUARANTEED to be wrong. We know for certain that after all vulnerabilities are found, spending $100,000,000,000,000,000 still won't find another one. We can reason that the last vulnerability may well be either a) very hard to find (not worth it) or b) fairly easy to find (in which case a $1000 bounty is perfect). We can guarantee that at some point infinite resources would be wasted, because there are no more findable vulnerabilities severe enough to be worth finding.

Comment: I do it for the cred, for six figure salary. Jail (Score 2) 232

by raymorris (#46789693) Attached to: Bug Bounties Don't Help If Bugs Never Run Out

Aside from the obvious ethical reason, I see two reasons more important than the $1,000 to go "white hat" rather than "black hat".
When a potential employer Googles my name, I want them to find my name on CVEs, Github commits, etc. - demonstrable proof that I do in fact find and fix real-world issues. I'm working on that. Right now, I'd have to point out my contributions, they aren't easily found via Google. For that, having a company or other organization publicly acknowledge my work is much more valuable than $1,000, if it helps me land a great job.

On the other hand, selling it on the black market could put me in federal prison. If the good guys offer me $1,000 plus a reputation boost, while the bad guys offer me $5,000 plus a possible prison sentence, I think I'll take the good guys' offer. That $1,000 could, in some cases, be enough to pay someone's past-due rent so they don't feel they HAVE to capitalize on it in a bad way.

The other scenario I see is that several times per year I notify a smaller company of some security hole I noticed in passing. I haven't thoroughly probed it, just noticed "gee, it throws an error on O'Doole, it's probably not escaping the input and therefore vulnerable to SQL injection". Sometimes I don't bother to track down the proper person to notify and go notify them. Sometimes, I send an email to the only readily available email address, customer service, and the $8 drone on the other end replies with a form letter wholly inappropriate to the situation, so they obviously don't understand what I told them. In those cases, I'll likely not spend much time trying to find another person at the company. If most companies paid even $100 for a bug bounty, that would make it worth my time to spend a few minutes finding their report form and use it. Heck, at $100 per SQL injection vulnerability I could make a good living finding and reporting those for six hours per day.
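
The symptom mentioned above (a query that errors out on a name like O'Doole) is what unescaped string concatenation produces. The following is an added example, not code from any comment on this page, showing that vulnerable form next to the parameterized fix, using Python's sqlite3 module on a constructed in-memory table:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with a few made-up rows (not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("Alice",), ("O'Doole",), ("Bob",)])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: user input is pasted straight into the SQL text.

    A legitimate name containing an apostrophe terminates the string literal
    early, so the statement no longer parses and the database raises an error.
    That error is the tell-tale sign the comment above describes."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound as a parameter and never becomes
    part of the SQL text, so quoting characters in it are harmless."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def apostrophe_probe(conn: sqlite3.Connection) -> dict:
    """Defender-side self-check: run both lookups with an apostrophe in the
    input and record either the row count or 'error' for each."""
    results = {}
    for label, fn in (("concatenated", lookup_concatenated),
                      ("parameterized", lookup_parameterized)):
        try:
            results[label] = len(fn(conn, "O'Doole"))
        except sqlite3.Error:
            results[label] = "error"
    return results
```

Running apostrophe_probe against make_db() shows the concatenated query failing while the parameterized one returns the single matching row, which is the behaviour a code reviewer should insist on for every query that touches user input.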

Comment: Nothing can protect those tax returns, only endang (Score 1) 168

by raymorris (#46788823) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

There is no option that's going to protect those tax returns. Telling the bad guys about it will certainly endanger the tax return data, though.
Since many (most?) people use the same or similar password for Facebook as they use for their tax service, protecting Facebook traffic actually protects a few tax returns.

What clearly isn't an effective option would be to announce the vulnerability to hundreds of tax-preparer sites before an updated package is available, expecting them to manually (and correctly) patch the code, without leaking the vulnerability so that it becomes widely known to the bad guys.

If you're going to try to protect people in the time between discovery and the fix being widely distributed, you can only do that by keeping it relatively secret, by limiting details to a small number of trusted people. Once you tell a lot of people, you've told a lot of bad guys. There's no need to do that before the updates are available and people can protect their customers.

Comment: PS: how do you think it gets on the distro mirror? (Score 1) 168

by raymorris (#46788749) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

> Isn't that assumption where the whole argument for notifying selected parties in advance breaks down? ...
> it will often be applied when their distro's mirrors pick it up, but that was typically within a couple of hours for Heartbleed

How do you think those packages get on the mirrors? Do their servers magically patch the code, rebuild the packages, and set it as a high priority update? The fix gets on the mirrors as a result of "notifying selected parties in advance".

Comment: Wrong math. 2 years of vulnerability. (Score 3, Insightful) 168

by raymorris (#46788677) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

> they had a whole day to attack everyone who wasn't blessed with the early knowledge, instead of a couple of hours

Years, not hours. Assuming the bad guys knew about it, they had two YEARS to attack people. If we told people that there was an issue on Monday, that doesn't protect them - they just know that they're vulnerable. They couldn't do anything about it until the update packages were available on Tuesday.

On the other hand, had we made it public on Monday, we would have GUARANTEED that lots of bad guys knew about it, during a period in which everyone was vulnerable.

I'm talking about what we did here. It appears to me that Google definitely screwed up by not telling the right people on the OpenSSL team much sooner. (Apparently they told _someone_ involved with OpenSSL right away, but not the right someone.)

> you protect some large sites, but those large sites are run by large groups of people. For one thing, they probably have full time security staff who will get the notification as soon as it's published, understand its significance, and act on it immediately.

ROTFL. Yep, large corporate bureaucracies, they ALWAYS do exactly the right thing, in a matter of hours.

Comment: We protected 1 billion people by notifying trusted (Score 2) 168

by raymorris (#46787719) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

This was handled similarly to a flaw I discovered, and I think it makes sense. Facebook, for example, has about a billion users. If you have a colleague you trust at Facebook, informing that one colleague can protect Facebook's billion users.

The risk of a leak before a fix is widely deployed is dependent on a) the number of people you inform and b) how trustworthy those people are to keep quiet for a couple of days. It's quite reasonable to minimize the risk of a leak by keeping it low profile for a few days, while minimizing the damage by protecting as many people as possible.

For CVE-2012-0206, developers knew that Wikimedia was the largest user. Wikipedia and related properties account for over half the end-users that could be affected. So by letting just one person know about it ahead of time, we could protect millions of Wikipedia users. That seems like a good trade, so we let Wikipedia have the patch 24 hours before the main distros like Red Hat put the patch out publicly and the vulnerability became well known. Nobody was harmed by hearing about it on Tuesday rather than on Monday, and all of Wikipedia's users were protected from being affected by keeping it secret for a day while Wikipedia's servers were patched.

Comment: Why free and fun? I review FOSS for a living. (Score 3, Informative) 168

by raymorris (#46787519) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

> Indeed, who would review other people's code for free or for fun?

Some people do, of course. I have, specifically for security issues, because that's a major resume point in the security world - having actually found and fixed real-world security issues.

99% of the time, I'm being paid to review and improve open source code. All of those companies that use open source, including Google, have a vested interest in making sure that the code they use is good. Since it's open source, the Google techs can actually dig into the code and find issues like this, then fix it, just like they did in this case. They didn't do it for free and for fun, they did it because Google relies on OpenSSL.

My employer also relies on OSS. My job is to administer, maintain, and improve the OSS software we use. I've found and fixed security issues. Not for free and for fun, but because we want our systems to be secure, and having the source allows me to do that.

When I craft an improvement, at LEAST three people have to look at it before it's committed upstream. Typically, five or six people will comment on it and suggest improvements or state their approval before it's finalized.

Comment: How so? What creates that constraint? (Score 1) 108

by raymorris (#46787287) Attached to: NASA Proposes "Water World" Theory For Origin of Life

> Although evolution isn't an explanation of how life began, it does introduce some constrictions on what that explanation can include.
> For instance, all life on earth today is descended from a single common ancestor. Plants, animals and humans were not created apart from each other, one at a time.

We know that the iPhone "evolved" from early cell phones via natural selection aka market selection.
We know that the latest cars similarly "evolved" via a process analogous to biological evolution.
We also know that cars and phones don't share a common ancestor - they evolved separately.
We know that one type of bird evolves into another, while on the other side of the planet one type of rodent evolves into another, separately.

How does biological evolution introduce the constraint that there must be a single common ancestor?
I see you have the belief that there may have been a single common ancestor, but I don't see how that's required for evolution to occur.

> Humans are descended from Apes. Without explaining how that process began,
> the evolutionary evidence about this constraint is emphatic and undeniable.
> This flies in the face of one obvious prominent creation myth.

One very narrow interpretation, perhaps, one that few people hold. Most people, I think, realize that the ancient wisdom in Genesis says things happened in this order:

0. There was nothing - the universe was without form.
1. Space (the stars and the heavens)
2. Earth.
3. Oceans and land masses
4. Sea life
5. Animals of the land and air
6. Lastly, humans

For hundreds of years, scientists said that was wrong. Today, we know that Genesis has the sequence correct, and has been correct for thousands of years. Yeah, if you assume that the "yom" between land animals and humans was 24 hours, that's not consistent with evolution. That's not the only meaning of yom, though.