
Comment Re:Not much luck over a two-year period (Score 1) 58

Luck is involved in the parts of finding things that others have not yet found and that hence give you a high payout. In particular, this gets progressively harder, and the harder it gets, the lower the payouts. So while this person made $600'000 over 2 years, a repeat performance over the next 10 years or so is exceptionally unlikely.

An actually professional code security review does not depend on luck. It also does not try to maximize "bugs found". It looks at architecture, design, input validation, critical data-paths, etc., and more than half of the result will not be descriptions of bugs found, but analysis of severity and conclusions to be drawn, and even things that are not directly bugs, like critical data-paths that rely on one protection mechanism, configuration options that are hard to get right and break security (or remove one layer of protection) when done wrong, code structure that is misleading, security functionality in surprising places, etc.

The whole focus on "finding bugs" is misplaced. You will never find them all, and due to the randomization aspect of this, a different attacker may just find ones you did not find, regardless of how hard you looked. In fact, it is basically always cheaper and has a better result to re-implement with highly skilled and trusted people that thoroughly understand software security. Doing background-checks on these people and making sure they are satisfied with their jobs is actually much more important than looking at the code they produce. As so often in IT security, skewed and outright wrong ideas from bad movies are prevalent in the area of code security as well.

Comment Re:minwage $11.40-$9.90 (Score 2) 494

It basically has no impact on employment. Industries that claim they now want to replace people with automation have planned to do this before anyways. They just found a pretext in minimal wages. The fact of the matter is that wherever people can be replaced with automation, they were not the main cost-factor anyways, with very few exceptions. Hence the effects of minimal wage are just to make sure people have more spending money, and that is universally good for the economy. After all, what point is there in producing things if people cannot buy them? Of course, this only works where people have jobs, and that is where the UBI comes in. Because in the medium-term future, a large part of the demographic will not have a job anymore due to automation. If they do not have reasonable spending money, the economy collapses due to market collapse, and social unrest will become an extremely expensive problem.

I do however think that many of the opponents of a UBI are those that define their worth by their jobs, and these people are extremely scared by the idea that they are actually not that special. The whole argument about it "being too expensive" is bogus.

Comment Good (Score 1) 80

Now also explain and make available effective contraception, or each person saved will spawn a few more to die from hunger and war two decades down the road. Messing with natural population control mechanisms is dangerous and tricky. Not saying it should not be done, but it needs to be done right or catastrophes will ensue.

Comment Re:Germany will increase (Score 1) 77

Funny. There are not that many refugees. This is an artificially generated panic which serves to promote right-wing populists. Fortunately, in Germany they (AfD) are currently imploding, but other countries are not so lucky, and the population anywhere always has a large faction that falls for these people.

Comment Re:Ten years too late... (Score 1) 58

white box = you have all documentation, accounts, technical authorizations, and access to people
gray box = you have some of the above, often in limited form
black box = you know how to reach the target systems

Black box pen-testing makes no sense, since it wastes a lot of time. The only reason to do it is that with a limited budget, it may not find things, i.e. create a false sense of security that management can then escalate as a great achievement.

Comment Re:Payouts are garbage, though (Score 1) 58

Indeed. This is completely bogus. People doing it will go for the low-hanging fruit and if they find something really juicy by accident, they can easily make one order of magnitude more money on it. Nothing more complicated will ever get reported to the company. This may also explain why the cost of this is 1/10 of other methods: It has far less than 1/10 of the results and is dangerous in addition.

Now, a really competent security review will be expensive, but it will look at things like code quality, design and architecture, competence of the implementers and maintainers, processes, roadmap, etc. It will, for example, find cases where only one safeguard is effective (and hence things cannot get hacked), but the risk is high, because you usually want two independent safeguards. It will find things where technology is not quite there yet to attack them. It will find conditions that were unknown, but must be met in order for a system to remain secure.

Of course, if done by one of the big IT consulting agencies, it will only pretend to do all these things, but as compensation it will be even more expensive. The amount and quality of fail I have seen in reports of IT evaluations from big names is staggering.

In short, this is the moronic version of IT security, which is not worth the money saved on it, even if it would cost 1/100 of a real security review. It may have some short-term benefits for the bonuses of those having made this utterly stupid decision, but that is it. Long-term, it is disastrous.
