Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Re:Payouts are garbage, though (Score 1) 58

This is an interesting question. We don't really know what will happen long term. One possibility, as you point out, is that black markets will always outpay any other market. Another possibility is that the ethical hacker community will become so large and strong that they will find all those same vulnerabilities and deliver them to the system owners before the black market gets to build exploits and use them for nefarious purposes. It takes just one ethical hacker who finds a critical 0day to deliver it to a service like HackerOne, and the market for that vuln is over. Although asymmetry is usually in the favor of the criminal actor, in this case it is in the favor of ethical behavior. One ethical hacker can put an end to the sale of a 0day on the black market.

Comment Re:Snake oil salesman (Score 1) 49

Ha ha. That's a common joke about the security industry. There is some truth to it.

What's great with bug bounty programs is that customers pay for results. You pay for valid and useful vulnerability reports. You don't pay for reports that are not useful. For hackers to make money (and the best ones make a lot of money), they must produce useful and relevant vulnerability reports.

That's a HUGE difference compared to traditional security products and services and it explains why bug bounty programs are becoming so popular. They are much more effective than any other method of finding vulns in live software.

Comment Re:70,000 white hat hackers? (Score 1) 49

Yep, 70,000 is a lot! The number keeps growing, and we hope to get to a million. To serve all companies and government organizations worldwide who will be needing bug bounty programs, we need a lot of excellent hackers.

It should also be noted that it takes a lot of hacking to find even a simple vulnerability. Of the 70,000 hacker accounts we have, about 1 in 6 have filed an actual vulnerability report. To help them get going, we have an ebook on hacking that we give to new hackers. Once new hackers get the hang of bug hunting they can advance fast, earning more and more reputation points. When you sign up at HackerOne, you start at 100 points. Our most prolific hackers have reached 10,000 points. You can do it, too!

Comment Re:Second coming of teams of ethical hackers (Score 1) 49

Yep this is true. It is also a common situation that humanity has dealt with successfully many times. To keep a ship afloat, you must find and fix every hole. Even one hole might sink it. To keep an aircraft safely flying, similarly every safety aspect must be in shape. Shipping and airlines have great safety track record these days.

To keep software secure, you must attempt to fix all serious vulnerabilities. You may never get to 100% vuln-free software, but the closer you get and the faster you can asymptotically move towards that goal, the more you reduce your cybersecurity risk.

Comment Re:Second coming of teams of ethical hackers (Score 2) 49

It has taken decades for the industry to get used to bug bounties. The first one was in 1981. Now it is starting to be very real. HackerOne has already paid out over $10,000 to hackers and researchers around the world. One hacker has made over half a million dollars. Another recently bought an apartment for his mother with the bounty money he had made. Still lots of work and education to do, but it is very much moving in the right direction. An example: the US DoD now committing $7m to vulnerability disclosure programs.

- Marten (HackerOne CEO)

Comment Re:What's the angle? (Score 1) 35

Great question. We are seeing a lot of interest among enterprises to have AWS-like functionality in their own datacenters. And we also know that they are eager to use OpenStack. So at Eucalyptus we decided to do something about it. Here is my blog about the topic: https://www.eucalyptus.com/blog/2014/08/11/why-eucalyptus-keynoting-openstack-conference

Comment Re:the importance of dominant designs (Score 1) 27

You bring up an interesting and relevant point about how various APIs are used by the applications. But when I think about how the world of software is evolving, it seems that those management APIs are becoming more important, because a software application of today must know not just how to run, but also how to be deployed.

Comment the importance of dominant designs (Score 2) 27

I believe it is both difficult and important to align with dominant designs. 30 years ago it was a good bet to develop software for the new x86 architecture, 15 years ago it was a good idea to bet on the new world-wide web, 10 years ago on the new LAMP stack. Today, the API layer is where different pieces of software come together and where brilliant software developers congregate. It's about AWS, but it's even more about the new design paradigm that the AWS APIs represent. Of course there will not be just one set of APIs. We know that in addition to AWS, we have OpenStack, Microsoft, VMware and Google are all building theirs. One of them will be dominant. Randy Bias brings forward an important point.

Comment Re:Open to you or Open to Everyone Else? (Score 2) 70

I'd say that forking is an order of magnitude (or perhaps 2) easier than creating the product in the first place. Forking is hard work. But creating a product from scratch is enormously harder.

The creators and owners have the right to decide on the roadmap of their creation. Closed source software can't deal with disagreements, but open source software can. If you don't like the roadmap, you can create your own branch or your own fork. You don't have to make use of that freedom, but it is a freedom nevertheless, available to all.

Comment Re:Open to you or Open to Everyone Else? (Score 2) 70

Thx for the comment. I'd say the right to fork prevents the bad things from happening. If you are ever displeased with what the steward of an open source project is doing with it (be it Eucalyptus or something else), you can take the source code and fork it. Happens all the time (OpenOffice, MySQL, Android, etc.).

Slashdot Top Deals

Stinginess with privileges is kindness in disguise. -- Guide to VAX/VMS Security, Sep. 1984

Working...