|
vaderjm wrote: You really think MS or Adobe are hurt by having millions of people's privacy and
security breached. Heck no
I disagree. If they didn't think that there wasn't some impact then they wouldn't issue fixes at all.
vaderjm wrote: Yes, MS et. al. need to be held responsible, but be realistic about what you are
advocating.
I didn't see that in what you responded to. Rather it pointed out that there is no guarantee and rather some evidence to the contrary that a private disclousure will result in a timely fix, one that would protect the user, and there is the possibility that a private disclosure could lead to a negative impact for the person that attempts to tell the offending party. That does in fact happen. A public disclosure insures that the offending party can do nothing but take action (or do nothing) rather than attempting to silence the source.
|
|
|
|
|
jschell wrote: A public disclosure insures that the offending party can do nothing but take action (or do nothing) rather than attempting to silence the source.
I appreciate your response, and in reading what you wrote, I don't think you quite understand what I was trying to say.
I completely agree that the vulnerabilities themselves need to be made public so that the offending party is forced to take action, and that a negative impact can and does happen to persons making private disclosures. Your post is indeed correct to that point.
Perhaps when I responded initially I should have clarified that I was not speaking of the vulnerability itself but the data being stolen through the breach. What good would come to the "users" in having personal data sold to the highest bidder?
Quoting your other post:
jschell wrote: And note that they did not in fact use the vent.
We're on the same page.
modified 6-Nov-12 16:20pm.
|
|
|
|
|
Thanks for your thought vaderjm,
No, the security breach in and of itself doesn't really hurt the large corporations (it embarrasses them perhaps, but does not cause blood-loss). What does hurt however, is declining sales due to people's lack of confidence in their products.
Agree - it is the people whose information is actually stolen in the end-game that are truly hurt by the process.
I would argue that the process has a rough analogue in the arms manufacturing industry. You have powder manufacturers, bullet manufacturers, gun manufacturers. It is only through a chain of events that the products of each of the three are brought together, before somebody is shot. It appears naive to place them blame on any of the three companies - it is through the application of their products that harm may be caused - or in the case of LE officers or armies, that a reduction in harm may be effected. But that harm is caused or prevented by the last entity in the chain - the one with the gun.
I simply advocate that if they release buggy products and refuse to either or both (a) fix them (b) pay someone else for the time taken to check their work for flaws, that they deserve to be beaten with a stick.
Once that stick has been used, I would then apply it 10-fold to anybody that stole my information.
Releasing information about the flaws in a product? +10
Using information to steal personal info, then releasing it? -10
Make it work. Then do it better - Andrei Straut
|
|
|
|
|
|
|
ts;db  (too ess aitch one tee, didn't bother)
Thanks for your contribution.
Make it work. Then do it better - Andrei Straut
|
|
|
|
|
But how much do you want them to spend? You are making the assumption that Microsoft does not care and actively ignores security vulnerabilities? Maybe they have in the past, but do you have any recent examples? Microsoft has stepped up it's security game in recent years and news I received from this website, indicates Microsoft software, despite its ubiquity does not have any vulnerabilities in the top ten exploited vulnerabilities?
A better analogy, perhaps would be if you have a broken lock in your house and I sold knowledge of the lock to a local cat burglar - closer to being an accessory to the crime.
Idaho Edokpayi
|
|
|
|
|
The issue of an exact (or ballpark) figure for the sum paid is not something I have examined or considered. It's the willingness to approach and offer to pay something that I'm looking for..
Not quite sure what of my words has led you to conclude that I assume Microsoft to be either/both dissinterested/actively ignoring known vulnerabilities.
In fact, I read just yesterday a request by one of their staff that adequate time to enact a fix be allowed between revealing the vulnerability to them and the general public. (I'll look for a link when I'm done here)
Presumably, they are in the position of asking (rather than dictating) as a direct consequence of failing to enter into a commercial agreement with the holders of said vulnerabilities. My employer pays me, and before doing so has me sign an NDA. Simple.
Paypal have a 'find-the-flaw' system, whereby they OFFER to pay for information related to security flaws in their products. Bad idea, or clever and practical?
I like your analogy - did you approach the lock's maker first, offering you the information you learned to them for a sum, in the interests of them improving their product? Or was this not a consideration, with you instead choosing to go straight to the thieves?
In fact, something somewhat similar happened recently - the maker of electronic door-locks for hotel rooms has had their sloppy work exposed. (I understand that the lock manufacturer was not made aware of this earlier than others.   )
Surely this situation is to the benefit of all except those that had formerly been taking advantage of the hack?
http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/[^]
Thanks for your thoughts, I appreciate them. 
Make it work. Then do it better - Andrei Straut
|
|
|
|
|
MehGerbil wrote: An old lady pulls into her driveway and slowly unloads groceries.
In the
process, she accidentally leaves her purse on the hood of her car.
It's now
dark and there sits the purse - just brimming with cash.
Your analogy is flawed. It also ignores that the person wandering by need not do anything at all (neither steal nor tell her.)
A much better analogy...
An old lady runs a profitable, very profitable, dress shop.
And she drives other thriving shops out of business either by buying them out or by reproducing wares and undercutting the price.
Someone walks by every day, every hour, for a year and spends time looking for an open vent.
And then they ask to be paid, by anyone, for the work that had done (every day for a year.)
And note that they did not in fact use the vent.
|
|
|
|
|
Perhaps the best analogy of the thread. +5
Make it work. Then do it better - Andrei Straut
|
|
|
|
|
enhzflep wrote: Do you wonder how the writers of these virii, or the finders of the exploits
that facilitated their activities live with themselves?
I realize that most everyone that does hacking, viruses, spyware, etc... is in it for the money. And I realize that money is a powerful motivator.
However, I don't think I could live with myself if I knew was endangering other people (or their electronic lives). It's just not something I can fathom doing.
|
|
|
|
|
It's because I agree with your 2nd line, that I think the Stuxnet and Flame virii were the lesser of a number of evils. In planting the virii, the time taken to successfully enrich uranium in Iran was increased. Thus, providing more time to analyze the threat (perceived or real) posed by a rogue state controlling nuclear materials.
A quite possible alternative would have involved bombing the place into oblivion in the dead-of-night, much to the detriment of any staff in the facility at the time. Israel has certainly done that kind of thing before.
But, that's all a small facet of the problem at hand - it would be a shame to inflate it's importance (I hope I haven't been seen to do so)
Thank-you for your thoughts, GeekForChrist. I appreciate them. 
Make it work. Then do it better - Andrei Straut
|
|
|
|
|
enhzflep wrote: Thank-you for your thoughts, GeekForChrist. I appreciate them.
Thank you. 
|
|
|
|
|
System AND browser? Maybe just browser? If so, which one of the 2 IEs?
|
|
|
|
|
eh depends on the vulnerability, and it's not a security firm cause they just lost access to MS detail information. Microsoft gives real / honest security firms added details / access to some of their underlying items, to try and ward off some of this stuff to begin with. When you bite the hand that feeds you, it stops feeding you. Not to mention exploits for sale have to be super deeply rooted or they rarely go anywhere, problem is exploits only work if the developer has no idea they are there. Once made publically aware you end the value of the exploit. Not to mention add so much risk one of Microsofts investigation teams which I hear are better than the CIA and FBI combined, will end up tracking you down, and sending you off to jail for long time. So... while it is probably a legit exploit that could of been a problem by taking the direction they did, it instantly lost all its possible value.
|
|
|
|
|
Color is great in an application, but it’s only meaningful if it stands out from what’s normal in your application. Here are some simple examples of color used to subtle-but-useful effect in an application.
|
|
|
|
|
Unfortunately he forgot just about every design rule in there. The colour schemes seem arbitrary and don't seem to have a valid reason behind them. The changing colours in the text areas actually made the differently coloured toggle disappear.
|
|
|
|
|
An issue tracker is a valuable asset for any serious software development. Beside serving as a bug database, the tracker can be easily leveraged for technical discussion. GitHub, a popular code hosting service, provides a basic issue tracking system. How does it compare against another established player, Google Code Project Hosting? Do you like your issue tracker? Which features help you the most?
|
|
|
|
|
I use FogBugz
And just like it is all.
|
|
|
|
|
I often hear people say something like “if you need it once, build it. If you need it twice, abstract it.” People often say then in the context of the “DRY” – or Don’t Repeat Yourself – principle. In theory this sounds great because you’re removing duplication in your code. This falls apart pretty quickly in a lot of circumstances, though. The idea of DRY needs to be tempered with YAGNI – “You Aint Gonna Need It“. With that, we end up with The Rule Of Three, and it clearly says that code can be copied once but the third time you need it, you should abstract it. Once, twice, three times... a pattern.
|
|
|
|
|
The developer world is divided into two camps. Language mavens wax rhapsodic about the power of higher-level programming — first-class functions, staged programming, AOP, MOPs, and reflection. Tool mavens are skilled at the use of integrated build and debug tools, integrated documentation, code completion, refactoring, and code comprehension. Language mavens tend to use a text editor such as emacs or vim — these editors are more likely to work for new languages. Tool mavens tend to use IDEs such as Visual Studio, Eclipse, or IntelliJ, that integrate a variety of development tools. From the archives: a look at tool-versus-language approaches to development.
|
|
|
|
|
The TouchDevelop web app, which requires Internet Explorer 10, enables developers to publish their scripts so they can be shared with others using TouchDevelop. As with the Windows Phone version, a touchdevelop.com cloud service enables scripts to be published and queried, and when you log in with the same credentials, all of your scripts are synchronized between all your platforms and devices. Program your Windows Phone on your Windows Phone.
modified 1-Nov-12 18:26pm.
|
|
|
|
|
Terrence Dorsey wrote: Apollo Flight Controller 101: Every console explained
Copy-paste gremlin.
/ravi
|
|
|
|
|
Thank you.
Director of Content Development, The Code Project
|
|
|
|
|
Apollo Flight Controller 101: Every console explained
Mission Operations Control Room 2 was used for almost every Gemini and Apollo flight, and in the late 1990s was restored to its Apollo-era appearance. You can visit it if you're in Houston, but you won't get any closer than the glassed-in visitor gallery in the back, and that's just not close enough. Strap yourselves in and prepare for an up-close look at the MOCR consoles, Ars style. Your handy reference to each station in the Apollo Mission Control room.
|
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
