Slashdot Mirror


How Bug Bounties Are Like Rat Farming

Gunkerty Jeb writes "In a keynote speech at the United Security Summit, Stephen Dubner, co-author of Freakonomics, drew parallels between the increasingly popular (and successful) practice of software vendors offering bug bounties and a new industry springing up in Johannesburg, South Africa, where the population has recently found itself beset with a growing rat problem. In order to help mitigate their rodent problem, officials in Johannesburg began offering a small monetary reward for each dead rat turned in. It was wildly successful, and it didn't take long for a fresh batch of entrepreneurs to pop up and exploit the situation. Of course, I'm talking about rat farming. Evidently, business-minded individuals have taken to breeding rats, only to kill them and turn them in for rewards. Obviously, rat farming is somewhat unscrupulous, but security researchers are doing the same thing: breeding bugs in the lab, then leading them to the slaughter for a nice payday. And it's a good thing."

140 comments

  1. What the hell by Anrego · · Score: 5, Insightful

    Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).

    But it turns out that he knows more about security than one would think. Maybe even more than he might think.

    Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).

    The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

    1. Re:What the hell by Anonymous Coward · · Score: 1

      I don't know, but the article's last sentence is the only one that asserts that bugs are manufactured. Its argument is "Yes, yes they are!" Solid, totally solid, line of reasoning I'll use the next time I need to conjure a phantom.

    2. Re:What the hell by Jmc23 · · Score: 1

      Well, it was posted by timothy. What did you expect?

      --
      Don't complain about syntax, grammar, or spelling. There is no hell like input on Android.
    3. Re:What the hell by David+Gerard · · Score: 1

      No, the analogy makes no sense at all. It would only make sense if the developers were adding bugs to the code to collect the bounties. This is not what's being described.

      The article is there to fill space and get ad clicks. Like most of the IT press.

      --
      http://rocknerd.co.uk
    4. Re:What the hell by The+Mighty+Buzzard · · Score: 2

      Yep, bloody stupid article by a bloody stupid journalist. No two ways about it.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    5. Re:What the hell by Anonymous Coward · · Score: 0

      Glad I'm not the only one that found this "article" completely stupid.

    6. Re:What the hell by Aladrin · · Score: 1

      My thoughts exactly on bugs vs rats.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    7. Re:What the hell by Anonymous Coward · · Score: 1

      Yea, WTF happened here? The last line of TFS sounded like a pretty interesting last line to the first paragraph of an article. Except it turned out to be the last line of the article, where it made even less fucking sense than it did in TFS. I honestly don't understand how this got published, much less why the fuck someone read it, thought "this is interesting" and then submitted it to slashdot. I do however, fully understand how it made the front page, since it's quite obvious that no editor bothered to click the link, and thus they thought exactly the same thing I thought when reading the summary.

    8. Re:What the hell by slim · · Score: 1

      Stephen Dubner is a smart guy, and I'm sure he had a solid point to make.

      I can only imagine that this reporter has failed to relay it correctly.

      What confuses me most is the "and that's a good thing" at the end. Mystifying.

    9. Re:What the hell by swanzilla · · Score: 1

      I heard the devs are finding the bugs on iPhone killers and the bounties are paid in Bitcoins...

    10. Re:What the hell by Anonymous Coward · · Score: 1

      Unless I missed something in the article, the analogy here makes absolutely no sense.

      Maybe they meant something like:
      1) researchers find bugs in lab
      2) they breed/multiply them, i.e. cut them into pieces and submit each sub-bug/symptom separately instead of the root cause that's responsible for all those sub-bugs
      3) profit by way of quasi-redundant bug reports
      4) ??? (read: I'm just guessing how you could maximise your profit in a way similarly malicious to the rat-breeding issue)

    11. Re:What the hell by StikyPad · · Score: 2

      this whole article is mostly pointless (besides the interesting story about rat farming).

      Which itself seems to be a fabrication (unless this is the one story unavailable anywhere else on the internet). Johannesburg certainly has a rat problem, but there's no reports of the city paying bounties.

      http://www.news24.com/SouthAfrica/News/Johannesburg-waging-war-against-rats-20110801
      http://www.news24.com/SouthAfrica/News/Anti-rat-campaign-moves-to-Soweto-20110812

    12. Re:What the hell by Stellian · · Score: 1

      The analogy is rock solid - let me rephrase it with cars. Suppose you are a car manufacturer who wants to sell more cars. Well, you could do that by offering a free lifetime supply of gas for every purchased car. Pretty soon people will queue up to buy your cars. And it's a good thing!

    13. Re:What the hell by Daniel_Staal · · Score: 1

      Impressively, the Slashdot summary manages to be more informative than the article itself, while only quoting the article!

      --
      'Sensible' is a curse word.
    14. Re:What the hell by gilleain · · Score: 1

      Unless I missed something in the article, the analogy here makes absolutely no sense.

      Maybe they meant something like:
      1) researchers find bugs in lab
      2) they breed/multiply them, i.e. cut them into pieces and submit each sub-bug/symptom separately instead of the root cause that's responsible for all those sub-bugs
      3) profit by way of quasi-redundant bug reports
      4) ??? (read: I'm just guessing how you could maximise your profit in a way similarly malicious to the rat-breeding issue)

      Ahhh. Well done : this at least makes some sense. I realise this is all speculation at this point, but the theory is that bug bounties make for bug reports that are too 'fine grained' because that's more profitable. Like, instead of "Bug : Language translation is broken in latest build" you get : "Bug : French translation broken..", "Bug : German Translation broken...", etc?

    15. Re:What the hell by Anonymous Coward · · Score: 0

      Researchers don't manufacture bugs themselves, but they do manufacture exploits of existing bugs. If you substitute exploits for about half the references to bugs themselves, then the analogy almost works.

      But where it breaks down is, every time you turn in a rat, the farm where you grew it gets destroyed (i.e. the exploit's bug is fixed).

    16. Re:What the hell by Anonymous Coward · · Score: 0

      Like, instead of "Bug : Language translation is broken in latest build" you get : "Bug : French translation broken..", "Bug : German Translation broken...", etc?

      I guess that could be an example.

      I thought more along the lines of:
      There's a buffer overflow (or whatever) bug in a library X. X is used by modules A, B and C. Instead of submitting the bug in X, you find where the bug manifests (i.e. in A, B and C) and only submit these symptoms. Of course you'd have to obfuscate your findings enough so the bug-fixer doesn't actually find the bug in X too early. Thus you end up with 3 bug-reports (4 once you've fully exploited the real bug) instead of just the 1.

    17. Re:What the hell by Anonymous Coward · · Score: 0

      Or maybe he is saying that exploit code for a bug is the rat in the analogy.

      If a report of a bug is accompanied with a demonstration exploit then it will earn a bigger reward than if the bug has no security implications or only speculative ones. That would motivate people to spend their time writing exploits for bugs. Which may indeed be a good thing.

    18. Re:What the hell by rwa2 · · Score: 1

      Where is BadAnalogyGuy when you need him?

      I think the point is that with the bug bounties, researchers are busy creating new classes of bugs and 'sploits, and turning them in for the bounty. Instead of being lazy and not creating new types of 'sploits, or worse, stumbling across bugs and selling them to the botnets instead.

      The point is, it's better that the security researchers are finding and disclosing more new types of attacks thanks to the bug bounties. If they weren't finding new 'sploits, it doesn't mean they're not there.

      The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something. Unless they have some sort of awesome recipe for rats. But that wasn't the intent of the rat bounty.

    19. Re:What the hell by Red+Flayer · · Score: 1

      Writing bugs into code, even if on purpose, is *nothing* like rat farming.

      If you want to farm rats (which I strongly advise against, as it's a waste of turns -- better to farm wolves or spiders at a higher level), first you need to make sure you're on a level with minimal corruption. Then you need to get a wererat onto the level somehow (making it follow you from an adjacent level is usually the best way). Put yourself in a corner (or along a wall), and hack away at the summoned rats. This should be sufficient for some good shield and weapon training. Make sure you don't accidentally kill off the wererat!

      But at any rate, writing bugs into code usually doesn't involve any of that.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    20. Re:What the hell by meerling · · Score: 1

      Exactly! The bug bounties are doing exactly what they are supposed to: give people other than the devs an incentive to find and report bugs. Something that previously usually only happened if it actually inconvenienced the user. Just because they are finding more bugs and glitches than expected in no way means they are somehow generating them for profit. That's why the analogy usually used is regarding bounty hunting. You are finding the unwanted elements and turning them in for profit, as opposed to the rat farming scam (or snake farming scam in the USA) where you are actually creating/supplying the unwanted element so you can turn them in for profit. There is a big difference between finding and creating; too bad the patent examiners that handle gene patents can't seem to understand that.

    21. Re:What the hell by dzfoo · · Score: 1

      I saw Bugs vs. Rats, it was pretty cool. I'm still waiting for the sequel, Rock, Paper, Scissors vs. The World, with Nicholas Cage as Spock. That one's going to r0xx0rz!

                -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
    22. Re:What the hell by Anrego · · Score: 1

      Kind of a stretch from what was actually said in the article, but I can see that point.

    23. Re:What the hell by Toze · · Score: 1

      I was going to say we had them in the Canadian prairies, but I find that there's no mention of it in the official history. My father and grandfather did mention hunting rats in rural Saskatchewan, though, and they have mentioned knowing or hearing about neighbors farming rats. However, this is 3rd-hand knowledge at best.

      --
      No OS on the planet can protect itself from a user with the admin password. - Yvan256
    24. Re:What the hell by vlm · · Score: 1

      The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something.

      This whole situation always reminds me of the UniSys RATS game on the BTOS operating system, on big green minicomputers in the late 80s early 90s, where the "easiest" way to get the high score was to camp on the rat generating colony deep within the maze, rather than sniping individual rats while running the corridors.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    25. Re:What the hell by waives · · Score: 1

      Behold the power of the ancient magic known as 'editing'.

    26. Re:What the hell by rs1n · · Score: 1

      Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).

      But it turns out that he knows more about security than one would think. Maybe even more than he might think.

      Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).

      The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

      You did miss something. The researchers are not injecting bugs. Instead, they are "farming for bugs" in the sense that they (presumably) put the software through a battery of tests (the "breeding" process). His point was that the bounty system was originally to motivate USERS to submit reports (like in S.A. where the point was to encourage citizens to turn in rat bodies). Instead, you've now got security researchers who may have absolutely no interest in using the software itself but have a monetary incentive to report bugs. Similarly, the rat farmers have no interest in getting rid of the infestation problem; they're just there to cash in on the rewards. The difference, however, is that the rat farmers breed the rats, whereas the analysts merely look for bugs (more akin to someone from another geographical region relocating to S.A. so they too can catch rats and turn them in).

    27. Re:What the hell by rs1n · · Score: 1

      I didn't read the article, but from the quote in the summary, you're mixing up developers with external security analysts (citizens vs entrepreneurs from another place trying to score a buck). But, to get to your point -- you're right, the analysts aren't injecting bugs into the software. However, they are very similar to the rat farmers in the sense that they might not care about the software being bug-free (or the city being clear of rats) and are only interested in the monetary gains.

    28. Re:What the hell by ThatsMyNick · · Score: 1

      X is used by modules A, B and C. Instead of submitting the bug in X, you find where the bug manifests (i.e. in A, B and C) and only submit these symptoms. Of course you'd have to obfuscate your findings enough so the bug-fixer doesn't actually find the bug in X too early. Thus you end up with 3 bug-reports (4 once you've fully exploited the real bug) instead of just the 1.

      This is more likely to happen if X, A, B & C are managed by different independent bounty programs. If managed by a single company, I doubt the submitters would be successful.
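
The report-splitting tactic described in comments 16 and 28 above (one root cause in a shared library X, reported once per caller A, B and C) is exactly what a single program's triage step is meant to catch. The following is an added example, not code from the article, from Slashdot or from any commenter: it buckets crash reports by the innermost stack frame that lives in a shared library, so the three symptom reports collapse into one payable bug and the later submissions are marked as duplicates. The report format, the module!function+0xoffset frame syntax, the module and library names and the report ids are all constructed for the example.

```python
"""Bucket bounty crash reports by root cause rather than by reporting module.

Added example, not code from the article or from any commenter. It assumes a
hypothetical report format: each report has an id, the module the reporter
targeted, and a symbolised stack trace listed innermost frame first, with
frames written as module!function+0xoffset. Module and library names are
constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample reports: 101-103 are "symptom" reports of one bug in the
# shared library libx, reached through three different callers; 104 is an
# unrelated crash that belongs in its own bucket.
REPORTS = [
    {"id": 101, "module": "A", "trace": ["libx!parse_header+0x2f", "A!handle_request+0x40", "A!main+0x12"]},
    {"id": 102, "module": "B", "trace": ["libx!parse_header+0x31", "B!decode_stream+0x88", "B!main+0x12"]},
    {"id": 103, "module": "C", "trace": ["C!copy_out+0x08", "libx!parse_header+0x2f", "C!load_config+0x20"]},
    {"id": 104, "module": "A", "trace": ["A!render+0x10", "A!main+0x12"]},
]

FRAME_RE = re.compile(r"^(?P<mod>[^!]+)!(?P<func>[^+]+)(?:\+0x[0-9a-fA-F]+)?$")


def parse_frame(frame):
    """Split 'module!function+0xoffset' into (module, function). Offsets are
    dropped so that different faulting instructions inside one function
    still land in the same bucket."""
    m = FRAME_RE.match(frame)
    if not m:
        raise ValueError(f"unrecognised frame: {frame!r}")
    return m.group("mod"), m.group("func")


def root_cause_key(trace, shared_libs):
    """Key a trace by the innermost frame that lives in a shared library.

    Walking outward from the crashing frame means a corruption that only
    surfaces in the caller (report 103) still keys on the library function.
    A trace with no shared-library frame keys on the crashing frame itself.
    """
    for frame in trace:
        mod, func = parse_frame(frame)
        if mod in shared_libs:
            return (mod, func)
    return parse_frame(trace[0])


def bucket_reports(reports, shared_libs):
    """Group report ids by root-cause key, preserving submission order."""
    buckets = defaultdict(list)
    for report in reports:
        buckets[root_cause_key(report["trace"], shared_libs)].append(report["id"])
    return dict(buckets)


def payable_reports(reports, shared_libs):
    """Map each bucket to (first report id, later duplicate ids): the first
    submission is the one a bounty program pays, the rest are duplicates."""
    return {key: (ids[0], ids[1:]) for key, ids in bucket_reports(reports, shared_libs).items()}


if __name__ == "__main__":
    for key, (paid, dupes) in payable_reports(REPORTS, {"libx"}).items():
        print(f"{key[0]}!{key[1]}: pay #{paid}, duplicates {dupes}")
```

The heuristic is deliberately narrow: it only needs the set of libraries the program treats as shared, and it ignores which module the reporter says they targeted. It is also easy to defeat by a reporter who, as comment 16 suggests, strips or obfuscates the library frame from the trace, which is why bucketing is a first pass and a human triager still reads the reproducer before anything is paid.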

    29. Re:What the hell by slim · · Score: 1

      However, they are very similar to the rat farmers in the sense that they might not care about the software being bug-free (or the city being clear of rats) and are only interested in the monetary gains.

      But that part isn't notable or interesting.

      The whole point of the rat bounty is to coax people into hunting wild rats, who wouldn't be doing it without the monetary incentive. Just like an external security analyst, the legitimate vermin killer is only doing it for the money.

      What makes the rat farming anecdote notable, is that people would exploit the scheme by claiming the money while actually making the problem worse. But the bug bounty story has no parallel for that interesting part -- unless someone actually is deliberately injecting bugs, so they can claim credit for fixing them later.

      As an aside, I've worked in a couple of places where you get a lot of visibility and credit for fixing serious production issues, and little recognition for maintaining a code base that never goes wrong. We often joke that it's an incentive to put time bombs in the code, but as far as I know, nobody's ever gone through with it.

    30. Re:What the hell by Anonymous Coward · · Score: 0

      My brothers used to hunt gophers and moles for bounty in Alberta. This was probably in the 1960's and 1970's. $.05 for a gopher and either $.10 or $.25 for a mole. There weren't any rats in Alberta at the time. There still are very few rats (next to none?).

    31. Re:What the hell by ceoyoyo · · Score: 1

      I love the article. It starts with a snarky paragraph about outsiders who don't know anything about security drawing (presumably) flawed analogies to things in their own area of expertise, says Dubner is different, then goes on to credulously relate a flawed analogy Dubner made between computer security and rat farming (which is presumably in his area of expertise).

      The irony is strong with this one. Unless he was serious....

      Another example of an economist talking without a complete understanding of a subject and a journalist with an incomplete understanding of everything.

    32. Re:What the hell by sgt+scrub · · Score: 1

      The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. And here is the line in TFA that states that outright. It is called headline sensationalism, pure and simple.

      --
      Having to work for a living is the root of all evil.
    33. Re:What the hell by bgat · · Score: 1

      The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

      No, that's EXACTLY the point he is making. He even says in the article that researchers aren't creating bugs, they are merely looking closely at the software with the purpose of finding those bugs. His analogy with rat farming isn't a very good one, but the main thrust of the article is that bug bounties ARE working--- and that commercial companies are recognizing that.

      The rat farming analogy works if you think about the tools researchers create purely for detecting bugs in the target code. Programs that send bogus ping packets or attempt buffer overflows, for example.

      --
      b.g.
    34. Re:What the hell by ceoyoyo · · Score: 1

      Let me rephrase it in the context of Star Wars. This is Chewbacca. He's a Wookie....

    35. Re:What the hell by Anonymous Coward · · Score: 0

      Well, I think the implication is that there's no such thing as perfect software (no matter what claims you'd like to make about mathematical proofs etc, etc, etc).

      Given that these systems are GOING to be imperfect, and that any given product is bound to be EVENTUALLY exploitable in some capacity, would this not provide all the makings for a bottomless money-pit?

      The alternative being miserable life of uncertainty filled with malicious hackers inflicting users with massive zero day ambushes, and intimidating them with coercive scareware phishing and "ad campaign" spam.

      I think the real question being posed is:
      "Are bug bounties really a facade for what is really a protection racket?"

    36. Re:What the hell by ceoyoyo · · Score: 1

      Are you sure they were rats? The Canadian prairies don't have a lot of rats (Alberta has none). They DO have prairie dogs and Richardson's ground squirrels though, and there have been various bounties at various times on those. Apparently in Saskatchewan once the bounty only required turning in the tail so you'd catch the little guy, whirl him around by the tail until it tore off, and let him go.

    37. Re:What the hell by Riceballsan · · Score: 1

      Indeed, and it still fails to show how that isn't the intention and the exact point of bug bounties? I thought the idea was to find spots vulnerable to attack, before they are attacked. They are creating exploits that take advantage of existing holes, so that the holes can be patched. Is everyone else hitting a Sony mindset: "It's not our fault that we left the front door open, it's the problem of these hackers being so good nothing would stop them."

    38. Re:What the hell by dkleinsc · · Score: 1

      The amusing piece of flawed logic appears to be the idea (very very common in the popular and business press) of thinking that a bug that nobody knows about is a bug that doesn't exist. It's the logical equivalent of assuming that if you can't see it, it can't see you.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    39. Re:What the hell by Anonymous Coward · · Score: 0

      Wait we got editors now? I mean ones that edit?

    40. Re:What the hell by icebike · · Score: 1

      The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something. Unless they have some sort of awesome recipe for rats. But that wasn't the intent of the rat bounty.

      The rat analogy breaks down well before that.

      Anyone can breed a rat. But only the developers can create or leave a bug in their own software.

      Remember this is about "software vendors offering bug bounties", presumably for bugs in their own packages.
      That's a far cry from Google offering a bounty on a bug in Joe Budding Programmer's CS 101 project.

      --
      Sig Battery depleted. Reverting to safe mode.
    41. Re:What the hell by ldcroberts · · Score: 1

      His point is that by outsourcing the testing the developers know they don't have to do it themselves so bugs naturally accumulate.

    42. Re:What the hell by nedlohs · · Score: 1

      Those last two paragraphs were added later, without any indication of them being an after original publication edit.

    43. Re:What the hell by mjwalshe · · Score: 1

      Well, the OP was familiar with the works of the great Sir Pterry, viz.

      “Shortly before the Patrician came to power there was a terrible plague of rats. The city council countered it by offering twenty pence for every rat tail. This did, for a week or two, reduce the number of rats—and then people were suddenly queueing up with tails, the city treasury was being drained, and no one seemed to be doing much work. And there still seemed to be a lot of rats around. Lord Vetinari had listened carefully while the problem was explained, and had solved the thing with one memorable phrase which said a lot about him, about the folly of bounty offers, and about the natural instinct of Ankh-Morporkians in any situation involving money: “Tax the rat farms.””

    44. Re:What the hell by Toze · · Score: 1

      Could have been gopher bounties and gopher farming, I guess, yeah. The tails were the things they specifically mentioned turning in, so it seems likely.
      See, this is why history is a pain in the ass to study; anything but a first-hand account is pretty much garbage.

      --
      No OS on the planet can protect itself from a user with the admin password. - Yvan256
    45. Re:What the hell by shutdown+-p+now · · Score: 1

      But at any rate, writing bugs into code usually doesn't involve any of that.

      What do you mean, it doesn't? It's compiling!

    46. Re:What the hell by pinkushun · · Score: 1

      That's all humbug. I live in South Africa, and there is no way me, my friends or any of my family will hand in dead rats for money, not even to mention breeding them for said imaginative payment on delivery of dead rodent. It's completely ludicrous and utter drivel.

      Rather skewer them over an open fire, it really brings out the flavor. But care must be taken with those who are carrying young, the veal is especially priceless.

    47. Re:What the hell by Anonymous Coward · · Score: 0

      It's from Terry Pratchett - I can't recall exactly which book, but it is mentioned once or twice as a scam that was around. The Amazing Maurice and his Educated Rodents is along similar lines, but I can't recall if that is the one where that specific scam was mentioned.

      Basically, the story goes that Ankh Morpork had a massive rat problem and began giving bounties for dead rats. This was extremely successful - so successful that quickly the city began to run out of money paying the bounties. The Patrician was asked what to do, and replied 'Tax the rat farms'

    48. Re:What the hell by jc42 · · Score: 1

      That's all humbug. I live in South Africa, and there is no way me, my friends or any of my family will hand in dead rats for money, ... Rather skewer them over an open fire, it really brings out the flavor. But care must be taken with those who are carrying young, the veal is especially priceless.

      Great answer! I've read similar comments from Chinese sources about various pest problems there. Their similar replies are especially effective, because the rest of the world has a stereotype of Chinese that they'll eat any sort of strange animals. The fact that this is semi-true just adds to the effectiveness of the humor. I once had a Chinese friend who liked to tell people that his relatives back home trapped and ate second children. He really enjoyed the responses to this claim.

      Of course, if a bounty were offered, there's probably some price at which people would turn in the critters rather than eat them. Thus, if the bounty on a rat is greater than the local market price of a pigeon or other animal about the same size, you'd expect that people would collect the bounty and use it to buy a squab (a cleaned and dressed pigeon, available in food stores in a lot of the world).

      But in general, saying "We'd never turn the critters in, because we like to eat them" is a good answer to tweak the prejudices of people in other parts of the world. And in some cases, the critters are good to eat.

      (Here in the Boston area, we have a lot of problems with squirrels. My wife and I like to mention our Appalachian families, and claim that we catch the cute critters to make squirrel pie. Yum! Just like grandma made.)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    49. Re:What the hell by Anonymous Coward · · Score: 0

      I think that the analogy that he was trying to draw is that by offering a monetary reward, people do things that they wouldn't normally do. Hence for rats people actively search for them and some even breed them.

      Now in software it's kind of impossible to "breed" bugs, especially in closed source packaged software. But in a sense there are more people actively searching for bugs than there otherwise would be, and people are certainly putting the software into unique situations that probably wouldn't normally occur. That's the link that I think the author was trying to make...

    50. Re:What the hell by DarwinSurvivor · · Score: 1

      Alberta has NONE (rats). That bounty system you mentioned was used earlier to eliminate every last rat from Alberta. The government paid a pretty penny to do so, but they saved a TON in the long run with the crops not being devastated every year.

    51. Re:What the hell by SnowZero · · Score: 1

      Anyone can breed a rat. But only the developers can create or leave a bug in their own software.

      I love this quote. I think it gets better without context.

  2. Dumb article. by tomhudson · · Score: 3, Informative
    The conclusion is false:

    But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

    There is ZERO evidence that the people writing the software cited in the article are intentionally introducing bugs. This guy should either produce a smidgen of evidence or FOADIAF.

    1. Re:Dumb article. by gameboyhippo · · Score: 1

      FOADIAF

      Fly on a dinosaur in a forest?

    2. Re:Dumb article. by HopefulIntern · · Score: 1

      F off and die in a fire (is what that acronym means, a combination of the more common FOAD and DIAF)

    3. Re:Dumb article. by Anonymous Coward · · Score: 0

      FOADIAF

      Obviously it means "Found On A Desk In A Forest". Yours just sounds stupid. Pfft.

    4. Re:Dumb article. by rs1n · · Score: 1

      People writing the software and researchers aren't necessarily the same group. In fact, I think they're more likely to be two sets with no intersection.

    5. Re:Dumb article. by gameboyhippo · · Score: 1

      I suppose if I don't fly off, I would die in a fire. But wouldn't it be more grammatically correct to say "OR die in a fire"? And if I'm not flying on a dinosaur, then what will I fly on?

    6. Re:Dumb article. by stephanruby · · Score: 1

      My question is: who made this idiotic remark?

      Stephen Dubner? or the journalist who's claiming to paraphrase what Stephen Dubner said during his speech?

      I'm crossing my fingers that it's not the Freakonomics co-author, otherwise I'll never dare quoting anything again from that book.

    7. Re:Dumb article. by Anonymous Coward · · Score: 0

      Nice try, rat farmer.

    8. Re:Dumb article. by Demonoid-Penguin · · Score: 1

      The conclusion is false:

      But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

      There is ZERO evidence that the people writing the software cited in the article are intentionally introducing bugs. This guy should either produce a smidgen of evidence or FOADIAF.

      Agreed - with a couple of points. The bounties are only for exploitable bugs, there's no mention of developers deliberately introducing bugs (let alone evidence), so researchers can "find" them and profit.

      I like the quoted author's economics work - but this has zero to do with economics. Having done triage for bug reports I know single bugs can have multiple reports, and there is no shortage of fake bugs - but it has no bearing on bounties. (sigh) Just another bullshit "hype my security conference that hypes security 'experts'".

  3. Don't RTFA by MarkvW · · Score: 1

    It doesn't say anything more than the Slashdot topic.

    1. Re:Don't RTFA by jc42 · · Score: 1

      It doesn't say anything more than the Slashdot topic.

      It does now. A few sentences have been added that attempt to counteract the idiocy of the original claim implying that the bug "researchers" are introducing bugs into someone else's software to collect the bounty.

      It's still a rather crappy analogy. Methinks it's more of an attempt to disparage the bug hunters. This is quite common in the software biz, of course, but this author found an original way to discredit people's attempts to improve software quality.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  4. ObDilbert by DCheesi · · Score: 3, Funny

    "I'm gonna write me a new minivan this afternoon!"

    http://search.dilbert.com/comic/10%20Dollars%20Bug%20Fix

  5. Half an article? by Anonymous Coward · · Score: 0

    So we have 2 paragraphs of self advertisement, two on rat farming and then they mention bugs and the article ends. Okay, people are 'farming' bugs for cash. How, why and who cares?

    1. Re:Half an article? by Anthony+Mouse · · Score: 1

      The only farming going on is for ad impressions. That's why it says "and it's a good thing" at the end -- a good thing from his perspective that the story's author is getting paid, because he certainly hasn't done any work.

  6. you can not breed the same bug again by Gunstick · · Score: 1

    You can breed rats, and they are rats. If you would get paid for a grey rat only once and not for every one, then you need to turn in brown, striped, checkered, white, blue, green, yellow rats. That would make the farming task way more complicated. Especially as there are other rat farmers out there doing the same.
    And once all colors of rats have been done, it's over. No more rats...

    --
    Atari rules... ermm... ruled.
  7. stupid analogy by Anonymous Coward · · Score: 0

    How exactly do the researchers create bugs in their lab? Maybe they find them, but only the developers can create a bug, no?

  8. That's the worst analogy I've ever seen by nedlohs · · Score: 3, Insightful

    And that includes slashdot car and pizza analogies.

    Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).

    But he isn't. So the analogy is complete and utter garbage.

    1. Re:That's the worst analogy I've ever seen by Ambiguous+Coward · · Score: 1

      Maybe I can explain it a little better...

      Okay, picture a car.

      Does the analogy make any more sense now?

      --
      Their may be a grammatical error, misspeling, or evn a typo in this post.
    2. Re:That's the worst analogy I've ever seen by Anonymous Coward · · Score: 0

      And that includes slashdot car and pizza analogies.

      To anyone confused over that statement, let me explain: The analogy given here is like a busted fourth- or fifth-hand Chevy station wagon. Nobody really wants it and it doesn't really work, but it does fill space AND it benefits the person who owns it just barely more than not having any car would.

    3. Re:That's the worst analogy I've ever seen by gilleain · · Score: 1

      And that includes slashdot car and pizza analogies.

      Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).

      But he isn't. So the analogy is complete and utter garbage.

      Where's BadAnalogyGuy when you need him? Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

    4. Re:That's the worst analogy I've ever seen by gilleain · · Score: 1

      And that includes slashdot car and pizza analogies.

      To anyone confused over that statement, let me explain: The analogy given here is like a busted fourth- or fifth-hand Chevy station wagon. Nobody really wants it and it doesn't really work, but it does fill space AND it benefits the person who owns it just barely more than not having any car would.

      No meta-analogies!

    5. Re:That's the worst analogy I've ever seen by slim · · Score: 1

      Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

      They're a lot like stone soup analogies.

    6. Re:That's the worst analogy I've ever seen by Anonymous Coward · · Score: 0
    7. Re:That's the worst analogy I've ever seen by Anonymous Coward · · Score: 0

      Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

      They are like a pizza.

    8. Re:That's the worst analogy I've ever seen by tepples · · Score: 1
    9. Re:That's the worst analogy I've ever seen by Anonymous Coward · · Score: 0

      Bug bounties are like rat farming in the sense that the author knows jack squat about them. It's a simile, though, not an analogy.

    10. Re:That's the worst analogy I've ever seen by lennier · · Score: 1

      Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

      They're a lot like stone soup analogies.

      So, one poster says "This computer security situation is like stone soup. But what would make it more relevant would be if it were also like a pizza with a stone soup topping."
      And then another poster says "That is a good analogy, but it would be even better if it were also like a car made entirely of pizza with a stone soup topping..."

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    11. Re:That's the worst analogy I've ever seen by AshtangiMan · · Score: 1

      Pizza is a strange thing, it's like when you really love something you eat it a lot, but then your friend finds a roach under a piece of pepperoni. Kind of like finding a bug in your favorite software, you probably won't eat it again, but maybe you get paid. So that's pretty cool.

    12. Re:That's the worst analogy I've ever seen by jc42 · · Score: 1

      Also: I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

      They're a lot like stone soup analogies.

      Actually, the pizza analogy works pretty well with the rat-farming story. That one says that if you offer money for dead rats, you encourage people to produce rats that they sell to you. Similarly, if you buy pizzas from pizza makers, that just encourages them to make more pizzas, which they then sell to people like you.

      But I don't think either of these works too well as analogies to software bugs. The explanation probably has to do with the fact that nobody actually buys the bugs themselves; they pay for reports describing the bugs' nature and location. Saying "I saw a brown rat at this place and time" isn't enough to get you the bounty, though, so the analogy sorta fails.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  9. "Tax the rat farms." - Vetinari by Verteiron · · Score: 4, Informative

    Okay, so who came up with this idea first? South Africa? Or Terry Pratchett?

    --
    End of lesson. You may press the button.
    1. Re:"Tax the rat farms." - Vetinari by Anonymous Coward · · Score: 0

      I was hoping someone was going to post this, I thought at first the article was misplaced from April Fools Day!

    2. Re:"Tax the rat farms." - Vetinari by Anonymous Coward · · Score: 0

      The rat farming is much like the original fire service in Ankh-Morpork (although it is only mentioned, never actually seen).

      They are paid for each fire they put out, and.... you can see where it goes from there.

  10. Rat farming by tinkerton · · Score: 1

    I heard about the rat farming story as a kid - and that is many years ago. The idea of relocating the story from 19th century US to South Africa strikes me as odd. But who knows, maybe the SA story has been verified.

  11. the analogy by Anonymous Coward · · Score: 1

    The analogy isn't completely bogus. Think of it a slightly different way: a rat != a bug; a wild rat == a bug that would affect a user.

    The farmed rats are then equivalent to the "could only really happen in a controlled lab environment" bug. They are still bugs, it's good to get rid of them, but they aren't really (or at least shouldn't be) the primary concern.

    1. Re:the analogy by Anonymous Coward · · Score: 0

      It still ignores the fact that the researchers are finding existing bugs and not creating the bugs themselves. It also assumes that all of the bugs the researchers are finding could not survive in the wild, which seems unlikely.

    2. Re:the analogy by Anonymous Coward · · Score: 0

      Kind of makes sense. Still, wouldn't that be more akin to hunting moles to turn them in for a rat bounty?

      Either way, I think the original analogy should never have seen the light of day.

  12. Bad analogy, bad article by athe!st · · Score: 2

    Unless people are putting bugs in open source software, then claiming the bounties for finding them, the analogy is just plain wrong.

    1. Re:Bad analogy, bad article by tinkerton · · Score: 1

      That's a very inflexible interpretation. Here's how to coax the analogy into making sense. The general theme is how rewards can be counterproductive by shifting the aim of those being rewarded. I'll take an old story about chimpanzees, art and bananas. The chimpanzees were given paint and paper to play with, and they had a lot of fun, making nice things. Then rewards were introduced: make a painting, get a banana. This changed the character of the game for the chimpanzees. Paintings became just a means for getting the banana and the paintings weren't interesting anymore - not interesting to make and not interesting to look at.

      This is a well known problem in organisations. I recall a big manager (3M Germany) who was acutely aware of this problem, and who illustrated how powerful it was with another story. There was an old man in his street who was always being harassed by a group of youngsters. The manager decided to give the group of youngsters a reward of some euros for harassing the old man - which they readily accepted. He gave them this reward again and again, but he soon started to decrease the reward, and he decreased it more and more. Very soon the youngsters lost all motivation for harassing the old man and that solved the problem.

      Now apply this model to finding bugs and it will make sense. Not necessarily the crude case of creating bugs, but for example, lots of minor bugs will be reported that cause a lot of overhead; ergo, they're counterproductive.

    2. Re:Bad analogy, bad article by slim · · Score: 1

      I think what you're saying is, it's not a direct analogy.

      "Here's an example of an incentive scheme that has an unexpected and undesirable outcome".

      "Bug bounties can also have unexpected outcomes" -- but with a quite different mechanism.

      I don't think Dubner would have done that. Freakonomics (the book) contains loads of examples of unexpected outcomes due to skewed incentives. He could have found one that fitted better.

      No, I'm pretty sure this is just a reporter failing to convey what was actually said.

      (Favourite Freakonomics story: the city that decided to pay its rubbish collectors bonuses based on the weight of what they brought in. Rubbish brought in increases, by weight: success! But their incinerator's efficiency measurements fall dramatically. What's going on? Much of the rubbish is now soaking wet. )

    3. Re:Bad analogy, bad article by tinkerton · · Score: 1

      He could have come up with a better example (he could have taken your example), but it's not bad and I explained why. If you imagine a kind of tree structure (or a directional web) with edges indicating a relationship "is kind of a .. story", then the rat farming story is a story where incentives act counterproductively because they shift the motivation away from the original intent.
      This is a good node, the analogy is good.

      There is also a more detailed node "incentives leading to a situation where people actually create more undesirable items in order to get more rewards for removing them". This node is not a good match. It fits the rat farmer but has a weak fit with the bug reporting story. This is what people react to (often motivated by a desire to criticize).

      "Incentive scheme with unexpected outcome" is a much more general node. The fit is good but the node is not much use because it's too general.

      If Dubner's book is about "unexpected outcomes due to skewed incentives" then I think that's a good theme. But it would be even better without the word "skewed".

    4. Re:Bad analogy, bad article by tinkerton · · Score: 1

      Actually, there is a variable in the stories which is the amount of cheating. I think I'd prefer a story with a minimal sense of cheating.

  13. My eyes are rolling at 7200rpm... by Alex+Belits · · Score: 1

    ...and I don't even have to explain why, because every comment before me did it already.

    --
    Contrary to the popular belief, there indeed is no God.
  14. His point by Anonymous Coward · · Score: 1

    I think he's trying to claim that a bug that's discovered by a security researcher before it can be (A) reported by a user or (B) exploited in a 0-day is an artificially created bug, not a "real" bug.

    Which is, of course, idiotic; that's the whole point of paying researchers to find bugs.

    1. Re:His point by slim · · Score: 3, Insightful

      It's correct to observe that an incentive scheme could, conceivably, tempt developers into deliberately inserting bugs.

      This would happen if you:

      • offer incentives for discovering bugs
      • offer incentives for closing off bugs
      • *don't* offer incentives for clean code

      What the article doesn't do is point at real-world instances of this happening, or explain why "that's a good thing".

    2. Re:His point by ceoyoyo · · Score: 1

      Presumably nobody is dumb enough to pay bounties to contributors who find bugs in their own code.

    3. Re:His point by slim · · Score: 1

      1. I think you underestimate how dumb people can be
      2. It's trivial to work around that obstacle with a little collusion.

    4. Re:His point by danlip · · Score: 1

      No, but it is trivial to set up an alias or work with a friend and split the profits.

    5. Re:His point by ceoyoyo · · Score: 1

      It's not trivial to get write access to most projects so you wouldn't want to be switching developer accounts too much. And bug bounties require information on who to pay, so you wouldn't be able to just make up names for that either. And your turnaround between introducing a bug and finding it would have to be fairly quick to avoid other people nabbing them on you. Which all adds up to some pretty suspicious patterns.

  15. Reminds me of the article from thedailywtf by h5inz · · Score: 2
    1. Re:Reminds me of the article from thedailywtf by Gonzo+The+Gr8 · · Score: 1

      Ok, see, that's rat farming

    2. Re:Reminds me of the article from thedailywtf by Anonymous Coward · · Score: 0

      Good memory, I read this before. The first commenter is on the money: "No WTF here; the CTO's plan was to fix all outstanding issues and, from what it sounds like, it was a success. "

      Actually, this could be done a few times per year this way and it would be a win/win situation. Must not be overdone for obvious reasons; but also, working through lunch for an extended period will destroy the workforce eventually.

  16. Horrible, crappy, Half an article by gurps_npc · · Score: 1
    1. It talks a lot about the illegal rat farm business.

    2. It just says it is similar to the bug hunting business - with NO explanation. No real discussion of the bug hunting business, no explanation why they are similar. It just assumes you will believe they are similar, with no reason. I don't see any connection.

    3. It concludes with "and that's a good thing" with no explanation of why it is a good thing. Bull.

    If I saw this in a blog, I would call it a bad blog. As an article, it is at best half of an article. It needs to be doubled, if not tripled in size, to make any sense.

    It also is not in any way convincing. I came away thinking the author may have an idea, but appears to be too clueless to express it to us.

    --
    excitingthingstodo.blogspot.com
    1. Re:Horrible, crappy, Half an article by gurps_npc · · Score: 2
      Correction. The author did not have a good idea. He was reporting on a speech given by someone else (author of Freakonomics).

      The author basically gave a review of that speech, and left out all the important stuff, just because he was obsessed with the stupid rat farming example.

      I will have to go looking for the real speech, it might actually be interesting.

      --
      excitingthingstodo.blogspot.com
  17. isn't it ironic? by carpefishus · · Score: 1

    If it is not a good analogy then isn't it ironic?

    --
    Facts take all of the premium out of arm waving - T. Reynolds
  18. I'll just quote the first comment from TFA by arielCo · · Score: 1

    WTF? This makes absolutely no sense. Bugs cannot be manufactured into existing software, they are created by the vendor not by the vulnerability finder. The analogy to rat farming is completely bogus.

    Ditto

    --
    This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
    1. Re:I'll just quote the first comment from TFA by Anonymous Coward · · Score: 0

      Obviously you've never worked in Software QA. When I find bugs and report them, the project manager treats me as if I intentionally added it to the code.

      Shoot the Messenger!

  19. mysterious acronyms by Anonymous Coward · · Score: 0
  20. Better analogy: imported rats, not farmed by ejtttje · · Score: 1

    I think the point he's getting at is that a lot of the bugs are not the ones that would trouble users (i.e. they only appear "in the lab"). So although it's still good to fix them, they are low priority.

    The farming analogy is bad because it implies people are creating these bugs just to turn them in, which as everyone is pointing out, doesn't make sense and would reflect poorly on the buggy developer, so it would be self-limiting. Instead, I propose he should have said "imported" rats instead of "farmed" rats: instead of killing the rats in the city (the "high priority" ones), people are going out into the country and killing rats that weren't really bothering anyone. Eventually they or their descendants might make it to the city and cause a problem, so we're certainly not sad to see them go (environmental concerns breaking the analogy here :)), but the point is those rats/bugs aren't really the ones we care about.

    I could have sworn there was an article/blog post a little while back with statistics from a bug bounty program where most of the bugs were relatively trivial (found by automated methods, style consistency, etc.) or else quite obscure, with only a couple 'interesting' ones. But all I can find is this slashdot article, which I don't think is the one I'm thinking of. But I remember the author's summary was also that he still appreciated the peace-of-mind that others had looked through his code and that was all they had come up with, so still a net positive.

    1. Re:Better analogy: imported rats, not farmed by ejtttje · · Score: 1

      Aha, found it:
      What does $1265 of bugs look like
      Looks like this wasn't a slashdot article, maybe it should be :)

    2. Re:Better analogy: imported rats, not farmed by slim · · Score: 1

      As I've already said, Dubner's a clever bloke. If he was trying to make the point you've made, then he'd have found a suitable analogy. He has at least two bookfuls.

      No, this is a reporter getting the wrong end of the stick.

      But let's think about your observations.

      The rat farming thing is fairly interesting. You can imagine the rat bounty seeming like a good idea. People subverting it by farming rats would come as a surprise to a lot of people. Freakonomics is full of stories like that.

      Your observation, that a bug hunt will reveal lots of inconsequential bugs, but the few significant ones make it worthwhile -- well, that's entirely the expected result, surely?

    3. Re:Better analogy: imported rats, not farmed by ejtttje · · Score: 1

      Your observation, that a bug hunt will reveal lots of inconsequential bugs, but the few significant ones make it worthwhile -- well, that's entirely the expected result, surely?

      Well, I could make some argument about whether it's generally worthwhile even for a few significant bugs... if they are significant, it's likely they would be found and reported in short order regardless of a bounty. And especially if there's a backlog of bugs, I'd say those should take priority over finding new bugs that haven't actually bothered anyone yet.

      The security aspect is different though, because those are bugs that have a motivation to go unreported. And there's the 'papercut' type, where small annoyances go unreported. I'd consider it a good question whether bounties are more effective than simply paying an expert (or several) the same amount up-front to comb through things. The old crowd-source vs. out-source argument I guess.

  21. badanalogyguy writes security articles now? by ilsaloving · · Score: 1

    How exactly do researchers 'plant' bugs into code released by another party?

    Researcher: "Look look! We found a bug!"

    Company: "Why yes you did! Wait... this isn't even our code! GTFO and stop wasting our time."

    1. Re:badanalogyguy writes security articles now? by slim · · Score: 1

      Business model!

      1. Note missing feature in Firefox
      2. Write missing functionality; include carefully obfuscated security bug
      3. Donate code to Mozilla
      4. "Find" and fix bug. Claim bounty.
      5. Collapse, cackling, into your bed of dollar bills.

    2. Re:badanalogyguy writes security articles now? by lennier · · Score: 1

      Business model!

      1. Note missing feature in Firefox
      2. Write missing functionality; include carefully obfuscated security bug

      And that explains the new Firefox 5-week release cycle.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  22. A better analogy would be.. by Going_Digital · · Score: 1

    It would be better to say that because the government is paying for dead rats, an industry has developed around it. Now, rather than just taking in urban rats that are causing a nuisance, rat catchers are breaking into people's homes to steal pet rats and taking trips into the country with dogs to flush out rats in the wild.

  23. How Freakanomics is like the real world... by AlterEager · · Score: 1

    ... oh, that's right, it isn't.

    So they've got another thing wrong. Big surprise.

    (And not knowing the Ankh-Morpork precedent - that'll lose them fanboy cred).

  24. "Bugs for cash" scams can work - except... by Captain+Sarcastic · · Score: 1

    ... when a company happens to track who is the person responsible for a bug.

    If there's no accountability, then a coder could generate bugs for a confederate on the outside to cash in on. Mind you, you'd need to make sure:

    • that the bugs weren't so easily found that the wrong person discovers them,
    • that the "bug bounty" was high enough to justify this kind of skullduggery,
    • and that there was nothing to track the bug back to the original developer, who would most likely become unemployed if enough bugs were laid at his/her feet.

    But, hey - who said scamsmanship was easy?

    --
    Strike while the irony is hot! -- The Freethinker
  25. The actual analogy... by Gonzo+The+Gr8 · · Score: 2

    One of the commenters from TFA finally explained it, the problem is it's still a very bad analogy. Farmed rats != manufactured bugs. The actual analogy is wild rats == significant bugs and farmed rats == insignificant bugs. He's not saying the "bug farmers" are manufacturing the bugs, just that they're finding new and creative ways to break the software that would in all likelihood never occur outside of a lab setting.

    So, like I said, a very bad analogy.

    1. Re:The actual analogy... by Riceballsan · · Score: 2

      That actually makes sense; in other words they are finding bugs like, say, a glitch where if you type the letters todadadklard into a search box, hold shift and backspace while having someone else click the submit button, the program exits. While technically a bug, it would be one that would never bother anyone or affect the end user; hypothetically, though, it could lead to an exploit that could do greater harm as a zero-day vulnerability with the right kind of hacker, hence why it is good to bring even the stupid bugs out into the open.

  26. Any info on what Dubner actually said? by Anonymous Coward · · Score: 0

    Boy, do we need some information on what Dubner actually said. Here's the only thing I've found from the conference organizers:
    http://www.unitedsummit.org/speakers.jsp?speaker=stephen-dubner

    There is a live stream of whatever talk is going on now, but I can't find any information about the content of yesterday's talks.

  27. Nothing like rat farming by AC-x · · Score: 1

    The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances.

    So it's actually nothing like rat farming.

  28. No incomplete summary by jopsen · · Score: 1

    If you read the article (I didn't at first either), it says that researchers are finding bugs in a lab that would never have been found otherwise (not by hackers either), but concludes that this is a good thing. It's a happy story about how bug bounties are good for everybody, and lead to better software...
    - It's not a dumb article, it's just a happy one :)
    We're just confused because articles are always expected to be negative, this one isn't, now smile :)

    1. Re:No incomplete summary by slim · · Score: 1

      No, we're confused because the rat farming analogy has no bearing on the good news you noticed.

      Rat farming: Incentive scheme leads to unintended, unexpected, undesirable outcome
      Bug bounty: Incentive scheme leads to intended, expected, desirable outcome

    2. Re:No incomplete summary by nedlohs · · Score: 1

      That's because those paragraphs were added to the article after the fact (and after the summary was written - so the summary isn't incomplete, it reflects the idiotic article at the time).

    3. Re:No incomplete summary by hrimhari · · Score: 1

      Hey! Maybe Dennis Fisher (or Stephen Dubner) is the alter ego of... BadAnalogyGuy!

      --
      http://dilbert.com/2010-12-13
  29. Two paragraphs added to post by slim · · Score: 1

    The (current) last two paragraphs of the article were added after many of the /. comments were posted.

    Previous final sentences:

    But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

    Added paragraphs:

    The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. Those who run the bug bounty programs at the software companies say that they are seeing more and more submissions than they did before their programs began, and the combined resources of the external researchers and the vendors' internal teams finds far more flaws than just the internal teams could.

    The idea of people raising rats for the express purpose of killing them likely isn't what the officials had in mind when they began their reward program, and they may well end up with a larger rat infestation than they had when they began if they put a stop to the rewards and the rats end up wandering the streets. But the opposite has occurred with the vendors' bug bounty programs. As they've continued to reward researchers and even raise the amount they pay for new bugs, researchers have responded with more submissions, and all of the users of those applications have benefited.

    Seems like an attempt to rescue the article from terminal idiocy. But it's just digging a deeper hole.

    It's just like rat farming! Except that nobody's manufacturing defects deliberately.
    Rat farming had unintended consequences! Bug bounties have exactly the consequences that their designers were aiming for: lots of people detecting bugs.

  30. I just hope Dubner is BadAnalogyGuy by Wannabe+Code+Monkey · · Score: 1

    Okay, so in South Africa, bounties for dead rats had the unintended consequence of creating rat farmers which is 180 degrees counter to what the creators of the bounty wanted. It's a classic case of perverse incentives. On the other hand, the software bug bounties are resulting in more software bugs being found and fixed. Exactly what the creators of the software bug bounties wanted. And, no one, not even the bad-analogy-maker, is suggesting that the security researchers are introducing software bugs only to 'fix' them later. So these two situations are really pretty much exact opposites... This is probably the worst analogy I've ever encountered.

    I had always kind of figured the Freakonomics guys were more pop-pseudo-science than actual hard science. But I'm not an expert in any of the other fields they've discussed. Now I guess I know for sure that they're full of it.

    --
    We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
    1. Re:I just hope Dubner is BadAnalogyGuy by slim · · Score: 1

      I had always kind of figured the Freakonomics guys were more pop-pseudo-science than actual hard science. But I'm not an expert in any of the other fields they've discussed. Now I guess I know for sure that they're full of it.

      Freakonomics is fine. This seems like Chinese whispers in the retelling.

  31. A stronger citation for rat farming by tepples · · Score: 1

    I used Google rat farming site:wikipedia.org to find a citation in the Wikipedia article about perverse incentives. I didn't read the original source because it appears to be paywalled and in French, and I am not affiliated with any of these subscribing institutions.

  32. Oh that's funny by Anonymous Coward · · Score: 0

    I actually thought once that having an unlimited open season on trapping rats in DC would be a good idea. That's not a joke--DC has a serious rat problem. I concluded that imported and/or bred rats would be an insurmountable problem. It's nice to know that I can still think ahead of the guys who run countries in Africa.

    BTW, the best way we have so far to control rats is to STOP FEEDING THEM. If you enforce laws against unsecured garbage, then you don't have to enforce laws against breeding rats to get the bounty. In DC the city itself violates basic sanitation by having most sidewalk receptacles with open tops, and by not emptying them fast enough.

    They poison rats, but when rats have leftover prime rib from the garbage they don't eat uniformly sized pellets of poison. Rats are smart, and street rats are smarter than lab rats. What happens is that the bait stations end up being used as shelters by the rats. That particular wrinkle of the problem led me to a "modest proposal":

    Instead of trying to poison the rats and feed the homeless, DC should try it the other way around. In short order, poisoning centers for the homeless would be built but would not be stocked with sufficient poison or attended. They would provide excellent shelter.

  33. Dilbert figured this out 15 years ago. by darkwing_bmf · · Score: 2
  34. A true story by Caerdwyn · · Score: 1

    Nothing new to this.

    Twenty years ago, I worked at a company (whose name you have all heard but I'd best not mention) which, among other things, produced development tools. A major release was coming up, and the word went out: company-wide cash bounty on bugs. The more severe, the bigger the bounty.

    BUT... neither Development nor QA on the product team in question were entitled to participate.

    An underground economy of bugs immediately arose. QA people would find bugs and tell their tech support buddies. Developers would drop in a bug and notify the documentation people. Folks in the localization team for installers for the company's consumer productivity apps suddenly became experts on memory management defects... somehow. The rewards would be split. Over 50,000 dollars in bounties were handed out before the company got wind of this and put a quick, angry end to it.

    If there is a way to game the system, people will figure it out in a heartbeat. Call it... meta-testing.

    disclaimer: I only heard about this after the fact. I was not at the company when the incident occurred; I was hired about two months afterward, and the stories were still circulating. Perhaps that's why the position I filled had become open...

    --
    Everybody gets what the majority deserves.
  35. Security researchers don't create bugs, vendors do by Anonymous Coward · · Score: 0

    If bug bounties are like rat farming, then vendors will start creating more software vulnerabilities so they can pay out security researchers more money? Security has enough crappy analogies without non-security people throwing in their two cents.

  36. Stealth edit by Dennis Fisher by tomhudson · · Score: 1

    He's added 2 more sentences to the article, trying to bury his assertion after all the negative reaction, but too many people saw the original and commented on it.

    Hopefully Kaspersky Lab (the owners of threatpost.com) will be able to extract some sort of apology, or at least a clarification that edits done after the post should be clearly marked as such.

    If you don't want to use the feedback form, you can email nicole.lawler, greg.sabey, or alejandro.arango, all at kaspersky dot com.

  37. Roast away... by Anonymous Coward · · Score: 0

    Dennis Fisher, the article's author, is getting royally roasted for such an obvious sham of a correlation. There is much backpedaling happening now, with a stealth article edit (at least one) having already occurred and replies to comments indicating Fisher will become his own worst enemy. They would be smart to remove the article, complete with its flubbed analogy, until he can bring sufficient reasoning to the table. As it sits, it's only going to degenerate further.

  38. The MARKET is what was manufactured by minstrelmike · · Score: 1

    What is being manufactured is the market itself. rat FARMING was created by the bounty, not rats. Get the correct terms in the analogy and it makes a whole lot of sense.

    "The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. Those who run the bug bounty programs at the software companies say that they are seeing more and more submissions than they did before their programs began, and the combined resources of the external researchers and the vendors' internal teams finds far more flaws than just the internal teams could."

  39. OK, Mystery solved by slim · · Score: 1

    Another blog post, another site: http://www.leadershipblog.co.za/2010/08/11/stephen-dubner/

    It quotes Dubner directly. Dubner says nothing about bug bounties in relation to rat farming.

    He talks about the rat farming anecdote, then talks about unintended consequences in general, in the realm of government, not software development.

    His main observation seems to be that politicians have no incentive to create schemes that are immune to unintended consequences, because the unintended consequences are usually long-term -- and the politicians only want their scheme to reflect well on them long enough to get re-elected, earn bonuses, etc. in the short term.

    The nonsensical leap to bug bounties is an invention of Dennis Fisher's.