Facebook Invites Hackers To Attack Its Network
An anonymous reader writes "Nearly a year ago, Facebook introduced its bug bounty program, inviting security researchers to poke around the site, discover vulnerabilities that could compromise the integrity or privacy of Facebook user data, and then responsibly disclose them to the company. Still, when the social network's security team received a tip from a researcher about a vulnerability in the company's own network which would allow attackers to eavesdrop on internal communications, they made an unprecedented choice by broadened the scope of the bug bounty program and inviting researchers to search for other holes in the corporate network. Nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stolen information for much more. It should, therefore, come as no surprise that Ryan McGeehan, the manager of Facebook's security-incident response unit, stated that if there's a million-dollar bug, they will pay it out."
Holy hellbore, editors! At least read through the summary before letting it out onto the page teeming with grammatical errors. It reads like it was written by a grade schooler.
Hyperbole: I use it liberally!
Annoying Facebook Games.
A PhD in English is certainly not required to ensure good communication. You've fallen victim to the Fallacy of Grey - "not a professional in English teaching" is not the same thing as "unable to communicate well". Strive for perfection in everything you do, as Sir Henry Royce tells us.
I'd say Facebook was doing a very good job annihilating itself with their $38 IPO now down 37% and the clunky Timeline UI. I'd be hard pressed to think of an external black-hat operation that could top those two self-inflicted wounds. Maybe porn site ad popups with loud audio of womenfolk enjoying themselves which you can't turn off, even when you are at Mass or in a very important interview. That might be a worthy hack.
Plain and simple.
OK, so I'm the Facebook corp. and I run a cost vs. risk analysis and come up with the numbers and resulting decision we see here today. Clearly they have the money, and the relative risk plus technical infrastructure so they figure this works out for them.
OK, let's say I'm a Blackhat criminal hacker, poking around the Facebook network doing nasty stuff all the time, as best as I can, because this is what I do. And one day I get caught by Facebook or someone else along those lines. I am so busted. But wait, I can explain I was really a white hat all along, just trying to feed my family the best I can. Whatever happens next can't be too bad, and I'll live to fight another day. So then I figure capitalism rocks. Also maybe I'll see what Facebook offers when I really find a big hole worth exploiting.
Win, win, and so capitalism = security?
There must be something I am not seeing here. Could such pure capitalism do something about all those evil Chinese and Russian and Ukrainian hackers too? That which laws and police cannot really do very well at this time?
To look at this another way, the US/Israeli State Resources behind Flame and Stuxnet (etc.) seem to have been fairly successful doing harm.
You can't be ahead of the curve, if you're stuck in a loop.
I peed a little when I read "compromise the integrity or privacy of Facebook user data." If they think that would be the result from a hack, then having an account means you are a hacker.
If you subscribe and don't use your real name, you must be a 1337 Hax0r
Don't fight for your country, if your country does not fight for you.
"Nobody expects malicious attackers to have a change of heart and hand over information about a vulnerability for a few thousand dollars when they could sell the stolen information for much more."
I really don't think that all hackers are greedy. While there are hackers who are willing to take the risks of selling hacks to criminals, there are probably many hackers who would be interested in exploring vulnerabilities for a modest legal reward.
I don't read your sig. Why are you reading mine?
Just count each successful attack as another active user. I guess every bit helps when your stock value is on the line.
Trust the Computer. The Computer is your friend.
Wasn't the IPO a good thing for facebook?
Just think about it. They managed to trick people into putting much more money into the company then what it was worth. That money is still in the company now, even if the stock price crashed.
I tried going to Facebook today, it didn't come up, so I decided to check out Slashdot since I could see other sites, and I find this story about Facebook inviting hackers on DefCON weekend. Well, seems my DNS doesn't resolve them, is this widespread?

C:\Users\r>ping facebook.com
Ping request could not find host facebook.com. Please check the name and try again.
I don't have a PhD in English, but I don't need one to tell you "broadened" is the wrong tense. The second sentence should read, in part,
instead of the way it is currently written.
This has nothing to do with language "evolving" or grammar police; they made a mistake that breaks one of the syntax rules of the language, and it should be corrected.
I don't care why you're posting AC
Although I can see the appeal of something like "bug bounties", I can't help but feel that it's basically testing on the cheap. As an IT professional, it feels a bit like devaluing a highly skilled career; or at best, making testers nothing but self-employed, pay-as-you-go workers rather than full employees or traditional contractors.
I mean, what Facebook are basically offering is "no win no fee" Penetration Testing. Rather than paying a team of certified, experienced Pen Testers to run a thorough and comprehensive report, they're saying "yeah, do a Pen Test, but we'll only pay you if you find anything wrong". Not only that, but "we'll only pay you properly if you find something really wrong". And if Facebook have actually managed to inadvertently make their system secure, they'll get to find that out via hundreds of hours of free testing.
Bug bounties to encourage end-users to post proper bug reports is one thing, but this seems like a slightly grubby step too far to me.
The average Slashdot summary makes this very, very evident.
Can't you give me some information about the hosts file? You probably don't know about that, maybe a little too advanced for you.
If they care about paying the right price for the bugs, why not just buy the existing exploits from the black-hats? Hackers get paid what the bug is ACTUALLY worth (on the black market), you fix even more bugs, driving more folks to search for cracks, driving bug price down, everyone's happy?
I get that white hatters are beneficial, but I'd still be careful attaching my name to a "bug bounty". They can throw you in jail for white hat hacking at a whim -- It's still illegal by the retarding letter of the law.
A big problem with "it's not a formal document so FOAD" is that not making the effort can transfer to YOUR CODE; the folks that try to use more formal grammar are just not wanting to let that kind of language laziness pass.
Okay so we shouldn't be arguing between NYT and Yale commas but dumping a complete trainwreck of language in and then claiming Not Formal so I CAN HAZ EROARS is Bollocks.
(and yes I know that I was not perfect myself but I at least used the built-in spellcheck and tried)
Any person using FTFY or editing my postings agrees to a US$50.00 charge
If I was going to try for the money then I would detail my efforts and then not give the info to FaceBook before I get issued a GOJF card (I would also have a Trusted Third Party monitor things so FB can't say "you used your hack to steal X from us beyond what was needed to prove the hack").
If FB won't play ball then the info goes up on "HackBay" on a 12 million dollar reserve
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Check the UIDs: bryonak registered long before I did, and for the record, I don't play dirty like trolls do: everything I do on this site is connected to this single account, be it a good or bad thing, and I responsibly take all replies and karma-deltas for what I do and say.
However, it's not hard to notice that the replies are all the same, word-for-word, and all are attacks directed against my person, not against my points. As such, they carry no weight, only noise.
Hyperbole: I use it liberally!
Says the Anonymous Coward, who's even afraid to show his handle. You don't know anything about people's usage habits and accounts, or if you're a site admin who does, prove it. You can do that by, say, publishing my IP address. You should be able to access the logs if you're an admin and know exactly who are my "sock puppet" accounts. So go on, prove it to everyone that I'm a dirty, cheating, sock puppet-using troll. I'm waiting.
Of course I'll be waiting a long time: if you do have access to those logs, and look up my IP, you'll see only one account uses it: this one.
As for being off topic with my initial comment, I accept that, never denied it either. However, I maintain my point that the summary, as it is now, should never have seen the light of the front page. At the very least, the editor posting it should have looked it over and corrected any mistakes to produce a summary befitting the site.
Hyperbole: I use it liberally!
Your meds. Take them. Now.
--
BMO
Would you rather be corrected by well-meaning grammar lawyers, or continue making and compounding mistakes until you're writing in a language that may be difficult to receive by the intended audience?
Consider what a failure to communicate may mean. In the case of the summary, a failure to receive the communication would be more detrimental to the reader than to the writer, but those roles can also be reversed when the author needs to be understood more than the recipient needs to understand. Also consider that some groups of recipients may reject communication attempts out of hand based on the style of the author, permanently excluding the author from interaction with those groups, which may have economic impact for the communicator.
Dialect differentiation is one of the pillars of the gentrification of society. It offers a way for the elite to segregate themselves from the plebs, limiting social mobility. Those with access to the "rules of grammar" and the training in them can easily spot others of the like.
Do you still wish to avoid the pain of being corrected from time to time?
Can you be Even More Awesome?!
Let me guess... 24 hours later the workstation on Mark Zuckerberg's desk had its hostname changed to challengeaccepted.facebook.com?
My first program:
Hell Segmentation fault
If you're going to quote my words, please give full context (since you seem to be so much into context), and include the rest of that paragraph, in which I explain just why I commented what I commented.
Hyperbole: I use it liberally!
Now it's legal to hack their network. Which is a nice move for white hats, but it also gives black hats permission to fuck around with people's private data.
Why not provide a copy of the facebook software with mock up data to which you give permission to hack.
I was joking before. I'm not now.
Take your meds.
I would taunt you, but taunting the mentally disabled is considered bad form.
--
BMO
I am not a mother. Would that affect the chances of me getting paid, sir?
I think it's ironic that a company whose CEO has repeatedly made it clear from the start that users' data should not be kept private is claiming to improve security while they themselves have intentionally and willfully made users' private data public again and again by changing default settings and making it hard to change them back. Or has everyone already forgotten? I for one assume everything I post on Facebook is going to become completely public, including private messages. Have you ever read the permissions you grant on any application you use (I don't use FB apps because of this)?
Currently hooked on AMP
Note: never directly reply to someone you have positively identified as troll (aka feeding), especially if it's APK... there will be no reasonable discussion and he's wasting a shitload of time twisting words (everyone may spend their time as they see fit though).
I'm not even going to read all that text in reply to your posting, because I'm sure there isn't anything worthwhile in there.
The UID thing is trivial enough for everyone to see, assuming the average /.er still has a working intellect as they used to. Those actually interested usually skim through the account posting history to check if there's a rhetorical or topical connection between two accounts.
And the moderation system seems to work as expected, seeing how your initially downmodded comments are up again.
Along with some interesting revelations, the interview of James Whittaker about his book, How Google Tests Software, included some discussion about effective crowd sourcing of software. Part of his argument is that even the best test engineers are going to miss things that end users find easily, so one way to leverage this is to make it as easy as possible for end users to provide high quality bug reports. He also has a lot of interesting things to say about scaling the testing process.
Signatures are a waste of bandwi (buffering...)
Once more so it "sinks in" (drink this in and digest it): If you can't gather the meaning of words within the framework of the context they're used in, you're the problem. Incidentally, the topic here is not English grammar, you know! Writing style is pure opinion, like whose resume is better or worse. As long as the audience gets the message, that is what is most important.
Yes, the audience getting the message is the most important thing. Yes, people can get the message despite spelling and grammar. And yes (although you didn't say it) pedantry about grammar is often just snobbery about education, thinly disguised.
But none of the above dissuades me from preferring a well-written sentence.