Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt

← Back to Stories (view on slashdot.org)

Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt

Posted by Unknown on Monday September 30, 2013 @07:54PM from the gimme-more-or-ill-hack-ur-serverz dept.

Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now Security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."

96 of 138 comments (clear)

Min score:

Reason:

Sort:

So . . . by Mitchell314 · 2013-09-30 19:55 · Score: 1

What's the problem? :P

--
I read TFA and all I got was this lousy cookie
1. Re:So . . . by kthreadd · 2013-09-30 20:20 · Score: 5, Funny
  
  Have you seen the new Yahoo logo?
2. Re:So . . . by mwvdlee · 2013-09-30 20:21 · Score: 5, Funny
  
  Surely they sell a T-shirt that reads "I saved Yahoo! public embarrasement, millions of dollars in damages and all I got was this lousy T-shirt".
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
3. Re:So . . . by Anonymous Coward · 2013-09-30 20:30 · Score: 3, Funny
  
  There weren't any in XXL.
4. Re: So . . . by sonamchauhan · 2013-09-30 23:25 · Score: 1
  
  "Have you seen the new Yahoo logo?
  That's smart... see the uninspired, shallow people jumping the ship soon."
  Seriously, its a silly logo and all that jazz, but wouldn't you leave a company because it no longer the right employer? *
  * Where right_employer = (pay && boss && peers && benefits && work_conditions && commute && ! good_self_employment_prospects)
  And not because the logo was terrible?
5. Re:So . . . by squiggleslash · 2013-09-30 23:32 · Score: 4, Funny
  
  I know, at least Yahoo! didn't insult them by offering them a job at Yahoo! or something...
  
  --
  You are not alone. This is not normal. None of this is normal.
6. Re:So . . . by buchner.johannes · 2013-10-01 00:59 · Score: 4, Insightful
  
  At least Yahoo! thanked them explicitly and didn't threaten to sue them.
  
  --
  NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
7. Re:So . . . by slashmydots · 2013-10-01 01:09 · Score: 1
  
  Considering how many Yahoo accounts I know that got hacked (probably double digit percentages of all that exist), they didn't necessarily "save" them from anything. They "bailed them out of a class 5 shitstorm" maybe.
8. Re:So . . . by hairyfeet · 2013-10-01 02:38 · Score: 4, Informative
  
  The problem is that Yahoo just sent out a message to every grey hat, letting them know "if you want anything other than a T-Shirt talk to the metasploit guys" and ya know what? they will. Its not just about the money, its about respect. A t-shirt is the kind of prize you get from some DJ standing on a street corner NOT what you get for saving a company endless bad press and possible millions in pissed off users.
  Of course the real bitch isn't just the XSS, its when you mix that with an insecure browser you get a real perfect shitstorm. See my journal for what I labeled the "Yahoo porn bug" a couple years back, if you take Yahoo and ONLY Yahoo, didn't see this with either Gmail nor Live mail, and Firefox which again ONLY FF, not any of the Chromium or Webkit browsers nor Opera nor IE, put them together and what do you get? you get the ability for spammers to be able to spam entire address books without having any real access at all. They do this by using the fact that FF runs at the same permission levels as the user (which is retarded but Moz refuses to fix, Chromium had the ability to run below user permission more than 6 years ago) and with a hidden iFrame and using the FF auto login (or even just a still valid cookie) they could have access to the entire address book without having to break into the account or even send a drop of data back to themselves.
  So as I've been saying for a few years now yahoo really needs to get their shit together, its entirely too easy to use Yahoo email addresses for spamming. The same can be said of Moz, I no longer include any gecko based browsers specifically because they refuse to add low rights mode. Bad security practices are bad practices and insulting those that find bugs by giving them a lousy $12.50 t-shirt? They have made sure the next bug found by a grey hat will only be found out by Yahoo when they are getting pwned.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
9. Re:So . . . by idontgno · 2013-10-01 03:50 · Score: 1
  
  Depending on the T-shirt, the slogal might have to say "I saved Yahoo! public embarrasement and millions of dollars in damages, and all I got was a discount on this lousy T-shirt." to be perfectly accurate.
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
10. Re:So . . . by davester666 · 2013-10-01 05:46 · Score: 1
  
  No, they didn't bail them out of anything. Yahoo is in the middle of their "hey, lets recycle old user email names that haven't been logged into recently. what could go wrong?" debacle.
  
  --
  Sleep your way to a whiter smile...date a dentist!
11. Re:So . . . by datavirtue · 2013-10-01 06:25 · Score: 1
  
  Yahoo with its new zipper logo strikes me as one of those parking pages that serves lame, untargeted ads.
  
  --
  I object to power without constructive purpose. --Spock
12. Re:So . . . by gr33n_lant3rn · 2013-10-01 06:43 · Score: 3, Interesting
  
  After lurking on slashdot for the last 10 years, this post finally got me to set up an account. Woo! It's my ... well, you know. The hypothesis here is that yahoo didn't pay for the exploits, so obviously grey hats will go to the black market. Further, it's ethically justified because of the slap in the face. I think if you tell a private company that they have a security problem, and they thank you, you can pat yourself on the back. If you're doing it specifically for money, then don't spend your time on yahoo. I don't think it's ethically justified to specifically look for and sell these exploits on the black market, just because you feel morally righteous about a t-shirt. Where are your hacker ethics? Even more, you've forgotten that you have a civic responsibility. Recently, I drove past a high tension line on route 1, and noticed that one of the towers was about to fall over. I could see it from the highway, and I'm a nerd, so I'm observant. I told dominion VA power about it, and within a day, they had a crew out to fix it. It potentially saved them millions. I asked for nothing in return and got nothing. By your logic, I should sell the location of the next messed up tower to terrorists so they can destroy a chunk of the power grid. Why on earth would I want to do that? Even if I don't use power from those lines, I almost certainly have friends and family that do. Same with yahoo. Even if I don't use them, someone I know almost certainly does. Why wouldn't I want to perform a civic duty to protect them? Again, if they won't pay me, I'm not going to walk the entire length of their lines and function as a free lineman for the power company. I'm also not going to be a dick about it. I'm just going to feel good about myself.
13. Re:So . . . by gr33n_lant3rn · 2013-10-01 06:50 · Score: 1
  
  Used to posting as AC, all my formatting was lost, hence the wall of text. internet n00b in 2013 FTW?
14. Re:So . . . by HiThere · 2013-10-01 07:20 · Score: 2
  
  Put it this way:
  If folks despise a company, some who would otherwise help them will decline to, and others who would otherwise ignore them will act to harm them. Perhaps you don't think people *should* act that way, but they *do*. And I'm not at all certain that this isn't reasonable. I tend to help my friends in preference to helping strangers, and I'd be quite reluctant to help someone who had spit in my face. That I wouldn't give him a faceful of knuckles says more about my being a rather passive person than about what I think is a reasonable reaction.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
15. Re:So . . . by MysteriousPreacher · 2013-10-01 08:08 · Score: 3, Funny
  
  Recycling email addresses is a great time saver. It saved me the hassle of getting myself on spam and porn lists. If not for Yahoo's decision my grandmother would never have discovered the delights of European bestiality. It also meant I didn't have to go making accounts on other services, as I just waiting for newsletters and other mailings to come through so I could use them to reset the passwords of the prior owner.
  Top notch idea! I wish Yahoo would make a computer. I know they'd add useful features, such as the "decrypt hard drive" button on the back for those awkward moments when someone has files I really need to see.
  
  --
  -- Using the preview button since 2005
16. Re:So . . . by MysteriousPreacher · 2013-10-01 08:27 · Score: 1
  
  Used to posting as AC, all my formatting was lost, hence the wall of text. internet n00b in 2013 FTW?
  Heh heh. You just arrived from AOL?
  I get your power-line story. I agree there shouldn't be a sense of self-entitlement for doing the right thing. To continue with that story, what Yahoo did would be comparable to the electrical company swinging by your place afterwards with a voucher entitling you to pay 5 dollars to come ride in the van on their way back to the depot. Where there's no budget for a decent reward, it's better to go with either a polite thanks. Yahoo provided a reward that requires the recipient, if they wish to collect, to pay money to buy a t-shirt that few people this side of 1998 would want.
  
  --
  -- Using the preview button since 2005
17. Re:So . . . by Sun · 2013-10-01 21:04 · Score: 3, Insightful
  
  If you contacted me and reported a bug in fakeroot-ng or rsyncrypto, I'd fix it. I'd do it for free. I'll say "thank you" for reporting it.
  If you contacted me with the precise same bug, and offered to pay me $1000 to fix it, I'd take your money and fix it as soon as I could, because I believe it is okay for FOSS developers to make money from their work.
  If you contacted me and offered to pay me $10, I'd probably be offended.* If you can't afford to pay me a reasonable fee for my time, then ask me nicely to volunteer it. Do not, however, presume to pay me an unreasonable fee for it. There are things I'd happily do for free that I will simply refuse to do for a reward that is demeaning.
  Shachar
  * - If you waited for me to fix it, and then contributed $10 to my pay pal account, I'd not only say "thank you", I'd even happily tell everyone I know that someone did it. $10 makes for a lousy paycheck, but it's a perfectly reasonable donation.
18. Re:So . . . by hairyfeet · 2013-10-02 18:00 · Score: 1
  
  Its not about the money dude, you completely missed the point...its about showing respect. Do you REALLY think that 1337 check is more than those at Metasploit would pay? of course not but it shows that Google DOES appreciate the effort, its their way of saying "great job guys, thanks" and THAT COUNTS for a fricking LOT in this world.
  When yahoo gives them a fucking COUPON for a shirt they STILL have to pay part of, along with shipping and handling? Its clear the message is "We don't give a fuck about you, wouldn't have said a thing to you but marketing says that is bad form so here is a coupon for a $20 shirt we paid $3 for in China, suck on it" and THAT is the problem friend, its not the money, its the attitude. Hell they could have sent them a Galaxy tab with the Yahoo app loaded, that is...what? $399? And it still wouldn't have been insulting, a fucking coupon is a backhanded slap in the face and if I was sitting on a Yahoo bug, or tripped over one? hell I'd post it to some forum and let it run amok before i gave it to yahoo, that is just bullshit.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
This is news? by Anonymous Coward · 2013-09-30 20:02 · Score: 4, Insightful

They had many choices, simple two choices: Report bug and get $12.50, amazing yahoo was not giving them tree fidy.
They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.
1. Re:This is news? by Dexter+Herbivore · 2013-09-30 20:24 · Score: 5, Insightful
  
  They had many choices, simple two choices: Report bug and get $12.50, amazing yahoo was not giving them tree fidy. They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.
  Which is exactly why Yahoo should have paid them more. Make the choice less obvious and save themselves a lot of grief further down the line.
2. Re:This is news? by rapiddescent · 2013-09-30 20:39 · Score: 3, Insightful
  
  at my local OWASP chapter meeting some months ago, we did a show of hands about how many people had reported via the pay-for-security-bug middlemen organisations rather than contacting the vendor/website directly. About 30% put their hands up. I was quite astounded although, having been threatened legally myself when I was called in a bug found on an eComm website then I would no longer go directly to the owner of the system unless I had a contract in place already. The money is apparently quite good; so long as you don't care who is using the bug...
3. Re:This is news? by Joining+Yet+Again · 2013-09-30 21:00 · Score: 3, Insightful
  
  Oh, for fuck's sake, this argument is just awful. "Well, people SHOULD pay protection money, because otherwise anyone with enough strength might break their legs."
  This is mafia reasoning, and it's shameful that geeks are increasingly engaging in this sort of argument.
  Guess what? I can also break into most people's houses and nick their stuff without getting caught. They have ground floor windows, old doors, &c. That doesn't mean they owe me anything for NOT doing that, nor for sending them unsolicited notices that it would be easy to take their stuff. Indeed, English law at least is comfortable with the idea that you never owe anything for unsolicited work, even if it's beneficial. No one was making these "hackers" do the work - they were either bored or wanted the notoriety.
4. Re:This is news? by Anonymous Coward · 2013-09-30 22:38 · Score: 1
  
  Oh, for fuck's sake, this argument is just awful. "Well, people SHOULD pay protection money, because otherwise anyone with enough strength might break their legs."
  Actually, companies SHOULD pay for proper security, be it their own staff, contractors or "independent" security researchers. Since nothing ever happens to these companies WHEN they expose customer information WHEN they get hacked I have no sympathy for them at all. If you act irresponsibly then you don't get to cry about the results.
5. Re:This is news? by Joining+Yet+Again · 2013-09-30 22:53 · Score: 2
  
  I'm not sure what cognitive fault causes people to blame the victim, but it seems like a common thought process.
  Yes, companies should take more care with data (or, more widely, people should stop putting their data in the hands of random private businesses).
  No, that doesn't mean it's their fault when someone malicious takes the data.
  No, protection money is never an acceptable demand.
6. Re:This is news? by Maxo-Texas · 2013-09-30 22:58 · Score: 1
  
  http://news.yahoo.com/yahoo-ceo-ranked-2nd-companys-2012-pay-scale-001129756.html
  Regulatory documents filed Tuesday revealed that Mayer received a pay package valued at $36.6 million last year. Most of the compensation consisted of stock awards that Mayer got in July when she ended a 13-year stint as a top Google executive to become Yahoo's CEO.
  Most of the components of Mayer's pay had been previously disclosed.
  It wasn't previously known that Mayer ranked second on Yahoo Inc.'s pay scale last year.
  Henrique de Castro, another former Google Inc. executive who became Yahoo's chief operating officer in November, eclipsed Mayer with a compensation package valued at $39.2 million.
  
  --
  She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
7. Re:This is news? by chaboud · 2013-09-30 23:04 · Score: 5, Insightful
  
  There is no cognitive fault, but instead, a conditioned, and, frankly, dangerous, view of software as protected by legal remedy. This idea has left us with shit software supported by careless organizations propagating paper-thin security already compromised by rafts of governments. A network is a dangerous place, and software and hardware should treat networks like the wild west when it comes to privacy/security.
  On your other point, regarding "protection money," the reasoning is rather simple. People respond to incentives. If hackers have little to no financial reason to disclose a vulnerability to Yahoo, some may be motivated to find other ways to monetize their efforts. Forget legality/morality for a second and just think about incentives. What Yahoo is doing is removing their incentive for responsible disclosure. By providing a T-Shirt voucher, they're probably incentivizing attack by otherwise disinterested parties, just for the middle-finger of it all.
8. Re:This is news? by AmiMoJo · 2013-09-30 23:40 · Score: 4, Insightful
  
  I see it differently. In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service.
  The internet doesn't have cops, but it does have criminals. Fortunately there are good guys who are willing to report flaws when they see them. Unfortunately many companies react to this helpful advice by threatening to sue or even trying to have the white hat arrested. Bug bounties make it clear that the company sees reporting as a valuable service and intends to act swiftly on reported problems.
  Bug bounties also encourage people to look for issues from the outside, which is apparently quite valuable since the people on the inside seem to miss them quite often.
  Companies should pay bug bounties when the issue is security, not as a kind of protection money but as a way of saying they take security seriously and wish to reward those who help them with it.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
9. Re:This is news? by Joining+Yet+Again · 2013-10-01 00:00 · Score: 1, Insightful
  
  Forget legality/morality for a second
  No, that's an awful idea.
  
  and just think about incentives.
  My incentive is that I build a better society through responsible disclosure. Morality helps me reach that conclusion.
10. Re:This is news? by Joining+Yet+Again · 2013-10-01 00:06 · Score: 1
  
  The internet doesn't have cops
  Erm, yes it does. Law enforcement are as aware of the Internet as anything else. Perhaps they misallocate resources, and perhaps that's what you need to concentrate on fixing.
  
  Unfortunately many companies react to this helpful advice by threatening to sue or even trying to have the white hat arrested.
  
  Anonymous reporting is easy. If you attach your name to a public report then you're really using the threat of crime for personal profit. Try not to think about it from the PoV of the ego of the hacker.
  
  Companies should pay bug bounties when the issue is security
  They're welcome to offer them, although it's really more a PR thing "We're already so secure that we only expect to pay out a small amount from this fund." It's not really a significant method of fixing bugs in your product.
11. Re:This is news? by Sockatume · 2013-10-01 00:24 · Score: 5, Insightful
  
  Or paid them nothing. A small material reward is often more insulting than no reward but having done the right thing.
  
  --
  No kidding!!! What do you say at this point?
12. Re:This is news? by TheRealMindChild · 2013-10-01 00:28 · Score: 1
  
  Part of their job is to offer advice and even survey your home for ways that criminals might break in.
  
  No, sir. Their job is to collect evidence of a crime. Their job is not to protect and serve. Their job is to send the bad guys to jail
  
  --
  
  "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
13. Re:This is news? by Lumpy · 2013-10-01 00:49 · Score: 2, Informative
  
  "I see it differently. In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service."
  What utopia is that that you live in? Because here in the USA they do not do this at all. The police advice to me is, "do not own a weapon, in the case of a home invasion hide under your bed and call the police. Do not fortify your doors and windows as that is a crime."
  Yes, Fortification of doors and windows in the USA is a CRIME. It makes it harder for cops to raid your home if they need to.
  
  --
  Do not look at laser with remaining good eye.
14. Re:This is news? by Wycliffe · 2013-10-01 01:05 · Score: 1
  
  >
  > In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service.
  >
  Where are you located? I've never heard of public cops giving home inspections. I've had ADT,etc... give advice (i.e. try to sell me stuff)
  and I've even had landscapers give advice (again, try to sell me on work), but I've never heard of public cops giving home audits.
  The only home audits I've heard of in the USA are energy audits which are sometimes free to some people if they are low income or live
  in certain areas. The only advice I've even seen from cops, etc... are signs or announcements that state things like "lock your car doors,
  don't leave valuables in plain sight" Other than possibly getting off-the-cuff recommendations AFTER a break-in occurs where have you
  heard of cops doing surveys and giving advice on how to prevent breakins.
15. Re:This is news? by Capt.Albatross · 2013-10-01 01:12 · Score: 1
  
  Oh, for fuck's sake, this argument is just awful. "Well, people SHOULD pay protection money, because otherwise anyone with enough strength might break their legs."
  You must be a philosopher, because your analysis, and the course of action that you derive from it, is only valid in a possible world that we don't live in. In the real world, society incurs expenses all the time to protect itself from malicious parties. Last time I bought a car, they were still putting locks on them. If you want to get worked up over this, you should start with the defense budget of the nation you live in.
16. Re:This is news? by TrollheartBlue · 2013-10-01 02:20 · Score: 1
  
  My incentive is that I build a better society through responsible disclosure. Morality helps me reach that conclusion.
  That's you though with your morality. There are plenty of skilled people out there who don't care about building a better society or who have different moralities. There is no one "right" morality. I think your fallacy is believing that you hold a universal world view.
  
  --
  Hey, look at me! My opinion is valid because I found a website that says the same thing.
17. Re:This is news? by war4peace · 2013-10-01 02:36 · Score: 2
  
  Think of it from another angle.
  The money incentive is good enough of a reason to start researching. It's a matter of choice. between companies A, B and C, where A definitely offers a reward, B "might" offer you something crappy and C gives you the finger or even worse, sues you, WHAT would you choose? It's equally moral to research for all the above companies, and equally moral to provide them the results; I agree with that. But then, once the moral equality exists, you look at other parts of the deal, and pick the best one.
  THAT is where Yahoo loses.
  
  --
  ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
18. Re:This is news? by Anonymous Coward · 2013-10-01 02:55 · Score: 1
  
  Yahoo has ensured that the next time someone finds a vulnerability in their webpage, it will go up for sale only to criminal organizations. You can argue until you're blue in the face about what should be, but that doesn't have an impact on what is.
19. Re:This is news? by CODiNE · 2013-10-01 03:00 · Score: 4, Insightful
  
  When a diner doesn't leave a tip the waiter can reason "Maybe they forgot".
  Now when the diner leaves a nickel on the table....
  
  --
  Cwm, fjord-bank glyphs vext quiz
20. Re:This is news? by 6Yankee · 2013-10-01 03:00 · Score: 4, Insightful
  
  Absolutely.
  When I worked in McJail, the grease trap exploded on one of my night shifts. BLAM! Couldn't use the sinks, and (once it had all rained back down from the ceiling and flowed down the walls) the back-room was ankle deep in nasty. In order to get the place ship-shape for the morning, I took all the dirty equipment to the local gas station and jet-washed it on my own dime, after rolling in the grease trying to unblock the pipe with my bare hands. While the other two put the rest of the store in order and went home, I was still there three hours after the end of my shift, cleaning up the mess as fast as it could drip from my body.
  The store manager gave me a warm and heart-felt thank-you, although she had the good sense to refrain from shaking my hand. Then she gave me a present. It was the free plastic pen that the plumber had given her.
  From there on in, every time I was tempted to go above and beyond the call of duty, I thought of that pen. That was ten years ago, and I still have it somewhere as a reminder.
21. Re:This is news? by Joining+Yet+Again · 2013-10-01 03:29 · Score: 1
  
  There are plenty of skilled people out there who don't care about building a better society or who have different moralities.
  
  And they must be dealt with, not pandered to.
22. Re:This is news? by Joining+Yet+Again · 2013-10-01 03:48 · Score: 1
  
  Just because you're a cunt, it doesn't mean everyone who finds a vulnerability is.
23. Re:This is news? by Lumpy · 2013-10-01 03:53 · Score: 1
  
  Okalahoma, Michigan, Wisconsin, Illinois all have laws on the books to make home fortification illegal. I am certain there are more out there.
  
  --
  Do not look at laser with remaining good eye.
24. Re:This is news? by Anonymous Coward · 2013-10-01 03:56 · Score: 1
  
  Wow you were quite the sucker at the time. It's a shame that we all need go learn the lesson that on average corporations and management don't really care about us. You're just another brick in the wall.
25. Re:This is news? by Joining+Yet+Again · 2013-10-01 04:01 · Score: 1
  
  Erm, bounties aren't a good reason to start security research. "Bounty hunting" is in a primitive form of compensation which is usually supplanted by more stable, reliable arrangements for all parties.
  If you're good at that sort of thing, you get a perm job, being paid the money Yahoo would allocate to employees rather than PR exercises.
  I mean I think Yahoo has been pointless since before the turn of the millennium, but that's another matter...
26. Re:This is news? by Joining+Yet+Again · 2013-10-01 04:05 · Score: 1
  
  The guy who merely tells you is not a racketeer.
  The guy who threatens to commit a crime against you if you don't pay him money IS a racketeer.
27. Re:This is news? by MickLinux · 2013-10-01 04:41 · Score: 1
  
  Quote from Farmer Boy (Laura Ingalls Wilder): "Keep you nickle; I can't make change."
  
  --
  Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
28. Re:This is news? by war4peace · 2013-10-01 05:10 · Score: 1
  
  Erm, bounties aren't a good reason to start security research
  No, they're a good reason to pick which one to research, out of many options otherwise equal.
  It's like this: I have a lawn mower, and in front of me there are three houses which need mowing. Should I pick the one where the owner gives me 10 bucks, the one where he gives me a "thanks" or the one where the guy chases me down the road with a shotgun, shooting salt pellets at my ass?
  
  If you're good at that sort of thing, you get a perm job, being paid the money Yahoo would allocate to employees rather than PR exercises.
  That's outside the scope of the conversation. Maybe you already have that job and are doing extra stuff for fun. Fun is in all cases, but the extra small cash you make is the glazing on the cake. Or you could go banzai and pick the company which would sue you. Living on the edge is the thing for some people.
  
  --
  ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
29. Re:This is news? by ToddInSF · 2013-10-01 06:05 · Score: 1
  
  I'd like to see hackers go after Yahoo's CEO and board members. Embarass them all. Get them all fired.
  
  As a matter of fact, I'd like to see this done to many corporations. It's really the last avenue free people have in our new tech totalitarian corporatogovernment fascism.
30. Re:This is news? by ancientt · 2013-10-01 06:42 · Score: 1
  
  Sure, let me know how that works out for you.
  Meanwhile there will be many, many people who are getting away with doing bad things because they are smart enough to figure out how to and hard enough to catch that they can get away with it for a long time, maybe forever.
  And your morality is what fuels some of them, at least the "build a better society" part. See the thing is that security vulnerabilities need to be exploited in both high and low profile companies in order for those and other companies like them to spend effort and money on security. The very thing that you believe is good for society would be ignored or even punished if it weren't for the very real threat that is posed by people who exploit the vulnerabilities. You may think they're immoral or amoral for doing it but they're providing a very valuable service to society even as they harm it.
  You know what makes a strong immune system? Exposure to germs. Guess what makes a strong internet society?
  
  --
  B) Eliminate all the stupid users. This is frowned upon by society.
31. Re:This is news? by HiThere · 2013-10-01 07:29 · Score: 1
  
  No, as P.T.Barnum is supposed to have said "There's a sucker born every minute."
  And it doesn't take "everyone who finds a vulnerability". It just takes one, as long as the others aren't motivated to report it "responsibly". (I wouldn't bother to report it if after the bother of dealing with lots of idiots and paperwork, the only reward was $13 off and advertisement for the company I was trying to help. And that's what they offered. I bet they still make a profit if the t-shirt is sold.)
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
32. Re:This is news? by HiThere · 2013-10-01 07:37 · Score: 1
  
  Actually, their job is to protect the government. To do this they are allowed to enforce the laws, and several other things. This is basically PR and economics. (A safe environment is generally more profitable, which means it pays more taxes.) And if they observe a major crime (felony) they are supposed to try to arrest the perpetrator. Misdeameanors are optional. They can arrest, or warn, or even ignore.
  And I'm talking about honest cops. There are all to many who don't measure up to that. And the "honest cops" protect them. Also remember that nobody chooses to become a cop who doesn't want to exercise authority (which may be either a good or a bad thing).
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
33. Re:This is news? by VortexCortex · 2013-10-01 08:03 · Score: 3, Insightful
  
  Worse than a nickel... They left vouchers for Tee-shirts advertising their shitty website -- Folks for advertizing, so it was actually a negative tip.
34. Re:This is news? by psithurism · 2013-10-01 08:28 · Score: 1
  
  The internet doesn't have cops
  Erm, yes it does. Law enforcement are as aware of the Internet as anything else. Perhaps they misallocate resources, and perhaps that's what you need to concentrate on fixing.
  Yes, to a degree, but no matter how well funded and technically capable law enforcement is, try going down to the local police station and get them to care that somebody set up a XSS attack on your web sight and the script in question seems to be located in eastern Europe, but you think the original attacker may be somewhere in south-east Asia and they've used some of your costumer accounts to send some spam email.
  
  Anonymous reporting is easy....
  Agreed, but I don't see why it should be a necessity. Though starting a bug report with "I am symbol that this internet needs; I am the darkness in the lines; I am internet batman!!!!" sounds really cool now that I think about it. Non-anonymous reporting is easier, and it should allow their security to get details they would not otherwise been able to get and there's nothing wrong with enjoying a thank you.
  
  [bug bounties are] not really a significant method of fixing bugs in your product
  They are a good method though. More often than not the handful of developers who put together some portion of your sight, no matter how security conscious they were, missed a couple things that the thousands of technical users might be able to see. I think you ought to try to reward (or at least not threaten) those that bring the ideas to your attention especially if the problem was big. I don't really see any other way to get that many security conscious eyes on your code with the intent of fixing it.
35. Re:This is news? by MysteriousPreacher · 2013-10-01 08:57 · Score: 1
  
  I'm not sure what cognitive fault causes people to blame the victim, but it seems like a common thought process.
  It's a disturbingly common thought process that is most disturbingly used in sex-related instances, such as unplanned pregnancy and sexual assault.
  People don't want to accept that bad things can happen pretty randomly to good and well prepared people, so it's more comforting to assume the just world hypothesis. People get what they deserve, and as I'm a good person I'll surely be safer.
  
  --
  -- Using the preview button since 2005
36. Re:This is news? by someSnarkyBastard · 2013-10-01 09:50 · Score: 1
  
  Do you have any proof whatsoever that the security researchers in question made such demands?
  No?
  Then lay off the ad hominums and red herrings.
37. Re:This is news? by Joining+Yet+Again · 2013-10-01 10:09 · Score: 1
  
  Meanwhile there will be many, many people who are getting away with doing bad things because they are smart enough to figure out how to and hard enough to catch that they can get away with it for a long time, maybe forever.
  Yup: murderers, rapists, robbers, fraudsters... why do we bother with all these laws when some smart enough people will get away with each of these crimes.
  
  The very thing that you believe is good for society would be ignored or even punished if it weren't for the very real threat that is posed by people who exploit the vulnerabilities. You may think they're immoral or amoral for doing it but they're providing a very valuable service to society even as they harm it.
  It wouldn't be a threat if there weren't people who wanted to exploit vulnerabilities. Circular argument, sigh.
  
  You know what makes a strong immune system? Exposure to germs. Guess what makes a strong internet society?
  You know what germs aren't? Human. Stop reducing humans to factors in a flawed model.
  (And I say have to that repeatedly as a mathematician who has to put up with dumb economists.)
38. Re: This is news? by Anonymous Coward · 2013-10-01 11:38 · Score: 1
  
  I think you learned a highly valuable lesson in only one "wasted" night of effort, one that takes other much less fortunate people a lifetime to learn with far, far greater disappointment on top at the end as well. If someone pays you $12/h they deserve no more than $12 worth. If someone pays you $150,000 p.a they naturally deserve reasonable reciprocation, but unless you get a reasonable cut of the profits or own the business .. always feel for that pen of yours in the pocket and consider if you are getting a reasonable return on that investment in time and energy you are about to make.
  I once sat across an employer who told me "Hey, it is your company as well!".. I was sorely tempted to ask him how many shares I own.
39. Re:This is news? by Joining+Yet+Again · 2013-10-01 20:35 · Score: 1
  
  I'm railing against the idiot commenters who believe that such threats - overt or veiled - are a valid way to go about business.
40. Re:This is news? by Joining+Yet+Again · 2013-10-01 20:37 · Score: 1
  
  Well summarised.
41. Re:This is news? by Sun · 2013-10-01 22:21 · Score: 1
  
  There are more ways to pay for vulnerability data than just money.
  I was once the in-company contact point for those matters at Check Point. Check Point did not (I'm not sure whether they do today) offer bounties or any other monetary rewards. That was okay, because that was a well advertised policy.
  I tried to make really really sure that whenever a researcher reported a vulnerability, they would get the only payment I could give - credit. Once someone reported a buffer overrun, and agreed to hold off publishing until we fix it (about a month). During that month, someone else came forward directly to the mailing lists with the precise same bug (hard to believe it was a coincidence). Luckily, we were about ready with the release, so it did not remain unpatched for long.
  I made sure that on the official announcement, the proper credit be given.
  If you report a vulnerability to a company, and they don't show any signs of fixing it, threaten to sue you, or simply show disrespect, your moral incentives to help that company and its users go down. Depending on who you are, that might not mean you'd start selling vulnerabilities, but it is definitely a disincentive.
  Shachar
42. Re:This is news? by ancientt · 2013-10-01 23:03 · Score: 1
  
  Yup: murderers, rapists, robbers, fraudsters... why do we bother with all these laws when some smart enough people will get away with each of these crimes.
  I don't suggest that people shouldn't be prosecuted when caught or that nobody should bother trying to catch them, I just expect you to be aware that with the internet, there is a far lower chance of getting caught and prosecution has very little deterrent effect. I'm not trying to say "don't bother" so much as "it obviously isn't working very well."
  
  It wouldn't be a threat if there weren't people who wanted to exploit vulnerabilities. Circular argument, sigh.
  There are plenty of examples of companies that have done stupid things like putting customer information in a URL they didn't expect people to stumble onto. Bad security practices cause problems that go beyond "someone really clever might find a buffer overflow." If there weren't people who actually seek to exploit the vulnerabilities, there would be a lot more companies with terrible security practices and there would be a lot more accidental personal data breaches. It isn't circular, but obviously I needed to be clearer.
  
  You know what makes a strong immune system? Exposure to germs. Guess what makes a strong internet society?
  You know what germs aren't? Human. Stop reducing humans to factors in a flawed model.
  An internet society is made up of computers and people. It is a complex mix and a model would need to be complex to represent it accurately. This however, is an analogy, and the analogy is solid.
  
  --
  B) Eliminate all the stupid users. This is frowned upon by society.
43. Re:This is news? by AmiMoJo · 2013-10-02 00:04 · Score: 1
  
  That's why the US is a shitty hell hole where you have to own a gun just to live in some kind of relative safety where you are still far more likely to be murdered than anywhere in western Europe. Apparently it's a police state too.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
44. Re:This is news? by shtolcers · 2013-10-02 00:11 · Score: 1
  
  We are talking about major company with lots of clients here. There shouldn't be big (or any at all) reward for finding holes in systems, owned by small companies with few clients. Analogically - there should be big rewards, if someone pointed out that e.g. bank has some physically weak spot underneath the building or some liquidity problems, that will definitely lead to bankruptcy. It is relevant how many people will be affected and how bad consequences will be.
45. Re:This is news? by MysteriousPreacher · 2013-10-02 02:34 · Score: 1
  
  Cheers, sir/madam.
  
  --
  -- Using the preview button since 2005
Why do people still do this anymore? by Anonymous Coward · 2013-09-30 20:02 · Score: 1

Don't you know that security vulnerabilities go into the NSA arsenal before they are fixed? Why do you still do "responsible disclosure"? Why do you work with the vendors at all? Security vulnerabilities are valuable, but you're propping up a corrupt system and get only peanuts in return, if anything. The NSA does not have moral hangups about their war on the internet. They use what you give them to undermine any and all security protocols. The only problem that companies like Yahoo have with cooperating is when they're found out. They have no shame, only interests.
1. Re: Why do people still do this anymore? by cripkd · 2013-09-30 20:24 · Score: 1
  
  And the solution is?
  No, really, aside words an speaches made as if you're wearing a V mask.
  
  --
  Curiously yours, crip.
2. Re: Why do people still do this anymore? by Anonymous Coward · 2013-09-30 20:25 · Score: 1, Insightful
  
  Sell them.
3. Re: Why do people still do this anymore? by Anonymous Coward · 2013-09-30 20:40 · Score: 1
  
  In which case the buyer might just be a straw man for the NSA.
  So your choice basically is: Tell the company and risk that the NSA gets it as well, or sell it and risk that only the NSA gets it. Now, which one is more responsible?
4. Re:Why do people still do this anymore? by Anonymous Coward · 2013-09-30 21:24 · Score: 3, Informative
  
  Which part of "Forty-eight hours later, Yahoo had patched all of the vulnerabilities" did you miss?
  If you want to object here, then get that tinfoil hat straight and get some sharper Occam's razor.
  Seriously, if you think "bug reported to Yahoo -> NSA demands it from Yahoo -> NSA quickly uses it to hack Yahoo's accounts in 2 days -> Yahoo patches it" is realistic, then you should realize that "NSA demands access to Yahoo accounts -> NSA leisurely browses through all Yahoo accounts they want" would be much more plausible.
  FFS, learn the fucking difference between software on your PC and web services at least. In the latter case, govt spooks won't need any vulnerabilities if it comes to that - they can just come with a subpoena/NSL/whatever.
5. Re: Why do people still do this anymore? by cripkd · 2013-09-30 21:29 · Score: 1
  
  How does that fix the problem? That's what solution means.
  
  --
  Curiously yours, crip.
6. Re: Why do people still do this anymore? by chaboud · 2013-09-30 23:05 · Score: 1
  
  Well, you still have it. It's a vulnerability, not a teddy bear.
They must have an exclusive store by viperidaenz · 2013-09-30 20:07 · Score: 5, Funny

With the tshirt that says "I found a vulnerability and all I got was this lousy T-Shirt"
1. Re:They must have an exclusive store by Anonymous Coward · 2013-09-30 20:27 · Score: 1
  
  With the tshirt that says "I found a vulnerability and all I got was this lousy T-Shirt"
  Or a T-shirt which says "I found a bug and all I got was this lousy mug".
2. Re:They must have an exclusive store by antifoidulus · 2013-09-30 20:59 · Score: 3, Interesting
  
  Considering the ROI on security bug bounties, they really should have one that just has a Yahoo! logo and the text "I'm with stupid"
  
  --
  Monstar L
3. Re:They must have an exclusive store by Reibisch · 2013-10-01 00:01 · Score: 1
  
  They'll also send a W2.
Better idea by atari2600a · 2013-09-30 20:28 · Score: 1

Why not half of what an exploit like that could cost on the black market, because that's how much it'll cost to even begin to look like anyone will pay attention to their 'bug bounty program'.
Better than Microsoft (rember this story?) by Anonymous Coward · 2013-09-30 20:49 · Score: 3, Interesting

When Microsoft lost their Hotmail domain name, some guy snatched it and kindly returned it to Microsoft because he thought it was the right thing to do, to protect Microsoft from their stupidity. Well, Microsoft sent him a personal thank you note and that was all. Yep, the guy could have legally resold the domain for like a billion dollars (wouldn't be the first time.. ahem, live.com) and gotten away with it. All he got was a lousy certificate of gratitude.
1. Re:Better than Microsoft (rember this story?) by Anonymous Coward · 2013-09-30 23:44 · Score: 3, Informative
  
  You mean this guy who got a cheque for $500 and a bunch of software for a problem that took him 2 minutes and $35 to address?
2. Re:Better than Microsoft (rember this story?) by sl4shd0rk · 2013-10-01 01:32 · Score: 1
  
  All he got was a lousy certificate of gratitude.
  Maybe all the people using hotmail could pony-up $2.00 for the guy. After all, they are the ones who would really be affected should the domain be sold.
  
  --
  Join the Slashcott! Feb 10 thru Feb 17!
3. Re:Better than Microsoft (rember this story?) by antdude · 2013-10-01 09:37 · Score: 1
  
  If he kept the domain, then MS would have sued him.
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Not bad by Anonymous Coward · 2013-09-30 20:53 · Score: 5, Funny

C'mon. This is WAY better than the Standard Operation Practice: suing them into the ground.
We're moving forward, it seems.
That seems fine by HalAtWork · 2013-09-30 21:05 · Score: 1

There was no expectation in the beginning except to get the problem solved, and that's what happened. Do you want them to hold the vulnerabilities for ransom or something? Maybe in the future some good samaritan will help you out with one of your problems too. Think of all the users you have helped out as well.

--
Twinstiq, game news
1. Re:That seems fine by mysidia · 2013-10-01 00:00 · Score: 1
  
  There was no expectation in the beginning except to get the problem solved, and that's what happened. Do you want them to hold the vulnerabilities for ransom or something?
  Well... they didn't have to hold them for ransom; they could very well have taken the vulnerability to various dark spots on the internet and marketed it. I imagine, they could easily get a few hundred K selling a vulnerability like that on the open market.
2. Re:That seems fine by Gavagai80 · 2013-10-01 00:33 · Score: 1
  
  You could make a lot of money auctioning information about all your neighbors and their valuables and schedules to local burglars too.
  
  --
  This space intentionally left blank
3. Re:That seems fine by Gibgezr · 2013-10-01 04:11 · Score: 1
  
  Could you point me towards more information on this? I like the sound of this "sell out my neighbours on ebay" plan. Not all my neighbours, mind you, just one in particular.
4. Re:That seems fine by VortexCortex · 2013-10-01 07:56 · Score: 1
  
  Could you point me towards more information on this? I like the sound of this "sell out my neighbours on ebay" plan. Not all my neighbours, mind you, just one in particular.
  Well, we like to be discrete so we do these exchanges in person, you see. So, I'll just need your address to get started. Oh, and I'm afraid I have terrible pet-dander allergies. Have you any bunnies, doggies, kitties, or other pets? The schedule's a bit busy this time of year (pre-Christmas rush), so what times are you available in the evenings for us to meet?
Re:So, where's the screwup? by Captain+Hook · 2013-09-30 22:26 · Score: 1

Yahoo, however, has a monopoly as the only interested party ..... I'd suggest finding a shady Russian bar and explain that you have services to offer
But that is the whole point, Yahoo hasn't got a monopoly because they aren't the only interested party.

Next time, the researchers (not just these guys, but researchers in general) are going to ask why they should give Yahoo first bid when they know it's going to lead to nothing but an insult for their efforts.

--
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
Motivation by Anonymous Coward · 2013-09-30 22:32 · Score: 1

I think Yahoo acted correctly in this case. I think paying people to much for bugs will distort the security landscape. The reason is security is an issue about the common good. No vulnerability is good... even if it is in your competitors products. We should have a culture of assisting with security issues without expecting money for it.
What will we have? People selling vulnerabilities to the highest bidder which is socially acceptable? Note that the word here is social, NOT commercial.
Of course security researches needs to get paid... but I think there are other ways that will be more effective and more thorough. Grants to universities for security research, dedicated employees/teams focusing on security and possibly even government/industry bodies funded by tax and/or membership fees. And focus on security where the impact is the biggest... not which get the most headlines....
1. Re:Motivation by HiThere · 2013-10-01 07:55 · Score: 1
  
  No. White hat hackers will just generall ignore Yahoo. What Yahoo will get is various shades from darkish grey to black, and the shades of grey will have just gotten a bit darker.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
It's not Yahoo's work. by Anonymous Coward · 2013-10-01 00:32 · Score: 1

Why do you think that if someone finds a vulnerability in Yahoo's stuff their efforts now belong to Yahoo? What if the person just doesn't want to give it to Yahoo? Do you think that their work should be taken from them summarily? Maybe in the future, only those willing and able to sell the vulnerability to scammers and criminals will be the ones looking because the others had to find some other work that pays bills.
Better to give nothing by istartedi · 2013-10-01 02:25 · Score: 2

Wow. That's all kind of fail. It would be better for Yahoo to state as a matter of policy that they don't pay bounties. You might disagree with that; but at least you'd respect it. What they did instead is the equivalent of leaving a nickel tip at a restaurant. Giving nothing makes you look cheap, careless or unaware of tipping customs. Giving the nickel says, "yes, I know I should tip, here's what I think you're worth".

--
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Re:Quit whining. by Provocateur · 2013-10-01 03:20 · Score: 2

The vouchers are traceable. The REAL reward is coming AFTER the winner or researcher tries to claim it or use it at the store. Supply your own ending e.g. Congratulations, here's your new office...

--
WARNING: Smartphones have side effects--most of them undocumented.
Re:Where does it say... by HiThere · 2013-10-01 07:49 · Score: 1

It sure doesn't need to be an insult. A $13 voucher that can only be spent to advertise the company...that's an insult.

--

I think we've pushed this "anyone can grow up to be president" thing too far.
How sneaky by Tetetrasaurus · 2013-10-01 11:04 · Score: 1

That's quite a blatant yet sneaky way to get these blokes' addresses and credit card infos -- tshirt+shipping is likely over $12.50. Know thine whitehat.
Alternative? by cwsumner · 2013-10-02 06:04 · Score: 1

A T-shirt or something...
Hey! It's better than getting sued!
(As has happened before.)