Slashdot Mirror


Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"

mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."
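The summary describes the classic XML external entity (XXE) pattern: the relying party fetched a discovery document from a provider URL the researcher controlled and let its XML parser expand an entity pointing at a local file. The following is an added illustration, not Facebook's code, of how an OpenID consumer can parse such a document fail-closed; both XRDS documents and the op.example.net endpoint are constructed samples.

```python
"""Fail-closed parsing of XML fetched from an untrusted OpenID/XRDS endpoint.

Added illustration only. The discovery documents below are constructed
samples, not captured traffic, and op.example.net is a placeholder.
"""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use DTD or entity features."""


def parse_service_uris(data: bytes) -> list:
    """Return the text of every <URI> element in an XRDS-style document.

    The input is treated as hostile: any DOCTYPE, entity declaration or
    external entity reference aborts parsing with UnsafeXML instead of being
    resolved, so a SYSTEM entity naming a local file is never expanded into
    the result. Rejecting DOCTYPE outright also blocks entity-expansion
    denial of service, and discovery XML has no legitimate need for a DTD.
    """
    parser = expat.ParserCreate()
    # Never read parameter entities, even if a DTD somehow slipped through.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE %r not allowed in discovery XML" % name)

    def refuse_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML("entity declaration %r not allowed" % name)

    def refuse_external(context, base, sysid, pubid):
        # Returning 0 makes expat stop with an error rather than fetch sysid.
        return 0

    uris, stack, buf = [], [], []

    def start(name, attrs):
        stack.append(name.rsplit(":", 1)[-1])  # strip any namespace prefix
        buf.clear()

    def chars(text):
        buf.append(text)

    def end(name):
        if stack.pop() == "URI":
            uris.append("".join(buf).strip())
        buf.clear()

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return uris


# Constructed sample: a benign XRDS discovery document.
SAFE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.net/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample of the hostile shape the story describes: a DOCTYPE that
# declares an external entity and invites the consumer's parser to expand it.
HOSTILE_XRDS = b"""<?xml version="1.0"?>
<!DOCTYPE XRDS [ <!ENTITY leak SYSTEM "file:///etc/passwd"> ]>
<XRDS><XRD><Service><URI>&leak;</URI></Service></XRD></XRDS>"""


if __name__ == "__main__":
    print("benign document ->", parse_service_uris(SAFE_XRDS))
    try:
        parse_service_uris(HOSTILE_XRDS)
    except UnsafeXML as exc:
        print("hostile document rejected:", exc)
```

The same handler set works for any other XML the consumer accepts from a peer it did not choose, such as Yadis or XRI responses.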

111 comments

  1. Wow by Anonymous Coward · · Score: 5, Insightful

    Stingy reward. That would have fetched quite a bit more on the black/open market.

    1. Re:Wow by jovius · · Score: 1

      Maybe he also sold on the black market. The data and its structure itself may be interesting.

    2. Re:Wow by Anonymous Coward · · Score: 0

      Depends on the risk/reward analysis. Would you take a "double your lottery win or go to prison for 3 years" gamble? I wouldn't.

    3. Re:Wow by nhat11 · · Score: 1

      Hey stealing from a bank or selling drugs is profitable too you know.

    4. Re:Wow by Wootery · · Score: 1

      Granted, but the analogy only works if we assume that he found drugs/a bank in his bedroom.

      To make money dealing drugs/breaking into banks, one has to go out and buy drugs/break into banks. In this case, Reginaldo Silva (why his name isn't mentioned anywhere in the summary, or indeed the comments, I don't know) found the weakness, and was only then faced with the choice.

      Ultimately of course you're right. Doubtless one can often make more money by breaking the law. Nothing new there. Still though, there's an argument that it would make good sense for Facebook to up the reward money.

    5. Re:Wow by blackicye · · Score: 1

      Depends on the risk/reward analysis. Would you take a "double your lottery win or go to prison for 3 years" gamble? I wouldn't.

      I think your estimate for the black market price of an exploit of this type might be way, way too low.

  2. Crime does pay by TheNastyInThePasty · · Score: 2

    $33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

    --
    The best thing about UDP jokes is I don't care if you get them or not
    1. Re:Crime does pay by sandytaru · · Score: 5, Insightful

      Yes, but now he's got a couple of white hat security firms considering offering him more than whatever he's making now, without the risk of jail time to boot.

      --
      Occasionally living proof of the Ballmer peak.
    2. Re:Crime does pay by Anonymous Coward · · Score: 0

      Why choose? He could have sold the sploit on the black market (taking the usual precautions to hide his identity) AND gone to facebook.

    3. Re:Crime does pay by Anonymous Coward · · Score: 0

      One can go on your resume... the other, not so much.

    4. Re:Crime does pay by bobbied · · Score: 3, Funny

      Who says he didn't sell it twice? Of course the black market might put a hit on him for it if they had enough bitcoin...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    5. Re:Crime does pay by sl4shd0rk · · Score: 0

      without the risk of jail time to boot.

      That's no guarantee that the next cracker reporting an exploit will be treated the same way. Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears. If you make more noise about it, you'll most likely end up labeled with some malicious tag that the courts love to use to prosecute helpful people for putting a company in a bad light for their lax security.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    6. Re:Crime does pay by Xacid · · Score: 1

      And this is why we can't have nice things.

    7. Re:Crime does pay by kasperd · · Score: 1

      Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears. If you make more noise about it, you'll most likely end up labeled with some malicious tag that the courts love to use to prosecute helpful people for putting a company in a bad light for their lax security.

      This has indeed happened multiple times in the past. But none of the cases I know of were from a company, which was offering a bug-bounty. Has any company made such a dirty move after publicly announcing a bug-bounty program?

      --
      Do you care about the security of your wireless mouse?
    8. Re:Crime does pay by CastrTroy · · Score: 2

      I don't know if anybody has been taken to court, but it's not guaranteed that the company with the bug bounty program will pay out. If you want something specific, here's an example involving Facebook.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    9. Re:Crime does pay by vux984 · · Score: 5, Insightful

      $33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

      How is it a problem?

      It's a fact of life that we are daily confronted with the choice to do the right thing and the choice to screw someone over for money.

      My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

      Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

      I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

    10. Re:Crime does pay by HoldmyCauls · · Score: 4, Insightful

      This. Not everyone worth their salt in security sees financial gain as the sole objective, or there would be no honest work left in the world. Would the GP recommend to a factory worker that if he just stole 10 of the devices on the conveyor a day, or drove the forklift full of pallets to his house, he could make his yearly wage in a week? If you work on the wrong side of the law (in this case, the laws being entirely ethical as so much is at stake), you are not guaranteed to not get caught, nor are you guaranteed a working wage after finding and selling a flaw. Jail time and honest work in this case are carrot/stick factors deciding how finding the exploit is to the benefit of the discoverer.

      --
      Emacs: for people who just never know when to :q!
    11. Re:Crime does pay by SmlFreshwaterBuffalo · · Score: 4, Funny

      $33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

      How is it a problem?

      It's a fact of life that we are daily confronted with the choice to do the right thing and the choice to screw someone over for money.

      My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

      Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

      I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

      Giving you the 'keys to her kingdom' sounds like a pretty generous repayment for watching over her house, assuming she's at least somewhat attractive.

    12. Re:Crime does pay by morgauxo · · Score: 1

      Maybe but that's $33,500 in the clear with no worry about getting caught and consequences.

    13. Re:Crime does pay by vux984 · · Score: 2

      The 'keys to the kingdom' phrasing was in reference to the article summary which claimed the hacker had the keys to the kingdom for facebook... I, perhaps naively, presumed he didn't get into Zuckerberg's pants.

    14. Re:Crime does pay by PRMan · · Score: 1

      Documenting your hit payment with bitcoin is an incredibly stupid thing to do. It's only anonymous until they look through your PC.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    15. Re:Crime does pay by Wootery · · Score: 1

      the black market might put a hit on him

      If he sold it without taking proper steps to hide his identity, sure. The man's a security expert, though, so...

    16. Re:Crime does pay by akinliat · · Score: 1

      That's not really the point. This sort of security breach could have cost Facebook millions in stock value alone, to say nothing of potential losses in revenue. Paying such a niggardly amount is not only insulting to the value that the man has provided to the company, but it also says a great deal about how Facebook views its own investors, who would bear the burden of a sudden drop in stock value.

    17. Re:Crime does pay by bobbied · · Score: 1

      the black market might put a hit on him

      If he sold it without taking proper steps to hide his identity, sure. The man's a security expert, though, so...

      Well, this "security expert" just took a highly publicized payment from Facebook for showing them the exploit.

      I'm thinking "security expert" in this case might not mean what you think it means...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    18. Re:Crime does pay by Anonymous Coward · · Score: 0

      Facebook doesn't actually lose money if the stock value drops; Facebook investors do. Now if that happens enough or the drop is big enough, then the investors could try to mount a revolt - if it weren't for the fact that a large majority of the votes is held by Mark Zuckerberg. As long as Zuckerberg is willing to absorb a drop in his "personal worth", he can ignore it. But Facebook is a bit of an unusual case for publicly traded companies in that respect.

    19. Re:Crime does pay by Wootery · · Score: 1

      I'm thinking "security expert" in this case might not mean what you think it means...

      If he wanted to have it both ways, he could've sold it on the black market 6 months ago, with a disclaimer saying I plan to tell Facebook about the exploit, in 6 months time.

      Of course, if the buyer then actually uses the exploit, Facebook might discover and fix the problem ahead of time, which would be a problem.

      I wonder if security researchers ever buy exploits on the black market, then write papers about them and disclose responsibly...

    20. Re:Crime does pay by Anonymous Coward · · Score: 0

      Your analogy makes no sense. Facebook didn't approach this researcher and say "We found this bug, could you verify for us?" and then pay him. He discovered what could otherwise be a very profitable zero-day and he turned it in. So your analogy would be more appropriate if "I found a stranger's wallet with a house key in it." and then you returned it to them. This guy wasn't Facebook's 'friend' as no one can be a friend to a corporation, and with billions of dollars at their disposal this is a cheap as fuck thank you. Like if you returned the wallet and got a "oh yeah, thanks." with a door slammed in your face as you stood on the porch of some Rothschild sized mansion.

    21. Re:Crime does pay by Anonymous Coward · · Score: 0

      Same anon coward making an addendum. Facebook rarely 'does the right thing' so yeah, you'd be "screwing over" people who most certainly deserve it...because they screw you over every day for money and get off with calling it a business model.

  3. That's cheap by Anonymous Coward · · Score: 0

    Should've made an app and sold it to them for 3 billion.

  4. NSA's response: by Anonymous Coward · · Score: 1

    Bummer!

  5. We all know about it. by Anonymous Coward · · Score: 0

    ...awarded him for the proof of concept remote code execution which he quietly disclosed to them."

    We all know about it, so it's not that quiet.

    Or did they mean he didn't go, "HERE YOU GO! HERE'S THE REMOTE CODE!"

    1. Re:We all know about it. by Stewie241 · · Score: 2

      What is meant by that is that he quietly disclosed it to Facebook, so that Facebook could fix the problem before it was exploited, rather than going public with it first and putting the pressure on Facebook to fix it quicker.

      These things generally get announced after the fact especially if it was disclosed in a bug bounty program because part of the deal is the recognition that the security researcher gets (which is a big deal in the security world from what I can tell).

      tl;dr - the quietly refers to the fact that we heard about it after it was fixed and not before.

  6. a pittance in ayn rands america. by nimbius · · Score: 1, Interesting

    as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

    instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and life insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

    code bugs and exploits are constant. However, just because your team doesn't find a new one every hour doesn't mean they aren't working. in turn it doesn't give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employment should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

    --
    Good people go to bed earlier.
    1. Re:a pittance in ayn rands america. by fast+turtle · · Score: 3, Insightful

      The Hoover Dam did have a bounty that continues to pay out called Electricity that's being sold.

      The Empire State Building has a Bounty called Rent and it's still collecting.

      The problem with both of these examples is that they're commercial projects, built for a Commercial Reason. Even the Golden Gate Bridge is a commercial project that's still collecting its fucking bounty of Tolls every god damn day.

      As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

      So get back in your kennel, runt, and go back to school before the school of hard knocks gets you.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    2. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 2, Informative

      as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

      instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and life insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

      code bugs and exploits are constant. However, just because your team doesn't find a new one every hour doesn't mean they aren't working. in turn it doesn't give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employment should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

      I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

      More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

    3. Re: a pittance in ayn rands america. by Anonymous Coward · · Score: 1

      Finding code bugs and potential vulnerabilities that can be exploited is really hard, even with top notch security-aware developers and in-house security engineers. Why not hire bright minds and offer a bounty, too? They're acknowledging reality, which is more than you can say for a lot of conglomerates.

      I like Rand. Don't use her philosophies to make an ill supported point.

    4. Re:a pittance in ayn rands america. by Chameleon+Man · · Score: 3, Interesting

      So? I just don't understand how comments like yours that bash bug bounties get modded up...Bug bounties are a great thing to happen to the industry, at least for huge internet-based companies like Google and Facebook. No matter how many security engineers or developers you hire, your application will not hit the same level of testing as when it is released to the public. Google and Facebook realize this. Bug bounty programs offer legal incentives for ANYONE to make money, deterring blackhats from exploiting vulnerabilities for malicious purposes. If this guy didn't report this vulnerability to Facebook, a shitstorm comparable to the Target fiasco could have ensued if he had sold it to some other medium.

    5. Re: a pittance in ayn rands america. by Anonymous Coward · · Score: 0, Insightful

      I like Rand.

      Oh, to be 15 again...

    6. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      ...Empire State building...

      These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct.

      Ahahahahahahahahahahahahaha, nice troll.

      The only company which considers "the welfare of their employees sacrosanct" is a cooperative. To a capitalist business, whether it's the Soviet Union's state capitalism - everything belongs to Government Inc. - or the modern Western version of capitalism where a couple dozen companies control almost everything - your fate is the same. Thank goodness for the union movement to give workers just an inch of protection, though.

    7. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

      More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

      Same question for you: Where do you get the idea that there is anyone buried in the concrete of the Hoover Dam? That would likely weaken the structure, so the engineers would never have allowed it. Anyway, the concrete was poured so slowly that anyone who had fallen in would have been able to get out fairly easily.

    8. Re:a pittance in ayn rands america. by Antipater · · Score: 1, Interesting

      More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

      Many workers died constructing the dam, yes. But none of them drowned in the concrete pours (they may have drowned in the mixing buckets; I don't know about that), and nobody is entombed in the blockwork. A human body is much weaker than concrete - a body in the mix would have compromised the structural integrity of that area. Even if someone had drowned in a pour, which would have been very difficult given that each pour only raised the concrete level by about an inch, the body would have been pulled out as an unacceptable structural risk.

      http://en.wikipedia.org/wiki/Hoover_Dam#Concrete

      --
      Everything is better with chainsaws.
    9. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct.

      Let me just link this for your consideration:

      But, Hoover Dam’s construction had its ugly aspects. “Racial and ethnic discrimination, profiteering at the company store, and the flouting of health and safety regulations” all existed. Black workers were segregated while Asian labor was banned. Poor safety standards led to appalling deaths from heat stroke, badly executed detonations, and carbon monoxide poisoning among others.

      The response from Crowe and his underbosses was merciless. Strikes were crushed, the exhausting pace of work continued, and injury compensation was denied. Indeed, fraud was not uncommon. The medical staff, at management’s behest, sometimes intentionally misdiagnosed men suffering from carbon monoxide poisoning (contracted from truck exhaust while blasting out tunnels) with illnesses. As Hiltzik notes, diseases such as tuberculosis or pneumonia were “all conditions for which the men were ineligible to claim injury compensation.”

    10. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      Considering the amount of annual damage to infrastructure and use-costs associated with trucks (Seriously, it's 99+% of the total), they pay far, far less than their "fair share" in taxes to use the interstate highway system.

      Tax them at a fair rate; I'd have no problem with manufacturers and shippers adding the additional cost to the price of their products, since it would be a far more equitable way of spreading out the costs to the average American for actual costs generated by their consumption than by individual taxes on motorists.

    11. Re:a pittance in ayn rands america. by ustolemyname · · Score: 1

      More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

      Apparently that is a myth: http://nsla.nevadaculture.org/...

    12. Re:a pittance in ayn rands america. by joe545 · · Score: 4, Informative

      That is complete and utter rubbish. One of the examples you mention, the Hoover dam, had intolerable conditions for the workers on it. They were promised modern homes to live in with their families whilst they worked in a desert in the middle of nowhere. What they got was a shanty town, nicknamed Ragtown, with little to no amenities and very little protection from the heat, with vague promises that the buildings were coming - that lasted years! 16 people died on one day alone from the heat. Can you imagine what the conditions were like on the work site if people were dying in the town? Imagine carrying heavy loads, working in tunnels with no air and no respite from the heat for months on end. The workers went on strike for better conditions; in response they had their meagre pay cut, and when they weren't happy with that they were fired en masse. There were further strikes by their replacements. 112 people died in total on the dam, 42 of which died of suspected carbon monoxide poisoning from working in tunnels with no ventilation, which were conveniently listed as pneumonia.

      Your description that they "paid a living wage and considered the welfare of their employees sacrosanct" could not be further from the truth.

    13. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      >More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.
      Wow. You are kinda retarded, aren't you?
      http://www.usbr.gov/lc/hooverdam/History/essays/fatal.html

    14. Re:a pittance in ayn rands america. by KingOfBLASH · · Score: 2, Interesting

      You should reread Ayn Rand. In Atlas Shrugged, where she creates her "perfect society" people pay each other for everything. When Dagny stays over at John Galt's house and needed to use the stove, she gave him $0.05.

      So Ayn would, I think, be happier to see bounties than Facebook saying, hey, give me this info for free.

      And while they probably do have a security team, by crowdsourcing something like this you allow many, many, many more people to look at Facebook and fix it.

    15. Re:a pittance in ayn rands america. by The+Mighty+Buzzard · · Score: 1

      You're an idiot. No group of devs, no matter how good they were or how many were hired, ever wrote a single piece of software more complicated than Hello World without bugs in it. Paying for bug reports instead of the standard of ignoring them or prosecuting the reporter is the right way to do things.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    16. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      you stupid? all the projects mentioned had bounties for successful completion.

    17. Re:a pittance in ayn rands america. by operagost · · Score: 1

      instead of hiring more security engineers and challenging developers to write safer stronger code

      The fact that someone outside Facebook found a security flaw does not mean that Facebook is deliberately not investing in sufficient personnel. Everyone makes mistakes.

      they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

      I can't help but notice that government meddling in the economy wasn't part of your straw man.

      code bugs and exploits are constant. However, just because your team doesn't find a new one every hour doesn't mean they aren't working.

      Right. And just because Facebook's team didn't find this one doesn't mean that they are too small. Do you even have a clue of the daily, weekly, and monthly processes required to maintain security compliance? This has to be done, along with vetting new code and detecting breaches and circumventions of policy.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    18. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

      instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and life insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

      code bugs and exploits are constant. However, just because your team doesn't find a new one every hour doesn't mean they aren't working. in turn it doesn't give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employment should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

      I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

      More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

      I can't speak for the Empire State Building, but I've read a bit on the Hoover dam. Aside from drowning in concrete a dam worker also enjoyed a high risk of falling to his death or being crushed by falling construction debris. I don't know where the gp found that idealized version of construction labor in that era, but I'm pretty sure those jobs sucked only slightly less than starving to death. Workers weren't valued; if one was lost there were a thousand others eagerly waiting for a chance to take the opening.

    19. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      If you think that Facebook does not pay a living wage then you have not been paying attention to all the very recent news related to gentrification in SF.

    20. Re:a pittance in ayn rands america. by bender647 · · Score: 2

      This is my problem in general with a lot of what we call software "engineering". It isn't engineering. When the price of fixing a problem is just recompiling, as opposed to having a building fall down, it seems nothing is planned well or constructed right the first time.

    21. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      Even the Golden Gate Bridge is a commercial project that's still collecting its fucking bounty of Tolls every god damn day.

      [...]

      As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

      So get back in your kennel, runt, and go back to school before the school of hard knocks gets you.

      Bitter much, old man?

      Sorry my reply is so short, I had a hard time holding back my derisive laughter long enough to write anything more substantial.

    22. Re:a pittance in ayn rands america. by tlhIngan · · Score: 1

      No group of devs, no matter how good they were or how many were hired, ever wrote a single piece of software more complicated than Hello World without bugs in it.

      And most "Hello World" programs have bugs in them! There are error conditions that they don't handle and many assumptions few people realize. (Here's a simple one - what happens if there's no stdout? How do you handle that case?)

      Sure the failure of Hello World doesn't really amount to much, but doing it properly takes a lot of extra work.

    23. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      They usually give completion bonuses for finishing early and a late fee for late completions. No idea if that was in place back then, but it certainly could have been.

    24. Re:a pittance in ayn rands america. by Bill_the_Engineer · · Score: 2, Insightful

      You confused bounty with revenue. Bounty is an outgoing expense while revenue is incoming wealth.

      The Hoover Dam generates revenue by producing electricity. The Empire State Building generates revenue by renting space. Facebook generates revenue by selling ads and they paid a bounty to a person who found an exploit.

      Nimbius seems confused since Facebook pays a salary to their development and maintenance staff and supplements their security practice by paying out bounties for any exploits found in the wild. It's not like Facebook just sits back and depends solely on bounties to keep their infrastructure working. He seems upset that paid staff don't get bonuses for fixing their own mistakes. Somehow he mistakenly believes that by paying bounties, Facebook is slighting their staff.

      I agree he has a lot to learn.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    25. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      Tax them at a fair rate; I'd have no problem with manufacturers and shippers adding the additional cost to the price of their products, since it would be a far more equitable way of spreading out the costs to the average American for actual costs generated by their consumption than by individual taxes on motorists.

      Ha ha. Yep, YOU might not. The rest of the country, though? Go ahead, try. Raise prices of certain goods. Raise them a truly marginal amount. Maybe, say, 0.2%. Hell, 0.05% should do the trick. It'll be worth watching. Shit will be flipped. Lots of shit. Flipped REAL fast. Shit will be flipped faster and in greater quantities than the entire national pancake output of a more unpleasant shit-themed IHOP chain. The pursuit and love of the zero price asymptote is what led Wal-Mart to dominate American commerce with an iron fist. People will flip their shit if price A now is higher than price A from last year with no concern for long-term benefits or detriments. That'll happen with zero tolerance, too. And you're invoking the evil, evil, hateful, liberal, horrible, liberal, ugly, liberally LIBERAL spectre of taxes to do so? Man, you'd be lucky to live a week without being torn limb from limb and processed into dog food by the idiots that make up this country. Processed into dog food which would then be sold cheaper than last year's dog food.

    26. Re:a pittance in ayn rands america. by Stewie241 · · Score: 2, Funny

      What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.

    27. Re:a pittance in ayn rands america. by bill_mcgonigle · · Score: 0

      And the lives of the dozen+ people who died building the Empire State Building and Golden Gate Bridge apparently mean nothing to him.

      When did the mods start +5'ing psychopaths?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    28. Re:a pittance in ayn rands america. by SQLGuru · · Score: 1

      But a bounty gets multiple people to fill the role of the single hired expert. There is also nothing that precludes the bounty participant from holding another job (potentially as an expert for a company that DOES pay a living wage) and participating in the bounty program. Even if FB does hire experts, having the bounty program allows you to tap the knowledge of far more experts......and we've already seen that even the best can't foresee every possible avenue of attack. The hive mind is smarter than a single expert.

    29. Re:a pittance in ayn rands america. by necro81 · · Score: 1

      instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business

      I'm not going to debate whether Facebook, et al., exploits its employees - it's a different discussion for another day. I will point out that, even if Facebook tripled its security staff, and tripled the salary and benefits of that staff, vulnerabilities and bugs large and small will still exist. Fewer of them, one would hope, but they'd exist in some fashion. What should Facebook do to reward those white hats out there that find these vulnerabilities and report them?

    30. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      Nimbius got a schooling, fucking idiot.

    31. Re:a pittance in ayn rands america. by cellocgw · · Score: 1

      What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.

      Naaah, what's *really* interesting is breaking down an old parking garage concrete floor and discovering a skeleton of a dragon-like beast which never existed on Earth in the first place.

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    32. Re: a pittance in ayn rands america. by cellocgw · · Score: 1

      I like Rand.

      Oh, to be 15 again...

      Me, I prefer int(rand)

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    33. Re:a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      When did the mods start +5'ing psychopaths?

      Around the time the latter wised up and started calling themselves "libertarians".

    34. Re:a pittance in ayn rands america. by khellendros1984 · · Score: 1

      It sounds more like ignorance than malevolence. If it makes you feel better, the post wasn't at +5 anymore when I read it.

      --
      It is pitch black. You are likely to be eaten by a grue.
    35. Re:a pittance in ayn rands america. by khellendros1984 · · Score: 1

      The price of a customer encountering a serious bug can be the loss of that customer to a competitor, schedules for new development slipping to make time to fix the bug, lawsuits over loss of customer data, etc. The rule of thumb that we use is that a bug found by QA might cost 10x as much as if the developer didn't produce buggy code (due to delays in testing, the developer having to diagnose the problem, abandoning their current work to re-immerse themselves in the buggy section of code, etc). A bug found by a customer will be at least 10x the cost of a bug found by QA, once you consider support time, the escalation process, the same costs of a QA-found bug, impact on development schedules, the potential for lawsuits, time spent by the release engineering group in packaging and deploying a hotfix, etc.

      The price of fixing a problem varies, depending on when and where the problem is found, and the price of fixing it is only "just recompiling" if the developer finds the problem in the course of the preliminary testing done prior to checking the code in. Granted, most devs aren't going to have to worry about fatal consequences in their bugs, and it's not like we have to buy more physical materials when there's a mistake, but saying that it's not engineering and that the cost of a problem is near-zero is just goofy.

      --
      It is pitch black. You are likely to be eaten by a grue.
    36. Re:a pittance in ayn rands america. by Salgat · · Score: 1

      Bounties are important because you distribute risk substantially. Instead of relying on your employees to catch every single bug (which is near impossible to be perfect), you make the entire world a potential employee with a reward for anyone who comes across the flaw.

    37. Re:a pittance in ayn rands america. by bill_mcgonigle · · Score: 1

      Around the time the latter wised up and started calling themselves "libertarians".

      Beautiful Orwellian Doublespeak, when those who eschew violence are the psychopaths and the bombers of cities are the peacemakers.

      Oh, no, you're just a fool.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    38. Re:a pittance in ayn rands america. by weilawei · · Score: 1

      As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

      Not sure which states you drive (drove?) through, but I really don't mind truckers. They're usually the most polite drivers on the Interstate around here. It's the assholes in their BMWs doing 20+ MPH faster than the flow of traffic, weaving in and out, when it's busy, that are the most obnoxious.

    39. Re:a pittance in ayn rands america. by weilawei · · Score: 2
      Good point. Urban myth.

      In 1986, Tom King, Director of the University of Nevada Oral History Program, interviewed several men who had labored on the construction of Hoover Dam who told him a number of bodies lie buried in it. "These stories were made somewhat plausible by the authority of the tellers, themselves dam workers, and by our knowledge that building the dam was indeed an extremely hazardous enterprise," according to King, "however, further questioning revealed that none of the storytellers had actually witnessed such a tragedy or knew the identity of any of the victims. This was not surprising: the tellers believed what they were saying, but their stories were folklore--there are no bodies in the dam."

      Actually, the dam was poured in relatively small sections, so about all a fallen worker had to do to get his face clear of the rising concrete was to stand up. Officially, 96 dam workers died of various causes, and 112 persons unofficially, but none were permanently buried in concrete.

      The closest any worker came to being buried was on November 8, 1933 when the wall of a form collapsed, sending hundreds of tons of recently-poured concrete tumbling down the face of the dam. One worker below narrowly escaped with his life; however, W.A. Jameson was not so lucky and was covered by the rain of debris. Jameson was the only man ever buried in Hoover Dam, and he was interred for just 16 hours before his body was recovered. His remains were shipped to Rock Hill, South Carolina, where a brother and sister lived.

      A structural engineer interviewed for a Discovery Channel documentary on Hoover Dam argued that it would be sheer folly to leave a worker buried in the dam. A decomposing body would jeopardize the dam's structural integrity and risk the multi-million dollar project including property and lives downstream on the Colorado River.

    40. Re:a pittance in ayn rands america. by RightSaidFred99 · · Score: 1

      God, shut the fuck up. Next time you go on a meandering, bewildering rant like that try to at least make some sort of valid point, you idiot.

    41. Re: a pittance in ayn rands america. by Anonymous Coward · · Score: 0

      It is only a bug when it does not work the way it is supposed to. Failing H,W takes a lot of hard work, when done seriously.

  7. Props to this guy by thedillybar · · Score: 4, Insightful

    Nice to associate the term "hacker" with "honest" once in a while

    1. Re:Props to this guy by Anonymous Coward · · Score: 0

      If you associate "hacker" with "honest" only "once in a while" you don't belong on this website

    2. Re:Props to this guy by Anonymous Coward · · Score: 0

      BEFORE ANYTHING:

      Who is the hacker who determined him as being a hacker, so I can worry that I'm dealing with a hacker, before wasting my time against a simple dishonest person?

  8. Nice by mahmudl4480 · · Score: 1

    nice!!

  9. Re:Bounty? Meh! by sudden.zero · · Score: 1

    I'm with you; down with Facebook! I never see my family any more, but their entire lives are broadcast on Facebook.

  10. If only he shut it down by 0xdeaddead · · Score: 0

    for good. :(

  11. Bounty by Anonymous Coward · · Score: 1

    The Hoover Dam did have a bounty that continues to pay out called Electricity that's being sold.

    The Empire State Building has a Bounty called Rent and it's still collecting.

    Bounty. You keep using the word. I don't think it means what you think it means.

    The problem with both of these examples is that they're commercial projects, built for a Commercial Reason.

    Absolutely! Facebook is a non-commercial project. They have ads; not commercials!

    So get back in your kennel, runt, and go back to school before the school of hard knocks gets you.

    I can't respond to that because I'm snickering too much.

  12. Re:Bounty? Meh! by Anonymous Coward · · Score: 1

    This coming from someone who has their G+ linked to Slashdot.

  13. Apples and oranges by Zontar_Thing_From_Ve · · Score: 2

    You're comparing apples and oranges by suggesting that all paid jobs are equivalent. First of all, I have no idea what the workers on those jobs were paid and I suspect neither do you. So you may have no way to know if the pay was average, above average, or less than average. Since the Hoover Dam was constructed in the middle of the depression, I suspect that the pay was good only in relative terms, as getting paid for any job beat getting nothing to not work. 11 people died in the construction of the Golden Gate Bridge. As best I can tell, as much as could be done for safety was done. Only 5 people died in building the Empire State Building. But 112 people died in building the Hoover Dam. Does that fit the bill of "considering the welfare of their employees sacrosanct"? I'm not thinking that it does. I've come to the conclusion that even with the absolute best practices, it is impossible to write any sizable code that can not be exploited, and the bigger the project, the more likely it can be exploited. You are right that Facebook does indeed try to be cheap in some ways with regards to employees (Zuckerberg is a very loud voice in the "We can't function without more H1-B visa employees!" argument) but the problem is that when you are a big website, some guy with time on his hands may try to crack your security for giggles. It's more like having a dozen people every day trying to take down and destroy the Golden Gate Bridge than what you imply, which is that Facebook is just too cheap and maybe too stupid to write good code.

  14. /etc/password or /etc/shadow? by Nimey · · Score: 5, Informative

    All /etc/passwd contains on a properly configured modern system is userid, login name, login shell, and home directory. /etc/shadow is where the hashed passwords are stored, readable only by privileged accounts.

    About all /etc/passwd gains an attacker is a list of good login names.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:/etc/password or /etc/shadow? by gnu-sucks · · Score: 2

      A good list of usernames is sometimes all you need.

      I purchased a server from Goodwill once, and it just so happened that it had an intact hard disk. The server was running some version of Solaris, and was part of a database for a large fortune 500 company that you have probably heard of. As an interesting "exercise", I decided to put it on my network and hack into it.

      The box had a very bad telnet daemon, and using the simplest of exploits imaginable, I was able to return the contents of arbitrary files and run commands on the box. This is pretty good, but of course, you gotta always try for more. I returned /etc/passwd and tried all the accounts with the standard top-500 lists you can find online. I got into the system admin's account. He had dumped the contents of his personal windows computer as well as his palm pilot (google that on your iPhone, kids, and then get off my lawn). These included his and his wife's passports (scanned for some reason), blueprints for their house, and of course, his resume where he lists all sorts of bogus security certifications.

      Word of advice to admins: protect the entire computer. Don't accept that certain files are not that big of a deal, they ALL matter. Every file should be considered a potential threat and permissions and updates applied accordingly. Never enable remote root anything. Always use alternative accounts. Audit user passwords for weaknesses. Deactivate old accounts ASAP. Be aware of repeated invalid login attempts. This isn't even scratching the surface...
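      Two points from this sub-thread fit together: Nimey's observation that a leaked /etc/passwd gives an attacker little more than a list of good login names, and the advice above to audit passwords and watch for repeated invalid login attempts. The following is an added example, not code from the story, from Facebook, or from either commenter. It takes a constructed /etc/passwd, extracts the accounts that are actually worth attacking (those with an interactive shell), then runs a simple spray/brute-force detector over constructed sshd log lines and cross-references the two. The passwd contents, the log lines, the host name db01, the IP addresses and the thresholds are all made up for the example; the log format is stock OpenSSH syslog output, which carries no year, so one is supplied as an assumption.

```python
"""
From a leaked /etc/passwd to the login attempts that follow it.
Added example, not code from the thread. Sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /etc/passwd: seven colon-separated fields, no hashes (those
# live in /etc/shadow, which an unprivileged process cannot read).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:106:112:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
deploy:x:1001:1001:Deploy User:/home/deploy:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def login_candidates(passwd_text):
    """Login names with an interactive shell: the only useful thing an
    attacker gets from /etc/passwd, and the list they will spray against."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, _pw, _uid, _gid, _gecos, _home, shell = fields
        if shell not in NOLOGIN_SHELLS:
            names.append(name)
    return names


# Constructed sshd lines in default syslog format. 203.0.113.5 walks a
# username list in seconds; 198.51.100.7 is a real user who fat-fingers
# a password twice, half an hour apart, then logs in with a key.
AUTH_LOG = """\
Jan 22 09:58:03 db01 sshd[2201]: Failed password for deploy from 198.51.100.7 port 50122 ssh2
Jan 22 10:15:01 db01 sshd[2310]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 22 10:15:04 db01 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 22 10:15:07 db01 sshd[2312]: Failed password for postgres from 203.0.113.5 port 51240 ssh2
Jan 22 10:15:09 db01 sshd[2313]: Failed password for deploy from 203.0.113.5 port 51241 ssh2
Jan 22 10:15:12 db01 sshd[2314]: Failed password for invalid user oracle from 203.0.113.5 port 51245 ssh2
Jan 22 10:15:15 db01 sshd[2315]: Accepted password for deploy from 203.0.113.5 port 51250 ssh2
Jan 22 10:31:40 db01 sshd[2402]: Failed password for deploy from 198.51.100.7 port 50190 ssh2
Jan 22 10:31:52 db01 sshd[2403]: Accepted publickey for deploy from 198.51.100.7 port 50191 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2014):
    """(timestamp, source ip, user) for every failed-password line.
    syslog stamps have no year; 2014 is an assumption for the example."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    events.sort()
    return events


def detect_spraying(events, window=timedelta(minutes=10), max_failures=5, max_users=3):
    """Per source IP, slide a window over its failures and keep the busiest
    window that crosses a threshold. Many failures on one account is brute
    force; a few failures across many accounts is a username list being walked."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, evs in by_ip.items():
        start, worst = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = sorted({u for _, u in evs[start:end + 1]})
            count = end - start + 1
            if (count >= max_failures or len(users) >= max_users) and \
               (worst is None or count > worst["failures"]):
                worst = {"failures": count, "users": users}
        if worst:
            alerts[ip] = worst
    return alerts


def report(passwd_text=PASSWD, log_text=AUTH_LOG):
    """Cross-reference: which real, shell-bearing accounts did each sprayer hit?"""
    candidates = set(login_candidates(passwd_text))
    alerts = detect_spraying(parse_failures(log_text))
    for alert in alerts.values():
        alert["real_accounts_hit"] = sorted(candidates & set(alert["users"]))
    return alerts


if __name__ == "__main__":
    for ip, alert in report().items():
        print(ip, alert)
```

      The "Accepted password" line from 203.0.113.5 right after the spray is the part worth a second look in a real investigation: the detector only reports failures, so a successful guess shows up as the absence of further noise from that source. In practice this logic belongs in a log pipeline (or fail2ban / sshguard), but the thresholds are the same conversation either way.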

  15. Grading your rant paragraph by paragraph. by Anonymous Coward · · Score: 0

    Completely false, completely true, complete non-sequitur.

  16. /etc/password, not /etc/shadow! by Anonymous Coward · · Score: 4, Insightful

    It's a demonstration of a file system traversal vulnerability. Most likely the application is run under an unprivileged user account, which surely does not have access rights to read /etc/shadow; however, it has access to its own configuration files, which may reveal much more information than the hashes of passwords of root. And if Facebook admins have some clue then their own user accounts are not even in the system but on a central authentication server along with the passwords. Anyway, the content of /etc/passwd is more than enough for the demonstration.

    1. Re:/etc/password, not /etc/shadow! by Nimey · · Score: 5, Interesting

      And, let's be honest, /etc/password sounds scary, and is probably the most attention-getting thing this guy could have said to the average person.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:/etc/password, not /etc/shadow! by Martin+Blank · · Score: 1

      Code execution in an unprivileged account is one small step away from executing exploit code to get root, and then you've got just about everything.

      --
      You can never go home again... but I guess you can shop there.
    3. Re:/etc/password, not /etc/shadow! by L4t3r4lu5 · · Score: 1

      ... the most attention-getting thing this guy could have said to Facebook's PHB in charge of Bounty Payouts.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  17. Words to not type into a Google search at work... by Anonymous Coward · · Score: 0

    NT

  18. XML Injection not remote code exec by Anonymous Coward · · Score: 2, Informative

    That is XML injection, not remote code execution.

    You send XML with an "include this file" entity and the XML parser reads the chosen file.

    1. Re:XML Injection not remote code exec by Anonymous Coward · · Score: 0

      He used the XML injection to get a RCE. RTFA
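    The mechanism comment 18 describes is an XML external entity (XXE): the attacker's document declares an entity whose SYSTEM identifier is a local file, references it in content, and a parser that resolves external entities splices the file into the document, which the application then echoes back. The following is an added example, not code from the story or from Facebook, using Python's standard library SAX parser because it lets the resolving behaviour be switched on and off with one feature flag. The "secret" file is a constructed /etc/passwd look-alike written to a temporary file; the element names in the payload are made up and assume nothing about the real OpenID endpoint.

```python
"""
XXE: the same payload against a resolving parser and a hardened one.
Added example, not code from the story. The leaked file is constructed.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
import xml.sax.xmlreader

# Constructed stand-in for /etc/passwd: login names, uids, shells, no hashes.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "deploy:x:1001:1001:Deploy User:/home/deploy:/bin/bash\n"
)


def xxe_payload(file_url: str) -> bytes:
    """The attacker's document: an external general entity pointing at a
    local file, then a reference to it where the app expects a value.
    Element names are made up for the example."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE openid [\n'
        f'  <!ENTITY xxe SYSTEM "{file_url}">\n'
        ']>\n'
        '<openid><identity>&xxe;</identity></openid>\n'
    ).encode()


class TextCollector(xml.sax.handler.ContentHandler):
    """Gathers all character data the parser produces. Whatever the entity
    expands to lands here, which is what a leaky endpoint echoes back."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse_untrusted(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse untrusted XML and return the text content the parser produced.

    resolve_external_entities=True reproduces the vulnerable configuration:
    the parser fetches SYSTEM entities from disk (file://) or the network.
    False is the hardened setting. Current Python releases default to False
    for xml.sax; libxml2-based stacks such as lxml default to resolving
    entities unless told otherwise, and many other XML libraries did so
    in 2014.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    src = xml.sax.xmlreader.InputSource()
    src.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(src)
    return collector.text()


def demo():
    """Run the payload through both configurations against a temp file that
    stands in for /etc/passwd. Returns (leaked_text, hardened_text)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".passwd") as f:
        f.write(FAKE_PASSWD)
        path = f.name
    try:
        payload = xxe_payload("file://" + path)
        leaked = parse_untrusted(payload, resolve_external_entities=True)
        hardened = parse_untrusted(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("resolving parser returned:\n" + leaked)
    print("hardened parser returned: %r" % hardened)
```

    Reading a file is the simplest outcome; the same entity mechanism reaches http:// and other URL schemes the library supports, which is how an XXE turns into server-side request forgery or, as the reply above notes, a foothold for further exploitation depending on the stack. The fix is the parser setting, not input filtering: disable external entity resolution (and ideally DTD processing altogether) everywhere untrusted XML is parsed.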

  19. when i read the headline... by schlachter · · Score: 1

    I expected something like $100K. Would be trivial for them. They could build a whole ecosystem of people trying to report bugs to them.

    --
    My God can beat up your God. Just kidding...don't take offense. I know there's no God.
  20. prizes were an integral part of American history by schlachter · · Score: 1

    No, you're wrong, bounties and prizes were an integral part of American history.

    https://challenge.gov/p/about

    http://www.slideshare.net/crai...

    --
    My God can beat up your God. Just kidding...don't take offense. I know there's no God.
  21. Re:the empire state building by DocSavage64109 · · Score: 1

    I'm pretty sure I've seen pictures of the builders of the empire state building sitting on some I-beam with no safety gear or even a rope to hold on to. I somehow doubt construction employers cared more about their employees then than they do today.

  22. Slashdot is of poor taste/gone to the trolls by 228e2 · · Score: 1

    A white hat does exactly what he is supposed to do (allegedly) and a company takes the proper route and doesn't sue him into oblivion, takes the proper steps to make a timely fix and gives him a reward. And yet everyone here swings and misses on the topic.

    Congrats. This place is officially one rung above 4chan.

    --
    Since when does being a Socialist mean 'someone who has a different opinion than me'?
  23. Do the right thing, get screwed over by Anonymous Coward · · Score: 0

    This guy should have hired a lawyer and found out if it was permissible to send Google their passwords as "proof of life" and then announce you are willing to negotiate a reasonable compensation based on the value of the bug uncovered. No threats to release it, but just remind them that if you found it, so could somebody else and that the clock is ticking. As long as there was no threat involved, it would not be extortion. If they would not negotiate, then either accept the stupidly stingy offer or move on to something else.

    1. Re:Do the right thing, get screwed over by Anonymous Coward · · Score: 0

      I meant Facebook. But you all knew what I meant.

    2. Re:Do the right thing, get screwed over by RightSaidFred99 · · Score: 1

      What's wrong with you greedy fucks? $33.5k is chump change to you? You must all be 1%ers.

  24. like planes "usually" crash. 99.9% of the time, no by Anonymous Coward · · Score: 1

    > Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears.

    It might look that way if the only information you were familiar with on the topic was news reports.
    The thing is, newsworthy events are by definition NOT the usual events. Based on looking
    at airplane flights in the news, you might conclude that plane flights usually end in a crash.

    In reality, planes usually don't crash, so you don't see them on the news. 99.98% of flights go well.
    In reality, security issues usually aren't ignored, so you don't see them on the news. 99.98% of reported issues are handled.

    http://cve.mitre.org/ tracks the resolution of about 20 security issues per day.
    For example, I found one that could have easily taken down Wikipedia and many other top sites, CVE 2012-0206. http://securitytracker.com/id?1026729 . You'll note 2012-0206 was one reported on January 10th. Ten days into the year, over 200 issues were in the resolution pipeline. MOST issues are handled the same way as CVE 2012-0206. Out of the ~8000 issues publicly tracked each year, two or three are grossly mishandled and make the news. What's not in the news are the other 7,998 issues that are timely resolved through the normal process.

  25. I'm curious by nobuddy · · Score: 1

    Why would you keep your bitcoin after you spent them? Especially on such a thing.

    "time to pay off this hitman. better photocopy the cash before I do."

    1. Re:I'm curious by bobbied · · Score: 1

      It's not the coin really, it's the wallet keys. The Transaction will be hashed in the coin for life and tied to the wallet that spent it.

      Having a stash of bitcoins on your computer doesn't mean they were ever yours. You could have been mining or something.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  26. PS I'm the reporter, AC to preserve moderation by Anonymous Coward · · Score: 1

    My post above may be slightly unclear, especially not knowing who it's from. I had already moderated the thread so I posted AC.
    CVE 2012-0206 is an example of a security issue I discovered and reported. I'm familiar with the usual process because I'm part of the usual process.

    CVE 2012-0206 is typical - I reported the issue to the security@ contact. Within a few hours they responded.
    They asked if I had further information, if I would hold off on further disclosure for 48 hours so they could test a patch and ship it to their largest users (wikipedia, etc.), and they asked how I'd like to be credited in the CVE and any other public postings.

    I told them no problem waiting 48 hours or more, let's get wikipedia and the big hosting companies patched before releasing details, and I asked that they include my web site in posts "Ray Morris from bettercgi.com discovered ...".

    24 hours later, servers responsible for several thousand domains had been quietly patched.
    46 hours after the report, the fix was on the web site. Two hours after that, the CVE was posted on the security lists.
    Over the next few days, distributions released new packages. I think Debian was first. Gentoo was on it within 24 hours, though they needed to discuss the fix https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-0206

    That's what USUALLY happens.

  27. This bounties make me feel even MORE INSECURE by Anonymous Coward · · Score: 0

    Now, he not only got MY ID no doubt, since they admit he got the /etc/passwd, he also got an encrypted form of my password, if it's not shadowed, which I hope it is. Now somebody out there has my Facebook ID.

    The problem is they ENCOURAGE and PAY for hackers to hack MY ACCOUNT SERVICE.

    What kinda idiot does that.

    Honestly, encouraging people to attack services MY ACCOUNTS are on, is a personal attack on ME.

  28. Ripped off by Anonymous Coward · · Score: 0

    33,500? He would have made 100x that or more on the bm. You'd think a billionaire company could at least pay what the bug was worth.

  29. uhhh by Anonymous Coward · · Score: 0

    if passing some xml to facebook servers gets one root, then their shit is highly insecure