Slashdot Mirror


Bug Bounties Aren't Silver Bullet for Better Security (infosecurity-magazine.com)

Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.

95 comments

  1. Sure not by Chatterton · · Score: 1, Insightful

    But they are a bullet in the arsenal against bugs...

    1. Re: Sure not by illiac_1962 · · Score: 1

      "an elite few produce the biggest volume and highest quality of bug reports across multiple products," They do appear to be working quite well, so why the doom and gloom? It's not like it's some fruitless, wasteful fad.

  2. TFS fails to make its case by Anonymous Coward · · Score: 0

    They're getting bug reports. Would they have gotten those without the bounties?
    Would in-house researchers find the same ones? Especially if only the elite are finding them.
    And why would anyone think bug bounties should be a replacement for a job?

    1. Re: TFS fails to make its case by Anonymous Coward · · Score: 0

      TFS is bullshit. The reason bug bounties are not working is because they are not well funded. The price for a finding should be /higher/ than the full-time salary of a dedicated security analyst times the amount of time for them to find it.

      I announced a bug against American Express. They asked me to "responsibly disclose" on HackerOne which is just an NDA. They don't actually pay you. And even them giving you credit is hidden from the public. And I'm probably even breaking NDA just to tell you this.

      That's why I just write up the exploit, set a release date, and ask the vendor "what's in it for me if I send it to you first?" I'm very modest in what I'll accept, but usually they don't do even that so I just do full disclosure on my blog.

  3. How to fix bugs by AHuxley · · Score: 1

    Write good code by hiring on merit only.
    Keep the inner core of skilled coders working hard on quality productive code.
    Once low quality code is part of the company it is hard work to go back and try and find good workers.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:How to fix bugs by Anonymous Coward · · Score: 0

      You're a moron, not a coder. Shut up.

    2. Re:How to fix bugs by mwvdlee · · Score: 2, Insightful

      Kinda like how hospitals should only hire good doctors so nobody will ever die again.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:How to fix bugs by patilise · · Score: 0

      Kinda like how hospitals should only hire good doctors so nobody will ever die again.

      Fixing the metaphor - hospitals should only hire good doctors so people who can be saved by an accurate diagnosis will not die.

    4. Re: How to fix bugs by Anonymous Coward · · Score: 0

      "Coder" - hah! Go back to Reddit. Slashdot is for _programmers_ and other real nerds.

    5. Re:How to fix bugs by Anonymous Coward · · Score: 0

      Well, the managers who needed to learn this need to be fired for 101 stuff.
      Usually the problem is that coders test the code and the testers are quarantined from looking at the source.
      And when a bug is found, the review team rarely gets a raspberry for missing it.
      Best bang for buck is many eyes on the source code, or at least release to highly trusted persons who know how to do code bench-checking from greenbar printouts.

    6. Re:How to fix bugs by Anonymous Coward · · Score: 0

      Wrong.
      They fire the ones costing them rework from mistakes and infections, or lower scores than their peers. But then the elite surgeons say we won't operate on Miss Jones because she is obese, has other problems - someone HAS to operate on higher risk patients.

      For programmers: Good, Fast and Cheap - pick any TWO. Also reject programmers who won't or can't comprehend other programmers' code, and insist on their rewrite.

    7. Re:How to fix bugs by packrat0x · · Score: 1

      Also reject programmers who won't or can't comprehend other programmers' code, and insist on their rewrite.

      Well, that excludes most C++ programmers.

      Just kidding.

      Maybe...

      --
      227-3517
    8. Re: How to fix bugs by jd · · Score: 3, Insightful

      Coders are useless without good specifications, good practices and good languages. Test driven design beats most other forms.

      Not many workplaces know how to do that, let alone budget the time to.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    9. Re: How to fix bugs by Anonymous Coward · · Score: 0

      They know and they don't care what you say about them but thanks for the mental bandwidth

    10. Re: How to fix bugs by Anonymous Coward · · Score: 0

      Shut up, you stupid dumbfuck.

    11. Re: How to fix bugs by Anonymous Coward · · Score: 0

      "Coder" - hah! Go back to Reddit. Slashdot is for _programmers_ and other real nerds.

      Slashdot is being kept going as a very obvious honeypot for nazi cunts like AHuxley, you fucking idiot.

    12. Re:How to fix bugs by Daralantan · · Score: 1

      Kinda like how hospitals should only hire good doctors so nobody will ever die again.

      This just reminds me of how hospitals try to reduce their bad "deaths while in care of" numbers by just rushing out people that are terminal. Trying to get them to hospice, etc, instead. That way someone might die a day after the hospital but hey, they didn't die there so look how safe you are in this hospital!

    13. Re: How to fix bugs by Anonymous Coward · · Score: 0

      The companies that I've seen using test-driven type methods often end up writing many trivial tests, especially at the beginning of a feature/application/library/whatever. The big problem is that TDD seems to severely limit freedom to make large changes, which is often what is happening to a project in its early stages. This is a big barrier. Let's say maintaining tests is 70% of the effort in a project. Now, you're early in your project and being bogged down by a constant barrage of failing "regression" tests. In reality, the functionality is changing and the tests need to change too. As the project firms up, this starts to become more reasonable but not at the beginning. I have not heard a convincing argument against this problem with TDD.

    14. Re: How to fix bugs by Anonymous Coward · · Score: 0

      In electrical engineering for chip design, we are still firmly in the test-driven design camp. In fact, if we can have test-cases ready before the design that is a win for everyone, because the RTL designers can immediately start running stimulus against their SystemVerilog code.

      You're absolutely correct that things change more rapidly at the beginning of a project when specification and customer requirements are all in flux, or the specification just has mistakes and the designers and test-developers begin pointing the issues out and we work through the problems.

      In the case of electrical engineering, the people writing the tests hold the exact same qualifications as the people designing the RTL, that is, a bachelor's or a master's in either Electrical Engineering or Computer Engineering (with the occasional physics major that I've worked with). When specifications change, the engineer coding the RTL design begins a git branch for the modifications, and the engineer that owns the test cases works in that same branch. Once we have everything working, we merge the branch back into master.

      This is a very smooth flow, and doesn't cause nearly the problems one might think. It's only when RTL designers rush and rush and push changes into master branch before the test-cases are ready that everything goes to hell. Now no one can trust tests, no one can easily make forward progress, and in the long-run the chip is delayed.

  4. Pareto principle by alvinrod · · Score: 1

    Sounds like another case of the Pareto principle where a small number of people (the elite few) find the majority of the quality bugs.

    I don't know if these elite few are doing this full time, but I'd imagine that they aren't if they only make ~$35k. Most could easily get six figures doing security consulting work, and I would expect that a lot of them do and only do this as a hobby or for the added notoriety. I looked up the pwn2own contest and the main page reports one guy hauled in over $100,000 in the 2018 contest, so some can clearly make a good living doing nothing else if they don't want to. I don't know if those guys are the .1% or something, but I'm somewhat more skeptical about the claims that not even the elite can make it as bug bounty hunters.

  5. Uh okay? by bhcompy · · Score: 4, Insightful

    It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western

    Who said it's supposed to be a full time job? Bounties aren't jobs. They're rewards for ethical disclosure

    1. Re:Uh okay? by Anonymous Coward · · Score: 2, Insightful

      That's not realistic. You don't stumble upon security bugs. Finding these bugs requires targeted effort. Somebody has to pay for that effort. The black hats are motivated: they can profit by exploiting the bugs. Why would a white hat put in the effort if they don't get paid adequately?

    2. Re:Uh okay? by Anonymous Coward · · Score: 0

      You could ask the same thing of, say, DEA agents. Why take the high risk government pay job when they could make far more money as a drug lord? Or even simply policemen vs. the crooks they're after. It has to do with their motivation. Never mind that your "black hats" run lots of risk including no reward for their efforts. Many of the c'sec kids would do the same thing regardless of pay. They just don't want to run the risk of getting caught facilitating crime. Why do that work they'd do anyway on commission when they could be working on a paycheck instead?

      You could even ask the same of salesmen and engineers. The latter work for a paycheck to pay off their student debts. The former don't need to have studied much of anything, it's their go-getter attitude that gets them their commissions.

      So, are your "white hats" really salesmen?

    3. Re:Uh okay? by Anonymous Coward · · Score: 0

      You could ask the same thing of, say, DEA agents. Why take the high risk government pay job when they could make far more money as a drug lord? Or even simply policemen vs. the crooks they're after.

      You honestly think that being a DEA agent is more risky than dealing drugs? Or being a cop is more risky than being a thug?

    4. Re:Uh okay? by Anonymous Coward · · Score: 0

      The argument was about high risk/low pay vs high risk/high pay. The risk doesn't have to be equal to still make a useful comparison. Your question is thus focusing on not so very relevant detail to sidestep the actual point.

    5. Re:Uh okay? by Anonymous Coward · · Score: 0

      For very few people, finding vulnerabilities is like climbing a mountain. "Because it's there" isn't sufficient motivation for most people. Security is difficult and takes lots of experience. Without adequate pay, there won't be enough specialists who can and will hunt vulnerabilities. Realistically, this kind of work should pay far more than ordinary software development, but actual bug bounties amount to far far less.

    6. Re:Uh okay? by Errol+backfiring · · Score: 1

      If one really must see the entire world through capitalistic glasses, I think the real money is to be made by selling these holes to criminals and secret services. There's your market.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    7. Re:Uh okay? by AmiMoJo · · Score: 1

      Ethical disclosure is most people's default behaviour. Bug bounties are a signal that the company is grateful and not about to sue the messenger.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Uh okay? by Anonymous Coward · · Score: 0

      You could ask the same thing of, say, DEA agents. Why take the high risk government pay job when they could make far more money as a drug lord?

      This argument is flawed in that the skills for being a DEA agent are distinct from the skills for being a successful drug lord, whereas the skills for being a $COLOUR hat are independent of $COLOUR.

    9. Re:Uh okay? by Anonymous Coward · · Score: 0

      For very few people, finding vulnerabilities is like climbing a mountain. "Because it's there" isn't sufficient motivation for most people.

      Which is why most people aren't doing this at all.

      Some of those "most people" might be programmers or sysadmins (or both), run into security problems, figure out the details, and send in reports. Those will do so anyway, too.

      Security is difficult and takes lots of experience.

      Which is why it isn't particularly helped by treating it like a gold rush with bounties.

      Without adequate pay, there won't be enough specialists who can and will hunt vulnerabilities.

      I don't think there'll be enough specialists to patch up the problems after hordes of half-trained idiot coders from the "everyone can code!" schools, whatever you do. The talent, much like "being a good programmer" is rare.

      There is also that security cannot be bolted on after-the-fact. So finding exploits is only useful if their existence is already threatened by good security practice built-in from the start. Otherwise it's just make-work, because there'll always be something else wrong, if not in this version, then the next.

      So I don't think you can get enough specialists regardless of pay, whatever you do, because of external factors. IOW this isn't a problem you can possibly solve by throwing money at "security".

      But also, what constitutes adequate pay? Apparently "bounties" isn't it.

      Realistically, this kind of work should pay far more than ordinary software development, but actual bug bounties amount to far far less.

      I don't know that, actually. I'd say that the "ordinary software developers" who handle the input of foreign data might need a massive upgrade, with talented people and decent-for-the-skillset pay. People who'll create the primitives that lesser programmers might use safely. Right now any idiot might throw XML (or JSON or whatever else) at his problem and not understand where his security problems come from. He's using industry standard XML, donchaknow!?!

      Full disclosure: I actually like tinkering with tooling and state machines checking input and such, but I have exactly no interest in chasing problems all through the disassembly listings, though I've done the latter also, writing exploits, and so on. But non-pay-related reasons mean that employers will most likely have to find someone else to do this particular job.

      Anyway, the point is that chasing exploitable bugs isn't really productive at actually fixing the overall security problem, so throwing money at people who do exactly that, well, perhaps there are more productive ways to secure the software.

    10. Re:Uh okay? by Anonymous Coward · · Score: 0

      Bounties are what companies use instead of paying real money to skilled coding teams and they do it because...

      1) It is cost effective. Companies get people to find problems and get great PR along the way.
      2) It is expected. Bounties are the new norm for bug fixes.
      3) It is a form of ass-covering. "If hundreds of bug-hunters could not locate that bug in X months, then how were we supposed to do it?"
        Bounties are just a form of outsourcing and allow the companies to reap the benefits of the gig-economy while disconnecting themselves from responsibilities and controlling costs.

      Good or bad, bounties are here for a while.

    11. Re: Uh okay? by illiac_1962 · · Score: 1

      Because we are in an age where sjw jump at the chance to champion the cause of people who were lured in by easy money who are now butt hurt because they can't make their bills sitting around all day. Uber drivers as employees spring to mind.

    12. Re:Uh okay? by Anonymous Coward · · Score: 0

      Is it ethical for Facebook to never pay bug bounties to independent researchers?

      Multiple bug bounties submitted to Facebook -> NEVER PAID

      There is always an excuse like this one:
      CSRF filtering should be added to every router in the entire world, instead of in Facebook's filtering system.
      Actual Response from Facebook Devs as to why I wasn't paid for discovering CSRF bugs affecting EVERY SINGLE USER on their platform in the entire world...

    13. Re:Uh okay? by Anonymous Coward · · Score: 0

      Who wants the emails?

    14. Re: Uh okay? by Anonymous Coward · · Score: 0

      Current CrapTastic (tm) cliche counter:
      "We are in an age..." -- 1
      SJW --10
      "jump at the chance..." --1
      "champion the cause..." --1
      "lured in by easy money..." -- 3
      "butt hurt..." --2
      "sitting around all day..." --2
      "spring to mind..." -- 1

      Total CrapTastic (tm) count = 21

      Congratulations. You qualify as a trollbot.

    15. Re: Uh okay? by Anonymous Coward · · Score: 0

      Because not everyone becomes a drug kingpin. Most drug dealers make average money. They aren't all Tony Montana.

    16. Re: Uh okay? by Anonymous Coward · · Score: 0

      Release the sploit into the wild next time. Fuck em.

    17. Re:Uh okay? by Anonymous Coward · · Score: 0

      "They're rewards for ethical disclosure".

      Or maybe even, they could be seen as acknowledgement. A Thank You. It doesn't hurt to tip your hat to someone who has done you a solid.

      The danger of making this about the money is that this presents a temptation to a bug finder. Not exactly news this, but if the Dark Side pays better, and it's all about the money, then why not sell to the Black Hats?

  6. Neither is Open Sores by Anonymous Coward · · Score: 0

    Loonix sycophants cheerleading for loonix toreball's little hobby OS and other garbage Open Sores abominations riddled with shit security.

    1. Re:Neither is Open Sores by Anonymous Coward · · Score: 0

      You sir, are a retard.

    2. Re:Neither is Open Sores by Anonymous Coward · · Score: 0

      I bet you have at least 10 university degrees based on that sentence alone. I shall defer all my future major decisions to you, sir, for I am just a humble idiot.

  7. Just free pentesting for shitty companies by Anonymous Coward · · Score: 0

    All they are is free pentesting for companies who do not want to pay for pentesting or appsec engineers. They're also an "easy" button for shitty developers or developers who aren't educated in how to write secure software.

    Basically, the community uses bug bounties to get recognition; but at the same time the companies abuse them. Sad really; as a security engineer, you should not participate in this shit.

  8. "ethical disclosure"? by Anonymous Coward · · Score: 0

    Apparently the people in the "security industry" are only "ethical" if you pay through the nose for them to be "ethical".

    I'm pretty sure that's not how this "ethics" thing works anywhere else, so it's not surprising it doesn't actually work that way in the imperial textile industry that calls itself "computer security". Funny you lot need MIT to figure that out.

  9. Re:Like that new movie Blacrimony by Anonymous Coward · · Score: 0

    "Inbred Nazi faggot imagines visually online how he'll be tortured for eternity in retard republican hell, news at 11"

  10. They are always a public relations exercise by Anonymous Coward · · Score: 0

    What kind of credulous moron believes they are about improving security or (LOL) creating work for unemployed engineers?

  11. Re:Like that new movie Blacrimony by Anonymous Coward · · Score: 0

    "Triggered jew faggot compulsively repeats itself; drinks n1ggerpiss in frustration"

  12. Well, this is awkward... by Anonymous Coward · · Score: 1

    I sure hope my boss doesn't read this article, since yesterday I held a long presentation for the whole board of directors entitled: "Bug Bounties -- the Silver Bullet for Better Security?" where my conclusion was a resounding "YES!"... They applauded. I got multiple pats on the shoulder. Everyone was happy. And now this.

  13. Even I'm not w/ that & why... apk by Anonymous Coward · · Score: 0

    I came here, initially, to see the type of stuff being said by "loonix sycophants" back circa 2005 & there was a ton of bs, lies, & crap said by them - such as "we can't be infected" (or much like it - just like Apple tried & amended to "no PC viruses" (fucking marketing asshole BULLSHITTERS)), & being a programmer & network admin for decades I knew THAT was bullshit TO THE MAX. The REAL deal is "security by obscurity" that Linux enjoys.

    They've largely CUT THE CRAP since then though on that note & why? I used this against them here a few times, makes a point:

    What PROVES that? ANDROID DOES (more attacked than Windows by FAR, even over time, though both have had the SHIT beaten out of them (which is, in a way, GOOD - you learn by it, just like in life)) & yes, ANDROID is a Linux (stupidly using "DALVIK" (fucking JAVA which is, security shit)). Now, some of the dorks around here will TRY DENY that, but good luck.

    NOW, on the FLIPSIDE?

    I've used Linux since 1994, & again in 1999, then in 2010 (where it ALMOST had me) & since June last year up to now (& intend to KEEP using it, does all I need & devtools like FreePascal + its Lazarus IDE are FINALLY not CRUDE BULLSHIT)

    I've also found LINUX IS SIMPLER TO SECURE than Windows (& trust me on that, I know Windows having used it from Windows 3.0, thru all 9x series, all NT series (NT/2000/XP/Server 2003) & programmed on it for DECADES.

    Securing Linux is pretty much only 3-4 files to shore up (rest is in your modem OR firewalling router (usually most modems, blow, but not all here)).

    APK

    P.S.=> Problem imo, nowadays? Companies "want to save $" & are hiring ROOKIE NOOBZ & dispensing w/ guys of age + experience (who yes, COST more but are worth every penny vs. noobs) - oversimplifying things, but as an AC, /. only lets me post SO MUCH (far less than registered users, even when they do AC submits) so, there you are... apk

    1. Re: Even I'm not w/ that & why... apk by Anonymous Coward · · Score: 0

      As usual, you haven't a clue about security. You've repeatedly posted that open source is inherently not secure because malware authors could create malicious imitations of legitimate software. Of course, the same type of code audits you cite to defend your work can also protect against malicious imitations of open source programs.

      No Linux user who understands security would say that Linux can't be infected. However, the Linux security model prevented many of the same classes of vulnerabilities that affected Windows XP systems. You're intentionally misrepresenting what people actually said, so you have an excuse to criticize Linux. That's hardly shocking, considering the other BS you've posted.

      You also don't seem to have a clue what Linux really is, because you're conflating it throughout your post. If Linux is a kernel, many security issues have little to do with it. Android is not the same as GNU/Linux, the latter of which is what people typically mean when they talk about Linux systems. Android is most certainly not GNU/Linux, and you know it. Many of the security issues in Android are with other components of the OS, and have little to do with the kernel. That means they also don't affect GNU/Linux systems that don't use those vulnerable components. You need to go learn the differences between Android and GNU/Linux.

      As for securing GNU/Linux systems, you most likely think that hosts files are a great way to secure a system, one of those 3-4 files you mention. Of course, a blacklist-based approach is really a pretty bad way to secure a system, and does little to protect against many modern threats like Spectre and Meltdown. Although you claim that hosts can prevent you from resolving domains used to host malicious programs, that assumes your hosts files are intended to block such domains from being resolved. It also only addresses known threats, meaning that you're vulnerable to any new threats that aren't yet blocked. Whitelists and heuristics are far superior to your blacklisting for detecting and blocking such threats.

      You don't have a damn clue about security.

    2. Re: Even I'm not w/ that & why... apk by Anonymous Coward · · Score: 0

      Holy crap APK kicked the shit out of you with solid proof in all 4 of his posts completely crushing every line of manure you spewed.

    3. Re:Even I'm not w/ that & why... apk by Anonymous Coward · · Score: 0

      Apk enough. Isn't it enough you humiliated the anonymous troll who stalks you 8 times in your replies to his lies? Please stop.

    4. Re: Even I'm not w/ that & why... apk by Anonymous Coward · · Score: 0

      LOL. Said no one ever.

    5. Re: Even I'm not w/ that & why... apk by Anonymous Coward · · Score: 0

      Dude before you did. So did I here https://tech.slashdot.org/comm... so learn to read.

  14. It takes more than one bullet by johnsie · · Score: 1

    Like in any war, you would want to have as many bullets as possible at your disposal. However, you fight with the army you have, not the army you would like to have, so you need to fit everything within your budget. Having a dedicated pen tester is cool, but a lot of them just go through a set of tools or tests and then that's it. They don't necessarily know the best ways to exploit a particular system.

    1. Re:It takes more than one bullet by gweihir · · Score: 3, Insightful

      Indeed. Security is _hard_ and expensive. A level of security where most or all relevant attackers will just go elsewhere can be reached but it takes real effort. And it takes experience, KISS and using pen-tests, potentially bug-bounties (that are higher than what scum like the NSA feeding bug-traders offer), secure architecture and design, having security-aware coders, external security-reviews of architecture, design and implementation, etc.

      Expect secure coding to be, at the very least, about 2x as expensive as the slap-dash insecure messes usually rolled out these days.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re: It takes more than one bullet by illiac_1962 · · Score: 1

      Yep. There comes a point where you have to know the business before you can start uncovering the really juicy exploits.

  15. There is no silver bullet by gweihir · · Score: 1

    But clueless people keep looking for it. Always the same with those that mistake technology for religion that will solve all problems in magic ways.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. Re: Like that new movie Blacrimony by Anonymous Coward · · Score: 0

    jewgger cocksuckers are nazies. Exterminate them.

  17. Re: Like that new movie Blacrimony by Anonymous Coward · · Score: 0

    Hideous hag pinned under rock for eternity - claims burning smell distracted her

  18. How do you find those elites? by booboo · · Score: 1

    I worked in a very popular bug bounty for a short amount of time. It's about as pure a meritocracy as you can get. Young folks from all over the planet were working very hard to find bugs and some of them did very well for themselves. I would say it's clear that the bug bounty gave them the foothold and the financial backing to start a career in security.

    Only the dumbest assholes on the planet think you can survive solely on a bug bounty. However, if you run it properly (which is exceedingly difficult) you can get some real value from it while giving an opportunity for folks that are new to the industry a medium in which they can gain valuable experience and possibly launch a career.

    1. Re: How do you find those elites? by illiac_1962 · · Score: 1

      It doesn't have to be all pomp and circumstance. Bug bounties can simply work to get your in-house developers to give a few shits about security.

    2. Re: How do you find those elites? by Anonymous Coward · · Score: 0

      It also forces the company to have visibility and a process around security issues.
      There are many software companies that don't even have the basics like an email address or bug tracker to report security issues to.

  19. There are no silver bullets for anything. by 140Mandak262Jamuna · · Score: 3, Insightful

    There are no silver bullets for anything.

    Saying X is not a silver bullet for Y is a misleading rhetorical tactic. If X is better than !X for Y, then X is one of the solutions. That it is not a complete solution is irrelevant. If there is a Z that is better than X, then that is a valid argument.

    X will not solve Y is typically used by vested interests against X not people who are genuinely interested in solving Y.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:There are no silver bullets for anything. by bill_mcgonigle · · Score: 0

      It's Clickbait for Nerds, dude.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  20. Ah, the UNIDENTIFIABLE anonymous expert by Anonymous Coward · · Score: 0

    Ah, the UNIDENTIFIABLE anonymous expert on SECURITY who knows all - Lookup Google EFast & tell us another one!

    * CLUE: Android uses a LINUX core stupid. That's NOT MacOS or Windows, dummy - that makes it a Linux.

    APK

    P.S.=> You're a joke & all you can DO is show everyone how much you're AFRAID of me by STALKING me by UNIDENTIFIABLE anonymous posts because it's obvious I've TOTALLY FLOORED YOU BEFORE under your registered "luser" (probably a few sockpuppets) accounts here before & have it bookmarked to TOSS BACK IN YOUR FACE - too obvious... apk

  21. Proof hosts stop Meltdown/Spectre attacks by Anonymous Coward · · Score: 0

    "Of course, a blacklist-based approach is really a pretty bad way to secure a system, and does little to protect against many modern threats like Spectre and Meltdown" - by UNIDENTIFIABLE anonymous NO BALLS WORM who STALKS ME on Monday January 21, 2019 @04:36AM (#57994726)

    Here's SPECIFIC EXAMPLES of hosts stopping an INTEL cpu based attack (done by javascript MELTDOWN & SPECTRE) https://www.bleepingcomputer.c...

    Now MELTDOWN https://spectreattack.com/spec... - Here IS another (spectre) https://meltdownattack.com/mel...

    BOTH NEEDED LOCAL CODE DOWNLOADED TO WORK

    3 proofs hosts can stop Meltdown/Spectre/Portsmash etc. by blocking the source of download!

    APK

    P.S.=> Unbelievable - between THIS post & my other one https://tech.slashdot.org/comm... to you PROVES you're stupid... apk

  22. You say "hosts = bad security"? Bullshit by Anonymous Coward · · Score: 0

    "Of course, a blacklist-based approach is really a pretty bad way to secure a system" - by UNIDENTIFIABLE anonymous NO BALLS WORM who STALKS ME on Monday January 21, 2019

    See subject: MANY evidences to the contrary https://tech.slashdot.org/comm... & YOU DENY 'EM??

    "Whitelists and heuristics are far superior to your blacklisting for detecting and blocking such threats." - by UNIDENTIFIABLE anonymous NO BALLS WORM who STALKS ME on Monday January 21, 2019

    Whitelists & heuristics GENERATE FALSE POSITIVES LIKE MAD - hosts specifics don't & you can EASILY EDIT HOSTS ENTRIES to remove any stupid (can you with a binary's heuristic algorithm? NO).

    APK

    P.S.=> Between this post, & this one where YOU BLEW IT on spectre/meltdown being STOPPABLE by hosts https://tech.slashdot.org/comm... & ANDROID does use a LINUX core (certainly not MacOS or Windows) https://tech.slashdot.org/comm... ??? You have PROVEN yourself STUPID, lol... apk

  23. you are an idiot by Anonymous Coward · · Score: 0

    There are no silver bullets for anything.

    there most certainly is a "silver bullet" that will solve every problem

    the "silver bullet" is keeping the customer happy.

    they keep sending checks, you keep paying employees, the company succeeds

    but you do seem to be having fun pretending you know something

    1. Re:you are an idiot by Anonymous Coward · · Score: 0

      Specious argument, but go on pretending you know something.

  24. Rubbing salt into your many cuts on Portsmash by Anonymous Coward · · Score: 0

    "You basically have to already be able to run your own evil code on a machine in order to PortSmash it." from https://www.theregister.co.uk/...

    * RoTfLmAO @ U, you WEEZIL stupid UNIDENTIFIABLE anonymous STALKER of me... lol!

    (it's NOT the only way you can be attacked by Spectre/Meltdown/Portsmash etc. BUT it IS the way it's used against folks - far more effective DELIVERY & SURFACE AREA OF ATTACK IS DONE BY ONLINE METHODS vs. local file based off say, a DvD of an OS (or bushwhacking other code on distro disks)).

    APK

    P.S.=> See subject & as an ADDENDUM to your STUPID statement here

    "Of course, a blacklist-based approach is really a pretty bad way to secure a system, and does little to protect against many modern threats like Spectre and Meltdown" - by UNIDENTIFIABLE anonymous NO BALLS WORM who STALKS ME on Monday January 21, 2019 @04:36AM (#57994726)

    Vs. my OTHER Spectre/Meltdown PROOFS hosts CAN STOP THEM https://tech.slashdot.org/comm... ... apk

  25. Whitelists & Heuristics = FALSE POSITIVES by Anonymous Coward · · Score: 0

    "Whitelists and heuristics are far superior to your blacklisting for detecting and blocking such threats." - by UNIDENTIFIABLE anonymous NO BALLS WORM who STALKS ME on Monday January 21, 2019 @04:36AM (#57994726)

    See subject: Everyone KNOWS whitelists = maintenance nightmares (makes users bitch) & heuristics = known for false positives!

    * DAMN YOU ARE REALLY STUPID!

    APK

    P.S.=> Between these posts blowing you away too per "yours truly" on every so-called 'point' (bullshit) of yours:

    Vs. Portsmash hosts work https://tech.slashdot.org/comm...

    Vs. Meltdown/Spectre hosts work https://tech.slashdot.org/comm...

    ANDROID uses a Linux CORE (sure not MacOS or Windows) so it IS a Linux (stupidly using JAVA ("dalvik") - a security nightmare) https://tech.slashdot.org/comm... & "ALL THOSE EYES" bs SPEWED GARBAGE this ARTICLE PROVES that way off too!

    Google EFast IS an example of CLONED "OpenSORES" being ABUSED TOO, stupid... apk

  26. False dichotomy by Shaitan · · Score: 3, Interesting

    "Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs"

    There is no reason you can't do both. Hell the ones you hire can even be eligible for the bounties as bonuses. It's a built in incentive program.

    "Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards."

    Obviously the bounties are too low and/or the bugs aren't being acknowledged properly and paid out.

  27. Security PROS etc. disagree w/ you on hosts by Anonymous Coward · · Score: 0

    "classic Windows hosts trick to block the Coinhive or Crypto-Loot domains" - https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ - BLEEPING COMPUTER

    ZD NET http://www.zdnet.com/article/how-to-use-a-hosts-file-to-improve-your-internet-experience/ "Hosts files really shine by letting you block ads, spyware sites, malware sites, & tracking sites"

    SANS ("A related approach to the DNS issue is to create a hosts file on each system that sends requests for spyware to some place else" hosts by myself & RAMU right @ START of "malware explosion" mid 2005 on) https://isc.sans.edu/forums/di...

    Aryeh Goretsky/ESET/NOD32: hosts = good security https://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/

    Oliver Day (SYMANTEC/SECURITYFOCUS) http://www.securityfocus.com/columnists/491/

    Spybot S&D uses hosts.

    APK

    P.S.=> Malwarebytes' hpHosts hosts & RECOMMENDS my program forum.hosts-file.net/viewtopic.php?f=5&t=4290
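    The hosts-file blocking the comment above cites works by mapping a hostname to a sinkhole address so the resolver never reaches the real server. The following is an added example (not code from the thread, the hosts-file.net program, or any of the vendors named) that parses a constructed hosts file and answers whether a given name is blocked; the domain names in it are placeholders, and the exact-match check in `is_blocked` shows the main limitation of the approach, since a hosts file has no wildcard entries.

```python
"""Added example (not from the thread): parse a hosts file and check whether a
hostname is blocked by a sinkhole entry (0.0.0.0, 127.0.0.1, ::1 or ::).

SAMPLE_HOSTS is constructed for illustration; its names are placeholders,
not real blocklist entries.
"""
import ipaddress

# Addresses commonly used as sinkholes in blocklist-style hosts files.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately map to loopback and must never count as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}

# Constructed sample hosts file: comments, blank lines, inline comments,
# IPv4 and IPv6 loopback, and one ordinary (non-sinkhole) mapping.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example-tracker.invalid   # blocked: ad server
0.0.0.0     miner.example-coinhive.invalid
127.0.0.1   spyware.example.invalid
10.0.0.5    intranet.example.invalid      # ordinary mapping, not a block
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.

    Later entries for the same name override earlier ones; malformed lines
    (bad address, no names) are skipped rather than raised, which is how most
    resolvers treat them.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in parts[1:]:
            mapping[name.lower()] = str(ip)
    return mapping


def is_blocked(hostname, mapping):
    """True only if this exact hostname maps to a sinkhole address.

    Hosts files have no wildcards, so 'cdn.ads.example-tracker.invalid' is NOT
    blocked by an entry for 'ads.example-tracker.invalid'; every subdomain an
    attacker rotates to needs its own line. That is the caveat of blocklists
    built this way.
    """
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    return mapping.get(name) in SINKHOLE_ADDRESSES


def blocked_names(mapping):
    """All names the file sinkholes, for auditing a large blocklist."""
    return sorted(
        n for n, ip in mapping.items()
        if ip in SINKHOLE_ADDRESSES and n not in LOCAL_NAMES
    )


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for probe in ("ads.example-tracker.invalid",
                  "cdn.ads.example-tracker.invalid",
                  "intranet.example.invalid"):
        print(probe, "blocked" if is_blocked(probe, table) else "allowed")
```

Running the block on the constructed sample reports the ad server as blocked, its `cdn.` subdomain as allowed, and the intranet mapping as allowed; the middle result is the gap a hosts-based blocklist leaves and is why it is usually paired with other controls rather than used alone.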

  28. RoTfLmAo: You've been PUBLICLY ANNIHILATED by Anonymous Coward · · Score: 0

    See subject: It was MY PLEASURE publicly DESTROYING you (who STALKS me by UNIDENTIFIABLE anonymous posts) as usual!

    * RoTfLmAo!

    APK

    P.S.=> Oh, I know you'll come along & "downmodbomb" my points ANNIHILATING you PUBLICLY but then I'll just do my usual & RUN YOU DRY of your ABUSED "downmodpoints" (since you have a registered 'luser' account on /. & use AC to harass me + then downmod me later when I crush you, lol) as I can post UNLIMITEDLY unlike MOST AC posters - go for it, I'll just BURN YOUR ASS as always, lol... apk

  29. SplitSpectre (javascript based) stopped by hosts by Anonymous Coward · · Score: 0

    "successfully able to carry out a SplitSpectre attack against Intel Haswell/Skylake/AMD Ryzen processors via... Firefox's JavaScript engine" FROM https://it.slashdot.org/story/...

    Done by Javascript HOSTS = mitigation that STOPS sources of attack BLOCKING them from user access via online methods & that's that!

    * YOU LOSE, loser.

    APK

    P.S.=> Oh, I am REALLY enjoying KNOCKING THE PISS out of YOU you little SCUMBAG that STALKS me on /. by UNIDENTIFIABLE anonymous posts (then downmod bombing me using your doubtless 1 of MANY sockpuppet accounts you keep here to 'farm karma' to CHEAT the easily cheated "downmoderation system" of /. - fine by me - I'll just REPOST again, NULLIFYING your EFFETE ineffectual "wannabe weapon of WEEZILS" (like you) just to see you DANCE & SQUIRM, bitch)... apk

  30. Stopped by Anonymous Coward · · Score: 1

    A lot of hackers stopped submitting to bug bounties, because of companies like Facebook never paying their bounties.

    There was always an excuse as why they didn't have to pay. Eventually after submitting multiple bounties and not being paid, they just stop submitting.

    Most probably stop looking for bugs, others start selling them on the black markets so they can at least get paid for their work.

    Bug Bounties only work for as long as the companies keep their word.

    Facebook is NOTORIOUS about not paying for them and have screwed countless individuals out of their bounties.
    They will only pay official companies, but their default policy is to try to find any way possible to not pay if it is an independent researcher.
    I still have multiple emails where Facebook Developers told me a bug in their system needed to be fixed in EVERY router in the entire world to prevent CSRF protection instead of filtering CSRF in their system. Then they implemented CSRF filters in their system, but I never got paid for that bounty or any bounty I have EVER submitted to Facebook, which are numerous.

    It is VERY well documented online and in blogs, almost as much as Google Adsense stealing from publishers (which has been proven and getting exponentially worse.)

    How can you expect bug bounty programs to work after the hackers and developers wise up to not being paid and instead completely screwed over?!
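    The comment above describes a CSRF issue being fixed by filtering in the application rather than in every router. As an added example (not the thread's code and not Facebook's implementation), the block below shows the synchronizer-token check an application performs itself: a random token is bound to the session, embedded in the app's own forms, and required on every state-changing request. The in-memory session store, the `form` dict and the `handle_request` dispatcher are assumed placeholders standing in for a real framework.

```python
"""Added example (not from the thread): a minimal synchronizer-token CSRF
check of the kind the application itself must perform.

SESSIONS is a constructed in-memory stand-in for a real session store.
"""
import hmac
import secrets

# Constructed session store: session_id -> session data.
SESSIONS = {}

# Methods that must not change state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the app embeds in its own forms (hidden field) for this session."""
    return SESSIONS[sid]["csrf_token"]


def csrf_ok(sid, method, form):
    """Return True if the request may proceed.

    Safe methods pass. State-changing requests must carry the token bound to
    the session: a page on another origin cannot read that token, so a forged
    cross-site request cannot supply it. hmac.compare_digest keeps the
    comparison constant-time.
    """
    if method.upper() in SAFE_METHODS:
        return True
    session = SESSIONS.get(sid)
    if session is None:
        return False  # unknown session: nothing to validate against
    submitted = form.get("csrf_token")
    if not submitted:
        return False  # token absent: reject before comparing
    return hmac.compare_digest(submitted, session["csrf_token"])


def handle_request(sid, method, form):
    """Tiny dispatcher: 403 when the CSRF check fails, 200 otherwise."""
    if not csrf_ok(sid, method, form):
        return 403
    return 200


if __name__ == "__main__":
    sid = new_session()
    token = csrf_token_for(sid)
    print("POST with token:   ", handle_request(sid, "POST", {"csrf_token": token}))
    print("POST without token:", handle_request(sid, "POST", {}))
```

The check lives entirely in the application: nothing in the network path needs to change, because the property being verified (the request carries a secret only the app's own pages could have read) is one only the application can establish.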

  31. Bugs are inevitable by Anonymous Coward · · Score: 0

    It's a constant to discover bugs and fix them. Then you have software improvements which could add even more bugs. Windows is a perfect example of software that has no end to bugs, you will never reach a maturity where they would end.

  32. I'm not even CLOSE to being done MAULING him by Anonymous Coward · · Score: 0

    I'm not even CLOSE to being done MAULING him - the stupid little cocksucker lies about me, libels me, downmod bombs me constantly.

    * No, no senor - I'm FAR from FINISHED fucking that little STUPID cocksucker the FUCK up... PAYBACK is a BITCH!

    APK

    P.S.=> Especially to disgusting "ne'er-do-well" DO-NOTHING BITCHES that STALK me by UNIDENTIFIABLE anonymous (& sooner or later, he'll FUCKUP like c6gunner did using his "registered 'luser'" account IMPERSONATING me & OBVIOUSLY FORGETTING TO SUBMIT BY AC to harass me instead https://linux.slashdot.org/com... (just because I challenged him FAIRLY to show he's done better work than mine AFTER putting down my work others like/use/praise in my hosts engine ALTERING their praises no less) - once he does that & he will inevitably? Oh, I am going to RIDE HIS ASS RIGHT OFF /. - won't be a first either, I've done it before PUBLICLY HUMILIATING "not men" like those doing that (punks & WEEZILS - wastes of LIFE)... apk

    1. Re: I'm not even CLOSE to being done MAULING him by Anonymous Coward · · Score: 0

      LOL. I don't understand why good people have to die, while we have mouth breathing idiots like APK who run around untouched. May god have mercy on your soul.

    2. Re: I'm not even CLOSE to being done MAULING him by Anonymous Coward · · Score: 0

      He is untouchable because he used facts you can't get the better of as you stalk him by unidentifiable anon posts troll. Poor showing for you.

  33. Half agree. Good developers discover requirements by raymorris · · Score: 1

    > Coders are useless without good specifications, good practices and good languages.

    Good practices make a world of difference. Peer review, for example, is huge.

    Good specifications, or requirements, are critical. Just as good developers learn how to write particular functions, they learn methods of finding out exactly what the requirements are. So "the requirements weren't clear" isn't an excuse for a software engineer to have done poorly, it's what they did poorly. There are good ways of getting the requirements defined, and it is the programmer's job to learn those methods and use them.

    I'd say "good languages" are overrated by many. "It's a poor craftsman that blames his tools." One language has benefits and drawbacks compared to another, and being able to choose the language (and style of language) that best fits a given task is useful. If the code is crap, though, it's not because the language sucks, it's because the programmer did a poor job. It is true that trying to write code to query set-based data in Python instead of SQL is likely to result in crappy code.

    > Test driven design beats most other forms.

    Test driven development is at least a consciously-chosen process. That's certainly better than no methodology, just writing whatever code and throwing it on production with no thought to process.

  34. Obviously by nospam007 · · Score: 1

    Silver bullets work only against werewolves, bugs have to be squashed.

  35. Hats sit on heads, that's all. by Anonymous Coward · · Score: 0

    That's very questionable, actually. It's how the security s'kiddies do things now, but they haven't been making much headway actually structurally improving security very much at all. You need to understand what the adversary is doing, but copying him verbatim isn't getting you the leg up to actually secure much of anything. See also: Bruce Schneier's bit of math about the hypothetical software with a million exploitable security bugs and the lone "black hat" vs. the team of a hundred "white hats". Spoiler: The lone guy still has a good chance of winning.

    DEA-agents likewise need to understand how drug lords work, how deals are made, how to make fake purchases that'll stick in court, that sort of thing. Securing means you need to understand the adversary, not be the adversary. That's the idiot's game. As they say: Never argue with an idiot. He'll drag you down to his level then beat you with experience. That's exactly what the "white hats" have been doing, with more stupidity besides.

    1. Re:Hats sit on heads, that's all. by Anonymous Coward · · Score: 0

      Fair enough, thanks.

  36. Undo mod by godel_56 · · Score: 1

    Undo errant mod.

  37. Pay for Work by Anonymous Coward · · Score: 0

    No shit: you get better results for paying people to work rather than asking them to work for free and only pay them if they find something. Nobody is going to make a lot of money finding bugs in my crappy website or application. Bug bounties only make sense for huge, juicy targets like Google, Apple, Microsoft, etc., and critical infrastructure like OpenSSL, Apache httpd, ntp, bind, etc.

  38. Retarded bitch APK's pretend friend by Anonymous Coward · · Score: 0

    Look everyone it is that retarded bitch Alexander Peter Kowalski's even more retarded friend. That one that talks just like him, always posts as AC, and manages to say dumber shit than he does.

  39. Retarded bitch APK hides by Anonymous Coward · · Score: 0

    Look it is the retarded bitch APK pretending there is support for himself. If you aren't Alexander Peter Kowalski then you are an even bigger retard than he is since he isn't even trying his usual bitch tactics to defend himself of repeating himself, calling people names, or deflecting from valid criticism.

  40. And retarded bitch APK talks to himself by Anonymous Coward · · Score: 0

    Retarded bitch Alexander Peter Kowalski you really need to stop talking to congratulating yourself. You think you won but really just showed everyone how much of a spastic retard you are. I see you are still gay wanting to ride some dude's ass but at least you aren't wanting to have violent butt sex with him.

  41. Report Author Conflict of Interest by Littleman_TAMU · · Score: 1

    Report co-author and CEO of Luta Security, Katie Moussouris, doubled down on the findings, claiming that independent researchers are “better off pen testing or living the good life of in-house research staff.”

    Katie started the bug bounty program at Microsoft and now owns a company doing pen testing. Guess what the report recommends? I wonder what it would recommend if she were still heading up a bug bounty program? Maybe I'm overly cynical, but it appears the authors are trying to structure bug bounty programs to be more like they are, security consultants. If you're going to propose such a large change, why look at only one data set? Even the Hacker One CEO said their data set isn't representative of the whole.

    It's clear from the news article, which has a very clickbait-y title, that there are ways to improve bug bounty programs. As others have pointed out in comments here, it's still a useful tool. There's a blog post linked in the news article gives a good overview. That should've been the Slashdot submission.

  42. When you grow a pair of balls? apk by Anonymous Coward · · Score: 0

    When you grow a pair of balls & use your real name? Then you can talk. Until then you're nothing but a "ne'er-do-well" do-nothing worm STALKING me by UNIDENTIFIABLE anonymous (some "accomplishment" on your part (not)).

    * You fear me - this much is obvious!

    APK

    P.S.=> I say that because you HIDE from me the way you do which only proves I've dusted you before beneath 1 of your doubtless MANY 'sockpuppets' accounts on /., lol... apk

  43. When you grow a pair of balls? apk by Anonymous Coward · · Score: 0

    See subject: & use your real name? Talk. You're a "ne'er-do-well" do-nothing worm STALKING me by UNIDENTIFIABLE anonymous (some "accomplishment" on your part (not)).

    * You fear me - this much is obvious!

    APK

    P.S.=> I say that because you HIDE from me the way you do which only proves I've dusted you before beneath 1 of your doubtless MANY 'sockpuppets' accounts on /., lol... apk

  44. You're hiding... apk by Anonymous Coward · · Score: 0

    See subject: You're hiding behind UNIDENTIFIABLE anonymous troll posts STALKING me like the psycho weakling you prove you are.

    APK

    P.S.=> You're disgusting... apk

  45. Retarded bitch APK is mad by Anonymous Coward · · Score: 0

    Looks like the retarded bitch Alexander Peter Kowalski is mad that more of his bullshit has been exposed. Maybe you should go stalk arth1, Ol Olsoc, JustAnotherOldDude, Zontar the Mindless, or Khyber instead. Maybe Zontar can send you another non threatening post card that you can report to the police.