Slashdot Mirror


User: Fulkkari

Fulkkari's activity in the archive.

Stories: 0 · Comments: 251

Comments · 251

  1. Just adding my 2 cents. I agree with you that crashing is never acceptable (as in you have something broken), but a forced exit out of the program through an assertion is the most sane thing to do when the error handling has failed and you have an inconsistent state. The best choice of bad ones so to speak. You should not continue hoping things will turn out good (imagine you were talking about a life critical system), but just exit and avoid further damage and restart the program. You might of course be able to write code to take you out of the situation and fix itself, but that is not assertions then, it is error handling.

  2. Re:Tim Cook's first big fuckup. on With Mountain Lion's iCloud Integration, Apple Strengthens the Garden Wall · · Score: 1

    There is an inherent flaw in this thinking, and this flaw also shows us why large powerful governments are a bad idea. That flaw is trust, or more specifically, trust in a single entity. Think about it. Almost every malware attack vector starts with exploiting a common point of trust (e.g. you trust Java or Flash or your browser). When trust is centralized, the baddies only need to focus their efforts on subverting that single point. This is true in both government, and information security. My point is, creating an ecosystem that relies on a central point of trust is setting us up for failure. (sorry for typos, using a tablet)

    While I absolutely agree with you that a single authority is a dangerous thing to have, what is even worse is to mix different levels of trust. That is what we have been living with up to this point. There haven't really been any restrictions on what applications can do on the system in the context of the user running it. It takes only one malicious or badly written software to compromise the security of your whole system. By sandboxing the different pieces of software in the system, the security of the whole system would no longer be equal to the security of the lowest common denominator. (Up to this point, I rarely install any software simply because I have no control or assurance what it is doing on the system. With iOS I felt for the first time somewhat confident to install 3rd party apps from developers I never heard about)

  3. Re:Tim Cook's first big fuckup. on With Mountain Lion's iCloud Integration, Apple Strengthens the Garden Wall · · Score: 1

    I'm not saying that there aren't any issues. I just think that the security benefits outweigh the downsides of a more controlled environment. From a technological standpoint, this is absolutely the way to go in the consumer market. If this leads to some applications getting rejected, it is not a technological problem. It just means that it needs to be solved in some other way. For instance, allowing users to install root certificates for 3rd party "app stores". This could be the case for instance how MacPorts and other package management systems would work in the future.

    PS. It was probably also a smart move to deny emulators in iOS. I'm already somewhat skeptical about games because of concern for battery life. Running something inside emulators does not sound good until we have phones running on supercapacitors or some better power source.

  4. Re:Tim Cook's first big fuckup. on With Mountain Lion's iCloud Integration, Apple Strengthens the Garden Wall · · Score: 1

    The way I see this is going, this might be the case by default. Typical users get their software through Apple. Apple controls the user experience by denying applications they don't want for their users for whatever reason. On the upside users get safer downloads and applications with at least some level of quality. The fact that applications are being sandboxed and what they can do are controlled by "entitlements" given by Apple will eventually increase the security of OS X. Too long have the access rights of a process equaled the access rights of the user. Whitelisting applications will be much more effective than blacklisting (= virus scanners). I'm not quite sure why most people see this as a bad thing.

    For the users on the other side of the spectrum, e.g. developers, I would not worry too much. Unlike iOS, OS X is being used to create applications. Software just doesn't magically appear in its final form on the doorstep of Apple. You may need to sign your software before being able to run it, but the option will be there. But why should this be enabled by default? Most people will never touch the code.

  5. Re:So, it just run, shoot, run, respawn on Twisted Metal Designer Rails Against Storytelling Games · · Score: 1

    I would like to compare Battlefield Bad Company and Battlefield Bad Company 2. The first game had a singleplayer consisting of short clips of what is going on. Otherwise you'd be quite freely running/driving/flying around, do whatever you want with plenty of routes to choose. You could drive straight into an enemy base, or you could avoid the base entirely, maybe snipe a few guys along the way. The game has lots of replay value for this reason; nobody dictates how to play it.

    In Bad Company 2 however, you're not given any choice. The game is trying to give this "cinematic" experience, and it is totally boring. There is only one path to move forward across and the experience is "dumbed" down to be the same for everyone. For instance, there was that one place where a burning guy was running towards you. Not so impressive, because I did not do anything to make that happen (and I actually had seen it before in the trailer). It always happens. Another example was a place in single player where there was just one narrow route forward, no cover. It was so obvious that there would be an ambush there. I would have tried to flank, but as there were no alternative routes I threw some grenades on the route forward and got some kills. After that I continued, and had one of the AI squad mates shout "ambush!"... Yeah, nice except I already killed all the enemies. Total mood killer.

    Everybody plays differently and me for instance, I always try to take the non-obvious paths (the ones without the ambush). Cinematic experiences hardly ever work the right way if you play like this. And even if they do, there is no replay value. I don't think real cinematic experience comes from having some predefined animations or events that occur when you stumble upon them. Cinematic experience comes when some totally random stuff occurs, would it be single- or multiplayer. It is like having an RPG fly very close by or managing to take cover from a tank... And these things just happen. They are never scripted.

    I think that my main point is that everybody builds their own experience, and should come up with their own goals rather than have the game developer decide how you should play.

  6. Re:Hope they are realistic on UK Ministry of Defense Improves War Games For Console Generation · · Score: 1

    I used to play Tom Clancy's Ghost Recon (the original PC version) a lot, as well as the good old Rainbow Six series. I usually set up a game with 15 min rounds, no respawn, no threat indicators (a cursor that showed roughly in which direction the enemy is). The games were one shot, kill. Some people complained that it was boring, but I liked it. Your heart would beat like crazy at times. When your whole team was gone with only you left, you would definitely feel the pressure knowing the whole other team was hunting just for you. You should check some videos on YouTube.

  7. This is simply Wifi positioning? on iPhone and Location: Don't Panic · · Score: 1

    My guess is that the data is fetched to the phone when other means of positioning fail. This data is probably not your location, but the location of nearby Wifi hotspots. By using the nearby Wifi hotspot locations the phone still approximates your location, which is of course neat. According to the update in the article, Android phones would seem to do the same.

    Buffering data on the device makes sense. Downloading it every time you visit a location would be a much bigger privacy issue. Of course downloading it in the first place would reveal your approximate position to Apple (or is it Google?). In my opinion, there are two things that could be improved: 1) disabling of Wifi hotspot positioning entirely and 2) expiration of data (shorter, if there already is expiration) of maybe one month to a couple of months.

    I don't have an iPhone so I have not analyzed any data, but this would seem logical to me. My bets are that this is not some evil scheme to "track your every move", so calm down.

  8. Re:What is up with this site lately? on Xfire Purchased, Team Leaving · · Score: 1

    I'm sorry, but the NYT story was just stupid. I think I'm like many others in here: I come here for the news and the discussion. I don't care about the "social media". I don't want to have any "Facebook and Twitter integration". I don't care about what some guy wrote on his blogpost. And I don't care if some article is a day or half a day late - hardly ever are news really that important. And if I did not follow the link, then I probably just did not think the topic was worth my time.

  9. Re:Biometrics on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    ... It's compromised. Fortunately, your IT guy is on the ball. At 11am the next day, you get a call from your network admin asking you if you are signed into the VPN because he expects that you're in the office, but you also appear to be signed in remotely. You confirm that you are not signed in and the two of you realize that you've been hacked. He temporarily disables your access. You go home, clean up your home computer (assuming that you can) or bring it in to have them clean it up, and then it's time to give you access back.

    Now here's where things diverge. If you've used a password, you just have to change your password to a new one, and it's secure again. Your fingerprint isn't changeable. ...

    I have not used biometrics and am not any expert on the matter, but I think there is an obvious solution to this problem: biometrics should only be used for authentication on the local side. Successful local authentication would authenticate the local user remotely using public-key cryptography. In this case, if the account gets compromised, all you need to do is generate a new pair of keys to a clean computer and you're secure again.

  10. Re:Huh? on Biden Reveals Location of Secret VP Bunker · · Score: 1

    I am shocked that there is a bunker under the US Vice President's residence. Here in Finland all bigger structures require bunkers by law. Quote from Wikipedia:

    Finland has over 40,000 air-raid shelters which can house 3.8 million persons (71% of the population). Private homes rarely have them, but houses over 600 square meters are obligated to build them. Fire inspectors check the shelters every 10 years and flaws have to be repaired or corrected as soon as possible. The law requires that inhabitants of apartment blocks can clear the shelters and put them into action in less than 24 hours. Also, the shelters must possess a working phone line connection that must be usable at all times.

  11. Re:2% were lost... on Finnish Court Dismisses E-Voting Result · · Score: 1

    If 2% of the votes were lost, how many were incorrect or not registered properly? If the system can lose votes, it can very easily put them for the wrong person as well...

    As far as I know, the reason why votes were lost was that the voting system had a very bad UI. For the vote to be registered, you had to push an OK-button more than once *) - something that wasn't that apparent, and which all users did not understand to do. Also, when then removing the voting card from the machine, no indication was given if the vote was registered or not. This caused votes to be lost simply by a bad UI design, which could be fixed later on.

    *) Having a confirm button is good, but the system should in that case clearly indicate that the voting is still in progress.

  12. Re:Why all the fuss? on Update — No DRM In New iPod Shuffle · · Score: 1

    There's no standard way to control a device from a standard headphone jack

    Sounds like a good argument to develop a standard rather than applaud this bad behaviour.

    A reality check please; companies would rather push out new products immediately than argue about some random feature in a standards committee. In fact, it is much more in the interest of the company to keep shut about these kinds of features.

    But don't get me wrong. I think standards are good and crucial to the whole business. It is just that there should not be any expectation on the companies for developing these standards.

  13. Re:Who cares? on In Finland, Nokia May Get Its Own Snooping Law · · Score: 1

    Right. But even if you'd be ok with your corporate mail being monitored this law applied to any "community subscriber". This includes the high-speed Internet connection you are sharing with your neighbours. Would you like to give your neighbours legal right to capture all your protocol headers starting with IP? This is more than the police has authorization to do in normal circumstances. This law will do absolutely nothing to stop IP theft, just cause paranoia between people.

  14. SMS length 160 on Girl Sends 14,528 Text Messages In One Month · · Score: 1

    I'm not very into mobile phones so correct me if I'm wrong, but isn't the limit for an SMS message 160 characters? Now if you send a text message longer than that, it actually sends several text messages and thus is counted as several messages on the service provider side, even though it looks like one message on the modern mobile phones.

    Now, filling 160 characters is not hard. With an average word length of 5.1 in English that would mean around 30 words per SMS when including whitespace. Even this post, that would be counted as not that long by Slashdot standards, would make up 7 SMS messages giving a count seven times larger than it actually is. Now imagine that you combine this with lots of short messages like "OK" you could easily get a large number of SMS messages even though your communication has really not been that intensive.

    Does this explain the bizarre amount of messages this girl has sent? No. Is there a possibility that she has "broadcasted" her messages to all her friends for instance? That would explain a lot.

  15. Blocking content vs. modifying content on Study Confirms ISPs Meddle With Web Traffic · · Score: 3, Insightful

    We often complain about the efforts made by China and others in blocking Internet content. But how does this compare to modifying the content? With blocking you know it is blocked, but with modified content, can you tell? The ISP might say that it just puts ads on the pages, but would you trust it? Having a secret ISP framework for modifying content is a disaster waiting to happen. Personally, I think the web should go https.

  16. Re:"strictly necessary" on EU Recommends Slashing Search Data Retention · · Score: 1

    If that is the law to follow, they will make it "strictly necessary" by adding features using that data, I guess. Just making it a bit harder is a lot of lawmaking for little effect.

    One would think that this will be considered in a law. Would the new feature in the service be strictly necessary? Should it be separated from the basic service? I would not suggest for companies to try to circumvent laws like this, as their intentions would not be looked at kindly.

  17. Re:A real hero on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    Governments should be able to impose fines on, or make it easier for injured parties to sue, large commercial entities with shoddy quality.

    The problem with fines (or suing) is that it can be used only after the damage is already done. The weight should be on the preemptive actions.

    Subjecting small organizations to the same rigour as large ones only prevents innovative startups from happening, and ensures that only the lumbering megacorps will survive.

    Having audits on all commercial software would of course not make much sense. The most common criteria for deciding should software be audited should be determined by the count of end users of the software (as you briefly mentioned). This would allow large companies to make small software excluding audits and also mandate small companies to audit highly popular software, the idea being that the more people a potential problem might affect, the more time should be spent on finding such problems.

    This could turn out very favourable for small companies, which currently often have problems competing with high market share products, even if these were of poor quality. This also prevents high market share products from being bundled with low quality software, as both would have to be audited because of the market share. I think even Microsoft would think twice about all the software that is in one package, if all had to be carefully audited. Also as we have seen, companies do prefer features over correctness (for obvious reasons) for their new releases, and this could be a way of giving a balance between these two.

    Is it worth having more government pork to audit Microsoft for security issues? No.

    With the use of Microsoft products in the US government, law enforcement and military, there should definitely be some interest in the quality and correctness of the products. Lack of interest would show a pure ignorance of the potential hazards the software could cause.

  18. Re:A realistic hero on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    2) Reporting the exploit and very possibly facing a defamation lawsuit costing him $10,000 to defend and some nice eBay fodder (e.g. HIS laptop).

    Having reported about security problems to Apple myself, I think this is silly. Unless you publish a zero day exploit, I don't think there is a problem. The proper way is to contact the vendor and have the issue fixed. It is not that difficult.

  19. Re:A real hero on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    We should be happier with this approach because no end users were harmed by it, and no end users will be harmed by it if Apple remedy the problem when they're told about it (they may indeed already have been told -- we don't know yet, because the details aren't being published until Apple have been notified, and have been given a chance to fix the problem).

    I might have not expressed myself clearly. The point was that this action is harmful as somebody might already be or could become aware of the same flaw and use it maliciously. Especially when the trend seems to be specific attacks instead of global attacks, it is harder for the vendors to get to know the attack when the number of targets is greatly reduced.

    Cheating is using trickery to gain advantages that non-cheaters don't have. This was not the case here, because the people attacking Vista and Ubuntu could have done precisely the same things as this guy did, so he was working under exactly the same conditions as all the other entrants.

    I did not mean this by cheating. I meant more like "cheat starting". The idea of hacking contests should not be to publish new exploits, but to actually find new exploits.

  20. Re:A real hero on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    I agree, in principle.

    From a practical POV though, who's to say this guy would even bother finding obscure (one hopes) security holes anyway, without the financial and other incentives offered by this contest?

    Black hats are often funded by criminals. May as well offer a carrot to the White/gray hats so they don't get tempted by the dark side.

    I agree. Making a living or even getting compensation out of software auditing might not be the easiest thing in the world and I don't think anyone has got the definite business plan for this. At least yet. Personally I have been toying around with the idea of government enforced requirement of 3rd party audits for commercial software. Not only would this create a new software auditing business, but also improve software quality and not only in security.

    That the software industry is maybe the least regulated business does not make much sense when so much depends on computing these days. Just as an example, this week there has been much criticism over a (national) banking system replacement, where the new system caused credit cards to stop working, banking accounts disappearing, double billing and reports of seeing other customers' information. To name a few. Also multiple XSS flaws were found in the web bank in a matter of hours, not to mention privacy concerns with the same site, where information of all page loads were sent to a 3rd party advertisement company. And this is a banking system that deals with people's money! Regulation would make businesses take issues more seriously as they would have to deal with the authorities, not some random white hat. But this is a whole other discussion...

  21. Re:A real hero on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    Or he reported it to Apple and they simply haven't fixed it yet.

    Regardless of the exact situation, I fail to see what the problem would be with any of them.

    As I replied to another poster, I don't think it is ethical to deny a patch being released as soon as possible, if this was the case here. Also having a pre-made exploit for a hacking contest is like cheat starting and pretty much defeats the whole point of organizing such events IMO. Read my other comments if you want a more lengthy reply. :-)

  22. Re:A real hero on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    He also reported it anonymously to Apple and did not disclose it publicly.

    If he did this when he initially found the bug, everything ok, case closed. If this included unnecessary waiting for the contest I would consider it unethical as he would have knowingly denied a patch being released as soon as possible. As for the contest, I do think that having a pre-made exploit defeats the whole purpose of having such contests in the first place and I would not support giving out prizes in these cases. It is like cheat starting and what is the fun of that?

  23. Re:A real hero on MacBook Air First To Be Compromised In Hacking Contest · · Score: 1

    So what if he did? As somebody who uses a Mac (and Linux, and Windows XP), I'm much happier with him having taken this route to gaining from the exploit than the one so many Windows hackers use of putting it up for auction to the highest bidder, or the Month Of Apple Bugs tactic of making exploits public before giving the people or companies whose code was at fault a chance to fix them. Nobody was directly harmed by his actions, and Apple get to close this particular hole before its details are published, so this is a net benefit to all Mac users except rabid Apple fans who are being forced to eat crow

    All bugs should be reported immediately to the developer. Period. I don't have a problem with someone gaining something out of a software bug, as long as it doesn't happen at the expense of the end user. A good example of doing this the wrong way is the "month of" bugs tactic you mentioned, where 0-day exploits are made public one per day during a month. In this case the gain is publicity. But delaying bug reports is not much better and I don't see why I should be much happier with this approach. As someone who works with life critical systems I don't just think of finding and getting a bug fixed, but also the timeframe of the fixing if such bug is found. I don't think this should differ that much from the IT security business.

    But as we have seen now and in the past, there are people who do play the game mostly into their own pockets. This should not be endorsed by hacking contests. These contests should be about finding new ways of exploiting systems. Having a pre-made exploit kind of kills the whole idea, and to be honest tastes of cheating.

  24. A real hero on MacBook Air First To Be Compromised In Hacking Contest · · Score: 5, Interesting

    The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000.

    In other words this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it. A real hero. Or maybe he was just quick. Which seems more plausible?

  25. Re:Vista on minimal HW on Microsoft Internal Emails Show Dismay With Vista · · Score: 1

    I have an old XP box (Dell GX620, ~ 3 GHz processor with 1 GByte of RAM) that I am running Vista business on.

    You must be joking. If this is the perception of old, minimal HW at Microsoft, you need to get back to reality. Not all people upgrade their machines at least every second or third year. I'm in the field and currently my fastest setups at home are G4 1,2 GHz and x86 1,0 GHz. The Mac runs the latest OS without problems. Gone through, what is it, two or three major OS upgrades? Even greater number on my other Mac. Without hardware upgrades. I find it hard to come up with any justification for this constant pressure to upgrade hardware on Microsoft's part. It is also why I have moved to console games, Sony BTW. This rat race has to stop.