Slashdot Mirror


User: OleMoudi

OleMoudi's activity in the archive.

Stories: 0 · Comments: 19

Comments · 19

  1. communication skills on Security Community Raises $12k For Researcher Snubbed By Facebook · · Score: 2

    Not trying to play devil's advocate here but any vulnerability researcher must understand that finding flaws is only half of the job. You must also be able to successfully explain and make understand each flaw to even non-technical people or your work is somewhat worthless.

    Now it's true that one can expect a reasonable technical skill from the Facebook person reviewing your bug submissions, but they also, as they stated, go through a lot of invalid and spurious submissions a day.

    So in case you are hoping for a reward, you better make your submission as clear as possible before going mad and going public. Also you should at least retry and send additional details before giving up on them (reports do not mention whether the researcher "repeatedly" tried to explain the vuln to them).

    IMHO the lack of patience from the researcher illustrates he really does not care about making Facebook (or anything) more secure. Only money drives him. This is perfectly acceptable but not quite the image for raising money as if he were a true whitehat.

  2. VRPs are the new sweatshops on Study Finds Bug Bounty Programs Extremely Cost-Effective · · Score: 3, Interesting

    This is indeed true especially for popular companies with rather mature SecOps that pay minimum wages for vulnerabilities that are indeed hard to find or require a pretty darn good skill level to discover. Some of them even only offer swag in exchange for finding serious threats such as persistent XSS or authentication bypass. They maybe feature the researcher in some blog post to publicly thank him and attract the wannabe crowds.

    Having said that, I myself have participated in several of these programs (with varying success) and come to realize that probably Google and Facebook are the only VRPs currently paying reasonable wages for bugs in terms of cost efficiency for the researcher.

    On the other hand, some of us just enjoy from time to time trying to find security bugs for fun (maybe because we are huge nerds) so these programs offer a great opportunity to test things and not risking ending up in jail.

  3. QR codes != information on QR Codes For Memorials · · Score: 0

    "If the QR idea takes hold memorials will be able to tell much more to future generations."

    Not necessarily. QR codes are only links to other resources, they can't hold useful information by themselves. The availability of the information depends on the provider of the content they refer to.

  4. sounds like a bad idea on JavaScript For the Rest of Us · · Score: 4, Interesting

    Considering the current situation with XSS prevalence, JavaScript obfuscation techniques and content filter bypassing, this will only make matters worse.

  5. not only prevent, but also mitigate on Ask Slashdot: Writing Hardened Web Applications? · · Score: 5, Insightful

    While one can arguably say everything can be hacked (unless air-gapped), in certain scenarios you can at least mitigate the impact of a breach to make it almost irrelevant.

    Easiest example is password storing. Some SQLi may get through and provide someone with a dump of your user passwords, but if you follow up to date recommended security practices, the data will be nearly useless.

    That being said, just by reading the Web Application Hacker's Handbook and following all of its recommendations you will have a pretty secured app.

  6. decisions decisions... on On the Process of Effecting Mass · · Score: 1

    Decisions are good for games

    I'm kind of an old school gamer and I always thought in time games would evolve not only to provide better realistic graphics but also to increase the freedom you have in them. When a game really touches you, you automatically get trapped within its unique universe, and your experience is so much better when you really feel that "I can do almost everything" feeling.

    It's a shame current state-of-the-art games usually just focus their appeal on graphics and pre-scripted sequences that only look great the first time you get to them. And even if you are not planning to play again the game after finishing it, a scripted scene always has that feeling of having nothing to do with the actions you just performed, or more importantly, that it has not happened because you *choose* it to happen.

    Call of Duty 4 is a perfect example of this. Sure, the game looks great, definitely top-notch fps gameplay. However the game stinks of immutability. There is no freedom available on how to complete missions. There is only one way to do them. Maybe it is just too well designed to appeal casual and hardcore gamers at the same time. Maybe they just tried to make the game approachable for the big audience. They probably succeeded in that but they left freedom out in the process.

    Take Half-Life 2 as a counter-example. When I played this game for the first time I really had bad times figuring out gameplay mechanics. Nobody in the game tells you can use flammable barrels as grenades with your gravity gun. Nobody tells you a lot of things in that game. You just figure them out as you play, in a way maybe intended by developers, but perfectly dressed to make you believe you actually come with the solution by yourself. The sense of accomplishment in this game is absolutely brilliant. Maybe it's not perfect, but it definitely points in the right direction while CoD4 doesn't. GTA is another great example of that kind of freedom illusion games should offer nowadays.

    I haven't picked up Mass Effect yet, but I'm really looking forward. Seems like an oasis in the desert of immutable games flooding us lately.

  7. what I have observed on World of Warcraft Teaches the Wrong Things? · · Score: 1

    I have a friend who is addicted to WoW. He doesn't belong to any big guild and it has been long since he got to lvl 60. He basically plays everyday for long hours the tiny content WoW offers to small (10 people) guilds and solo players.

    What I have observed when he rants about the game is that he truly thinks the game is about skill rather than about time investing. He is obsessed with the unfairness of players with epic equipment (which is obtained in 40-people raids) killing him again and again. I have never told him, but he is clearly wasting the time he spends playing, in terms of achieving goals in the game. He simply plays, without doing what he is supposed to do to continue powering up his character, yet he thinks that time he spends is reflected on his skill.

    So in my opinion the bad thing WoW is teaching is making players think what they've achieved through routine and time, but not difficulty, should be admired and respected. They pour hours of plain work into something without really worrying about efficiency or hard work, and they expect the time they spent to be rewarded.

    It's like going to work for 10 years at 8am but only sitting on a chair the whole day without doing anything, and still expecting to be well paid.

  8. insightful article about mmorpg's on Next World Of Warcraft Raid Dungeon · · Score: 1

    I think it is time to look back

    I don't think anyone has ever explained better what it takes to "enjoy" a mmorpg. And no, I don't think EQ and WoW have different gameplay concepts. In the end, they are both games designed with time-investment in mind, and that's utter and wicker design

  9. wrong comparison on 360 Discs Large Enough For Content? · · Score: 3, Insightful

    The thing is the examples provided are between games which share relatively common periods of time in which the technology applied to sequels does not suppose a big leap between first installments.

    We are talking here about a gaming platform which has to last by itself for ...what? 5-6 years like the PS2 did (does) ?
    Consider most games released during first 1 or 2 years of life of the PS2 fitted in a single CD almost without ripping any content.

    The article should consider the weight progression of games along the full life of a console. If we take PS2 as a good example of this, I would expect size of games to be increased by a 3x factor in the next 2-3 years.

    Clearly we'll see a HD-DVD or Blu-ray adapter for the current 360. Maybe because of high-def textures, lossless sound, maybe for videos and extras or maybe only because there is room... but developers definitely are going to use everything they've got available sooner or later.

  10. more expensive than movies? on The High Cost of Gaming · · Score: 2, Insightful

    Well, I haven't really read in detail anything about videogame development costs but, are they really more expensive to produce than a blockbuster movie with, say, Julia Roberts and Brad Pitt plus the best of the FX? I'm pretty sure that each one of the Lord of the Rings movies was more expensive to make than Halo 2 and I haven't seen yet a 60$ DVD of a single movie.

    I don't think it's justified pricing a videogame at 60$. Maybe costs per unit in the cartridge era were higher and we could in some way accept that price, but now that games come in optical media? Apart from the game itself, their cost is less than a dollar to manufacture for crying out loud!

    And as people said before, nowadays they have a very populated audience. Videogames are no longer a hobby for a few, and neither its price should be.

  11. Re:Modding on Xbox 360 Confirmed For November · · Score: 1

    But in the case of the PS2, you can now make the new PSTwo version to play pirated games without a chip by just booting from a special DVD and breaking two plastic switches without even having to take a screwdriver.

    Earlier versions need to be chipped or a more complicated work to break those switches because the dvd loader uses a tray.

    Maybe new versions of Xbox are harder to mod, but for psx/ps2 so far it's been the other way around

  12. clearly defining genre game on Genre-Defining Games? · · Score: 2, Insightful

    Gotta be Metal Gear Solid (PSX version). IMHO he was the first to truly introduce the concept of stealth play in a seductive way to the masses.

    Nowadays it's hard not to find an action game without at least a level or mission in which you must avoid being spotted or setting off the alarm. Stealth gameplay is the perfect complement to action gameplay, enriching the experience.

    MGS is also one of the first and better approaches to film-like videogames according to the frame of reference of mainstream movies. RPGs always have been better at storytelling but the true approach to plots, cinematics and characters following Hollywood films was first made with games like MGS or Silent Hill.

  13. site not fully available on Final Fantasy VII Advent Children Site Live · · Score: 3, Interesting

    At the time of this post, most of the sections of the site are unavailable with a 'coming soon' sign on them.

    Is that what you would call a "live site with trailers and information *now* available" ??

  14. Re:General Grievous? on Episode III Opening Crawl Released · · Score: 1

    No, I'm just saying people who concentrate only on flaws and raise their importance to the maximum level (even long before they actually see the movie), probably won't be able to see any good income the movie could deliver to a less exigent audience.

    It's sort of "the trees do not let you see the forest" thing. The same thing happens when a JRR Tolkien fan talks about how bad the Jackson's movies are because they modified completely several parts of the books.

  15. Re:General Grievous? on Episode III Opening Crawl Released · · Score: 5, Insightful

    Every time some little detail about Episode III is revealed, people are always looking for catastrophical flaws at first sight and flashbacking to episode I.

    Seriously guys, if you try hard enough, you can easily see flaws in almost everything, even in the old trilogy. Try to imagine yourselves writing an opening crawler for episode III that couldn't be in some way criticised for any stupid elitist star wars zealot.

    Don't bury the movie till you see it

  16. blame hollywood on Racial Issues Alleged In GTA San Andreas, Other Games · · Score: 2, Interesting

    As they are the first who introduced those stereotypes. These kinds of videogames such as GTA only try to emulate cinema through development of characters and plots similar to those seen on common blockbuster titles at big screen.

  17. what's the point of emulation? on Doom 3 - Linux, Multi-Monitor, DirectX 8 Solutions · · Score: 3, Insightful

    The hardware requirements to play Doom 3 smoothly on a Windows machine are high enough to think that the result of an emulation through Wine would require even higher computer specs to play D3 the way it was meant to be played.

    Doesn't emulation decrease performance? So what kind of megacomputer would you need to play that kind of graphically bloated games through emulation?

    Maybe I'm missing something

  18. movies in DVD playability on On Nintendo And Marketing Myopia · · Score: 3, Insightful

    Apart from the relatively small variety of games Nintendo has compared to Sony or MS, the article only points out the GameCube is unable to play movies as an example of one of the reasons for the future fall of Nintendo. Seems to me the ability to play DVD movies on your videogame system is more a marketing thing than actually a real advantage. I think almost everybody owning a PS2 or GC has some other kind of platform (DVD player/computer) to watch movies on DVD. Yes, the PS2 can play movies but... is it really the main reason for its success? I guess not. People don't buy a console only to play movies, but they do only to play games, or games and movies. Consoles are still all about games, and Nintendo knows it.

  19. The spirit is still alive on Star Wars Fan Films, now Star Wars Audio Drama · · Score: 2, Interesting

    It is good to know the classic fantasy spirit that made Star Wars films so moving for an entire generation is still alive. These fan activities prove the latest films like Episode one and two have not killed that spirit as many critics state.