Slashdot Mirror


User: the_brobdingnagian

the_brobdingnagian's activity in the archive.

Stories
0
Comments
118

Comments · 118

  1. Purpose of a bug bounty on GM's New Bug Bounty Program Lacks One Thing: A Bounty (securityledger.com) · Score: 1

    In my experience the most valuable thing you get from implementing a bug bounty is:

    1) Creating a procedure for responding properly to external incidents. (Can be really hard with complex supply chains!)
    2) Motivating external people who are already doing the research to tell you about it.
    3) After slowly cranking up the rewards, you might motivate people to start researching specifically to find bugs in your products.

    It's not always a good idea to start aiming for 3 if you don't have 1 yet.

  2. Re:Directive ethical hacking solves nothing on Dutch Gov't Offers Guidance For Responsible Disclosure Practices · Score: 1

    The problem is that the definition for hacking is overly broad.

    It is clearly advised by the published guidelines that an organisation should define for themselves what they consider acceptable and what's not acceptable. An organisation might, for example, rule out social engineering attacks or DDoS.

    IT journalist Brenno de Winter calls the guidance useless. "If hackers first have to report the vulnerability, they lose their anonymity without having a guarantee that they will not be prosecuted. And even if a company promises that it will not press charges, the Public Prosecutions Department can start a case."

    A published responsible disclosure policy is a legally binding document. If an organisation states that it finds certain behavior acceptable and even clearly states that it won't take legal action against people holding themselves to that document, they have to follow that promise. As for the public prosecutor, there are two parts that will protect responsible hackers. The first is the fact that the crime of hacking (computervredebreuk in Dutch law) requires the access gained by the hacker to be unlawful (wederrechtelijk). When a company states that certain behavior is acceptable, the legal test for wederrechtelijkheid will fail and the public prosecutor will have no case for the crime of computervredebreuk. Furthermore, the Dutch minister Opstelten has promised to talk to the public prosecutor about how they will handle responsible disclosure cases. Given the well thought-out contents of the released documents and the clear intentions of the government I have no reason to doubt the results of these talks.

  3. Re:Oh boy. on OpenBSD 5.0 Unleashed On the World · Score: 1

    Just install from snapshots every few weeks.

  4. Tahoe-LAFS on Which OSS Clustered Filesystem Should I Use? · Score: 1

    Try Tahoe-LAFS.

  5. Re:Another benefit of blocking Facebook domains on Facebook Is Building Shadow Profiles of Non-Users · Score: 1

  6. Hardware docs on Ask Director Eben Upton About the Raspberry Pi Foundation · Score: 1

    As far as I can tell the system has a rather uncommon and interesting booting method. Will there be technical documentation available for developers of other operating systems who want to write a port for the Raspberry Pi? You can't fully learn how to program a system if you don't know how to boot.

  7. Re:Galaxy Tab is the discerning user's choice on Galaxy Tab 10.1 Vs. iPad 2 Review · Score: 1

    I absolutely hate Flash for several reasons, but do you mean these specifications are not open? http://www.adobe.com/devnet/swf.html

  8. Re:A $60 game that's really worth it. on Dollar Apps Killing Traditional Gaming? · Score: 2

    Ah! The economics of fun!
    If a free game can entertain me for 10 minutes, how long should a $0.99 game entertain me?

  9. Eye contact on Google Cars Drive Themselves, In Traffic · Score: 1

    While I really like this development, there's one thing I'd like to see resolved: eye contact with the driver. When passing in front of a car I always try to make eye contact with the driver. For me this is the best way to judge if the driver has spotted me and if I can cross safely. A robot driver should have some really simple visual way of saying: Hey, I've spotted you and I will brake for you.

  10. Writing perl on Only 39% Curse At Their Computers? · Score: 1

    I'm not cursing at my computer. I'm writing perl code!

  11. Re:Upon conviction of virus writing.... on Storm Botnet Returns As Part of New Year's Attacks · Score: 2

    To train security people.

  12. Re:I wish I had time to study Lisp, but... on Land of Lisp · Score: 1

    I have spent an hour or two on Lisp. It basically ruined Python for me. Almost all my Python code is filled with nested map(), reduce(), filter(), lambdas and list comprehensions. It's great when programming, but when reading it's terrible.

  13. Re:fdisk on OpenBSD 4.8 Released · Score: 2, Informative

    The OpenBSD installer can auto-partition your disk for you. No calculations needed if you don't want to.

  14. Re:Suspend/Resume? on OpenBSD 4.8 Released · Score: 4, Informative

    Suspend/resume support has been improved enormously. I have been using it without problems on my Asus Eee PC 1000H for a while now.

  15. Re:How are upgrades handled? on OpenBSD 4.8 Released · Score: 3, Informative

    I'm curious. Having never used a BSD-based system, how are upgrades managed? I understand that instead of installing packages, one uses ports. My impression of that is that you run a file in a ports directory and it compiles the software and installs it. Correct me if I'm wrong.

    Ports are meant for building packages. Users should only use packages normally. You can update your packages after you upgraded your base system with "pkg_add -ui -D update -D updatedepends"

    But how does one upgrade from, say, OpenBSD 4.7 to 4.8?

    OpenBSD has excellent docs and FAQs: http://openbsd.org/faq/upgrade48.html

  16. Re:Audio Pipeline API!! on Details of Android 3.0, SIP, Video Chat · Score: 1

    Observational bias?

  17. Re:Serve them right on Hole In Linux Kernel Provides Root Rights · Score: 1

    Get your facts straight: We OpenBSD users are a bunch of masturbating monkeys.

  18. Re:Come on folks... on Sweden Defends Wiki Sex Case About-Face · Score: 1

    Is there a direct quote from these two girls? And you are of course right when you say that it is possible for Assange to have done these things. However, the correct approach is _always_ to assume innocence until proven otherwise. And the fact that there are people with the motive and the means to try to discredit Assange in this way should make you even more suspicious.

  19. Re:MOD PARENT UP PLEASE on The Case For Oracle · Score: 1

    The dalvik runtime will eventually support transcoded javascript, php, python, etc.,

    What is your source for this?

  20. Re:Come on folks... on Sweden Defends Wiki Sex Case About-Face · Score: 1

    As far as I know Hans Reiser didn't have powerful enemies. It would be correct to state that Assange is innocent until proven otherwise, but in this situation I think it is also fair to say that the timing of the allegations is at least highly suspicious.

  21. Re:Try this on Where To Start With DIY Home Security? · Score: 1

    I've never had a problem with theft.

    Or dates.....

  22. Reminds me of TON on Online Poll-Based Party Seeks Election Win · Score: 1

    Reminds me of the Dutch party TON (Trots op Nederland / Proud of The Netherlands). They tried to write the official election program on a public wiki. That was a disaster! All I can remember was "free toothpaste for everyone". Asking the general public for an opinion on everything is nice, but they should be able to make an informed decision.

  23. Re:Sounds rather disappointing, really on Hollow Spy Coins · Score: 1

    No, you will have spy pants. To become the spy you will have to put the MicroSD card in ......

  24. That grumpy BSD guy on Coping With 1 Million SSH Authentication Failures? · Score: 1

    Peter N. M. Hansteen has written a nice article about a similar attack: http://bsdly.blogspot.com/2009/11/rickrolled-get-ready-for-hail-mary.html The first thing I would do (at install time) is to disable root login over ssh.

  25. Re:Also on Data Breach Costs Top $200 Per Customer Record · Score: 1

    ....and having a competent human watch over everything and set the security policies.

    Ha!