Yes, we know they're sock puppets, but the question was how do we communicate with them.
I usually just go with the BOFH approach and push enough technical terms on their stack until it overflows and then tell them what to do while they're still rebooting.
How, exactly, is the user supposed to get the email, when they can't log on to the network?
I was actually referring to a more general network application rather than a user's network logon. The network logon does actually require the ability for an administrator (not the helpdesk, but an actual network admin) to be able to enter a specific password. Ideally this password would also be random, but provided to the user either over the phone or preferably in person on a piece of paper. Of course, in the case of a network password reset you would have a more stringent check to verify identity, rather than just changing the password of anyone at will.
In a corporate atmosphere, having anyone with the ability to both know and change a password at the same time is a flaw. The way it should be set up is that the helpdesk has a button that says "Reset this user's password" that generates a new random password and e-mails it to the user, using the e-mail address tied to that username. The first time the user logs in after getting the password reset they should be forced to pick a new password. This has the flaw that the old one-time password could be intercepted on the network, or from the e-mail server, but the odds of that happening before the affected user has picked a new password are slim.
A few other guidelines. As a previous poster has already commented, all passwords should be hashed and salted. If a password can be recovered, you've done something wrong. Usernames should not be tied to sensitive information. A good example of this is a site I recently went to that was using a person's social security number as the username. If a password is reset, it should use a one-time random password, not a "default" constant, or even a default based on some user info. Examples of this are sites that use things like the username, or the last 4 digits of your social as the reset password.
Final thoughts concerning security are that the system is only as strong as its weakest link. It doesn't matter if you have a login page that is secured six ways from Sunday, if you have a public feedback form that's susceptible to a SQL injection attack. It's always best to assume that at least part of your application or site has been compromised and work from there; that's part of the reason passwords should be salted in addition to being hashed: even if your DB has been compromised somehow you won't make the job any easier for the attacker.
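Added example, not from any of the posters above: the reset flow the previous post describes (helpdesk button generates a random one-time password, it goes only to the address on file, the user must replace it at first login, and everything is stored salted and hashed) in Python. The Account record, the field names and the PBKDF2 iteration count are assumptions made for the example; the mailer is stubbed as a function that just builds the message.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    # Hypothetical in-memory record standing in for the directory or user
    # table; the field names are assumptions made for this example.
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user random salt plus a slow KDF: two users with the same password
    # get different hashes, and a dumped table cannot be attacked with one
    # precomputed dictionary. The iteration count is a placeholder; tune it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(username: str, email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, email, salt, hash_password(password, salt))


def generate_one_time_password(length: int = 16) -> str:
    # secrets, not random: the OTP must be unpredictable, and it is never
    # derived from the username, SSN digits or any other user attribute.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def helpdesk_reset(acct: Account) -> str:
    """The 'Reset this user's password' button.

    Replaces the stored hash with one for a fresh random OTP and flags the
    account so the next login must set a new password. The OTP is returned
    only so the caller can hand it to the mailer for acct.email; nothing
    here displays or logs it for the helpdesk operator."""
    otp = generate_one_time_password()
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(otp, acct.salt)
    acct.must_change = True
    return otp


def build_reset_email(acct: Account, otp: str) -> dict:
    # The address comes from the record tied to the username, never from the
    # caller, so the helpdesk cannot redirect the OTP to someone else.
    return {"to": acct.email, "subject": "Password reset",
            "body": f"Your one-time password is {otp}. You must change it at first login."}


def login(acct: Account, password: str, new_password: Optional[str] = None) -> str:
    """Returns 'ok', 'change_required' or 'denied'.

    After a reset the OTP works exactly once, and only to set a new
    password; it is retired as soon as the replacement is stored."""
    candidate = hash_password(password, acct.salt)
    # Constant-time comparison so a wrong guess does not leak hash prefixes.
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return "denied"
    if acct.must_change:
        if new_password is None or new_password == password:
            return "change_required"
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.must_change = False
    return "ok"
```

The window the post mentions (OTP intercepted in transit or on the mail server) still exists; what this layout buys is that the OTP is useless once the user has set a new password, and that nobody at the helpdesk ever both knows and can set a working credential.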
Who cares? They still got revenue for the sales however these licenses were purchased, and revenue is what matters.
If this was a story about the revenue Microsoft was making on sales of Vista, then yes, that would be a valid point. However, the way this story has been worded it's clear that this is a PR move to try and claim Vista is a superior OS and bolster uptake. The PR department is basically saying "See, all these people think Vista is super cool, why haven't you bought your copy yet?", which is why everyone is jumping on the numbers and trying to point out that licenses "sold" is not the same as "people using".
Except things like Ico or Shadow of the Colossus, eToy, Singstar and a heap load of other games. Those are all last generation games. The games themselves are not particularly innovative by any stretch of the imagination with the possible exception of the eToy, although that was very under-utilized. Also, anything third party cannot count towards the merits of the actual Console, seeing as that was a decision made outside the control of the manufacturing company. I believe Sony did make the eToy, so they get credit for that one, but something like Guitar Hero was third party all the way, so no credit there.
The Gamecube was quite a bit better than the PS2 and very close to the XBox, while being cheaper than both of them. What the Gamecube lacked were games, not graphic power.
That may be from a technical perspective, I don't know, I haven't looked at the raw hardware specs. What I do know is that games on PS2 had a lot more eye candy than on Gamecube. It could be that that was a choice by the developers to put that horsepower to use in other ways than graphics, but that's pure speculation.
I think they realized two things: a) there is a market for casual gamer games b) you can make a hell of a lot more money with old hardware than with bleeding edge stuff
Yes, I'm sure they did realize that, but they also realized the best way to bring in casual gamers was to embrace new and creative controls and game designs. Traditionally the primary target of console makers has been the hardcore gamer crowd that prefers a certain amount of depth or skill requirement in a game. Nintendo on the other hand has embraced a lighter, less demanding skill set that often turns off more traditional gamers. In many ways the Gamecube was an experiment that Nintendo was using to try and fine tune the game experience to satisfy the largest quantity of both hardcore and casual gamers.
Given how they still don't have any online games on the Wii, very few on the DS and how they try to make life extra hard with friend codes, I don't think so. If they continue their current strategy online play will never be very interesting on Nintendo consoles.
The latest consoles are still very young and Nintendo is a new player to the online gaming market. The fact that they have the store and web browser shows they are at least cognizant of the demand for online content, and they have made statements concerning online play in upcoming games. I'm not going to judge one way or the other on those games based on the previous offerings for the DS. The DS was a very different platform from the Wii, and the DS was also serving as a test bed for online play. It is true that if Nintendo goes with a roll-your-own architecture ala PS2 it will fail, and also if they insist on friend codes for any online play it will also fail. What would work most likely while preserving some of the features Nintendo seems to like would be lobby style random battles, while relying on the already existing Wii codes to allow people to find and play with specific friends.
XBox360 is still #1
In terms of raw sales atm yes. However two things to bear in mind are that they had a significant lead on both the Wii and PS3, and that supply for the Wii is still lagging behind demand. After everyone who wants a Wii has purchased one, and everyone that wants a 360 has purchased one, say in a year's time, then we can see who has come out on top; until then, it's really anybody's game.
I think the relative failure of the Gamecube
GameCube wasn't a failure. It was a profitable system for Nintendo, and as far as I know, everybody that bought one doesn't regret their purchase either.
The GC was only a failure relative to the PS2. I actually own a GC I was quite happy with it, but it didn't have anywhere near the sales figures the other systems did, and as a result was very lacking in terms of third party games. Now, as usual the games on offer from Nintendo were great for the most part, but very few of the third party titles were worth owning.
Well, I understand more or less what the article is about (although they said it in a very long winded way), but I'm thinking unless you're an astrophysicist, are studying particle physics, or possibly electromagnetic phenomena then this is a rather dry article.
It's my understanding based on the article that what they discovered (or more accurately proved) was that the bow shock produced by the solar wind colliding with earth's magnetosphere is not actually a single giant bow shock, but more like a whole bunch of continually reforming bow shocks stacked on top of each other. Of course, I'm not a physicist, so I could be wrong in that interpretation. Also, it doesn't seem as if this discovery has any immediately applicable implications but is more of a hey, that's kind of neat, type thing.
Just for reference, the Wii is not currently in 1st place. It's in 2nd behind Xbox 360.
Depends a lot on the metric you use and whose data you believe. I'm not going to argue who is in first place as of right now, although I'm thinking a couple years down the road Wii will probably be in first or second place. Of course, even with the last generation of consoles it was hard to call a winner. Most would say the PS2 had the lead, although there is some argument for the X-Box, particularly given that it's the new kid on the block and was facing entrenched competition.
In the end it's not just about total units sold (and that's sold at retail, not sold to retailers; MS tried that trick with the Zune to try and inflate the numbers) but about demand, and perceived success. If the public believes a system to be successful and there's enough demand to convince developers to make games for it, then it's a win for the manufacturer and will help sales when the next system comes out. I think, had Nintendo seen better sales of the Gamecube, the demand for the Wii would have been even greater, and by the same token, had they not gone such a radically different direction with the controllers the Wii would have tanked. Also, had the PS2 not done as well, the demand for the PS3 (at launch) would have been less.
In the interest of disclosure let me just say that I own a Wii and rather enjoy it (although I also have a gaming PC), and I've been considering picking up a 360 Elite when the price comes down a bit, but unless Sony either smartens up and drops the PS3 price drastically, or comes out with some game that I cannot live without, I probably won't be buying one. This actually saddens me quite a bit, as the PS2 was my favorite console from the previous generation (with the GC placing second).
All the game companies are good at certain things, it's just that the markets are reflective of what each company is basing their priorities on.
Microsoft was initially trying to make the X-Box into a platform to try to force the convergence of console and PC gaming. Later when it became clear that they were really on to something with X-Box Live, they switched tactics and focused on providing top shelf online content (although the latest half-hearted attempt to bring Live to Vista bodes poorly for Microsoft's learning abilities).
Sony on the other hand has always been focused primarily on graphics performance. Yes they had some good games, but nothing ever revolutionary, but pretty and often fun. The primary hallmark of the Playstation platform is a shotgun approach to game development. They make as many games as they can, throw them out there and see what sticks. This approach can lead to some very good games, but also leads to some very very bad games. The primary failing of Sony is in not providing any new innovation in the latest generation of consoles. The Playstation 3 was positioned to be a multimedia convergence device, but so far the market for said devices has proved to be rather poor, and what little there is is primarily dominated by inexpensive PCs. The good news for Sony is that historically the Playstation consoles really only hit their stride after a year or two on the market, so it has the potential to outperform the competition in terms of raw power. There is also some rumbling of Sony taking online content more seriously, although whether or not they can provide a credible challenge to Live remains to be seen.
The last player on the market, and the most relevant to this article, is Nintendo. Nintendo realized a long time ago that fun games and innovative systems will outsell fancy graphics. A clear cut example of this is the original Gameboy versus the graphically superior Gamegear. The Gamegear had a color screen and more processing power, but was more expensive, slightly bulkier, and was much more demanding on power (which resulted in it eating batteries left and right, I should know, I had one). Nintendo has always been middle of the road in terms of graphics and processing power, but what has set them aside has traditionally been their willingness to try new and innovative controls and games. Sometimes this has hurt them, and they have made more than a few products that failed spectacularly (Virtualboy anyone?), but on the other hand they have released a number of products that show some genuine innovation. I think the relative failure of the Gamecube served as a wakeup call to Nintendo; they realized that they weren't able to compete on graphics and if they were going to survive they needed to embrace the creative aspects of their game and console design more fully (prior to the DS and Wii most Nintendo products were less daring in departure from the norm of console gaming). It will be interesting to see if Nintendo can pull off the online portion of the gaming puzzle (which will be critical for all three consoles) sufficiently to keep Wii ahead of X-Box 360 and Playstation 3, or if they will fumble it and have to settle for second place.
Actually, if they win it will just be appealed, and they'd win in appeal. Of course, if it went to a higher court before being laughed out, it might send a stronger message. On the other hand, judging by this suit these guys are total morons, so they're probably dumb enough to appeal if they lose, so it may go to a higher court no matter what.
Bailiff: All rise for the honorable judge NotImportant
Judge walks in sits down and shuffles through papers.
Judge looks up at the defendant.
Judge: The court finds in favor of the defendant on account of the prosecution being a bunch of twits. Case dismissed.
Judge stands up and walks out.
It ran ok on my old system (AMD 64X2 with a Radeon x1600 [I think, been a while] and 2 gig of RAM), but after I upgraded to my previous system (AMD 64X2, GeForce 7900GS, 2 gig of RAM) it ran just fine with just about all graphics settings maxed. About the only lag I ever encountered was if I pushed the FSAA too high, or I had network latency. Now that I've upgraded my graphics card to an 8600GS I imagine it probably runs very smooth, although I can't say for sure since I canceled my account (everybody I knew stopped playing and they finally suckered me into playing WoW).
That's a fairly good point, selling the actual flaw is not (usually) illegal. What is illegal however, and what is primarily trafficked in on the black market, are utilities (viruses, worms, and rootkits to name a few) that take advantage of those exploits to break into systems. Often the cracked systems themselves are sold off as well. Of course, with some of the most recent legislation, and creative lawyers and politicians putting a fair amount of spin on things, it may not be long before selling ANY exploit is considered illegal. As it is, a lot of people are being charged under the DMCA with the companies claiming that whatever is cracked is bypassing a copyright prevention device. Of course, you need not even do anything illegal technically, as if they really want they can press charges for just about anything, they just have to be civil charges. It's important to remember a civil suit does not have to be based on anything at all, although it's risky to file as if the court sides against you, they can slap some pretty nasty fees on you for wasting the court's time (although they seem to exercise this right more against individuals than corporations).
You must live in a very different world than I do. Yes, selling exploits on the black market is illegal, but that's why it's called the black market, it's a place people go to sell illegal things. Because it's illegal and risky, it drives the price up; the higher the price, the more people are willing to risk getting caught to make money. If on the other hand there's a legitimate legal way to make money, even if it's a fraction of that possible on the black market, more people will be willing to pass up the higher profits in favor of a secure risk-free channel. Of course, if the companies did their jobs properly and produced fairly secure code in the first place, then maybe these bounties would go more than a week before someone claimed them. The fact that companies can announce a bounty and get results so quickly proves that the product has a LONG way to go before it's worthy of even claiming any sort of security. As a good example of how this kind of bounty can be a good metric on something's security, consider the bounties RSA pays for cracking their algorithms. As it is, you can have a very good sense of exactly how strong a particular RSA algorithm is, based on the sheer amount of computing power and time it takes to crack any given one of them. Now, if you had a company that put out one of these bounties, and nobody was able to claim it for say a year or more, I'd feel pretty confident running that software.
I think the biggest concern is more over time spans involved. It's important before hand to agree to how quickly the details of any vulnerabilities should be disclosed, otherwise either the company isn't happy because they have to scramble to patch something overnight, or the researcher isn't happy because he can't release any of the details about what he discovered. Having a fixed time agreed to also serves as motivation for the company to actually do something, instead of just sitting on it and waiting until the next version before doing anything.
the DMCA would not apply because you had express permission.
Well, that really depends on how exactly the contest is stated. If you discover an exploit and then make an announcement about it at the same time you try to claim the prize the company might turn around and sue you saying that you didn't have the right to announce the exploit to the general public without their express permission. If on the other hand you discover it and only tell them and they try to sue you, yes, then you could pretty much laugh them out of court.
I can only speak for myself, but I would not participate in any such contest in which the vulnerability was not immediately reported, and/or where I did not have the right to immediately release it to the public.
Would you be willing to do it assuming there was a reasonable lag time between the announcement of the discovery and the announcement of the details of the exploit? Something reasonable like say a week or two (agreed to before the contest is started), to give some time for the developer(s) to fix the problem and release a patch. Assuming that the requisite time has passed then either party could release the details, and also have a legally binding contract giving them that right (maybe with a clause that the developers are legally required to attribute the discovery to whoever wins the contest).
Ah, I see we have another wanker on here.</sarcasm>
Seriously, even though the guy has a biased summary, most of his points are fairly valid. Not that I'm saying this deserves to even be on slashdot of course. Frankly I have to agree with what most of the others have said, the guy is just trying to drive up traffic by posting a story espousing some very controversial opinions but without much meat to it.
0-Day exploits are already big business on the black market, better for the companies to pay for disclosure and have a more secure product, than for the exploits to be sold off on the black market and only discovered after a significant portion of the user base has been compromised.
1) Open development environment of your choice
2) ???
3) See one of the following:
a) Abandon project, no one is interested (see at least 50% of SourceForge)
b) Idea is good, people like it, but your implementation is lacking, code forks.
c) People love it, everyone is using it and working on it, but you don't have time to work on it anymore so someone else takes over.
d) People love it, everyone is using it and working on it, you successfully manage to keep it on task and moving forward. Congratulations, you have a successful open-source project.
Interestingly enough, SL already has a "jail" that they send people to to punish them. It's a giant corn-field with a tractor and a house. Not sure of all the details as I don't even play SL, but I read an article about it a while back when one of the SL griefers got tossed in there.
What I'd like to see is something along the lines of the way tutorials and such are handled by most applications. When the permissions dialog pops up, in addition to allow or deny, there should be two check-boxes, one that says "Don't prompt me about this again this session." and another that says "Don't prompt me about this from now on.", although it should also come with an extra warning message if you check the second one. The great thing about this system is, that you can just run an app, check the second box and allow for every action you're fine with, deny for every action you don't want, and from then on the application will just run without prompting you, and you know it only has access to what you've approved.
Save or open common dialogs grant "sudo" access to whatever file the user selects outside that scope.
I think perhaps this isn't exactly what you meant. "sudo" generally grants root privileges to a user (or in your example an application) which is really a rather bad idea. What should happen is applications run as a restricted user with only access to their own directory, and maybe a couple other explicitly assigned directories (such as /tmp), but accessing certain functions such as a common open dialog (OS supplied) would temporarily grant the same privileges as the user running the application. Of course, it should still be possible to request access to other privileges, but doing so would prompt the user to accept, and if the user doesn't have permission to access those resources they should be prompted for the credentials of someone who does have access (such as root, but not necessarily root).
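Added example, not code from any poster above: a toy permission broker in Python that puts together the two ideas from the thread, the "don't prompt me again this session" / "don't prompt me from now on" checkboxes from the earlier post, and the restricted-user model from the post just above, where an app gets its own directory and /tmp for free and an OS-supplied open/save dialog grants just the file the user picked. The app directory layout (/apps/<name>/), the Decision shape and the ask_user callback are assumptions for the example; no real OS exposes this API.

```python
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass
class Decision:
    verdict: str    # ALLOW or DENY
    remember: str   # "once", "session" (first checkbox) or "always" (second checkbox)


@dataclass
class PermissionBroker:
    """Hypothetical broker between a sandboxed app and the file system.

    ask_user stands in for the OS prompt; the two dictionaries are the
    memory behind the two checkboxes. Assumed design, not a real OS API."""
    ask_user: Callable[[str, str], Decision]
    session: Dict[Tuple[str, str], str] = field(default_factory=dict)
    persistent: Dict[Tuple[str, str], str] = field(default_factory=dict)
    dialog_grants: Dict[str, Set[str]] = field(default_factory=dict)
    prompts: int = 0  # how many times the user was actually asked

    @staticmethod
    def canonical(path: str) -> str:
        # Collapse "..", so a grant for /apps/editor/ cannot be stretched to
        # /apps/editor/../../etc/passwd. A real broker would also resolve
        # symlinks against the live file system before deciding.
        return posixpath.normpath(path)

    def check(self, app: str, path: str) -> bool:
        path = self.canonical(path)
        # Baseline from the post above: the app's own directory and /tmp
        # are the restricted user's, no prompt needed.
        if path.startswith(f"/apps/{app}/") or path.startswith("/tmp/"):
            return True
        key = (app, path)
        # Remembered answers win, permanent ones first; a remembered deny
        # is honoured silently too, the app does not get to nag.
        for store in (self.persistent, self.session):
            if key in store:
                return store[key] == ALLOW
        # A file the user picked in the OS dialog this session.
        if path in self.dialog_grants.get(app, set()):
            return True
        self.prompts += 1
        decision = self.ask_user(app, path)
        if decision.remember == "session":
            self.session[key] = decision.verdict
        elif decision.remember == "always":
            self.persistent[key] = decision.verdict
        return decision.verdict == ALLOW

    def file_dialog(self, app: str, chosen_path: str) -> None:
        # OS-supplied open/save dialog: the user's pick is the consent, so
        # the app gets that one path for this session, not the user's whole
        # home directory and certainly not root.
        self.dialog_grants.setdefault(app, set()).add(self.canonical(chosen_path))

    def new_session(self) -> None:
        # App restart: session answers and dialog grants expire, "always"
        # answers survive.
        self.session.clear()
        self.dialog_grants.clear()
```

The point of keeping the grant keyed on (app, exact path) rather than on a directory is the one the post makes about sudo: a dialog pick should not become a blanket privilege, and an "always allow" answer should cover only the resource that was on the prompt.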
Right now the DoD is flipping you the bird as hard as they can. Just be glad they haven't brought out the quad laser.
Or at least we can hope.
It ran ok on my old system (AMD 64X2 with a Radeon x1600 [I think, been a while] and 2 gig of ram), but after I upgraded to my previous system (AMD 64X2, GeForce 7900GS, 2 gig of RAM) it ran just fine with just about all graphics settings maxed. About the only lag I ever encountered was if I pushed the FSAA too high, or I had network latency. Now that I've upgraded my graphics card to a 8600GS I imagine it probably runs very smoothly, although I can't say for sure since I canceled my account (everybody I knew stopped playing and they finally suckered me into playing WoW).
That's a fairly good point, selling the actual flaw is not (usually) illegal. What is illegal however, and what is primarily trafficked in on the black market, are utilities (viruses, worms, and root kits to name a few) that take advantage of those exploits to break into systems. Often the cracked systems themselves are sold off as well. Of course, with some of the most recent legislation, and creative lawyers and politicians putting a fair amount of spin on things, it may not be long before selling ANY exploit is considered illegal. As it is, a lot of people are being charged under the DMCA with the companies claiming that whatever is cracked is bypassing a copyright prevention device. Of course, you need not even do anything illegal technically, as if they really want they can press charges for just about anything, they just have to be civil charges. It's important to remember a civil suit does not have to be based on anything at all, although it's risky to file as if the court sides against you, they can slap some pretty nasty fees on you for wasting the court's time (although they seem to exercise this right more against individuals than corporations).
It's mostly just thousands of spam bots constantly spamming each other. On the plus side, that's more bandwidth not being spent on e-mail spam.
You must live in a very different world than I do. Yes, selling exploits on the black market is illegal, but that's why it's called the black market, it's a place people go to sell illegal things. Because it's illegal and risky, it drives the price up, and the higher the price, the more people are willing to risk getting caught to make money. If on the other hand there's a legitimate legal way to make money, even if it's a fraction of that possible on the black market, more people will be willing to pass up the higher profits in favor of a secure risk-free channel. Of course, if the companies did their jobs properly and produced fairly secure code in the first place, then maybe these bounties would go more than a week before someone claimed them. The fact that companies can announce a bounty and get results so quickly proves that the product has a LONG way to go before it's worthy of even claiming any sort of security. As a good example of how this kind of bounty can be a good metric on something's security, consider the bounties the RSA pays for cracking their algorithms. As it is, you can have a very good sense of exactly how strong a particular RSA algorithm is, based on the sheer amount of computing power and time it takes to crack any given one of them. Now, if you had a company that put out one of these bounties, and nobody was able to claim it for say a year or more, I'd feel pretty confident running that software.
I think the biggest concern is more over the time spans involved. It's important beforehand to agree on how quickly the details of any vulnerabilities should be disclosed, otherwise either the company isn't happy because they have to scramble to patch something overnight, or the researcher isn't happy because he can't release any of the details about what he discovered. Having a fixed time agreed to also serves as motivation for the company to actually do something, instead of just sitting on it and waiting until the next version before doing anything.
Well, that really depends on how exactly the contest is stated. If you discover an exploit and then make an announcement about it at the same time you try to claim the prize, the company might turn around and sue you saying that you didn't have the right to announce the exploit to the general public without their express permission. If on the other hand you discover it and only tell them and they try to sue you, yes, then you could pretty much laugh them out of court.
Would you be willing to do it assuming there was a reasonable lag time between the announcement of the discovery and the announcement of the details of the exploit? Something reasonable like say a week or two (agreed to before the contest is started), to give some time for the developer(s) to fix the problem and release a patch. Assuming that the requisite time has passed then either party could release the details, and also have a legally binding contract giving them that right (maybe with a clause that the developers are legally required to attribute the discovery to whoever wins the contest).
Ah, I see we have another wanker on here.</sarcasm>
Seriously, even though the guy has a biased summary, most of his points are fairly valid. Not that I'm saying this deserves to even be on slashdot of course. Frankly I have to agree with what most of the others have said, the guy is just trying to drive up traffic by posting a story espousing some very controversial opinions but without much meat to it.
0-Day exploits are already big business on the black market, better for the companies to pay for disclosure and have a more secure product, than for the exploits to be sold off on the black market and only discovered after a significant portion of the user base has been compromised.
1) Open development environment of your choice
2) ???
3) See one of the following:
a) Abandon project, no one is interested (see at least 50% of source forge)
b) Idea is good, people like it, but your implementation is lacking, code forks.
c) People love it, everyone is using it and working on it, but you don't have time to work on it anymore so someone else takes over.
d) People love it, everyone is using it and working on it, you successfully manage to keep it on task and moving forward. Congratulations, you have a successful open-source project.
Interestingly enough, SL already has a "jail" that they send people to, to punish them. It's a giant corn-field with a tractor and a house. Not sure of all the details as I don't even play SL, but I read an article about it a while back when one of the SL griefers got tossed in there.
What I'd like to see is something along the lines of the way tutorials and such are handled by most applications. When the permissions dialog pops up, in addition to allow or deny, there should be two check-boxes, one that says "Don't prompt me about this again this session." and another that says "Don't prompt me about this from now on.", although it should also come with an extra warning message if you check the second one. The great thing about this system is that you can just run an app, check the second box and allow for every action you're fine with, deny for every action you don't want, and from then on the application will just run without prompting you, and you know it only has access to what you've approved.
I think perhaps this isn't exactly what you meant. "sudo" generally grants root privileges to a user (or in your example an application) which is really a rather bad idea. What should happen is applications run as a restricted user with only access to their own directory, and maybe a couple other explicitly assigned directories (such as /tmp), but accessing certain functions such as a common open dialog (OS supplied) would temporarily grant the same privileges as the user running the application. Of course, it should still be possible to request access to other privileges, but doing so would prompt the user to accept, and if the user doesn't have permission to access those resources they should be prompted for the credentials to someone who does have access (such as root, but not necessarily root).
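Added example, not part of any of the comments above: a small permission broker that models the two preceding comments' design in code. The app's own directory and /tmp are reachable without a prompt; anything else goes to the user, whose answer can be remembered for the session or permanently (a remembered deny is honored too). All names, paths and the action-string format are hypothetical.

```python
"""Permission broker for a sandboxed app (hypothetical design sketch)."""
import posixpath
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Tuple


class Remember(Enum):
    NONE = "none"        # ask again next time
    SESSION = "session"  # forgotten when the app exits
    ALWAYS = "always"    # persisted; the UI should warn before accepting this


# Prompt callback: given (app, action) return (allow?, how long to remember).
Prompt = Callable[[str, str], Tuple[bool, Remember]]


@dataclass
class PermissionBroker:
    app: str
    app_dir: str                          # the app's own directory, always allowed
    extra_dirs: Tuple[str, ...] = ("/tmp",)
    session: Dict[str, bool] = field(default_factory=dict)
    persistent: Dict[str, bool] = field(default_factory=dict)
    prompts: int = 0                      # how often the user was actually asked

    def _inside_sandbox(self, path: str) -> bool:
        # normpath collapses "..", so "/tmp/../etc/passwd" is judged as "/etc/passwd"
        path = posixpath.normpath(path)
        for root in (self.app_dir,) + self.extra_dirs:
            root = posixpath.normpath(root)
            if path == root or path.startswith(root.rstrip("/") + "/"):
                return True
        return False

    def check(self, action: str, prompt: Prompt) -> bool:
        """Return True if `action` (e.g. 'read:/etc/hosts') may proceed."""
        kind, _, target = action.partition(":")
        if kind in ("read", "write") and self._inside_sandbox(target):
            return True                   # sandboxed area never prompts
        for cache in (self.persistent, self.session):
            if action in cache:
                return cache[action]      # remembered allow *or* deny
        self.prompts += 1
        allow, remember = prompt(self.app, action)
        if remember is Remember.SESSION:
            self.session[action] = allow
        elif remember is Remember.ALWAYS:
            self.persistent[action] = allow
        return allow

    def end_session(self) -> None:
        self.session.clear()              # session-scoped answers expire here
```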