I like his theory.
I'm a gamer.
In my world good hardware is life or death.
No reason for bad hardware.
Get the good stuff.
I've just read some predictions for the future of the PC, written in 1993, by Nathan P. Myhrvold, the former Chief Technology Officer at Microsoft. His memo is amazingly accurate. Note that his term "IHC" (Information Highway Computer) could be roughly equated with today's smartphone or tablet device, connecting to the Internet via WiFi or a cellular network. In his second-to-last paragraph, Myhrvold predicts the winners will be those who "own the software standards on IHCs", which could be roughly equated with today's app stores, such as those on iOS (Apple), Android (Google, Amazon) and Windows 8 (Microsoft). The only thing you could say he possibly didn't foresee would be the importance of hardware design in the new smartphone and tablet industry.
Notes from "Road Kill on the Information Highway"
French security company Vupen is selling a vulnerability in Microsoft's latest operating system and browser [ITworld]
I don't yet understand how hackers can live with themselves.
Why not? What's to understand?
No, seriously - if this response has the appearance of someone that is trolling, I apologise for my inability to better choose my words.
Microsoft, Adobe [insert Corp name here] releases a product with provable, reproducible errors in it. These flaws, and the understanding of how to exploit/avoid them, are precious commodities - both for black-hat and white-hat types.
In computing, as in entertainment, it is the size of the market that dictates something/someone's monetary value. That's why national sports stars and performing music artists can command so much money for a single performance; that's why the value of such an exploit is so high - the affected market is _huge_.
If MS aren't prepared to throw a couple of drops in the ocean (that is the cost of development) to protect it, why not sell it to somebody that does value it?
You do realize, I hope, that both the Stuxnet and the Flame virii made use of unpublished exploits. Exploits that then helped to offer access to the nuclear-enrichment control systems that Iran runs.
Do you wonder how the writers of these virii, or the finders of the exploits that facilitated their activities live with themselves?
I really am very curious as to just where you're coming from.
Make it work. Then do it better - Andrei Straut
An old lady pulls into her driveway and slowly unloads groceries.
In the process, she accidentally leaves her purse on the hood of her car.
It's now dark and there sits the purse - just brimming with cash.
There are basically two types of people in the world:
1: One guy will steal the purse.
2: One guy will return the purse to the lady.
The thief sees an opportunity to make some easy money. He tells himself the old lady had it coming. She made a mistake and the way to learn is to get burned. He figures she'll still be okay, it isn't like he beat her up or anything - she loses some cash but learns a valuable lesson.
The hero sees an opportunity to serve. His joy is in helping a neighbor in need.
We really need less of #1 in this world and more of #2, not only as individuals, but as companies. I really have no respect for opportunists - they are the worst interpretation of capitalism. There are quite a few of us that grow weary of this mindset. Sorry, but the other guy making a mistake isn't justification for crap behavior.
So while I wish each individual at that company many blessings, I hope the company and its philosophy dies in a flaming vat of malaria.
You forgot the third type - the guy that walked past afterwards or even watched the lil' old lady unpack her things and leave her purse there. For a sum of just $5, he offers to tell her something that would be very much to her advantage. (Personally, I'd pay the b@stard then follow them home, but that's another matter)
Look, I agree - if the world was filled with #2 type of people then it would be a truly awe-inspiring, wonderful place to live. I think it's entirely impossible to have too many of them.
It's the #2s that make CodeProject and other sites like it flourish. Each of us benefits from that.
However as far as I'm concerned, your analogy while quite good, falls short of accurately modelling the situation being discussed.
Neither person #1 nor person #2 could have _their_ privacy breached as a result of the lady's forgetfulness. Many millions of people stand to suffer as a result of these flaws Microsoft keeps asking us to beta test.
The little old lady is not only unlikely, but also not suspected, to be building Molotov cocktails in her garden shed, ready to assault the neighbourhood. With that in mind, there is no perceivable benefit for the community at large in failing to reveal to her that she's left her purse out - and in so doing, granted access to her home to anybody with her details.
Furthermore, do you think the little old lady would then stroll out to collect her purse at a time that was convenient to her, regardless of the harm that may be caused to her neighbours/people in her phone-book in the time that the purse is not in her hands?
Some companies have a history of being very slow to implement fixes, even after the exploits have been made public - I'm looking right at you, Adobe...
Until such a time that Microsoft, Adobe et al. try to buy the exploit details AND are refused, I think they're simply reaping what they've already sown. It's our data and our lives they're elephanting with - if they can't be bothered doing it in a secure manner, and are too bull-headed (stubborn) to pay for someone else to do their homework for them, elephant em.
I'm equally curious as to just why it is that you wish them to die a horrible death.
Is it any of the following:
a) They search for exploits
b) They charge for their time and work
c) They do it in part as a way of beating the offending company.
How about releasing info on how to gain root access to your Android or iPhone? Is that done by those deserving a death in brimstone too? What about those that are reported to be in possession of the master decrypt key for PS3s? Is it disgusting that some people would love to have it in a heartbeat, so they could take advantage of the power inside, without being artificially retarded by the Hypervisor? I'm certain some governments around the world would prefer not to have to enter special arrangements with Sony to get such access - e.g. the US Navy, that has a supercomputer built out of (I believe) series I PS3s, since they allowed "Other OS" as an option. New ones are more power efficient, but have had this feature removed.
Methinks that this is an issue nuanced by at least 24 bits of greyscale. I think there's a minuscule portion of the entire issue that is either black or white, the majority of the remainder being a matter of point of view or personal preference. Some things, while morally okay, are illegal in some parts of the world - while yet other things are legal, yet they're morally reprehensible.
But in closing, I'll rephrase what I wrote earlier - when the companies concerned attempt to purchase the exploit in their own product and are refused, THEN and ONLY then would I consider the exploit-finders a bunch of sunshines. If there isn't even an approach made by the software company, I think they're being cheap, callous and calculating with our privacy and security. If someone else buys the info and shames/embarrasses MS/Adobe, etc - then great! If that then leads to a higher level of security in the products we pay so dearly for - what's the problem?
Make it work. Then do it better - Andrei Straut
modified 6-Nov-12 9:30am.
enhzflep wrote: You forgot the third type - the guy that walked past afterwards or even watched the lil' old lady unpack her things and leave her purse there. For a sum of just $5, he offers to tell her something that would be very much to her advantage. (Personally, I'd pay the b@stard then follow them home, but that's another matter)
You've managed to identify a guy who is even a bigger creep than the outright thief.
You're so repulsed by it you claimed you'd follow the guy home - ostensibly to administer punishment.
It really isn't another matter, it is the point.
Hopefully karma will follow this company home with a Louisville slugger and spend some quality time there.
I disagree that the person that has asked for $5 in exchange for some valuable information is a bigger creep than the person that actually took the money. One of the 2^24 grey areas, I reckon - a personal judgement, if you will.
I'd beat the elephant out of the thief on the spot.
If person #3 asks for the money and is refused, before saying "C'est la vie" and walking away, they're a hundred million moral miles in front of the bugger that actually stole it. I'd actually follow them home so that they knew, if they tried something like that again, they're not anonymous and I have the capability to effect a devastating punishment should occasion to do so arise.
That's what some ISPs do to copyright infringers. They determine the behaviour has occurred in the past and send a 'we know where you live, and what you've been doing - don't do it again' type message. Future indiscretions are met with a hefty kick in the backside. Perfect!
I have myself paid for information in a similar circumstance in the past - somebody knew a trick involving my garage door. For the paltry price of a can of beer, I was informed that they have a flaw that enables them to be opened, even when locked. I fixed the problem in 5 mins. I have since found attempted intrusion marks on the door after returning from holidays. That was $2.85 well spent.
Thank-you for your well-considered thoughts, MehGerbil. Sharing of thoughts and ideas is a great thing unless somebody begins to become unpleasant and to make personal attacks (which I've not recognised an instance of in this discussion) - a perfect opportunity to understand and learn from our fellow man.
Make it work. Then do it better - Andrei Straut
While in theory I don't disagree with "teaching companies a lesson," it's that "holier-than-thou, self-righteous" attitude that does harm instead of good.
You really think MS or Adobe are hurt by having millions of people's privacy and security breached? Heck no, they'll keep on trucking just like they have. People might get mad for a bit, but they'll still live on.
No. The people who are hurt are the ONES WHOSE INFORMATION IS STOLEN! I'm sick and tired of hackers releasing personal information into the wild to the highest bidder under the guise of, "We're teaching {MS, Adobe, Sony, etc} a lesson." Bull crap, call it what it is. They want profit and recognition, and don't really care about the people they are "helping by revealing flaws so companies will fix errors."
Yes, MS et al. need to be held responsible, but be realistic about what you are advocating.
- Freedom is the right of all sentient beings.
vaderjm wrote: You really think MS or Adobe are hurt by having millions of people's privacy and security breached. Heck no
I disagree. If they didn't think there was some impact then they wouldn't issue fixes at all.
vaderjm wrote: Yes, MS et. al. need to be held responsible, but be realistic about what you are advocating.
I didn't see that in what you responded to. Rather, it pointed out that there is no guarantee, and rather some evidence to the contrary, that a private disclosure will result in a timely fix, one that would protect the user, and there is the possibility that a private disclosure could lead to a negative impact for the person that attempts to tell the offending party. That does in fact happen. A public disclosure ensures that the offending party can do nothing but take action (or do nothing) rather than attempting to silence the source.
jschell wrote: A public disclosure insures that the offending party can do nothing but take action (or do nothing) rather than attempting to silence the source.
I appreciate your response, and in reading what you wrote, I don't think you quite understand what I was trying to say.
I completely agree that the vulnerabilities themselves need to be made public so that the offending party is forced to take action, and that a negative impact can and does happen to persons making private disclosures. Your post is indeed correct to that point.
Perhaps when I responded initially I should have clarified that I was not speaking of the vulnerability itself but the data being stolen through the breach. What good would come to the "users" in having personal data sold to the highest bidder?
Quoting your other post:
jschell wrote: And note that they did not in fact use the vent.
We're on the same page.
modified 6-Nov-12 16:20pm.
Thanks for your thoughts, vaderjm.
No, the security breach in and of itself doesn't really hurt the large corporations (it embarrasses them perhaps, but does not cause blood loss). What does hurt, however, is declining sales due to people's lack of confidence in their products.
Agree - it is the people whose information is actually stolen in the end-game that are truly hurt by the process.
I would argue that the process has a rough analogue in the arms manufacturing industry. You have powder manufacturers, bullet manufacturers, gun manufacturers. It is only through a chain of events that the products of each of the three are brought together, before somebody is shot. It appears naive to place the blame on any of the three companies - it is through the application of their products that harm may be caused - or in the case of LE officers or armies, that a reduction in harm may be effected. But that harm is caused or prevented by the last entity in the chain - the one with the gun.
I simply advocate that if they release buggy products and refuse to do either or both of (a) fix them, (b) pay someone else for the time taken to check their work for flaws, then they deserve to be beaten with a stick.
Once that stick has been used, I would then apply it 10-fold to anybody that stole my information.
Releasing information about the flaws in a product? +10
Using information to steal personal info, then releasing it? -10
Make it work. Then do it better - Andrei Straut
ts;db (too ess aitch one tee, didn't bother)
Thanks for your contribution.
Make it work. Then do it better - Andrei Straut
But how much do you want them to spend? You are making the assumption that Microsoft does not care and actively ignores security vulnerabilities? Maybe they have in the past, but do you have any recent examples? Microsoft has stepped up its security game in recent years, and news I received from this website indicates Microsoft software, despite its ubiquity, does not have any vulnerabilities in the top ten exploited vulnerabilities.
A better analogy, perhaps would be if you have a broken lock in your house and I sold knowledge of the lock to a local cat burglar - closer to being an accessory to the crime.
Idaho Edokpayi
The issue of an exact (or ballpark) figure for the sum paid is not something I have examined or considered. It's the willingness to approach and offer to pay something that I'm looking for.
Not quite sure what of my words has led you to conclude that I assume Microsoft to be either/both disinterested/actively ignoring known vulnerabilities.
In fact, I read just yesterday a request by one of their staff that adequate time to enact a fix be allowed between revealing the vulnerability to them and the general public. (I'll look for a link when I'm done here)
Presumably, they are in the position of asking (rather than dictating) as a direct consequence of failing to enter into a commercial agreement with the holders of said vulnerabilities. My employer pays me, and before doing so has me sign an NDA. Simple.
Paypal have a 'find-the-flaw' system, whereby they OFFER to pay for information related to security flaws in their products. Bad idea, or clever and practical?
I like your analogy - did you approach the lock's maker first, offering the information you learned to them for a sum, in the interests of them improving their product? Or was this not a consideration, with you instead choosing to go straight to the thieves?
In fact, something somewhat similar happened recently - the maker of electronic door-locks for hotel rooms has had their sloppy work exposed. (I understand that the lock manufacturer was not made aware of this earlier than others.)
Surely this situation is to the benefit of all except those that had formerly been taking advantage of the hack?
http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/
Thanks for your thoughts, I appreciate them.
Make it work. Then do it better - Andrei Straut
MehGerbil wrote: An old lady pulls into her driveway and slowly unloads groceries. In the process, she accidentally leaves her purse on the hood of her car. It's now dark and there sits the purse - just brimming with cash.
Your analogy is flawed. It also ignores that the person wandering by need not do anything at all (neither steal nor tell her.)
A much better analogy...
An old lady runs a profitable, very profitable, dress shop.
And she drives other thriving shops out of business either by buying them out or by reproducing wares and undercutting the price.
Someone walks by every day, every hour, for a year and spends time looking for an open vent.
And then they ask to be paid, by anyone, for the work they had done (every day for a year.)
And note that they did not in fact use the vent.
Perhaps the best analogy of the thread. +5
Make it work. Then do it better - Andrei Straut
enhzflep wrote: Do you wonder how the writers of these virii, or the finders of the exploits that facilitated their activities live with themselves?
I realize that most everyone that does hacking, viruses, spyware, etc... is in it for the money. And I realize that money is a powerful motivator.
However, I don't think I could live with myself if I knew I was endangering other people (or their electronic lives). It's just not something I can fathom doing.
It's because I agree with your 2nd line that I think the Stuxnet and Flame virii were the lesser of a number of evils. In planting the virii, the time taken to successfully enrich uranium in Iran was increased, thus providing more time to analyze the threat (perceived or real) posed by a rogue state controlling nuclear materials.
A quite possible alternative would have involved bombing the place into oblivion in the dead of night, much to the detriment of any staff in the facility at the time. Israel has certainly done that kind of thing before.
But that's all a small facet of the problem at hand - it would be a shame to inflate its importance (I hope I haven't been seen to do so).
Thank-you for your thoughts, GeekForChrist. I appreciate them.
Make it work. Then do it better - Andrei Straut
enhzflep wrote: Thank-you for your thoughts, GeekForChrist. I appreciate them.
Thank you.
System AND browser? Maybe just browser? If so, which one of the 2 IEs?