Computer security is shit

Yeah, it is honestly shit like that which makes jsfuck possible :D.

And that damn eBay bug… The internal security teams are furious. The fraud teams are more than annoyed. But it appears it's like that scene in Fight Club where Edward Norton's character discusses car recalls.

And while PayPal rightly deserves a lot of criticism, we were at least self-aware enough to launch a bug bounty program without the consent of dev really (they just didn't know what they were getting into :D) and got in front of problems like that.

Two friends of mine almost got fired because the BB program was too successful. (Then I stepped in and smoothed things out a tad :D)

2 Likes

I'm not, but my knowledge space is limited to Internet technologies, especially browsers. I have zero experience with security vendors, their devices, etc., so it literally isn't part of my world. When I go to Black Hat, for example, and visit the vendors' area, there is literally nothing relevant to my work there.

2 Likes

I was being a bit snarky there. I have opinions, and Scotch…

2 Likes

Snark in the security community? What?

3 Likes

Common Criteria is shit. Fuck Common Criteria. That is all.

2 Likes

As a dev (not a security pro) I've had the chance to work with a few outside security consultants or agencies over the years, and read quite a bit. I don't know how accurate my view is, but the security experts seem to be mostly either people who can run an automated tool and email you the report, but don't know much about what it's saying, or people who could MacGyver their way into root access on just about any system with nothing more than a Commodore 64, some spare wires, and a tuning fork.

I suspect security experts have the same view of us developers. :wink: But I wonder how you view yourselves from the inside. Are most security people actually somewhere on a progression through an average mid-level between the extremes? Or are they as extreme as they appear?

4 Likes

Well, that’s both rather unflattering, and yet somewhat accurate. The industry is newer, the hobby is older. Can I say you are probably better off with someone who really loves what they do and not some dude-bro that realized over the last 5 years that there’s actually money in the industry? (I think I’m speaking as an insider but you may have to verify with some of my peers for accuracy.)

4 Likes

It is all sorts. I get bug reports for our bounty program. For the website ones, it is a bunch of marginally useful idiots running scanners sometimes. Those reports aren’t that useful. I also have a contractor who is a contractor because he kept reporting such useful and godawful scary stuff that we wanted him working on things for us reliably.

I’m actually not much of a coder and am more of a middle manager and program manager. I know the basics of a lot of stuff but I could not likely just sit down and take over someone’s machine from remote (unless they were a real idiot). At least one guy who works for me has done that for fun though. It takes all types.

5 Likes

> are they as extreme as they appear?

Yes! When they scan my DNS I find out which kind they are.

Bounty program? Are we talking real money here? I could be marginally useful for real money.

3 Likes

There are a lot of bug bounty programs out there now - FB, PayPal, Google, Square, Mozilla, Apple, Twitter, and many others run them. Depending on the severity of your finding and who's running the program, the money varies. If you can pop a shell you can make a lot, though you must follow the program guidelines carefully. If you've got free time and can do better than the average pentester they are worth it, though you shouldn't go into it planning to make anything.

2 Likes

I’m going to have to run this line by the fuzzing team I manage!

1 Like

Google “Mozilla bug bounty” as I’m on my phone and first coffee here so I don’t have the links handy.

Under mozilla.org/security/

@enso, @nemomen, thanks for the tips, but frankly that’s not enough money to be worth the amount of time and effort I’d be expending, at least at Mozilla.org.

The money’s good enough for students and people who’d want to do it anyway, but personally I have the great good luck to be able to reliably make more dough than that by spending my time in other ways.

In the unlikely event that I get the time to do something nice for Mozilla, I think I’d rather write code for an outstanding issue, like for example Firefox’s file URL handling (explanation why I’d want to fix this is here).

Making $5,000 or more on a bug isn’t worth it? Ooookay.

We have reporters that make over $60,000 a year on the program. Of course, they’re finding critical vulnerabilities as well.

In general security is shit fun. I just took the annual security training… oh, it was painful. I work at an IT company and we have to be told "don't download strange attachments", apparently.

Your bug is 7 years and 9 months old. I’m going to make a prediction here: it isn’t going to be fixed… Heck, the last duplicate bug in your list is from 7 years ago too. :slight_smile:

1 Like

Is it an especially difficult bug?

(I don’t understand why it wouldn’t get addressed for that long.)

1 Like

Touching how we deal with URLs could be dicey. Without really digging in, I'd say it is more likely that no one sees it as terribly important or valuable (and may debate how much of a "bug" it is versus poor design). It's a Windows-specific issue to do with network shares. Traditionally, Mozilla isn't that concerned with enterprise environments on Windows or edge cases. Don't quote me there, as I spent a total of 120 seconds looking at this bug.

The bug was closed as “won’t fix” if you look at the link.

1 Like

Thanks.

I'd also wonder if Chrome handles it better. I assume IE or Edge probably does because… Windows.