Computer security is shit

Snark in the security community? What?

3 Likes

Common Criteria is shit. Fuck Common Criteria. That is all.

2 Likes

As a dev (not a security pro) I’ve had the chance to work with a few outside security consultants or agencies over the years, and read quite a bit. I don’t know how accurate my view is, but the security experts seem to be mostly either people who can run an automated tool and email you the report, but don’t know much about what it’s saying, or people who could MacGyver their way into root access on just about any system with nothing more than a Commodore 64, some spare wires, and a tuning fork.

I suspect security experts have the same view of us developers. :wink: But I wonder how you view yourselves from the inside. Are most security people actually somewhere on a progression through an average mid-level between the extremes? Or are they as extreme as they appear?

4 Likes

Well, that’s both rather unflattering, and yet somewhat accurate. The industry is newer, the hobby is older. Can I say you are probably better off with someone who really loves what they do and not some dude-bro that realized over the last 5 years that there’s actually money in the industry? (I think I’m speaking as an insider but you may have to verify with some of my peers for accuracy.)

4 Likes

It is all sorts. I get bug reports for our bounty program. For the website ones, it is a bunch of marginally useful idiots running scanners sometimes. Those reports aren’t that useful. I also have a contractor who is a contractor because he kept reporting such useful and godawful scary stuff that we wanted him working on things for us reliably.

I’m actually not much of a coder and am more of a middle manager and program manager. I know the basics of a lot of stuff but I could not likely just sit down and take over someone’s machine from remote (unless they were a real idiot). At least one guy who works for me has done that for fun though. It takes all types.

5 Likes

[quote=“Daaksyde, post:83, topic:73565”]are they as extreme as they appear?
[/quote]

Yes! When they scan my DNS I find out which kind they are.

Bounty program? Are we talking real money here? I could be marginally useful for real money.

3 Likes

There are a lot of bug bounty programs out there now - FB, Paypal, Google, Square, Mozilla, Apple, Twitter, and many others run them. Depending on the severity of your finding and who’s running the program the money varies. If you can pop a shell you can make a lot, though you must follow the program guidelines carefully. If you’ve got free time and can do better than the average pentester they are worth it, though you shouldn’t go into it planning to make anything.

2 Likes

I’m going to have to run this line by the fuzzing team I manage!

1 Like

Google “Mozilla bug bounty” as I’m on my phone and first coffee here so I don’t have the links handy.

Under mozilla.org/security/

@enso, @nemomen, thanks for the tips, but frankly that’s not enough money to be worth the amount of time and effort I’d be expending, at least at Mozilla.org.

The money’s good enough for students and people who’d want to do it anyway, but personally I have the great good luck to be able to reliably make more dough than that by spending my time in other ways.

In the unlikely event that I get the time to do something nice for Mozilla, I think I’d rather write code for an outstanding issue, like for example Firefox’s file URL handling (explanation why I’d want to fix this is here).

Making $5,000 or more on a bug isn’t worth it? Ooookay.

We have reporters that make over $60,000 a year on the program. Of course, they’re finding critical vulnerabilities as well.

In general, security is shit fun. I just took the annual security training… oh, it was painful. I work at an IT company and we have to be told ‘don’t download strange attachments’, apparently.

Your bug is 7 years and 9 months old. I’m going to make a prediction here: it isn’t going to be fixed… Heck, the last duplicate bug in your list is from 7 years ago too. :slight_smile:

1 Like

Is it an especially difficult bug?

(I don’t understand why it wouldn’t get addressed for that long.)

1 Like

Touching how we deal with URLs could be dicey. Without really digging in, I’d say it is more likely that no one sees it as terribly important or valuable (and may debate how much of a “bug” it is versus poor design). Windows specific issue to do with network shares. Traditionally, Mozilla isn’t that concerned with enterprise environments on Windows or edge cases. Don’t quote me there as I spent a total of 120 seconds looking at this bug.

The bug was closed as “won’t fix” if you look at the link.

1 Like

Thanks.

I’d also wonder if Chrome handles it better. I assume IE or Edge probably does because… Windows.

Compare that to issues like:

https://bugzilla.mozilla.org/show_bug.cgi?id=1140537

which we paid a bounty on.

And now you know my Bugzilla ID if you remember my name. :slight_smile:

1 Like

How could I forget? :wink:

Does Mozilla disclose how much the bounties are, or who they’re paid to?

Payment ranges are disclosed.

https://www.mozilla.org/en-US/security/bug-bounty/
https://www.mozilla.org/en-US/security/client-bug-bounty/
https://www.mozilla.org/en-US/security/web-bug-bounty/

We don’t disclose how much we’re paying various individuals as that would be invading their privacy. They can disclose if they want.

We do have Hall of Fame pages as well:

https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/
https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/

2 Likes