Computer security is shit

I did all the backend tracking and reporting for the v1 and v1.5 versions of the PayPal bug bounty. Most bugs were trash, but there were at least three or four people that trekked around Tibet and Nepal, and made enough from the program to keep trekking. And several researchers… Well, they were compensated a pretty hefty amount.

5 Likes

The Mozilla bounties I looked at were up to $4000 and payment was contingent on somebody else’s opinion of how important the bug was, with no way to predict what actual payouts will be in advance. Looking again, I see Facebook and Google and PayPal occasionally pay more, but look at those actual payouts - they are few and far between. And traveling to and participating in hacking events that pay requires investments of time and money with no guaranteed return.

So given the number of hours likely required to find a bug, the uncertainty involved in actually getting paid, and my current hourly rate (which pays me whether someone else makes an error or not) it’s just not a good investment of my time. I mean, I’d like to help projects like Mozilla, but this is not at all good money for a person in my position. If I lose my day job, then sure, I could see it, but I am lucky enough to be both well paid and very busy; I turn down work quite frequently.

That’s exactly why I said if I had time to help Mozilla, I’d attack that bug. It’s like Apache’s broken LDAP specification syntax - not considered important by the coders, only by scores of frustrated users. Clearly nobody’s stepping up, and I’m aware of the issue, so I should fix it. But I haven’t done it, so I can hardly throw stones at anybody’s ivory tower (they’d probably break my own window).

I think that if there’s been an outstanding bug with 30 or 40 dupes (that I found in less than 5 minutes of searching; there could be many more) that isn’t fixed in 7+ years, then people are going elsewhere for their browsing needs at this point. And I do know of at least one organization that has standardized on IE specifically because of this. And that’s a shame, because Firefox is the best browser; I run it with SDC, Adblock and NoScript as my primary browser on three different OSes. Chrome requires too much hardware and IE and Safari are too OS-bound.

One possibly correct behavior for a browser encountering a file:// link would be to call out to the local system’s file manager, perhaps with a security warning requiring click-through by the end user. That’s what IE does, for example; I don’t know how Chrome and Safari handle it at this point. The browser doesn’t have to render the page, it just needs to do something. Even if it’s just saying “no, I can’t do that, Dave” in a HAL9000 voice.

I bet you know my bugzilla ID too :smile: (or at least the obvious one :grinning:). I saw at least one other BB forum denizen in that thread too…

3 Likes

The top rate is $10,000+ for a client bug.

Obviously someone has to make the call on severity/importance, and the vendor is the appropriate party for that. Vendors know many security researchers are involved/discussing the programs and bounties and from what I’ve seen (very limited sample) do try to be fair in gauging severity.

If you’re a security researcher/InfoSec person and have the chops you can do pretty well, it can be fun/interesting if that’s your thing, and it can pay, though there’s no guarantee. If you’re doing it as a side thing because you’re into it, it’s cool, the vast majority of security researchers have other income sources besides bounties. If you’re trying to build a reputation in the field, being a reporter has value beyond the immediate payout. But these programs aren’t created with the expectation that everyone under the sun will participate or have enough incentive to, so if you’ve got better things to do with your time then everything’s still working as expected.

If you’re just hitting files on a local filesystem or reading a directory they all do the appropriate thing on my Mac (different behaviors, but all correct). I think you’re thinking of your bug for handling SMB mounts with a file://///server (I think that’s the syntax?). That doesn’t work in any of them on my Mac. IE is going to be the outlier for being integrated with Windows SMB mounts since it’s a Windows thing. I wouldn’t really have high expectations of a cross-platform browser doing much for a very OS-specific use case, though I’m in no position to judge.

1 Like
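The posts above turn on how a browser should treat a file:// link: a plain local path, the canonical file://server/share form, or the Windows-flavoured file:////server/share and file://///server/share forms that encode a UNC path. The following is an added illustration, not code from the thread or from any browser, of how the WHATWG URL parser (as shipped in Node) actually splits those forms, and of the kind of classification a browser would need before deciding whether to hand the link to the file manager or show the click-through warning suggested earlier. The treatment of the extra-slash forms as UNC references is an assumption drawn from how Windows writes such paths into URLs, not a statement of any specification.

```javascript
// Added example: classify a file:// URL as local, UNC (remote host), or
// something else, using only the WHATWG URL parser built into Node.
// The multi-slash UNC interpretation below is an assumption, not spec text.

function classifyFileUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { kind: 'invalid', reason: String(e.message) };
  }
  if (url.protocol !== 'file:') {
    return { kind: 'not-file', protocol: url.protocol };
  }

  // Canonical remote form: file://server/share/dir parses with host "server".
  // (The parser maps "localhost" to an empty host, so it never lands here.)
  if (url.host !== '') {
    return { kind: 'unc', host: url.host, path: url.pathname, warn: true };
  }

  // Windows-style forms with extra slashes: file:////server/share and
  // file://///server/share both parse to an empty host and a pathname that
  // begins with two or more slashes. Treat the first non-empty segment as
  // the server name and the remainder as the share path.
  const m = /^\/\/+([^/]+)(\/.*)?$/.exec(url.pathname);
  if (m) {
    return { kind: 'unc', host: m[1], path: m[2] || '/', warn: true };
  }

  // Everything else is a plain local path: file:///etc/hosts, file:///C:/x
  return { kind: 'local', path: url.pathname, warn: false };
}

// Render a UNC classification as the \\server\share\dir form a Windows
// file manager would expect. Only meaningful for kind === 'unc'.
function toUncPath(info) {
  if (info.kind !== 'unc') {
    throw new Error('not a UNC reference');
  }
  return '\\\\' + info.host + info.path.replace(/\//g, '\\');
}

// Constructed sample links, covering each form discussed above.
const samples = [
  'file:///etc/hosts',
  'file://server/share/doc.txt',
  'file:////server/share',
  'file://///server/share',
  'http://example.com/',
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(classifyFileUrl(s)));
}
```

The point worth noticing is that the parser does not normalise the four- and five-slash forms into a host at all: it leaves them as a pathname beginning with slashes, which is why a browser that simply passes `pathname` to the local filesystem layer finds nothing there. Any browser wanting to honour those links has to recognise them explicitly, and a remote host is exactly the case where a warning before following the link makes sense.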

Well, we’re not going to trust the reporter’s opinion on how much money they think something is worth…

You must have been looking at the bounties for websites.

You should use uBlock Origin. Adblock eats CPUs.

I worked on IE for most of 9 years. It is pretty tightly integrated with the Windows shell, making certain behaviors easier.

2 Likes

Thanks for the tip! I’ll check it out.

I’ve never had any problems with firefox resource utilization, but I do like to save cycles wherever I can.

1 Like

Adblock Plus (which you may not be using) also has a whitelist of ads companies pay to let through. I think there was a Boing Boing article yesterday on this.

2 Likes

So, Linux Mint got their download servers hacked:

Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

Kudos to them for the quick response.

4 Likes

Oh sweet merciful Christ.

Yeah, I hear you. The reason I use it anyway is I think it’s overall very well-conceived; with just a modest bit of clicking around in the firewall setup screens, I can set up a PF rule set which matches what I once used to do with literally days of laboring over PF rules on an OpenBSD box. I used to be partial to setting up the firewall as a transparent filtering bridge, though now that I’m on a single IP from the cable company at home, I don’t bother and just make it the visible gateway.

I also like the package support - rather than shoe-horn everything under the sun into it, a lot of the services beyond the basics are optional packages which you can enable and download if you want them.

As to the PHP GUI, I think it was inherited from its predecessor, monowall (or m0n0wall if you’re real l33t). The good news about the web UI is:

  1. It’s set up by default to be accessible from the “inside” interface only, and firewalled from the LAN side. Not a panacea, but cuts the risk.
  2. They’ve finally gathered the resources to rewrite it, and in the next version are ditching PHP for something called Bootstrap, so I feel better about that, even if it’s reasoning from ignorance.
2 Likes
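The first point in the list above, keeping the management web UI reachable only from the inside interface, is the kind of thing a rule set expresses in a few lines. The following is an added example in plain pf.conf syntax, written here for illustration; it is not pfSense’s generated configuration and assumes interface names (em0 for the WAN, em1 for the LAN) and ports (80 and 443) that are placeholders.

```pf
# Added illustration, not a pfSense-generated rule set.
# Assumed interface names and management ports; adjust to the box.
wan_if = "em0"
lan_if = "em1"
mgmt_ports = "{ 80, 443 }"

set skip on lo0

# Weak setting: the management UI answers on every interface, WAN included.
# pass in proto tcp to port $mgmt_ports

# Corrected: default-deny inbound, log any attempt to reach the UI from the
# WAN, then admit the UI only on the inside interface, from the inside
# network, addressed to the inside interface's own address.
block in all
block in log on $wan_if proto tcp to port $mgmt_ports
pass in quick on $lan_if proto tcp from $lan_if:network to ($lan_if) port $mgmt_ports
pass out all
```

The `from $lan_if:network to ($lan_if)` pair is the part that matters: it ties the allowed source to the directly attached LAN and the destination to the firewall’s own inside address, so a forwarded packet arriving on the inside interface but aimed elsewhere does not match. This limits exposure of the UI; it does nothing about bugs in the UI itself, which is the concern the next post raises.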

I wasn’t trying to be disparaging of the product overall. I’ve been doing the “roll your own” approach with FreeBSD and PF since before monowall was forked, so that’s basically what I draw as my baseline for comparison. At least measured by CVEs for Pfsense, the web interface looks like the biggest weakness. It’s something I leave out of my designs, but I understand the convenience trade-off and it isn’t unreasonable for some.

On the flip-side, if I had to manage an existing product, I’d take Pfsense over something like a damn SonicWALL.

3 Likes

I really can’t disagree with anything you said there.

2 Likes

Didn’t Oracle claim they were going to stop doing that Java installer thing of “We’re going to fuck with your browser settings, change your home page, install some crap toolbars, that’s OK RIGHT?”

STILL TRYING TO FUCK WITH ME, EVERY SECURITY UPGRADE.

Fuck those assholes. There’s a reason I leave Noscript permissions for JavaScript and Firefox permissions to run Java and Java permissions to run Java all disabled for java.com, and its name is Oracle.

5 Likes

Why are you installing Java for your browser (or at all) in 2016?

1 Like

Oracle’s happy to do its part to help increase the spread of malware via Java. Did you see Cantrill’s talk where he talked about Oracle’s acquisition of Sun? It’s one of my favorite things on YouTube.

He did this at a talk sponsored by Oracle, for added entertainment value.

4 Likes

Probably, like most of us, he has no choice.

Even Cisco is shipping product that relies on client-side Java. You’d think they’d know better. :frowning:

1 Like

In the browser? Oracle has announced, as I recall, that they’re ending their browser plugin for Java.

1 Like

Remember when Microsoft said they’d kill ActiveX?

3 Likes

Oh they probably tried. Too many business applications that used it. Still have to use compatibility mode in IE for some things. Head>desk.

2 Likes

My point exactly! Kronos uses browser Java. And the fabulous non-java kronos promised these several years now has yet to be unveiled…

Updating, not newly installing, but that is a very good question. Thanks for making me ask it.

You are generous, but - nope, now that I reflect on it, it’s mostly just inertia and the habit of always dutifully doing my security upgrades.

Having had it so long I no longer recall what if anything I might need it for, it’s quite possible I can just get rid of it and have done. If I find there actually is something I use that needs it, then I can evaluate the risk/return.

1 Like