Comment Re:Is there _anybody_ that gets IT security right? (Score 1) 14

It seems they all mess up. Time for real penalties large enough that make it worthwhile hiring actual experts and letting them do it right. Otherwise this crap will continue and it is getting unsustainable.

No, no one gets security right, and they never will. Security is hard and even actual experts make mistakes.

The best you can do is to expect companies to make a good effort to avoid vulnerabilities and to run vulnerability reward programs to incentivize researchers to look for and report bugs, then promptly reward the researchers and fix the vulns.

And that's exactly what Google does, and what Google did. Google does hire lots of actual security experts and has lots of review processes intended to check that vulnerabilities are not created... but 100% success will never be achieved, which is why VRPs are crucial. If you read the details of this exploit, it's a fairly sophisticated attack against an obscure legacy API. Should the vulnerability have been proactively prevented? Sure. Is it reasonable that it escaped the engineers' notice? Absolutely. But the VRP program incentivized brutecat to find, verify and report the problem, and Google promptly fixed it, first by implementing preventive mitigations and then by shutting down the legacy API.

This is good, actually. Not that there was a problem, but problems are inevitable. It was good that a researcher was motivated to find and report the problem, and Google responded by fixing it and compensating him for his trouble.

As for your proposal of large penalties, that would be counterproductive. It would encourage companies to obfuscate, deny and attempt to shift blame, rather than being friendly and encouraging toward researchers and fixing problems fast.

Comment Re:A new crisis (Score 3, Insightful) 71

Please stop being stupid and pushing lies. The scientifically sound warnings have been there since about 1980. They got fully ignored and they have turned out to be pretty accurate. Now, more spectacular warnings run the risk of being overstated (by their very nature), but that is not a way to tell they are baseless, like you seem to imply.

Comment Re:FUD (Score 1) 31

Indeed. The problem is insecure systems. In any other engineering discipline that gets resolved with liability and minimal standards and, if needed, people going to prison. (No, that will _not_ kill FOSS. That is just a lie.) IT just has not had its really big catastrophes yet, or rather so far they were too abstract. But the way Microsoft (and others) are going, it is just a question of time.

Comment Re:FUD (Score 1) 31

And, yes, it's more difficult these days. I've been trying to find a reputable company (at a reasonable price) to just do a simple DDoS for me.

No, not for anything illegal. I just want to test some of my own infrastructure. It has gone through a DDoS attack a couple of times and has been just fine. But, those were short-lived (under an hour) and not very impressive as far as the numbers go. I'd like to find the breaking point so that I can work on that.

I think you are lying. A localized simulated DDoS is not hard to do and as good as the real thing. Any competent pen-testing outfit should be capable and willing.
