Personal computing discussed
End User wrote:The title of your post is lacking key information.
just brew it! wrote:End User wrote:The title of your post is lacking key information.
That could probably be said of 95% of the posts on this forum. Why complain specifically about this one?
Waco wrote:I should just go buy a cabin in the woods.
Flying Fox wrote:Waco wrote:I should just go buy a cabin in the woods.
Cabin with electricity and running water? Then you are still not completely off grid.
just brew it! wrote:Flying Fox wrote:Waco wrote:I should just go buy a cabin in the woods.
Cabin with electricity and running water? Then you are still not completely off grid.
Solar/wind and your own well?
Flying Fox wrote:just brew it! wrote:Flying Fox wrote:Cabin with electricity and running water? Then you are still not completely off grid.
Solar/wind and your own well?
Unless you can make your own panels, turbine blades, and generator, you can still be tracked. Not to mention a large enough panel array and/or turbines can be seen by satellites.
End User wrote:just brew it! wrote:End User wrote:The title of your post is lacking key information.
That could probably be said of 95% of the posts on this forum. Why complain specifically about this one?
It does apply to every end user.
DrCR wrote:End User wrote:just brew it! wrote:That could probably be said of 95% of the posts on this forum. Why complain specifically about this one?
It does apply to every end user.
There's more than one of you?
steelcity_ballin wrote:For something as large as an ecosystem as android, I'm really surprised this wasn't found sooner. You'd think that vendors/partners would be paying hand-over-fist for elite talent to try and find these things.
JBI wrote:That line about how you don't want to see how laws or sausage get made? It applies to software too. In spades. Closed vs. Open source doesn't make much difference either.
the wrote:The elite talent is already employed by the NSA to do just that. Not sure about this particular example, but they have been known to hang on to numerous vulnerabilities they find for years before they are discovered in the public sphere.
just brew it! wrote:the wrote:steelcity_ballin wrote:For something as large as an ecosystem as android, I'm really surprised this wasn't found sooner. You'd think that vendors/partners would be paying hand-over-fist for elite talent to try and find these things.
The elite talent is already employed by the NSA to do just that. Not sure about this particular example, but they have been known to hang on to numerous vulnerabilities they find for years before they are discovered in the public sphere.
...and most of the elite talent that isn't working for the NSA has more interesting things to do than vet old code that someone else wrote for bugs.
steelcity_ballin wrote:I'd argue that this is more of a result of companies not offering fair bounties for smaller bugs, or large enough bounties for potential 0-day vulnerabilities. Bug in a browser that screws up a specific brand of screen reader? Sure, that's going to get a smaller bounty if it's known in the wild and not a real exploit. Known, or Unknown 0-day stuff should be millions of dollars. If you offered 1 million after taxes USD for exploiting some major interface like this, I promise you that **** would get patched so fast (or sold off to a higher bidder, heh)- Then keep the door open for anyone else to do similar and get a similar reward. You probably spend a small fraction of what it's going to cost you when it's exploited in the wild and you have a major class-action lawsuit on your hands. And I'd bet that the NSA doesn't pay their top talent *that* well.
I think that people who are out there today looking to break things in order to sell it off would likely prefer a legal, ethical, and profitable means of reporting/solving this. I think what you have is tight-ass execs who don't want to pay for it, but they will sooner or later. Give good hackers a chance to do good and profit from their work fixing your buggy mess. Lots of people like doing this.
Glorious wrote:http://www.underhanded-c.org/
just brew it! wrote:I think there's some serious potential for abuse there though. If you do that, you'll have people intentionally putting exploitable bugs in released software, then secretly splitting the bug bounty with a co-conspirator who "finds" the exploit.
steelcity_ballin wrote:Ideally, the enterprise you work for can afford a competent team that enforces source control and code reviews/audits of anything that gets added for merging to production.
steelcity_ballin wrote:If you can't trust your employees to do their job correctly and with integrity, I'd say you have bigger problems.
steelcity_ballin wrote:Code reviews should be mandatory, pair-programming can be a useful tool too early on for jr devs to learn the ropes, but also to switch pairs around to keep the style of code consistent, and the quality high and honest.
steelcity_ballin wrote:Any source control software is going to have a way to track everything anyone has ever done.
freebird wrote:Flying Fox wrote:just brew it! wrote:Solar/wind and your own well?
Unless you can make your own panels, turbine blades, and generator, you can still be tracked. Not to mention a large enough panel array and/or turbines can be seen by satellites.
What do you have against WATER power?
http://www.askaprepper.com/homemade-wat ... generator/
As to satellites, what CAN NOT be seen by them? Unless you live in an evergreen forest; then they probably would have a hard time seeing you.