Funny, I agree with him because of things like Covid being self-inflicted. We're so unable, as a species, to avoid even known risks (yes, we've known about the risk of new coronaviruses since SARS), prepare for them, or deal with them when they've actually occurred. Even now, a not insignificant part of the US population thinks Covid is a hoax. Or that climate change is a hoax. We're reaching a point where catastrophic failure is just a stone's throw away, and we're already seeing the system buckle (the rise of the Republicans' hold over Congress, the rise of Trump, the rise of far-right activists across Europe, growing environmental issues causing things like surges of refugees and civil war, unrest across the globe, etc.). It's only going to get worse from here as problems go unsolved and people's suffering grows.
We've banned this account for repeatedly breaking the site guidelines. If you don't want to be banned, you're welcome to read https://news.ycombinator.com/newsguidelines.html and email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.
Respectfully, politicians you don't like gaining power isn't evidence of the system buckling.
The other issues aren't exactly unconcerning, but I think we have to acknowledge that this is a quite peaceful time. For most of history, what we call "unrest" was the status quo, and there were in addition wars of open territorial conquest which are nearly extinct today.
It's hard to determine what our ancestors actually did. I'm sure you could argue any number of solutions they might have used. I'm wondering, though, what the prevalence of these afflictions was back then, or is now in modern hunter-gatherer societies. The latter is not proof of anything, but it would be an indication of what a possibility might be like.
I don't think Biden could do that. It would be as bad as, if not worse than, another 4 years of Trump as president. It would mean that there are no standards by which a president is held accountable, and considering how many lives he has cost and the corrupt things he has done betraying the country, it would make the next Republican presidency that much worse.
Why is there a statute of limitations for government officials? This shouldn't be a thing when you're entrusted with the responsibilities that you are concerning an entire country and its citizens.
Sure, but we've decided that for some crimes (like murder) there is no statute of limitations, and we have a greater interest in prosecuting those crimes than in ensuring it's reasonable for a defendant to defend themselves many years later.
I think the same should be true of our civil servants who wield so much power over the populace.
Unless you're on a device that can only be upgraded to 10.13, after which it won't get security updates anymore after 11 is released. Meanwhile, I can still put W10 on 10-12 year old PCs and it'll run fine (if the hardware wasn't particularly terrible even for back then). It might not support some of the latest features, but it works and you're not subject to some arbitrary decision by Microsoft as to whether you're allowed to use W10 or not.
W10 is terrible on traditional hard drives, which most PCs were using 10-12 years ago. We are also at the tail end of the Core 2 Duo era; those devices aren't really up to the job.
I use Windows at work occasionally and I can't get over how much clicking I have to do. Also some basic stuff is missing without convoluted workarounds (such as resetting the default app to open a file type to none). W10 is not in the same league as macOS, despite macOS getting worse.
My early-2013 (7.5 years old now) will be getting Big Sur and 3-4 years support after that.
And it still works like new - something that I’ve never heard about a similarly aged Win10 device unless it was very recently reinstalled.
You’re likely to have problems finding drivers for your other hardware, though - especially 10-year-old printers or scanners (even though they are likely to work out of the box on a modern Mac and Linux).
Currently working part-time as a PC technician. Recently had a 10 year old PC here that had to be upgraded to W10. Did Microsoft complain? Nope. I replaced the HDD with an SSD and it ran fine. I've done this with 10 year old laptops too. I simply prefer a platform that doesn't decide for me whether I'm allowed to install it or not. And any device that runs fine on W10 now will most likely run it fine in the future too. Microsoft isn't going to "drop support" for old devices just because they're tired of supporting it. It's like you Apple guys literally have Stockholm syndrome, rationalizing this crap to yourselves.
And you'd be surprised what kind of old hardware still works on W10.
I’m not an Apple person, I’m a Linux person although I do have one old Mac as well (that will be retired when it stops being useful - likely in 3-4 years).
I’ve tried to help family who were tricked into a Win10 upgrade by the dark patterns of the “free upgrade to Win 10” window. Some had to buy new printers/scanners because Win 10 didn’t support the ones that worked perfectly in XP and Win7. (My modern Linux laptop had no such problems.) Also a WinModem of some sort used as a built-in fax machine.
As a Linux person, I find it funny that you refer to Windows as “platform that allows me to install or not”. It allows you to install but as of Win10, unless you are on Enterprise or LTSB, it doesn’t let you not install. It’s no longer your machine - you paid for it, but it’s Microsoft’s to manage/brick as they see fit.
Afaik, there's an offline mode. It seems like you're forced to complete an online update before you're allowed to start the game proper though and you might be stuck with the original data on the discs even if you could skip that, which would sort of suck.
The game client is about a 91 gigabyte download which will include all the aircraft and a low-resolution copy of the entire world. This offline data is fully functional.
You only need to be online for multiplayer, live air traffic data, and to stream high-quality versions of the world.
Also, the game has an option to manually add areas of the world to the high quality data cache, so if you know you're going to be without Internet for a while, but still want to be able to fly over certain areas with high-quality imagery, you can do that.
Backblaze only covers the drives they have in production, which is a fairly small variation. Any smaller drives you see in their stats will be older (with more data), which means you might not see any data if you're buying a more recent smaller drive, and they may not have data on the highest end as they want to hit a good price to size/performance value for what they buy.
It's more "here's a review of what we have" and less a "here's a survey of what exists to buy", although you might be able to make some educated guesses about the latter from the former (but I would consider those low accuracy).
Unfortunately, we live in a world governed by money as a motivator. While you might not be in it for the money, many people are, to a certain degree (you know, to make a living and to be able to afford a decent life). If companies are unwilling to pay anything remotely close to what researchers' time is worth, then they shouldn't wonder when people prefer to sell the exploits that they find to those who do value their work appropriately.
And frankly, we shouldn't be giving companies a pass for being cheap because "reporting it responsibly" is the right thing to do. These companies are benefiting to a great degree by offloading vital security research onto unaffiliated and unknown third-parties. Your time, as well as the time of any other hacker or researcher, is valuable and needs to be compensated. I don't see why it's fair to any of us that we should have to work for free or for low pay-outs just because we might be doing the right thing. Same goes for any other career that is badly paid just because "they're helping people".
I agree with you. It's super low, but I and others will just ignore it in the future and ultimately they lose.
However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.
I consider bug bounties like competitions. The 'prize money' is defined beforehand. You don't have to compete if you don't want it. You can also compete for the 'notoriety'. Knowing the stakes, do you complain after getting 'first place'?
Everything you own or do is only worth as much as someone is willing to pay for it, everything else is just speculation.
In my country there is a sort of obligation to get 10% of the value in case you find something valuable, but it is more applied to found money. Many times people just return what they have found without taking any reward. This could be extrapolated to bug bounties as well. How much would Slack or its clients potentially lose if this bug was exploited? I think that everybody could agree on some sum, let's say 200k USD. In that case 20k should be paid.
Another approach is to take the invoice for the last security audit and simply pay the whole amount of that invoice to the researcher. If none was ever done (good God!), just some usual quote for pen testing the targeted application could be applied.
HackerOne could also enforce minimum payouts per exploit category.
What you do, though, is objectively more valuable to Slack than you were paid. They have reframed security as the competition you mention, but the stakes are much higher and they're sidestepping with this issue of "responsible reporting".
> What you do, though, is objectively more valuable to Slack than you were paid.
This is a meaningless statement.
Obviously all work is more valuable to the company than what they pay you to do the work... otherwise they wouldn't pay you would they? Because they'd get nothing out of it.
If your work generates £5 for a company, then why would they pay you £5 or £6 for it? What's in it for them?
Payments from a company are subjective not objective. There is a single purchaser, in this case Slack, and the researcher already said that he wouldn't engage in unethical behaviour to make more money. Just sell the vulnerability to Slack, and be done with it.
Business owners of failing businesses, when they go to sell, many times think, "I've put in a million hours for this, so I need a million dollars." But, that will never happen.
> However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass' in the future :) It's great people are discussing this and surely it will improve things for future researchers.
Shouldn't people like you be able to do this for a living if you want to? It's valuable work. It has real market value. It seems like you're doing this for fun and genuine interest and I do admire that. Maybe you don't want to taint your motivation with the idea of "how much money can I get for this?" I get that too. But as an outsider, I see this low pay-out and I see exploitation under the guise of "doing the right thing". I genuinely want you to be paid more. You deserve it.
I feel like the only way this kind of thing will change is if people are more vocal about how inappropriate the low compensation is for a company like Slack. Public criticism is necessary and, unfortunately, the only tool we have nowadays to effect change. I understand if this isn't a hill you want to die on, but I hope that other people (particularly people who aren't in bug hunting) are willing to pressure Slack to reconsider its policies.
The problem with "others will ignore it in the future and ultimately they lose" is that it's a passive signal that is too easily overlooked and ignored. It never reaches anybody with any kind of influence who can make changes. If a big exploit happens and somebody does a root cause analysis, it's never going to lead to the conclusion that "well, it's because we haven't been paying enough in our bug bounty program, we need to change that", if only because there's no data about how many people passed on helping them out because of the low payouts.
Yes they should and I think I could. This exploit was more of a fun challenge.
I support and agree to everything you are saying. I love the community response. I too loathe the bug bounty asymmetry in power between corporations and reporters, but it exists... by design. How do you imagine a researcher can 'demand' more money in this situation? They can choose the amounts arbitrarily and there is nothing legal or ethical you can do about it.
I haven't seen any proposals for real solutions - how would you ask this? How do you decide the amount for each company? Solutions, which do not bypass ethics or laws. I hope that 'the market' will solve this eventually and I think I at least raised awareness.
Context matters. In this case it was a challenge because of previous research and I would've done it just for fun and the experience. I'm lucky I can afford to do that. Doesn't mean I don't value compensation.
In other cases maybe yes, maybe no - for some nonprofit, maybe someone needs help? are they a business and can they afford to compensate this kind of work? maybe it is some prominent product? there is no simple answer
There are western vulnerability brokers that sell advance warning of exploits to clients like large corporations and governments so they can protect themselves, then presumably handle notifying the company in question so the bug can get fixed. Of course, one problem is that their clients are free to abuse the exploits, and another problem is there's no guarantee they'll make sure the exploits get fixed... but that's certainly an option for you if you aren't comfortable using HackerOne.
Another option is to just disclose it to the public a set number of days after notifying them, like Project Zero.
I think the key thing is that there's a wide range in the amount of effort someone will put into looking for bugs/exploits, guided by a number of factors, like how fun the bug is to work on, the monetary reward, and any prestige from being the one to find it.
If an obvious vuln appears, obviously report it. But, these reports require a lot of work. It'd also be perfectly ok if the researcher reported whatever obscure behaviour they found initially, and went to go look at other targets with better bounties, played with their dog, etc.
This might be unpopular, but if you don't feel like the compensation adequately reflects your effort, then you're free to do whatever you think is fair. It's your work. Slack isn't entitled to that work. Ideally, you'd check beforehand what a bug bounty program usually pays out and then decide whether to work on some other company's product that pays better. But you're always going to have people who are interested in doing this stuff and you're always going to have people who will look for the best pay-out for the work they've done.
The problem with starting with the baseline of "the right thing to do is always to disclose the vulnerability to Slack regardless of how little they pay" is that it perpetuates the exploitation of legitimate and important work by skilled workers. The onus should be on Slack to provide fair compensation, not on people doing this important work to "do it out of the good of their hearts".
Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked. I don’t disagree with your other points but I don’t think selling an exploit on the black market is the right solution.
Perhaps the best compromise, as I think about it, is to just make the exploit public with no prior warning to the vendor. That’s not great for users either, but at least they’re informed, and the vendor will be left scrambling. But in that case, the researcher gets paid nothing at all.
> Sure, but that isn’t the user’s fault, and they’re the ones who are going to get attacked.
This is true, but the responsibility to protect these users is ultimately on Slack, not the researcher. If Slack's bounties are nowhere near competitive with black market prices, they are failing to protect their users and should be called out on it.
If someone spends 100 hours coming up with, say, a clickjacking vuln, it does not magically make it worth $5000. If someone spends 6 minutes coming up with a zero-click sandbox bypass in Chrome, it's not just worth $5.
Severity matters, not time, especially in a bug bounty. If you want the stability (and assurance) of actually getting paid reasonably and consistently for this, you should get a job as a pentester.
That's kind of bad - first of all, $50 can be really low depending on the region, but more importantly this disregards the time spent on looking for exploits that don't pan out.
So I would multiply that $50 by at least 4.
But still like the other said bugs should pay by severity not by time spent.