
Enough people have voiced their opinion on this tool but I just tried it.

The results were underwhelming. It fails to find obvious links between sites, makes completely incorrect correlations while claiming 100% matches, and has no way of figuring out if it's the same person. The "useful" features seem to be username generator based on your original input, e.g. you input "john doe" and it suggests usernames like "jdoe", "johndoe", etc.


Depends on why OP doesn't like Electron.

To be clear to everyone: Electron and React Native are not alike. Electron is a big web browser. React Native works completely differently: it neither renders, computes, nor runs the same. React Native uses the Hermes engine, puppeteering native components.


Same situation for Denmark and possibly other European countries


localStorage and cookies are the same in terms of GDPR. It encompasses all local storage mechanisms such as IndexedDB, cookies, localStorage, sessionStorage, etc.

(source: I read the directive way back when it came out, and also skimmed large sections of GDPR)

Other sources: https://softwareengineering.stackexchange.com/questions/2905... and https://law.stackexchange.com/questions/30739/do-the-gdpr-an...


> I'd demand Facebook pay out $75,000 minimum

Wouldn't demanding money be blackmailing?

A story from one of my startups: A student reached out to us regarding a security vulnerability on the website, demanding money for it. He refused to say what it was or provide evidence at first, so we couldn't assess it. He said he'd disclose it to others if we didn't.

I definitely felt blackmailed. I am not a lawyer but it felt illegal. Maybe someone can chime in to say if it is?


Rather than the exploiter setting an arbitrary price (which would be closer to blackmail), I think parent comment was saying that the fair market value of disclosing such a bug was worth closer to $75k given the unique skill set required.

Skilled engineers turn to cybercrime when white-hat bounties are insufficiently rewarding, so it is in everyone's interest to pay competitive rates for finding security vulnerabilities.


The fair market price of an entire app pentest of that legal dashboard application, one which would almost certainly find that bug† if run by a competent, reputable firm, along with many other bugs, run by consultants with bios and concluded with a deliverable that Facebook can file away, is probably somewhere between $20,000 and $35,000, so the idea that the fair market value of a single finding of that engagement is $75,000 is pretty hard to take seriously.

From my perspective, people have weird ideas (in both directions!) about how much this stuff costs.

It's a little tricky to say because the blog post is cagey about what the vulnerability actually is, but I'm thinking about all of the password-reset-flow bugs I've ever seen that fit the rest of the pattern of the post and I'm pretty sure this is low-hanging fruit for a serious app pentest.


One point for you to consider though: I guess FB runs pentests all the time, either internally or externally by appointing some other company to do it.

That being said, if they pay that company 35k, for example, and they haven't found this, wouldn't that fact make this discovery worth more than 35k?


Maybe they found other bugs that were worse, or of the same value, and you should have just given them another day.


Fair enough. I could imagine that if the work were billed by the hour or said research firm hired multiple people it would be easy for costs of the work to run up to $75k - it's within O(20k). I'm not qualified to price these though - I certainly would abhor having to pay that cost if I were a small company.


20-35k assuming a sort of baseline project being 2 people, 2 weeks.


Which is essentially market driven blackmail as far as I can see. Once I meet my new neighbours (one of whom is a moral philosopher by trade) I might ask about how to assess if that's ok. Personally it feels somewhat ok to me, speaking as someone who's built industrial espionage for money.


>> Which is essentially market driven blackmail as far as I can see.

Modern medicine can also be like blackmail. Nobody has to actually threaten you, but nature will kill you unless you pay whatever the price of treatment. That's why we need competition, and why pharma companies like monopolies.


That's the most American comment I've read all day, and that's saying something!


It differs from blackmail because you the sick person are the one requiring others to perform a service for your benefit. With blackmail (and generally extortion) you are threatening to take an action unless someone pays you not to.


Oh I completely agree, that's why I said "can also be like blackmail". Key word "like" because it does differ in the exact way you describe.

So in this thread's context, "hey I found a vulnerability in your infrastructure, you could pay me for it" does not actually constitute blackmail unless they actually follow it with "I'm selling to the highest bidder which may not be you".


Here in Australia the state funds most medical care. In this case the blackmail vector, if we use that interpretation, is the taxation system.


And we (Australia) blackmail drug makers: sell your drugs to us at a certain price and the Government will heavily subsidise it and you’ll get big sales. Refuse and it will get zero subsidy and nobody will buy it.

https://en.m.wikipedia.org/wiki/Pharmaceutical_Benefits_Sche...


> And we (Australia) blackmail drug makers: sell your drugs to us at a certain price and the Government will heavily subsidise it and you’ll get big sales. Refuse and it will get zero subsidy and nobody will buy it.

The blackmail version is actually "Refuse, and we'll produce a generic version locally and perhaps even export it to any country that wants it."

https://www.wired.com/2006/12/indiadrug/


Blackmail with a bit of overhead tossed in then. At least most hackers keep the costs down and pass the savings on to you!


I don't think state funded healthcare works the way you think it does. The American system is the most economically inefficient system out there, to the extent that people without experience of other systems likely end up with a highly distorted perception.

Note that a mixed economy (combined public/private funding, like the French and Australian systems) is probably for the most part the most economically efficient. A big problem in Australia is over-provision of services, especially ending up getting more pathology tests than strictly necessary.


Just a joke!


That statement is so true it's terrifying.


The thing to remember is that the universe does not care, and nobody owes us anything. That's what's really terrifying until you come to terms with it.


So, what is your proposed solution for people who find security vulnerabilities in systems? Keep in mind these vulns are worth money in the black market.


If the gov't stops prosecuting the security experts for selling the vulnerability on the black market (but instead, only prosecute those who use it for illegal purposes), then the security expert can find out the true value of a vulnerability.

This makes the company with said vulnerability pay the true price for it - may be even just purchase it on the black market and outbid the "bad guys". Or pay someone to fix it asap before it's sold.


I suspect that decent bug bounties, and therefore engendering more competition between white hat and black hat activities is probably the best way to go.


What does it mean to be a moral philosopher 'by trade'?


Employed (by a university) as a moral philosopher. Interestingly the institute they work for is ethically dubious (because of how it's funded, not the teaching content)


Unemployed


It's a rather small field, but IIRC, I had a philosophy professor in college whose specialty was Ethics, and he had a sideline consulting with hospitals as a medical ethicist. He was also brilliant. In the course I took with him we covered scientific ethics, one of the more memorable of my academic experiences.


Presumably that they're an academic moral philosopher.


I suppose the illegal part would be the student threatening to disclose the vulnerability to others if you didn't pay. That seems like crossing the line into blackmail and being an accomplice of whoever he discloses to. But the student wouldn't be legally obligated to inform you of a vulnerability, and it wouldn't make sense to if you weren't willing to pay. I can see the difficulty though, I guess you'd need to have his identity so you could legally pursue him if there was no vulnerability and he ran away with the money. Or maybe you could write up some sort of contract requiring an in-person demonstration...


>> student wouldn't be legally obligated to inform you of a vulnerability, and it wouldn't make sense to if you weren't willing to pay.

Which leads to a very interesting situation in negotiating. It's not the first time someone tried to sell information or an idea without getting ripped off. But how can one agree on the value of information without knowing it? Is there a standard word or phrase to describe that situation?


The thing that is missing here would seem to be a sort of zero-knowledge proof.


perhaps a third party both sides trust is hired to appraise the value


Those things already exist but ultimately bugs and exploits are too niche. A trusted third party cannot rule by themselves but is always required to ask both sides about the bug's impact. Since both sides try to frame it as both high and low impact at the same time, you make both parties unhappy in most cases and become untrusted.


Sounds like a standard Catch-22.


Finder’s fee


It’s that second part.

“I’m going to do x if you don’t y.”

He’s under no obligation to disclose. But the second part is coercion.

x itself might also constitute a crime.


Using an "if" doesn't mean coercion if the first action is legitimate:

- I'm going to refuse your offer if you don't propose something better.

- I'm going to work on it if you don't want to.

- I'm going to eat the cake if you don't like it.


Not quite. Let's say I know you're cheating on your partner: I can tell the partner, and that's legally fine. But if I say "I'm going to tell the partner if you don't pay me $7500" then that is not fine, even though the first action is legitimate. Coercion really is quite a bit about the second part as well.

I'm not sure if this rule would cover all coercion/blackmail, but a rule like the following is probably a good guideline: if the first part negatively impacts the "victim" while the second part positively impacts the other person, it might be getting close to coercion territory.

Let's take your cake example: The person with the cake isn't really negatively impacted. If they don't like the cake, they aren't materially harmed by someone else eating it. Although even there, context matters: Let's say you're a baker, and you sell cakes, even ones that you don't like yourself (maybe you hate buttercream icing). Taking your cake and eating it when you might otherwise have sold the cake and made money would be a problem.


?

It is coercion. But not all coercion is criminal.


There’s no harm in making a demand. It’s adding “or else” that would get you in trouble. In this case that would be extortion.


I don't think demanding a sum of money for a problem that you personally solved could be considered blackmail. I'm not an attorney though.


IANAL, but it definitely sounds like he's painting a target on himself for civil damages if someone else hacks you by using an exploit he shared.


Good luck proving that.


Unless litigating students is something your startup is interested in, I’d recommend ignoring that line of thinking and just hiring a good pen tester for a few months.


It’s really hard to say what something is worth if you are only allowed to sell it to one buyer. No competition between buyers. The only leverage is releasing the info and screwing a lot of people.

(Also sucks that you can release it anyway. But you do want to source these vulnerabilities from the world at large.)

Yet another reason why open source and collaboration may be better than capitalism and competition. Many hands make light work, with enough eyes all bugs are shallow, and all that.

(To be fair, open source lacks security by obscurity so a project becomes secure after many years and developers join it.)


What you experienced may be a baseline change when using noise cancellation. It happens with all noise cancelling headphones after long use (for me). I am NOT an authoritative source on it but what I heard was that the brain makes a baseline for the background / silence and when that noise is removed (active noise cancelled) then the brain recalibrates which may cause the same symptom as tinnitus as the brain tries to cancel it out but supposedly without the permanent damage. I consider it "possible" but I haven't seen hard science on it.


VPN clients traditionally virtualize your network interface entirely. Everything acts as if you are actually physically present because it's virtualized nicely. It's great because it "just works".

These "non-VPN" solutions seem to use a client on your machine that changes any DNS lookup through the OS layer by hooking into gethostaddr() and returning the same IP for all domains if they are in the list of hosts that should be virtualized. Then only the traffic to domains that are needed is virtualized; anything else is untouched. YouTube and Netflix won't get piped over your company network, as an example.

Disclaimer: I don't really know that this is how it works but this is how other providers do it.


Yes, but does GDPR require the delivery format to be practical? Over time, if not happening already, you could probably see companies trying to introduce randomness / changing the format every so often for the sake of blocking this.


Agreed. Their reviews are usually to the point, objective statements with tasteful opinions. This article was unlike others and his opinions were in the way of actually hearing about how it was. I am not even in the market for one yet I do not feel informed after that review.


To straight up answer your question: Yes, I have friends who really like the iPad so much and want to do development on it. Will it practically work? I really don't know. Until I see Xcode and/or Docker on iOS/iPadOS I am not very hopeful.

