undefined | Better HN

0 pointsembik9y ago0 comments

So you don't believe there are blackhats out there? Because somebody has to be breaching online services and it's rather unlikely it's a godly entity doing that.

Felonies exist and people still commit them. Should they? God no. But people with a lower moral code exist and they can be flipped to do "good work" if there's enough money for them (and I think you should get more money in general for your important work anyway). I find the notion of your profession only consisting of good people highly offending to the rest of the world.

0 comments

tedunangst9y ago

The people who are not the majority of researchers would be... Wait for it... A minority of researchers.

estefan9y ago

So... a minority of people aren't capable of causing trouble? I don't see your point.

tptacek9y ago

This is a crazy argument. HN is a community populated in large part by software developers, most of whom will at many different times in their careers ship vulnerable code they wrote. You're saying that if you start a new company, you should either (a) get your code absolutely perfect, which nobody ever manages to do, including people who go to great expense to try, or (b) be held hostage by extortion schemes to pay greater sums for vulnerabilities lest the discoverers exploit them to cause the most possible damage to your company.

You know who does fine in a world where that's the norm? Facebook. No matter where vulnerabilities get valued at, they will be a rounding error expense to Facebook.

You know who does not do fine in that world? Anyone smaller than Facebook.

Thankfully, that's not the norm in the real world. Unfortunately, the real norm is: if you pay a bounty at all, random people on Twitter and message boards will claim you're being negligent by not paying more for them. The lesson then is: don't offer a bug bounty. All you're doing is attracting negative attention.

You know who does fine in the real world where that's the norm? Apple and Cisco. Really, so does Facebook, despite the bullshit flak they take for their bounties.

You know who does not do fine in the real world? End-users.

tedunangst9y ago

Nothing in tptacek's comment implied that blackhats don't exist.

j / k navigate · click thread line to collapse

0 pointsembik9y ago0 comments

So you don't believe there are blackhats out there? Because somebody has to be breaching online services and it's rather unlikely it's a godly entity doing that.

0 comments

tedunangst9y ago

The people who are not the majority of researchers would be... Wait for it... A minority of researchers.

estefan9y ago

So... a minority of people aren't capable of causing trouble? I don't see your point.

tptacek9y ago

You know who does fine in a world where that's the norm? Facebook. No matter where vulnerabilities get valued at, they will be a rounding error expense to Facebook.

You know who does not do fine in that world? Anyone smaller than Facebook.

You know who does fine in the real world where that's the norm? Apple and Cisco. Really, so does Facebook, despite the bullshit flak they take for their bounties.

You know who does not do fine in the real world? End-users.

tedunangst9y ago

Nothing in tptacek's comment implied that blackhats don't exist.

j / k navigate · click thread line to collapse