About
I'm Ryan Lowe, a Software Engineering graduate living in Ottawa, Canada. I like agile software development and Ruby on Rails.
I write this blog in Canadian English and don't use a spell checker. Typos happen.
Rewarding Negative Feedback
I just finished writing a comment on Scoble's blog and wanted to expand on it here. Scoble linked to an article regarding Microsoft's bounty on virus writers. While I do agree that this is a pretty cool thing to do, I wondered why they aren't giving reward money to eliminate the vulnerabilities that allowed these viruses to exist in the first place.

By offering a cash reward to people who find vulnerabilities, Microsoft could potentially find a lot more security defects in its code -- and for a much lower price. Instead of people finding vulnerabilities in Microsoft code just because of the nature of the target, they'll actually be making money. In my comment I compared this to the open source world, where hackers find bugs in other people's code for prestige and also to improve a product they may have a vested interest in.

With a reward as motivation, people would be more likely to try to break Microsoft's code AND (more importantly) report the breakage to Microsoft, improving the products instead of constantly cursing about them or writing exploits.

In my hypothetical 'contest', to be given a reward the contributor would have to agree not to publicly disclose the exploit to anyone for a period of 30 days (arbitrary) to give Microsoft time to patch it. Public exploits would be disqualified.

A lot of people have a vested interest in Microsoft software but cannot see the closed source code. This makes testing more difficult but not entirely impossible. I think all commercial software could benefit from a program where people are rewarded for negative feedback, especially when it comes to security exploits.

Posted at November 05, 2003 at 06:00 PM EST. Last updated November 05, 2003 at 06:00 PM EST.

Comments
They have to make it easy to report these problems, whether they give out cash or just put the person on a reward and maybe just give them free stuff... I read once about a person that found a serious exploit, and tried to report it but it just got bounced around, and they had a hard time reporting it. No one paid attention to the one person. The problem did not get fixed. 6 months later a virus was made and took down many computers. (I wish that I could remember which virus... grrr...)

I think that with open source there is an easy way to report bugs. They *want* you to find problems with it. They don't in Microsoft because the pointy haired boss wants the marketing people to be able to say "this is great software because it's closed and has professionals working on it". The marketing people have to sell this as great, solid software that has been written without mistakes. You and I know that's impossible, but marketing monkeys don't understand that... they think that software engineering is Word macros and "anyone can make a website" because they think that you just click "save as html". Ya, that's exactly what Yahoo! and eBay do.

Long story short, I think that in many cases the decision has been in the past a business one, not a software engineering one.
» Posted by: Jim at November 5, 2003 11:48 PM

Oh for sure Jim. This kind of thing could happen under the regular consumer radar though, where the geeks live. Marketing departments and the general public don't care about under the radar but that's where you get geek respect for security, robustness and reliability ... then the geeks bug their bosses. Bottom up instead of top down == less resistance from the people maintaining the systems.
» Posted by: Ryan at November 6, 2003 12:59 AM

That sounds like a great idea, but I have two concerns. First, in order to find bugs or vulnerabilities in the code, the code has to be available. This basically limits something like this to the open-source community. Unless we start to see a trend of companies paying developers to work on code, which they then make 'publicly viewable and usable, but not distributable', then I don't think this would take off.

Second, it's all fine to talk about restricting things to the 'Geek world', but the second you say 'bug' to a marketing person, they're not going to have any idea what it means (or how severe it is).

There's also the problem of reporting. You wouldn't be able to just throw bugzilla on a server and let people submit bugs that way. You'd have to restrict everyone's access solely to the bugs that they're working on (otherwise the bug tracking software basically becomes a hands-on vulnerability guide).
» Posted by: peter at November 6, 2003 10:36 PM

Yeah, I pretty much meant no code access at all. You can still find defects with no code by punishing the software, i.e. buffer overflows ... As for the tracking, the first person to accurately report the defect would get the credit and the cash. The defect submission process would be private, of course, to give the company time to fix the bug before it's exploited.
» Posted by: Ryan at November 7, 2003 03:06 AM

This is a great idea! The frequency of public exploits to Microsoft software suggests that there are people out there who are discovering vulnerabilities and using their discoveries to get props the only way they can: assume a pseudonym and publish the 'sploit. With a 'bug bounty' in place there would be an alternative forum to take your exploits to which would get you recognition and cash.

That said, I would be curious to know what percentage of the recent exploits for Microsoft software were for vulnerabilities with existing patches. In other words, the exploit found in the wild was the result of translating Bugtraq (or similar) information into code or reverse engineering the existing patch. I suspect this is the common case, implying that finding the vulnerabilities is not the security bottleneck.
» Posted by: Brandon at November 12, 2003 12:41 PM