
How Bug Bounties Are Like Rat Farming

timothy posted more than 2 years ago | from the first-we-hypothesize-a-problem dept.

Security 140

Gunkerty Jeb writes "In a keynote speech at the United Security Summit, Stephen Dubner, co-author of Freakonomics, drew parallels between the increasingly popular (and successful) practice of software vendors offering bug bounties and a new industry springing up in Johannesburg, South Africa, where the population has recently found itself beset with a growing rat problem. In order to help mitigate their rodent problem, officials in Johannesburg began offering a small monetary reward for each dead rat turned in. It was wildly successful, and it didn't take long for a fresh batch of entrepreneurs to pop up and exploit the situation. Of course, I'm talking about rat farming. Evidently, business-minded individuals have taken to breeding rats, only to kill them and turn them in for rewards. Obviously, rat farming is somewhat unscrupulous, but security researchers are doing the same thing: breeding bugs in the lab, then leading them to the slaughter for a nice payday. And it's a good thing."


140 comments


What the hell (5, Insightful)

Anrego (830717) | more than 2 years ago | (#37456042)

Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).

But it turns out that he knows more about security than one would think. Maybe even more than he might think.

Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).

The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

Re:What the hell (1)

Anonymous Coward | more than 2 years ago | (#37456084)

I don't know, but the article's last sentence is the only one that asserts that bugs are manufactured. Its argument is "Yes, yes they are!" Solid, totally solid line of reasoning I'll use the next time I need to conjure a phantom.

Re:What the hell (1)

Stellian (673475) | more than 2 years ago | (#37456590)

The analogy is rock solid - let me rephrase it with cars. Suppose you are a car manufacturer who wants to sell more cars. Well, you could do that by offering a free lifetime supply of gas for every purchased car. Pretty soon people will queue up to buy your cars. And it's a good thing!

Re:What the hell (1)

rwa2 (4391) | more than 2 years ago | (#37456840)

Where is BadAnalogyGuy when you need him?

I think the point is that with the bug bounties, researchers are busy creating new classes of bugs and 'sploits, and turning them in for the bounty. Instead of being lazy and not creating new types of 'sploits, or worse, stumbling across bugs and selling them to the botnets instead.

The point is, it's better that the security researchers are finding and disclosing more new types of attacks thanks to the bug bounties. If they weren't finding new 'sploits, it doesn't mean they're not there.

The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something. Unless they have some sort of awesome recipe for rats. But that wasn't the intent of the rat bounty.

Re:What the hell (1)

vlm (69642) | more than 2 years ago | (#37457146)

The rat analogy breaks down, since it's not really better for them to be breeding rats, than, say, digging deeper to find underground breeding colonies in sewers or something.

This whole situation always reminds me of the UniSys RATS game on the BTOS operating system, on big green minicomputers in the late 80s early 90s, where the "easiest" way to get the high score was to camp on the rat generating colony deep within the maze, rather than sniping individual rats while running the corridors.

Re:What the hell (1)

ceoyoyo (59147) | more than 2 years ago | (#37457646)

Let me rephrase it in the context of Star Wars. This is Chewbacca. He's a Wookie....

Re:What the hell (1)

Daniel_Staal (609844) | more than 2 years ago | (#37456592)

Impressively, the Slashdot summary manages to be more informative than the article itself, while only quoting the article!

Re:What the hell (1)

waives (1257650) | more than 2 years ago | (#37457264)

Behold the power of the ancient magic known as 'editing'.

Re:What the hell (1)

Jmc23 (2353706) | more than 2 years ago | (#37456090)

Well, it was posted by timothy. What did you expect?

Re:What the hell (1)

David Gerard (12369) | more than 2 years ago | (#37456102)

No, the analogy makes no sense at all. It would only make sense if the developers were adding bugs to the code to collect the bounties. This is not what's being described.

The article is there to fill space and get ad clicks. Like most of the IT press.

Re:What the hell (1)

swanzilla (1458281) | more than 2 years ago | (#37456402)

I heard the devs are finding the bugs on iPhone killers and the bounties are paid in Bitcoins...

Re:What the hell (1)

meerling (1487879) | more than 2 years ago | (#37456886)

Exactly! The bug bounties are doing exactly what they are supposed to: give people other than the devs an incentive to find and report bugs. Something that previously usually only happened if it actually inconvenienced the user. Just because they are finding more bugs and glitches than expected in no way means they are somehow generating them for profit. That's why the analogy usually used is regarding bounty hunting. You are finding the unwanted elements and turning them in for profit, as opposed to the rat farming scam (or snake farming scam in the USA) where you are actually creating/supplying the unwanted element so you can turn them in for profit. There is a big difference between finding and creating; too bad the patent examiners that handle gene patents can't seem to understand that.

Re:What the hell (1)

rs1n (1867908) | more than 2 years ago | (#37457368)

I didn't read the article, but from the quote in the summary, you're mixing up developers with external security analysts (citizens vs entrepreneurs from another place trying to score a buck). But, to get to your point -- you're right, the analysts aren't injecting bugs into the software. However, they are very similar to the rat farmers in the sense that they might not care about the software being bug-free (or the city being clear of rats) and are only interested in the monetary gains.

Re:What the hell (1)

slim (1652) | more than 2 years ago | (#37457514)

However, they are very similar to the rat farmers in the sense that they might not care about the software being bug-free (or the city being clear of rats) and are only interested in the monetary gains.

But that part isn't notable or interesting.

The whole point of the rat bounty is to coax people into hunting wild rats, who wouldn't be doing it without the monetary incentive. Just like an external security analyst, the legitimate vermin killer is only doing it for the money.

What makes the rat farming anecdote notable, is that people would exploit the scheme by claiming the money while actually making the problem worse. But the bug bounty story has no parallel for that interesting part -- unless someone actually is deliberately injecting bugs, so they can claim credit for fixing them later.

As an aside, I've worked in a couple of places where you get a lot of visibility and credit for fixing serious production issues, and little recognition for maintaining a code base that never goes wrong. We often joke that it's an incentive to put time bombs in the code, but as far as I know, nobody's ever gone through with it.

Re:What the hell (2)

The Mighty Buzzard (878441) | more than 2 years ago | (#37456106)

Yep, bloody stupid article by a bloody stupid journalist. No two ways about it.

Re:What the hell (0)

Anonymous Coward | more than 2 years ago | (#37456116)

Glad I'm not the only one that found this "article" completely stupid.

Re:What the hell (1)

Aladrin (926209) | more than 2 years ago | (#37456134)

My thoughts exactly on bugs vs rats.

Re:What the hell (1)

Red Flayer (890720) | more than 2 years ago | (#37456856)

Writing bugs into code, even if on purpose, is *nothing* like rat farming.

If you want to farm rats (which I strongly advise against, as it's a waste of turns -- better to farm wolves or spiders at a higher level), first you need to make sure you're on a level with minimal corruption. Then you need to get a wererat onto the level somehow (making it follow you from an adjacent level is usually the best way). Put yourself in a corner (or along a wall), and hack away at the summoned rats. This should be sufficient for some good shield and weapon training. Make sure you don't accidentally kill off the wererat!

But at any rate, writing bugs into code usually doesn't involve any of that.

Re:What the hell (1)

dzfoo (772245) | more than 2 years ago | (#37456934)

I saw Bugs vs. Rats, it was pretty cool. I'm still waiting for the sequel, Rock, Paper, Scissors vs. The World, with Nicholas Cage as Spock. That one's going to r0xx0rz!

-dZ.

Re:What the hell (1)

Anonymous Coward | more than 2 years ago | (#37456148)

Yea, WTF happened here? The last line of TFS sounded like a pretty interesting last line to the first paragraph of an article. Except it turned out to be the last line of the article, where it made even less fucking sense than it did in TFS. I honestly don't understand how this got published, much less why the fuck someone read it, thought "this is interesting" and then submitted it to slashdot. I do however, fully understand how it made the front page, since it's quite obvious that no editor bothered to click the link, and thus they thought exactly the same thing I thought when reading the summary.

His point (1)

Anonymous Coward | more than 2 years ago | (#37456298)

I think he's trying to claim that a bug that's discovered by a security researcher before it can be (A) reported by a user or (B) exploited in a 0-day is an artificially created bug, not a "real" bug.

Which is, of course, idiotic; that's the whole point of paying researchers to find bugs.

Re:His point (3, Insightful)

slim (1652) | more than 2 years ago | (#37456414)

It's correct to observe that an incentive scheme could, conceivably, tempt developers into deliberately inserting bugs.

This would happen if you:

  • offer incentives for discovering bugs
  • offer incentives for closing off bugs
  • *don't* offer incentives for clean code

What the article doesn't do is point at real-world instances of this happening, or explain why "that's a good thing".

Re:His point (1)

ceoyoyo (59147) | more than 2 years ago | (#37457662)

Presumably nobody is dumb enough to pay bounties to contributors who find bugs in their own code.

Re:His point (1)

slim (1652) | more than 2 years ago | (#37457850)

1. I think you underestimate how dumb people can be
2. It's trivial to work around that obstacle with a little collusion.

Re:What the hell (1)

slim (1652) | more than 2 years ago | (#37456300)

Stephen Dubner is a smart guy, and I'm sure he had a solid point to make.

I can only imagine that this reporter has failed to relay it correctly.

What confuses me most is the "and that's a good thing" at the end. Mystifying.

Re:What the hell (1)

Anonymous Coward | more than 2 years ago | (#37456418)

Unless I missed something in the article, the analogy here makes absolutely no sense.

Maybe they meant something like:
1) researchers find bugs in lab
2) they breed/multiply them, i.e. cut them into pieces and submit each sub-bug/symptom separately instead of the root cause that's responsible for all those sub-bugs
3) profit by way of quasi-redundant bug reports
4) ??? (read: I'm just guessing how you could maximise your profit in a way similarly malicious to the rat-breeding issue)

Re:What the hell (1)

gilleain (1310105) | more than 2 years ago | (#37456596)

Unless I missed something in the article, the analogy here makes absolutely no sense.

Maybe they meant something like: 1) researchers find bugs in lab 2) they breed/multiply them, i.e. cut them into pieces and submit each sub-bug/symptom separately instead of the root cause that's responsible for all those sub-bugs 3) profit by way of quasi-redundant bug reports 4) ??? (read: I'm just guessing how you could maximise your profit in a way similarly malicious to the rat-breeding issue)

Ahhh. Well done : this at least makes some sense. I realise this is all speculation at this point, but the theory is that bug bounties make for bug reports that are too 'fine grained' because that's more profitable. Like, instead of "Bug : Language translation is broken in latest build" you get : "Bug : French translation broken..", "Bug : German Translation broken...", etc?

Re:What the hell (0)

Anonymous Coward | more than 2 years ago | (#37456764)

Like, instead of "Bug : Language translation is broken in latest build" you get : "Bug : French translation broken..", "Bug : German Translation broken...", etc?

I guess that could be an example.

I thought more along the lines of:
There's a buffer overflow (or whatever) bug in a library X. X is used by modules A, B and C. Instead of submitting the bug in X, you find where the bug manifests (i.e. in A, B and C) and only submit these symptoms. Of course you'd have to obfuscate your findings enough so the bug-fixer doesn't actually find the bug in X too early. Thus you end up with 3 bug-reports (4 once you've fully exploited the real bug) instead of just the 1.

Re:What the hell (1)

ThatsMyNick (2004126) | more than 2 years ago | (#37457494)

X is used by modules A, B and C. Instead of submitting the bug in X, you find where the bug manifests (i.e. in A, B and C) and only submit these symptoms. Of course you'd have to obfuscate your findings enough so the bug-fixer doesn't actually find the bug in X too early. Thus you end up with 3 bug-reports (4 once you've fully exploited the real bug) instead of just the 1.

This is more likely to happen if X, A, B & C are managed by different independent bounty programs. If managed by a single company, I doubt the submitters would be successful.

Re:What the hell (2)

StikyPad (445176) | more than 2 years ago | (#37456440)

this whole article is mostly pointless (besides the interesting story about rat farming).

Which itself seems to be a fabrication (unless this is the one story unavailable anywhere else on the internet). Johannesburg certainly has a rat problem, but there are no reports of the city paying bounties.

http://www.news24.com/SouthAfrica/News/Johannesburg-waging-war-against-rats-20110801 [news24.com]
http://www.news24.com/SouthAfrica/News/Anti-rat-campaign-moves-to-Soweto-20110812 [news24.com]

Re:What the hell (1)

Toze (1668155) | more than 2 years ago | (#37457038)

I was going to say we had them in the Canadian prairies, but I find that there's no mention of it in the official history. My father and grandfather did mention hunting rats in rural Saskatchewan, though, and they have mentioned knowing or hearing about neighbors farming rats. However, this is 3rd-hand knowledge at best.

Re:What the hell (0)

Anonymous Coward | more than 2 years ago | (#37457524)

My brothers used to hunt gophers and moles for bounty in Alberta. This was probably in the 1960's and 1970's. $.05 for a gopher and either $.10 or $.25 for a mole. There weren't any rats in Alberta at the time. There still are very few rats (next to none?).

Re:What the hell (1)

ceoyoyo (59147) | more than 2 years ago | (#37457716)

Are you sure they were rats? The Canadian prairies don't have a lot of rats (Alberta has none). They DO have prairie dogs and Richardson's ground squirrels though, and there have been various bounties at various times on those. Apparently in Saskatchewan once the bounty only required turning in the tail so you'd catch the little guy, whirl him around by the tail until it tore off, and let him go.

A stronger citation for rat farming (1)

tepples (727027) | more than 2 years ago | (#37457268)

I used Google rat farming site:wikipedia.org to find a citation in the Wikipedia article about perverse incentives [wikipedia.org] . I didn't read the original source [jhu.edu] because it appears to be paywalled and in French, and I am not affiliated with any of these subscribing institutions [jhu.edu] .

Re:What the hell (0)

Anonymous Coward | more than 2 years ago | (#37456600)

Researchers don't manufacture bugs themselves, but they do manufacture exploits of existing bugs. If you substitute exploits for about half the references to bugs themselves, then the analogy almost works.

But where it breaks down is, every time you turn in a rat, the farm where you grew it gets destroyed (i.e. the exploit's bug is fixed).

Re:What the hell (0)

Anonymous Coward | more than 2 years ago | (#37456810)

Or maybe he is saying that exploit code for a bug is the rat in the analogy.

If a report of a bug is accompanied with a demonstration exploit then it will earn a bigger reward than if the bug has no security implications or only speculative ones. That would motivate people to spend their time writing exploits for bugs. Which may indeed be a good thing.

Re:What the hell (1)

Anrego (830717) | more than 2 years ago | (#37457026)

Kind of a stretch from what was actually said in the article, but I can see that point.

Re:What the hell (1)

rs1n (1867908) | more than 2 years ago | (#37457318)

Unless I missed something in the article, the analogy here makes absolutely no sense. Security researchers aren’t injecting the bugs into software and then “discovering” them. I can’t “breed” a bug into firefox only to turn it in for a profit. Unless they are claiming inside devs are introducing bugs for outside researchers to find and then splitting the profit, which isn’t how I read it (and probably wouldn’t work for too long anyway).

But it turns out that he knows more about security than one would think. Maybe even more than he might think.

Or perhaps not? This comes across as exactly the kind of outsider without a clue looking in type perspective that is described at the start of the article. Sometimes outside perspectives are useful, but this whole article is mostly pointless (besides the interesting story about rat farming).

The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

You did miss something. The researchers are not injecting bugs. Instead, they are "farming for bugs" in the sense that they (presumably) put the software through a battery of tests (the "breeding" process). His point was that the bounty system was originally to motivate USERS to submit reports (like in S.A. where the point was to encourage citizens to turn in rat bodies). Instead, you've now got security researchers who may have absolutely no interest in using the software itself but have a monetary incentive to report bugs. Similarly, the rat farmers have no interest in getting rid of the infestation problem; they're just there to cash in on the rewards. The difference, however, is that the rat farmers breed the rats, whereas the analysts merely look for bugs (more akin to someone from another geographical region relocating to S.A. so they too can catch rats and turn them in).

Re:What the hell (1)

ceoyoyo (59147) | more than 2 years ago | (#37457586)

I love the article. It starts with a snarky paragraph about outsiders who don't know anything about security drawing (presumably) flawed analogies to things in their own area of expertise, says Dubner is different, then goes on to credulously relate a flawed analogy Dubner made between computer security and rat farming (which is presumably in his area of expertise).

The irony is strong with this one. Unless he was serious....

Another example of an economist talking without a complete understanding of a subject and a journalist with an incomplete understanding of everything.

Re:What the hell (1)

sgt scrub (869860) | more than 2 years ago | (#37457592)

The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. And here is the line in TFA that states that outright. It is called headline sensationalism, pure and simple.

Re:What the hell (1)

bgat (123664) | more than 2 years ago | (#37457616)

The only potential point I can see (which they didn’t try to make, so I’m probably imagining it) is that by having these bounty programs, bugs are discovered that otherwise might not have been looked for. Very thin.

No, that's EXACTLY the point he is making. He even says in the article that researchers aren't creating bugs; they are merely looking closely at the software with the purpose of finding those bugs. His analogy with rat farming isn't a very good one, but the main thrust of the article is that bug bounties ARE working -- and that commercial companies are recognizing that.

The rat farming analogy works if you think about the tools researchers create purely for detecting bugs in the target code. Programs that send bogus ping packets or attempt buffer overflows, for example.

Re:What the hell (0)

Anonymous Coward | more than 2 years ago | (#37457710)

Well, I think the implication is that there's no such thing as perfect software (no matter what claims you'd like to make about mathematical proofs etc, etc, etc).

Given that these systems are GOING to be imperfect, and that any given product is bound to be EVENTUALLY exploitable in some capacity, would this not provide all the makings for a bottomless money-pit?

The alternative being a miserable life of uncertainty filled with malicious hackers inflicting users with massive zero day ambushes, and intimidating them with coercive scareware phishing and "ad campaign" spam.

I think the real question being posed is:
"Are bug bounties really a facade for what is really a protection racket?"

Dumb article. (3, Informative)

tomhudson (43916) | more than 2 years ago | (#37456092)

The conclusion is false:

But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

There is ZERO evidence that the people writing the software cited in the article are intentionally introducing bugs. This guy should either produce a smidgen of evidence or FOADIAF.

Re:Dumb article. (1)

gameboyhippo (827141) | more than 2 years ago | (#37456408)

FOADIAF

Fly on a dinosaur in a forest?

Re:Dumb article. (1)

HopefulIntern (1759406) | more than 2 years ago | (#37456550)

F off and die in a fire (is what that acronym means, a combination of the more common FOAD and DIAF)

Re:Dumb article. (0)

Anonymous Coward | more than 2 years ago | (#37456580)

FOADIAF

Obviously it means "Found On A Desk In A Forest". Yours just sounds stupid. Pfft.

No incomplete summary (1)

jopsen (885607) | more than 2 years ago | (#37456968)

If you read the article (I didn't at first either), it says that researchers are finding bugs in a lab that would never have been found otherwise (not by hackers either), but concludes that this is a good thing. It's a happy story about how bug bounties are good for everybody, and lead to better software...
- It's not a dumb article, it's just a happy one :)
We're just confused because articles are always expected to be negative, this one isn't, now smile :)

Re:No incomplete summary (1)

slim (1652) | more than 2 years ago | (#37457552)

No, we're confused because the rat farming analogy has no bearing on the good news you noticed.

Rat farming: Incentive scheme leads to unintended, unexpected, undesirable outcome
Bug bounty: Incentive scheme leads to intended, expected, desirable outcome

Re:Dumb article. (1)

rs1n (1867908) | more than 2 years ago | (#37457408)

People writing the software and researchers aren't necessarily the same group. In fact, I think they're more likely to be two sets with no intersection.

Don't RTFA (1)

MarkvW (1037596) | more than 2 years ago | (#37456100)

It doesn't say anything more than the Slashdot topic.

Half an article? (0)

Anonymous Coward | more than 2 years ago | (#37456156)

So we have 2 paragraphs of self advertisement, two on rat farming and then they mention bugs and the article ends. Okay, people are 'farming' bugs for cash. How, why and who cares?

Re:Half an article? (1)

Anthony Mouse (1927662) | more than 2 years ago | (#37456460)

The only farming going on is for ad impressions. That's why it says "and it's a good thing" at the end -- a good thing from his perspective that the story's author is getting paid, because he certainly hasn't done any work.

you can not breed the same bug again (1)

Gunstick (312804) | more than 2 years ago | (#37456158)

You can breed rats, and they are rats. If you would get paid for a grey rat only once and not for every one, then you need to turn in brown, striped, checkered, white, blue, green, yellow rats. That would make the farming task way more complicated. Especially as there are other rat farmers out there doing the same.
And once all colors of rats have been done, it's over. no more rats...

stupid analogy (0)

Anonymous Coward | more than 2 years ago | (#37456160)

How exactly do the researchers create bugs in their lab? They maybe find them, but only the developers can create a bug, no?

That's the worst analogy I've ever seen (3, Insightful)

nedlohs (1335013) | more than 2 years ago | (#37456170)

And that includes slashdot car and pizza analogies.

Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).

But he isn't. So the analogy is complete and utter garbage.

Re:That's the worst analogy I've ever seen (1)

Ambiguous Coward (205751) | more than 2 years ago | (#37456480)

Maybe I can explain it a little better...

Okay, picture a car.

Does the analogy make any more sense now?

Re:That's the worst analogy I've ever seen (0)

Anonymous Coward | more than 2 years ago | (#37456538)

And that includes slashdot car and pizza analogies.

To anyone confused over that statement, let me explain: The analogy given here is like a busted fourth- or fifth-hand Chevy stationwagon. Nobody really wants it and it doesn't really work, but it does fill space AND it benefits the person who owns it just barely more than not having any car would.

Re:That's the worst analogy I've ever seen (1)

gilleain (1310105) | more than 2 years ago | (#37456676)

And that includes slashdot car and pizza analogies.

To anyone confused over that statement, let me explain: The analogy given here is like a busted fourth- or fifth-hand Chevy stationwagon. Nobody really wants it and it doesn't really work, but it does fill space AND it benefits the person who owns it just barely more than not having any car would.

No meta-analogies!

Re:That's the worst analogy I've ever seen (1)

gilleain (1310105) | more than 2 years ago | (#37456628)

And that includes slashdot car and pizza analogies.

Unless he is claiming researchers are contributing code to said products that they know contains security bugs and then when it is released reporting it and claiming a bug bounty (and hiding the fact they contributed it since the rules say you can't do that of course).

But he isn't. So the analogy is complete and utter garbage.

Where's BadAnalogyGuy when you need him? Also : I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

Re:That's the worst analogy I've ever seen (1)

slim (1652) | more than 2 years ago | (#37456750)

Also : I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

They're a lot like stone soup analogies.

Re:That's the worst analogy I've ever seen (0)

Anonymous Coward | more than 2 years ago | (#37456880)

Also : I've never seen a pizza analogy on slashdot. I'm curious - what are they like?

They are like a pizza.

"Tax the rat farms." - Vetinari (4, Informative)

Verteiron (224042) | more than 2 years ago | (#37456176)

Okay, so who came up with this idea first? South Africa? Or Terry Pratchett?

Re:"Tax the rat farms." - Vetinari (0)

Anonymous Coward | more than 2 years ago | (#37456502)

I was hoping someone was going to post this, I thought at first the article was misplaced from April Fools Day!

Re:"Tax the rat farms." - Vetinari (0)

Anonymous Coward | more than 2 years ago | (#37456786)

The rat farming is much like the original fire service in Ankh-Morpork (Although it is only mentioned never actually seen).

They are paid for each fire they put out, and.... you can see where it goes from there.

Rat farming (1)

tinkerton (199273) | more than 2 years ago | (#37456212)

I heard about the rat farming story as a kid - and that is many years ago. The idea of relocating the story from 19th century US to South Africa strikes me as odd. But who knows, maybe the SA story has been verified.

the analogy (1)

Anonymous Coward | more than 2 years ago | (#37456268)

The analogy isn't completely bogus. Think of it a slightly different way, a rat != a bug, a wild rat == a bug that would affect a user.

The farmed rats are then equivalent to the "could only really happen in a controlled lab environment" bug. They are still bugs, it's good to get rid of them, but they aren't really (or at least shouldn't be) the primary concern.

Re:the analogy (0)

Anonymous Coward | more than 2 years ago | (#37456492)

It still ignores the fact that the researchers are finding existing bugs and not creating the bugs themselves. It also assumes that all of the bugs the researchers are finding could not survive in the wild, which seems unlikely.

Re:the analogy (0)

Anonymous Coward | more than 2 years ago | (#37456632)

Kind of makes sense. Still, wouldn't that be more akin to hunting moles to turn them in for a rat bounty?

Either way, I think the original analogy should never have seen the light of day.

Bad analogy, bad article (2)

athe!st (1782368) | more than 2 years ago | (#37456276)

Unless people are putting bugs in open source software, then claiming the bounties for finding them, the analogy is just plain wrong.

Re:Bad analogy, bad article (1)

tinkerton (199273) | more than 2 years ago | (#37456714)

That's a very inflexible interpretation. Here's how to coax the analogy into making sense. The general theme is how rewards can be counterproductive by shifting the aim of those being rewarded. I'll take an old story about chimpanzees, art and bananas. The chimpanzees were given paint and paper to play with, and they had a lot of fun, making nice things. Then rewards were introduced: make a painting, get a banana. This changed the character of the game for the chimpanzees. Paintings became just a means for getting the banana and the paintings weren't interesting anymore - not interesting to make and not interesting to look at.

This is a well-known problem in organisations. I recall a big manager (3M Germany) who was acutely aware of this problem, and who illustrated how powerful it was with another story. There was an old man in his street who was always being harassed by a group of youngsters. The manager decided to give the group of youngsters a reward of some euros for harassing the old man - which they readily accepted. He gave them this reward again and again, but he soon started to decrease the reward, and he decreased it more and more. Very soon the youngsters lost all motivation for harassing the old man and that solved the problem.

Now apply this model to finding bugs and it will make sense. Not necessarily the crude case of creating bugs, but for example, lots of minor bugs will be reported that cause a lot of overhead, ergo, they're counterproductive.

Re:Bad analogy, bad article (1)

slim (1652) | more than 2 years ago | (#37456842)

I think what you're saying is, it's not a direct analogy.

"Here's an example of an incentive scheme that has an unexpected and undesirable outcome".

"Bug bounties can also have unexpected outcomes" -- but with a quite different mechanism.

I don't think Dubner would have done that. Freakonomics (the book) contains loads of examples of unexpected outcomes due to skewed incentives. He could have found one that fitted better.

No, I'm pretty sure this is just a reporter failing to convey what was actually said.

(Favourite Freakonomics story: the city that decided to pay its rubbish collectors bonuses based on the weight of what they brought in. Rubbish brought in increases, by weight: success! But their incinerator's efficiency measurements fall dramatically. What's going on? Much of the rubbish is now soaking wet. )

My eyes are rolling at 7200rpm... (1)

Alex Belits (437) | more than 2 years ago | (#37456282)

...and I don't even have to explain why, because every comment before me did it already.

Reminds me of the article from thedailywtf (2)

h5inz (1284916) | more than 2 years ago | (#37456312)

Re:Reminds me of the article from thedailywtf (1)

Gonzo The Gr8 (952908) | more than 2 years ago | (#37456762)

Ok, see, that's rat farming

Horrible, crappy, Half an article (1)

gurps_npc (621217) | more than 2 years ago | (#37456398)

1. It talks a lot about the illegal rat farm business.

2. It just says it is similar to the bug hunting business - with NO explanation. No real discussion of the bug hunting business, no explanation why they are similar. It just assumes you will believe they are similar, with no reason. I don't see any connection.

3. It concludes with "and that's a good thing" with no explanation of why it is a good thing. Bull.

If I saw this in a blog, I would call it a bad blog. As an article, it is at best half of an article. It needs to be doubled, if not tripled in size, to make any sense.

It also is not in any way convincing. I came away thinking the author may have an idea, but appears to be too clueless to express it to us.

Re:Horrible, crappy, Half an article (2)

gurps_npc (621217) | more than 2 years ago | (#37456438)

Correction. The author did not have a good idea. He was reporting on a speech given by someone else (author of Freakonomics.).

The author basically gave a review of that speech, and left out all the important stuff, just because he was obsessed with the stupid rat farming example.

I will have to go looking for the real speech, it might actually be interesting

isn't it ironic? (1)

carpefishus (1515573) | more than 2 years ago | (#37456514)

If it is not a good analogy then isn't it ironic?

I'll just quote the first comment from TFA (1)

arielCo (995647) | more than 2 years ago | (#37456516)

WTF? This makes absolutely no sense. Bugs cannot be manufactured into existing software, they are created by the vendor not by the vulnerability finder. The analogy to rat farming is completely bogus

Ditto

Re:I'll just quote the first comment from TFA (0)

Anonymous Coward | more than 2 years ago | (#37457242)

Obviously you've never worked in Software QA. When I find bugs and report them, the Project manager treats me as if I intentionally added it to the code.

Shoot the Messenger!

Better analogy: imported rats, not farmed (1)

ejtttje (673126) | more than 2 years ago | (#37456542)

I think the point he's getting at is that a lot of the bugs are not the ones that would trouble users (i.e. they only appear "in the lab"). So although it's still good to fix them, they are low priority.

The farming analogy is bad because it implies people are creating these bugs just to turn them in, which as everyone is pointing out, doesn't make sense and would reflect poorly on the buggy developer, so it would be self-limiting. Instead, I propose he should have said "imported" rats instead of "farmed" rats: instead of killing the rats in the city (the "high priority" ones), people are going out into the country and killing rats that weren't really bothering anyone. Eventually they or their descendants might make it to the city and cause a problem, so we're certainly not sad to see them go (environmental concerns breaking the analogy here :)), but the point is those rats/bugs aren't really the ones we care about.

I could have sworn there was an article/blog post a little while back with statistics from a bug bounty program where most of the bugs were relatively trivial (found by automated methods, style consistency, etc.) or else quite obscure, with only a couple 'interesting' ones. But all I can find is this slashdot article [slashdot.org] , which I don't think is the one I'm thinking of. But I remember the author's summary was also that he still appreciated the peace-of-mind that others had looked through his code and that was all they had come up with, so still a net positive.

Re:Better analogy: imported rats, not farmed (1)

ejtttje (673126) | more than 2 years ago | (#37456622)

Aha, found it:
What does $1265 of bugs look like [daemonology.net]
Looks like this wasn't a slashdot article, maybe it should be :)

Re:Better analogy: imported rats, not farmed (1)

slim (1652) | more than 2 years ago | (#37457824)

As I've already said, Dubner's a clever bloke. If he was trying to make the point you've made, then he'd have found a suitable analogy. He has at least two bookfuls.

No, this is a reporter getting the wrong end of the stick.

But let's think about your observations.

The rat farming thing is fairly interesting. You can imagine the rat bounty seeming like a good idea. People subverting it by farming rats would come as a surprise to a lot of people. Freakonomics is full of stories like that.

Your observation, that a bug hunt will reveal lots of inconsequential bugs, but the few significant ones make it worthwhile -- well, that's entirely the expected result, surely?

badanalogyguy writes security articles now? (1)

ilsaloving (1534307) | more than 2 years ago | (#37456608)

How exactly do researches 'plant' bugs into code released by another party?

Researcher: "Look look! We found a bug!"

Company: "Why yes you did! Wait... this isn't even our code! GTFO and stop wasting our time."

Re:badanalogyguy writes security articles now? (1)

slim (1652) | more than 2 years ago | (#37456678)

Business model!

1. Note missing feature in Firefox
2. Write missing functionality; include carefully obfuscated security bug
3. Donate code to Mozilla
4. "Find" and fix bug. Claim bounty.
5. Collapse, cackling, into your bed of dollar bills.

A better analogy would be.. (1)

Going_Digital (1485615) | more than 2 years ago | (#37456624)

It would be better to say that because the government is paying for dead rats, an industry has developed around it. Now, rather than just taking in urban rats that are causing a nuisance, rat catchers are breaking into people's homes to steal pet rats and taking trips into the country with dogs to flush out rats in the wild.

How Freakanomics is like the real world... (1)

AlterEager (1803124) | more than 2 years ago | (#37456656)

... oh, that's right, it isn't.

So they've got another thing wrong. Big surprise.

(And not knowing the Ankh-Morpork precedent - that'll lose them fanboy cred).

"Bugs for cash" scams can work - except... (1)

Captain Sarcastic (109765) | more than 2 years ago | (#37456720)

... when a company happens to track who is the person responsible for a bug.

If there's no accountability, then a coder could generate bugs for a confederate on the outside to cash in on. Mind you, you'd need to make sure:

  • that the bugs weren't so easily found that the wrong person discovers them,
  • that the "bug bounty" was high enough to justify this kind of skullduggery,
  • and that there was nothing to track the bug back to the original developer, who would most likely become unemployed if enough bugs were laid at his/her feet.

But, hey - who said scamsmanship was easy?

The actual analogy... (2)

Gonzo The Gr8 (952908) | more than 2 years ago | (#37456752)

One of the commenters from TFA finally explained it; the problem is it's still a very bad analogy. Farmed rats != manufactured bugs. The actual analogy is wild rats == significant bugs and farmed rats == insignificant bugs. He's not saying the "bug farmers" are manufacturing the bugs, just that they're finding new and creative ways to break the software that would in all likelihood never occur outside of a lab setting.

So, like I said, a very bad analogy.

Any info on what Dubner actually said? (0)

Anonymous Coward | more than 2 years ago | (#37456848)

Boy, do we need some information on what Dubner actually said. Here's the only thing I've found from the conference organizers:
http://www.unitedsummit.org/speakers.jsp?speaker=stephen-dubner

There is a live stream of whatever talk is going on now, but I can't find any information about the content of yesterday's talks.

Nothing like rat farming (1)

AC-x (735297) | more than 2 years ago | (#37456954)

The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances.

So it's actually nothing like rat farming.

Two paragraphs added to post (1)

slim (1652) | more than 2 years ago | (#37457064)

The (current) last two paragraphs of the article were added after many of the /. comments were posted.

Previous final sentences:

But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

Added paragraphs:

The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances. Those who run the bug bounty programs at the software companies say that they are seeing more and more submissions than they did before their programs began, and the combined resources of the external researchers and the vendors' internal teams finds far more flaws than just the internal teams could.

The idea of people raising rats for the express purpose of killing them likely isn't what the officials had in mind when they began their reward program, and they may well end up with a larger rat infestation than they had when they began if they put a stop to the rewards and the rats end up wandering the streets. But the opposite has occurred with the vendors' bug bounty programs. As they've continued to reward researchers and even raise the amount they pay for new bugs, researchers have responded with more submissions, and all of the users of those applications have benefited.

Seems like an attempt to rescue the article from terminal idiocy. But it's just digging a deeper hole.

It's just like rat farming! Except that nobody's manufacturing defects deliberately.
Rat farming had unintended consequences! Bug bounties have exactly the consequences that their designers were aiming for: lots of people detecting bugs.

I just hope Dubner is BadAnalogyGuy (1)

Wannabe Code Monkey (638617) | more than 2 years ago | (#37457246)

Okay, so in South Africa, bounties for dead rats had the unintended consequence of creating rat farmers which is 180 degrees counter to what the creators of the bounty wanted. It's a classic case of perverse incentives. On the other hand, the software bug bounties are resulting in more software bugs being found and fixed. Exactly what the creators of the software bug bounties wanted. And, no one, not even the bad-analogy-maker, is suggesting that the security researchers are introducing software bugs only to 'fix' them later. So these two situations are really pretty much exact opposites... This is probably the worst analogy I've ever encountered.

I had always kind of figured the Freakonomics guys were more pop-pseudo-science than actual hard science. But I'm not an expert in any of the other fields they've discussed. Now I guess I know for sure that they're full of it.

Re:I just hope Dubner is BadAnalogyGuy (1)

slim (1652) | more than 2 years ago | (#37457288)

I had always kind of figured the Freakonomics guys were more pop-pseudo-science than actual hard science. But I'm not an expert in any of the other fields they've discussed. Now I guess I know for sure that they're full of it.

Freakonomics is fine. This seems like Chinese whispers in the retelling.

Oh that's funny (0)

Anonymous Coward | more than 2 years ago | (#37457290)

I actually thought once that having an unlimited open season on trapping rats in DC would be a good idea. That's not a joke--DC has a serious rat problem. I concluded that imported and/or bred rats would be an insurmountable problem. It's nice to know that I can still think ahead of the guys who run countries in Africa.

BTW, the best way we have so far to control rats is to STOP FEEDING THEM. If you enforce laws against unsecured garbage, then you don't have to enforce laws against breeding rats to get the bounty. In DC the city itself violates basic sanitation by having most sidewalk receptacles with open tops, and by not emptying them fast enough.

They poison rats, but when rats have leftover prime rib from the garbage they don't eat uniformly sized pellets of poison. Rats are smart, and street rats are smarter than lab rats. What happens is that the bait stations end up being used as shelters by the rats. That particular wrinkle of the problem led me to a "modest proposal":

Instead of trying to poison the rats and feed the homeless, DC should try it the other way around. In short order, poisoning centers for the homeless would be built but would not be stocked with sufficient poison or attended. They would provide excellent shelter.
