Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Facebook's Biggest Bounty Yet To Hacker Who Found "Keys To the Kingdom"

timothy posted about 6 months ago | from the yeah-let's-talk dept.

Facebook 111

mask.of.sanity writes "Facebook has paid out its largest bug bounty of $33,500 for a serious remote code execution vulnerability which also returned Facebook's etc/passwd. The researcher could change Facebook's use of Gmail as an OpenID provider to a URL he controlled, and then sent a request carrying malicious XML code. The Facebook response included its etc/passwd which contained essential login information such as system administrator data and user IDs. The company quickly patched the flaw and awarded him for the proof of concept remote code execution which he quietly disclosed to them."

cancel ×

111 comments

Sorry! There are no comments related to the filter you selected.

Wow (5, Insightful)

Anonymous Coward | about 6 months ago | (#46045739)

Stingy reward. That would have fetched quite a bit more on the black/open market.

Re:Wow (1)

jovius (974690) | about 6 months ago | (#46046655)

Maybe he also sold on the black market. The data and its structure itself may be interesting.

Re:Wow (0)

Anonymous Coward | about 6 months ago | (#46047031)

Depends on the risk/reward analysis. Would you take a "double your lottery win or go to prison for 3 years" gamble? I wouldn't.

when i read the headline... (1)

schlachter (862210) | about 6 months ago | (#46047165)

I expected something like $100K. Would be trivial for them. The could build a whole ecosystem of people trying to report bugs to them.

Re:Wow (1)

nhat11 (1608159) | about 6 months ago | (#46048137)

Hey stealing from a bank or selling drugs is profitable too you know.

Re:Wow (1)

Wootery (1087023) | about 6 months ago | (#46048491)

Granted, but the analogy only works if we assume that he found drugs/a bank in his bedroom.

To make money dealing drugs/breaking into banks, one has to go out and buy drugs/break into banks. In this case, Reginaldo Silva (why his name isn't mentioned anywhere in the summary, or indeed the comments, I don't know) found the weakness, and was only then faced with the choice.

Ultimately of course you're right. Doubtless one can often make more money by breaking the law. Nothing new there. Still though, there's an argument that it would make good sense for Facebook to up the reward money.

Crime does pay (2)

TheNastyInThePasty (2382648) | about 6 months ago | (#46045755)

$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

Re:Crime does pay (5, Insightful)

sandytaru (1158959) | about 6 months ago | (#46045787)

Yes, but now he's got a couple of white hat security firms considering offering him more than whatever he's making now, without the risk of jail time to boot.

Re:Crime does pay (0)

Anonymous Coward | about 6 months ago | (#46045855)

Why choose ? He could have sold the sploit on thr black market (taking the usual precautions to hide his identity) AND gone to facebook.

Re:Crime does pay (3, Funny)

bobbied (2522392) | about 6 months ago | (#46045919)

Who says he didn't sell it twice? Of course the black market might put a hit on him for it if they had enough bitcoin...

Re:Crime does pay (1)

PRMan (959735) | about 6 months ago | (#46048119)

Documenting your hit payment with bitcoin is an incredibly stupid thing to do. It's only anonymous until they look though your PC.

I'm curious (1)

nobuddy (952985) | about 6 months ago | (#46048255)

Why would you keep your bitcoin after you spent them? Especially on such a thing.

"time to pay off this hitman. better photocopy the cash before I do."

Re:I'm curious (1)

bobbied (2522392) | about 6 months ago | (#46048313)

It's not the coin really, it's the wallet keys. The Transaction will be hashed in the coin for life and tied to the wallet that spent it.

Having a stash of bitcoins on your computer doesn't mean they where ever yours. You could have been mining or something.

Re:Crime does pay (1)

Wootery (1087023) | about 6 months ago | (#46048519)

the black market might put a hit on him

If he sold it without taking proper steps to hide his identity, sure. The man's a security expert, though, so...

Re:Crime does pay (1)

Xacid (560407) | about 6 months ago | (#46046003)

And this is why we can't have nice things.

Re:Crime does pay (0)

sl4shd0rk (755837) | about 6 months ago | (#46045997)

without the risk of jail time to boot.

That's no guarantee that the next cracker reporting an exploit will be treated the same way. Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears. If you make more noise about it, it you'll most likely end labeled with some malicious tag that the courts love to use to prosecute helpful people for putting a company in a bad light for their lax security.

Re:Crime does pay (1)

kasperd (592156) | about 6 months ago | (#46046181)

Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears. If you make more noise about it, it you'll most likely end labeled with some malicious tag that the courts love to use to prosecute helpful people for putting a company in a bad light for their lax security.

This has indeed happened multiple times in the past. But none of the cases I know of were from a company, which was offering a bug-bounty. Has any company made such a dirty move after publicly announcing a bug-bounty program?

Re:Crime does pay (2)

CastrTroy (595695) | about 6 months ago | (#46046331)

I don't know if anybody has been taken to court, but it's not guaranteed that the company with the bug bounty program will pay out. If you want something specific, here's an example involving Facebook [theverge.com] .

like planes "usually" crash. 99.9% of the time, no (1)

Anonymous Coward | about 6 months ago | (#46048205)

> Historically speaking, discreetly reporting a vulnerability usually lands on deaf ears.

It might look that way if the only information you were familiar with on the topic was news reports.
The thing is, newsworthy events are by definition NOT the usual events. Based on looking
at airplane flights in the news, you might conclude that plane flights usually end in a crash.

In reality, planes usually don't crash, so you don't see them on the news. 99.98% of flights go well.
In reality, security issues usually aren't ignored, so you don't see them on the news. 99.98% of reported issues are handled.

http://cve.mitre.org/ tracks the resolution of about 20 security issues per day.
For example, I found one could have easily taken down wikipedia and many other top sites, CVE 2012-0206. http://securitytracker.com/id?1026729 . You'll note 2012-0206 was one reported on January 10th. Ten days into the year, over 200 issues were in the resolution pipeline. MOST issues are handled the same way as CVE 2012-0206. Out of the ~8000 issues publicly tracked each year, two or three are grossly mishandled and make the news. What's not in the news are the other 7,998 issues that are timely resolved through the normal process.

PS I'm the reporter, AC to preserve moderation (1)

Anonymous Coward | about 6 months ago | (#46048337)

My post above may be slightly unclear, especially not knowing who it's from. I had already moderated the thread so I posted AC.
CVE 2012-0206 is an example of a security issue I discovered and reported. I'm familiar with the usual process because I'm part of the usual process.

CVE 2012-0206 is typical - I reported the issue to the security@ contact. Within a few hours they responded.
They asked if I had further information, if I would hold off on further disclosure for 48 hours so they could test a patch and ship it to their largest users (wikipedia, etc.), and they asked how I'd like to be credited in the CVE and any other public postings.

I told them no problem waiting 48 hours or more, let's get wikipedia and the big hosting companies patched before releasing details, and I asked that they include my web site in posts "Ray Morris from bettercgi.com discovered ...".

24 hours later, servers responsible for several thousand domains had been quietly patched.
46 hours after the report, the fix was on the web site. Two hours after that, the CVE was posted on the security lists.
Over the next few days, distributions released new packages. I think Debian was first. Gentoo was on it within 24 hours, though they needed to discuss the fix https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-0206

That's what USUALLY happens.

Re:Crime does pay (4, Insightful)

HoldmyCauls (239328) | about 6 months ago | (#46047291)

This. Not everyone worth their salt in security sees financial gain as the sole objective, or there would be no honest work left in the world. Would the GP recommend to a factory worker that if he just stole 10 of the devices on the conveyor a day, or drove the forklift full of pallets to his house, he could make his yearly wage in a week? If you work on the wrong side of the law (in this case, the laws being entirely ethical as so much is at stake), you are not guaranteed to not get caught, nor are you guaranteed a working wage after finding and selling a flaw. Jailtime and honest work in this case are carrot/stick factors deciding how finding the exploit is to the benefit of the discoverer.

Re:Crime does pay (1)

akinliat (1771190) | about 6 months ago | (#46050447)

That's not really the point. This sort of security breach could have cost Facebook millions in stock value alone, to say nothing of potential losses in revenue. Paying such a niggardly amount is not only insulting to the value that the man has provided to the company, but it also says a great deal about how Facebook views its own investors, who would bear the burden of a sudden drop in stock value.

Re:Crime does pay (0)

Anonymous Coward | about 6 months ago | (#46045885)

One can go on your resume... the other, not so much.

Re:Crime does pay (5, Insightful)

vux984 (928602) | about 6 months ago | (#46046889)

$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

How is it a problem?

Its a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.

My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

  I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

Re:Crime does pay (4, Funny)

SmlFreshwaterBuffalo (608664) | about 6 months ago | (#46047335)

$33,500? He probably could have gotten WAY more on the black market. This is ultimately the problem with stingy bug bounties.

How is it a problem?

Its a fact of life that we are daily confronted between the choice to do the right thing and the choice to screw someone over for money.

My neighbor went on vacation, they gave me the keys to the house to water the plants, and bring in her mail. I could turn a tidy profit passing the information that the house is empty to a ring of thieves, steal her identity, and strip her car.

Or I can just water the plants and usually receive a bottle of wine or other small thank you gift.

I had the 'keys to her kingdom', and she repaid my responsible behaviour with a token. Should I complain she's being stingy, and call it a huge problem too?

Giving you the 'keys to her kingdom' sounds like a pretty generous repayment for watching over her house, assuming she's at least somewhat attractive.

Re:Crime does pay (2)

vux984 (928602) | about 6 months ago | (#46047889)

The 'keys to the kingdom' phrasing was in reference to the article summary which claimed the hacker had the keys to kingdom for facebook... I, perhaps naively, presumed he didn't get into Zuckerberg's pants.

Re:Crime does pay (1)

morgauxo (974071) | about 6 months ago | (#46047659)

Maybe but that's $33,500 in the clear with no worry about getting caught and consequences.

That's cheap (0)

Anonymous Coward | about 6 months ago | (#46045777)

Should've made an app and sold it to them for 3 billion.

NSA's response: (1)

Anonymous Coward | about 6 months ago | (#46045781)

Bummer!

We all know about it. (0)

Anonymous Coward | about 6 months ago | (#46045803)

...awarded him for the proof of concept remote code execution which he quietly disclosed to them."

We all know about it, so it's not that quiet.

Or did they mean he didn't go, "HERE YOU GO! HERE'S THE REMOTE CODE!"

Re:We all know about it. (2)

Stewie241 (1035724) | about 6 months ago | (#46046225)

What is meant by that is that the quietly disclosed it to Facebook, so that Facebook could fix the problem before it was exploited, rather than going public with it first and putting the pressure on Facebook to fix it quicker.

These things generally get announced after the fact especially if it was disclosed in a bug bounty program because part of the deal is the recognition that the security researcher gets (which is a big deal in the security world from what I can tell).

tl;dr - the quietly refers to the fact that we heard about it after it was fixed and not before.

why must /. be a corepirate nazi censor too? (-1)

Anonymous Coward | about 6 months ago | (#46045813)

better than no job?

a pittance in ayn rands america. (1, Interesting)

nimbius (983462) | about 6 months ago | (#46045881)

as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and live insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

code bugs and exploits are constant. However, just because your team doesnt find a new one every hour doesnt mean they arent working. in turn it doesnt give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employmen should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

Re:a pittance in ayn rands america. (3, Insightful)

fast turtle (1118037) | about 6 months ago | (#46046015)

The Hoover damn did have a bounty that continues to pay out called Electricity that's being sold.

The Empire State Building has a Bounty called Rent and it's still collecting.

The problem with both of these examples is that they're commercial projects, built for a Commercial Reason. Even the Golden Gate Bridge is a commercial project that's still collecting it's fucking bounty of Tolls every god damn day.

As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

So get back in your kenel runt and go back to school beforethe school of hard knocks gets you.

Bounty (1)

Anonymous Coward | about 6 months ago | (#46046131)

The Hoover damn did have a bounty that continues to pay out called Electricity that's being sold.

The Empire State Building has a Bounty called Rent and it's still collecting.

Bounty. You keep using the word. I don't think it means what you think it means.

The problem with both of these examples is that they're commercial projects, built for a Commercial Reason.

Absolutely! Facebook is a non-commercial project. They have ads; not commercials!

So get back in your kenel runt and go back to school beforethe school of hard knocks gets you.

I can't respond to that because I'm snickering too much.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046201)

Considering the amount of annual damage to infrastructure and use-costs associated with trucks (Seriously, it's 99+% [ku.edu] of the total), they pay far, far less than their "fair share" in taxes to use the interstate highway system.

Tax them at a fair rate; I'd have no problem with manufacturers and shippers adding the additional cost to the price of their products, since it would be a far more equitable way of spreading out the costs to the average American for actual costs generated by their consumption than by individual taxes on motorists.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046843)

Tax them at a fair rate; I'd have no problem with manufacturers and shippers adding the additional cost to the price of their products, since it would be a far more equitable way of spreading out the costs to the average American for actual costs generated by their consumption than by individual taxes on motorists.

Ha ha. Yep, YOU might not. The rest of the country, though? Go ahead, try. Raise prices of certain goods. Raise them a truly marginal amount. Maybe, say, 0.2%. Hell, 0.05% should do the trick. It'll be worth watching. Shit will be flipped. Lots of shit. Flipped REAL fast. Shit will be flipped faster and in greater quantities than the entire national pancake output of a more unpleasant shit-themed IHOP chain. The pursuit and love of the zero price asymptote is what led to Wal-Mart dominate American commerce with an iron fist. People will flip their shit if price A now is higher than price A from last year with no concern for long-term benefits or detriments. That'll happen with zero tolerance, too. And you're invoking the evil, evil, hateful, liberal, horrible, liberal, ugly, liberally LIBERAL spectre of taxes to do so? Man, you'd be lucky to live a week without being torn limb from limb and processed into dog food by the idiots that make up this country. Processed into dog food which would then be sold cheaper than last year's dog food.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046661)

Even the Golden Gate Bridge is a commercial project that's still collecting it's fucking bounty of Tolls every god damn day.

[...]

As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

So get back in your kenel runt and go back to school beforethe school of hard knocks gets you.

Bitter much, old man?

Sorry my reply is so short, I had a hard time holding back my derisive laughter long enough to write anything more substantial.

Re:a pittance in ayn rands america. (2, Insightful)

Bill_the_Engineer (772575) | about 6 months ago | (#46046827)

You confused bounty with revenue. Bounty is an outgoing expense while revenue is incoming wealth.

The Hoover Dam generates revenue by producing electricity. The Empire State Building generates revenue by renting space. Facebook generates revenue by selling ads and they paid a bounty to a person who found an exploit.

Nimbius seems confused since Facebook pays a salary to their development and maintenance staff and supplements their security practice by paying out bounties for any exploits found in the wild. It's not like Facebook just sits back and depends solely on bounties to keep their infrastructure working. He seems upset that paid staff don't get bonuses for fixing their own mistakes. Somehow he mistakenly believes that by paying bounties, Facebook is slighting their staff.

I agree he has a lot to learn.

Re:a pittance in ayn rands america. (1)

weilawei (897823) | about 6 months ago | (#46049881)

As to the Interstate Highway system, that was built for Military Troop Movements and Commerce, it wasn't built for every god damn yahoo that thinks they're a great driver to get out and play with the trucks. Yes I used to drive and averaged over 120,000 miles a year w/o an accident for a decade and the funniest thing is, those trucks everyone screams about pay their share of taxes between fuel and highway (miles driven) to every state they drive in.

Not sure which states you drive (drove?) through, but I really don't mind truckers. They're usually the most polite drivers on the Interstate around here. It's the assholes in their BMWs doing 20+ MPH faster than the flow of traffic, weaving in and out, when it's busy, that are the most obnoxious.

Re:a pittance in ayn rands america. (2, Informative)

Anonymous Coward | about 6 months ago | (#46046029)

as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and live insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

code bugs and exploits are constant. However, just because your team doesnt find a new one every hour doesnt mean they arent working. in turn it doesnt give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employmen should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046159)

I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

Same question for you: Where do you get the idea that there is anyone buried in the concrete of the Hoover Dam? That would likely weaken the structure, so the engineers would never have allowed it. Anyway, the concrete was poured so slowly that anyone who had fallen in would have been able to get out fairly easily.

Re:a pittance in ayn rands america. (2)

weilawei (897823) | about 6 months ago | (#46049979)

Good point. Urban myth [nevadaculture.org] .

In 1986, Tom King, Director of the University of Nevada Oral History Program, interviewed several men who had labored on the construction of Hoover Dam that told him a number of bodies lie buried in it. "These stories were made somewhat plausible by the authority of the tellers, themselves dam workers, and by our knowledge that building the dam was indeed an extremely hazardous enterprise," according to King, "however, further questioning revealed that none of the storytellers had actually witnessed such a tragedy or knew the identity of any of the victims. This was not surprising: the tellers believed what they were saying, but their stories were folklore--there are no bodies in the dam."

Actually, the dam was poured in relatively small sections, so about all a fallen worker had to do to get his face clear of the rising concrete was to stand up. Officially, 96 dam workers died of various causes, and 112 persons unofficially, but none were permanently buried in concrete.

The closest any worker came to being buried was on November 8, 1933 when the wall of a form collapsed sending hundreds of tons of recently-poured concrete tumbling down the face of the dam. One worker below narrowly escaped with his life, however W.A. Jameson was not so lucky and was covered by the rain of debris. Jameson was the only man ever buried in Hoover Dam, and he was interred for just 16 hours before his body was recovered. His remains were shipped to Rock Hill, South Carolina, where a brother and sister lived.

A structural engineer interviewed for a Discovery Channel documentary on Hoover Dam argued that it would be sheer folly to leave a worker buried in the dam. A decomposing body would jeopardize the dam's structural integrity and risk the multi-million dollar project including property and lives downstream on the Colorado River.

Re:a pittance in ayn rands america. (1, Interesting)

Antipater (2053064) | about 6 months ago | (#46046171)

More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

Many workers died constructing the dam, yes. But none of them drowned in the concrete pours (they may have drowned in the mixing buckets; I don't know about that), and nobody is entombed in the blockwork. A human body is much weaker than concrete - a body in the mix would have compromised the structural integrity of that area. Even if someone had drowned in a pour, which would have been very difficult given that each pour only raised the concrete level by about an inch, the body would have been pulled out as an unacceptable structural risk.

http://en.wikipedia.org/wiki/Hoover_Dam#Concrete [wikipedia.org]

Re:a pittance in ayn rands america. (2, Funny)

Stewie241 (1035724) | about 6 months ago | (#46046869)

What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.

Re:a pittance in ayn rands america. (1)

cellocgw (617879) | about 6 months ago | (#46047853)

What you say makes sense, but it is far more interesting to think that there are people encased in the concrete, thus that is what I choose to believe.

Naaah, what's *really* interesting is breaking down an old parking garage concrete floor and discovering a skeleton [wikipedia.org] of a dragon-like beast which never existed on Earth in the first place.

Re:a pittance in ayn rands america. (1)

ustolemyname (1301665) | about 6 months ago | (#46046205)

More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

Apparently that is a myth: http://nsla.nevadaculture.org/... [nevadaculture.org]

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046213)

>More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.
Wow. You are kinda retarded, aren't you?
http://www.usbr.gov/lc/hooverdam/History/essays/fatal.html

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046535)

as an american bounties piss me off. There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct. You hired talented individuals to do a job and feel rewarded and engaged in that job.

instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business. They do this to save money on health, dental, vision, and live insurance and to decrease expenditures on their #1 overhead, employees. they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

code bugs and exploits are constant. However, just because your team doesnt find a new one every hour doesnt mean they arent working. in turn it doesnt give you the right to commoditize the effort when your competitor in this market would easily base his expenditures on triple your measly reward. employmen should not be a tap that can be turned on and off at the whim of some jackboot in platinum cuffs.

I don't know what alternate history you've been reading but in no way did the builders of the Hoover Dam or the Empire State Building consider the welfare of their employees sacrosanct. Pull your head out of your ass and go read up about the conditions the labourers on both of those projects suffered through, and the number of deaths involved.

More than one worker drowned in concrete during the construction of the Hoover Dam, and there are bodies entombed in the blockwork.

I can't speak for the Empire State Building, but I've read a bit on the Hoover dam. Aside from drowning in concrete a dam worker also enjoyed a high risk of falling to his death or being crushed by falling construction debris. I don't know where the gp found that idealized version of construction labor in that era, but I'm pretty sure those jobs sucked only slightly less than starving to death. Workers weren't valued; if one was lost there were a thousand others eagerly waiting for a chance to take the opening.

Re: a pittance in ayn rands america. (1)

Anonymous Coward | about 6 months ago | (#46046053)

Finding code bugs and potential vulnerabilities that can be exploited is really hard, even with top notch security-aware developers and in-house security engineers. Why not hire bright minds and offer a bounty, too? They're acknowledging reality, which is more than you can say for a lot of conglomerates.

I like Rand. Don't use her philosophes to make an ill supported point.

Re: a pittance in ayn rands america. (0, Insightful)

Anonymous Coward | about 6 months ago | (#46046141)

I like Rand.

Oh, to be 15 again...

Re: a pittance in ayn rands america. (1)

cellocgw (617879) | about 6 months ago | (#46047917)

I like Rand.

Oh, to be 15 again...

Me, I prefer int(rand)

Re:a pittance in ayn rands america. (3, Interesting)

Chameleon Man (1304729) | about 6 months ago | (#46046133)

So? I just don't understand how comments like yours that bash bug bounties get modded up...Bug bounties are a great thing to happen to the industry, at least for huge internet-based companies like Google and Facebook. No matter how many security engineers or developers you hire, your application will not hit the same level of testing as when it is released to the public. Google and Facebook realize this. Bug bounty programs offer legal incentives for ANYONE to make money, deterring blackhats from exploiting vulnerabilities for malicious purposes. If this guy didn't report this vulnerability to Facebook, a shitstorm comparable to the Target fiasco could have ensued if he had sold it to some other medium.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046155)

...Empire State building...

These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct.

Ahahahahahahahahahahahahaha, nice troll.

The only company which considers "the welfare of their employees sacrosanct" is a cooperative. To a capitalist business, whether it's the Soviet Union's state capitalism - everything belongs to Government Inc. - or the modern Western version of capitalism where a couple dozen companies control almost everything - your fate is the same. Thank goodness for the union movement to give workers just an inch of protection, though.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046173)

There was no bounty for the golden gate bridge, the interstate highway system, or the exploration of the moon. the empire state building had no bounty for successful construction and neither did the hoover dam. These works were constructed by private companies that paid a living wage and considered the welfare of their employees sacrosanct.

Let me just link this [forbes.com] for your consideration:

But, Hoover Dam’s construction had its ugly aspects. “Racial and ethnic discrimination, profiteering at the company store, and the flouting of health and safety regulations” all existed. Blacks workers were segregated while Asian labor was banned. Poor safety standards led to appalling deaths from heat stroke, badly executed detonations, and carbon monoxide poisoning among others.

The response from Crowe and his underbosses was merciless. Strikes were crushed, the exhausting pace of work continued, and injury compensation was denied. Indeed, fraud was not uncommon. The medical staff, at management’s behest, sometimes intentionally misdiagnosed men suffering from carbon monoxide poisoning (contracted from truck exhaust while blasting out tunnels) with illnesses. As Hiltzik notes, diseases such as tuberculosis or pneumonia were “all conditions for which the men were ineligible to claim injury compensation.”

Re:a pittance in ayn rands america. (4, Informative)

joe545 (871599) | about 6 months ago | (#46046209)

That is complete and utter rubbish. One of the examples you mention, the Hoover dam, had intolerable conditions for the workers on it. They were promised modern homes to live in with their families whilst they worked in a desert in the middle of nowhere. What they got was a shanty town, nicknamed Ragtown, with little to no amenities and very little protection from the heat with vague promises of that the buildings were coming - that lasted years! 16 people died on one day alone from the heat. Can you imagine what the conditions were like on the work site if people were dying in the town? Imagine carrying heavy loads, working in tunnels with no air and no respite from the heat for months on end. The workers went on strike for better conditions, in response they had their meagre pay cut and when they weren't happy with that they were fired en-masse. There were further strikes by their replacements. 112 people died in total on the dam, 42 of which died of suspected carbon monoxide poisoning from working in tunnels with no ventilation which were conveniently listed as pneumonia.

Your description that they "paid a living wage and considered the welfare of their employees sacrosanct" could not be further from the truth.

Re:a pittance in ayn rands america. (0)

bill_mcgonigle (4333) | about 6 months ago | (#46047069)

And the lives of the dozen+ people who died building the Empire State Building and Golden Gate Bridge apparently mean nothing to him.

When did the mods start +5'ing psychopaths?

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46048429)

When did the mods start +5'ing psychopaths?

Around time the latter wised up and started calling themselves "libertarians".

Re:a pittance in ayn rands america. (1)

bill_mcgonigle (4333) | about 6 months ago | (#46049267)

Around time the latter wised up and started calling themselves "libertarians".

Beautiful Orwellian Doublespeak, when those who eschew violence are the psychopaths and the bombers of cities are the peacemakers.

Oh, no, you're just a fool.

Re:a pittance in ayn rands america. (1)

khellendros1984 (792761) | about 6 months ago | (#46048933)

It sounds more like ignorance than malevolence. If it makes you feel better, the post wasn't at +5 anymore when I read it.

Apples and oranges (2)

Zontar_Thing_From_Ve (949321) | about 6 months ago | (#46046217)

You're comparing apples and oranges by suggesting that all paid jobs are equivalent. First of all, I have no idea what the workers on those jobs were paid and I suspect neither do you. So you may have no way to know if the pay was average, above average, or less than average. Since the Hoover Dam was constructed in the middle of the depression, I suspect that the pay was good only in relative terms as getting paid for any job beat getting nothing to not work. 11 people died in the construction of the Golden Gate Bridge. As best I can tell, as much as could be done for safety was done. Only 5 people died in building the Empire State Building. But 112 people died in building the Hoover Dam. Does that fit the bill of "considering the welfare of their employees sacrosanct"? I'm not thinking that it does. I've come to the conclusion that even with the absolute best practices, it is impossible to write any sizable code that can not be exploited, and the bigger the project, the more likely it can be exploited. You are right that Facebook does indeed try to be cheap in some ways with regards to employees (Zuckerberg is a very loud voice in the "We can't function without more H1-B visa employees!" argument) but the problem is that when you are a big website, some guy with time on his hands may try to crack your security for giggles. It's kind of like having a dozen people every day trying to take down and destroy the Golden Gate Bridge than what you imply, which is that Facebook is just too cheap and maybe too stupid to write good code.

Re:a pittance in ayn rands america. (2, Interesting)

KingOfBLASH (620432) | about 6 months ago | (#46046287)

You should reread Ayn Rand. In Atlas Shrugged, where she creates her "perfect society" people pay each other for everything. When Dagny stays over at John Galt's house and needed to use the stove, she gave him $0.05.

So Ayn would, I think, be happier to see bounties than Facebook saying, hey, give me this info for free.

And while they probably do have a security team, by crowdsourcing something like this you allow many, many, many more people to look at Facebook and fix it.

Grading your rant paragraph by paragraph. (0)

Anonymous Coward | about 6 months ago | (#46046347)

Completely false, completely true, complete non-sequitur.

Re:a pittance in ayn rands america. (1)

The Mighty Buzzard (878441) | about 6 months ago | (#46046353)

You're an idiot. No group of devs, no matter how good they were or how many were hired, ever wrote a single piece of software more complicated than Hello World without bugs in it. Paying for bug reports instead of the standard of ignoring them or prosecuting the reporter is the right way to do things.

Re:a pittance in ayn rands america. (1)

tlhIngan (30335) | about 6 months ago | (#46046733)

No group of devs, no matter how good they were or how many were hired, ever wrote a single piece of software more complicated than Hello World without bugs in it.

And most "Hello World" programs have bugs in them! There are error conditions that they don't handle and many assumptions few people realize. (Here's a simple one - what happens if there's no stdout? How do you handle that case?)

Sure the failure of Hello World doesn't really amount to much, but doing it properly takes a lot of extra work.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046411)

you stupid? all the projects mentioned had bounties for successful completion.

Re:a pittance in ayn rands america. (1)

operagost (62405) | about 6 months ago | (#46046439)

instead of hiring more security engineers and challenging developers to write safer stronger code

The fact that someone outside Facebook found a security flaw does not mean that Facebook is deliberately not investing in sufficient personnel. Everyone makes mistakes.

they get away with this because unscrupulous conglomerates headed by sociopathic billionaires have plunged this economy so far into an intractable recession that any critical analysis of their low wage cubicle farm mentality is tantamount to anticapitalism.

I can't help but notice that government meddling in the economy wasn't part of your straw man.

code bugs and exploits are constant. However, just because your team doesnt find a new one every hour doesnt mean they arent working.

Right. And just because Facebook's team didn't find this one doesn't mean that they are too small. Do you even have a clue of the daily, weekly, and monthly processes required to maintain security compliance? This has to be done, along with vetting new code and detecting breaches and circumventions of policy.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046603)

If you think that Facebook does not pay a living wage then you have not been paying attention to all the very recent news related to gentrification in SF.

Re:a pittance in ayn rands america. (2)

bender647 (705126) | about 6 months ago | (#46046609)

This is my problem in general with a lot of what we call software "engineering". It isn't engineering. When the price of fixing a problem is just recompiling, as opposed to having a building fall down, it seems nothing is planned well or constructed right the first time.

Re:a pittance in ayn rands america. (1)

khellendros1984 (792761) | about 6 months ago | (#46049189)

The price of a customer encountering a serious bug can be the loss of that customer to a competitor, schedules for new development slipping to make time to fix the bug, lawsuits over loss of customer data, etc. The rule of thumb that we use is that a bug found by QA might cost 10x as much as if the developer didn't produce buggy code (due to delays in testing, the developer having to diagnose the problem, abandoning their current work to re-immerse themselves in the buggy section of code, etc). A bug found by a customer will be at least 10x the cost of a bug found by QA, once you consider support time, the escalation process, the same costs of a QA-found bug, impact on development schedules, the potential for lawsuits, time spent by the release engineering group in packaging and deploying a hotfix, etc.

The price of fixing a problem varies, depending on when and where the problem is found, and the price of fixing it is only "just recompiling" if the developer finds the problem in the course of the preliminary testing done prior to checking the code in. Granted, most devs aren't going to have to worry about fatal consequences in their bugs, and it's not like we have to buy more physical materials when there's a mistake, but saying that it's not engineering and that the cost of a problem is near-zero is just goofy.

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46046757)

They usually give completion bonuses for finishing early and a late fee for late completions. No idea if that was in place back then, but certainly could.

Re:a pittance in ayn rands america. (1)

SQLGuru (980662) | about 6 months ago | (#46047089)

But a bounty gets multiple people to fill the role of the single hired expert. There is also nothing that precludes the bounty participant from holding another job (potentially as an expert for a company that DOES pay a living wage) and participating in the bounty program. Even if FB does hire experts, having the bounty program allows you to tap the knowledge of far more experts......and we've already seen that even the best can't foresee every possible avenue of attack. The hive mind is smarter than a single expert.

Re:a pittance in ayn rands america. (1)

necro81 (917438) | about 6 months ago | (#46047635)

instead of hiring more security engineers and challenging developers to write safer stronger code, Facebook has decided to award scraps of cash to talented people who find flaws in their code that could conceivably end their business

I'm not going to debate whether Facebook, et al., exploits its employees - it's a different discussion for another day. I will point out that, even if Facebook tripled its security staff, and tripled the salary and benefits of that staff, vulnerabilities and bugs large and small will still exist. Fewer of them, one would hope, but they'd exist in some fashion. What should Facebook do to reward those white hats out there that find these vulnerabilities and report them?

Re:a pittance in ayn rands america. (0)

Anonymous Coward | about 6 months ago | (#46047835)

Nimbius got a schooling, fucking idiot.

Re:a pittance in ayn rands america. (1)

Salgat (1098063) | about 6 months ago | (#46049199)

Bounties are important because you distribute risk substantially. Instead of relying on your employees to catch every single bug (which is near impossible to be perfect), you make the entire world a potential employee with a reward for anyone who comes across the flaw.

Re:a pittance in ayn rands america. (1)

RightSaidFred99 (874576) | about 6 months ago | (#46050871)

God, shut the fuck up. Next time you go on a meandering, bewildering rant like that try to at least make some sort of valid point, you idiot.

Props to this guy (4, Insightful)

thedillybar (677116) | about 6 months ago | (#46045889)

Nice to associate the term "hacker" with "honest" once in a while

Re:Props to this guy (0)

Anonymous Coward | about 6 months ago | (#46046179)

If you associate "hacker" with "honest" only "once in a while" you don't belong on this website

Re:Props to this guy (0)

Anonymous Coward | about 6 months ago | (#46046231)

BEFORE ANYTHING:

Who is the hacker who determined him as being a hacker, so I can worry that I'm dealing with a hacker, before wasting my time against a simple dishonest person?

Nice (1)

mahmudl4480 (3483059) | about 6 months ago | (#46045915)

nice!!

Bounty? Meh! (-1, Redundant)

Jody Bruchon (3404363) | about 6 months ago | (#46045937)

I would have preferred that they take the opportunity and destroy Facebook completely. Then maybe people would get the hell off the computer once in a while and, say, sit around a campfire with marshmallows. You know, "the original social network." [theorigina...etwork.com]

Re:Bounty? Meh! (1)

sudden.zero (981475) | about 6 months ago | (#46046081)

I'm with you; down with Facebook! I never see my family any more, but their entire lives are broadcast on Facebook.

Re:Bounty? Meh! (1)

Anonymous Coward | about 6 months ago | (#46046149)

This coming from someone who has their G+ linked to Slashdot.

If only he shut it down (1)

0xdeaddead (797696) | about 6 months ago | (#46046091)

for good. :(

Still... Endure... Die. (-1)

Anonymous Coward | about 6 months ago | (#46046185)

Fuck Facebook.

Words to not type into a Google search at work... (0)

Anonymous Coward | about 6 months ago | (#46046621)

NT

mode doWn (-1)

Anonymous Coward | about 6 months ago | (#46046271)

play par7ie5 the could sink your

/etc/password or /etc/shadow? (5, Informative)

Nimey (114278) | about 6 months ago | (#46046301)

All /etc/password contains on a properly configured modern system is userid, login name, login shell, and home directory. /etc/shadow is where the hashed passwords are stored, readable only by privileged accounts.

About all /etc/passwd gains an attacker is a list of good login names.

/etc/password, not /etc/shadow! (4, Insightful)

Anonymous Coward | about 6 months ago | (#46046481)

It's a demonstration of file system traversal vulnerability. Most likely the application is run as under an unprivileged user account which surely does not have access rights to read /etc/shadow, however it has access to own configuration files that may reveal much more information than the hashes of passwords of root. And if Facebook admins have some clue then their own user accounts are not even in the system but on a central authentication server along with the passwords. Anyway, content of /etc/password is more than enough for the demonstration.

Re:/etc/password, not /etc/shadow! (5, Interesting)

Nimey (114278) | about 6 months ago | (#46046589)

And, let's be honest, /etc/password sounds scary, and is probably the most attention-getting thing this guy could have said to the average person.

XML Injection not remote code exec (2, Informative)

Anonymous Coward | about 6 months ago | (#46046929)

That is XML injection not remote code execution.

You send XML with an include this file and the XML parser reads the chosen file.

Re:XML Injection not remote code exec (0)

Anonymous Coward | about 6 months ago | (#46048061)

He used the XML injection to get a RCE. RTFA

uhhh (0)

Anonymous Coward | about 6 months ago | (#46049913)

if passing some xml to facebook servers gets one root, then their shit is highly insecure

Slashdot is of poor taste/gone to the trolls (1)

228e2 (934443) | about 6 months ago | (#46047513)

A white hat does exactly what he is supposed to do (allegedly) and a company takes the proper route and doesnt sue him into oblivion, takes the proper steps to make a timely fix and gives him a reward. And yet everyone here swings and misses on the topic.

Congrats. This place is the officially one rung above 4chan.

Do the right thing, get screwed over (0)

Anonymous Coward | about 6 months ago | (#46047751)

This guy should have hired a lawyer and found out if it was permissible to send Google their passwords as "proof of life" and then announce you are willing to negotiate a reasonable compensation based on the value of the bug uncovered. No threats to release it, but just remind them that if you found it, so could somebody else and that the clock is ticking. As long as there was no threat involved, it would not be extortion. If they would not negotiate, then either accept the stupidly stingy offer or move on to something else.

Re:Do the right thing, get screwed over (0)

Anonymous Coward | about 6 months ago | (#46047791)

I meant Facebook. But you all knew what I meant.

This bounties make me feel even MORE INSECURE (0)

Anonymous Coward | about 6 months ago | (#46048747)

Now, he not only got MY ID no doubt, since they admit he got the /etc/passwd, he also got a encrypted form of my password, if its not shadowed which I hope it is. Now somebody out there has my Facebook ID.

The problem is they ENCOURAGE and PAY for hackers to hack MY ACCOUNT SERVICE.

What kinda idiot does that.

Honestly, encouraging people to attack services MY ACCOUNTS are on, is a personal attack on ME.

Ripped off (0)

Anonymous Coward | about 6 months ago | (#46048849)

33,500? He would have made 100x that or more on the bm. You'd think a billionaire company could at least pay what the bug was worth.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>