Jeff Atwood on security (blog post)



  • Pretty good article overall, like most codinghorror stuff.

    But also, a few parts that could be particularly interesting for the folk here:

    I first noticed this trend when one or two people reported minor security bugs in Discourse, and then seemed to hold out their hand, expectantly. (At least, as much as you can do something like that in email.) It felt really odd, and it made me uncomfortable.

    Am I now obligated, on top of providing a completely free open source project to the world, to pay people for contributing information about security bugs that make this open source project better? Believe me, I was very appreciative of the security bug reporting, and I sent them whatever I could, stickers, t-shirts, effusive thank you emails, callouts in the code and checkins. But open source isn't supposed to be about the money… is it?

    ...

    We've gotten too many "serious" security bug reports that were extremely low value. And we have to follow up on these, because they are "serious", right? Unfortunately, many of them are a waste of time, because …

    • The submitter is more interested in scaring you about the massive, critical security implications of this bug than actually providing a decent explanation of the bug, so you'll end up doing all the work.
    • The submitter doesn't understand what is and isn't an exploit, but knows there is value in anything resembling an exploit, so submits everything they can find.
    • The submitter can't share notes with other security researchers to verify that the bug is indeed an exploit, because they might "steal" their exploit and get paid for it before they do.
    • The submitter needs to convince you that this is an exploit in order to get paid, so they will argue with you about this. At length.

  • BINNED

    @cartman82 said:

    I first noticed this trend when one or two people reported minor security bugs in Discourse, and then seemed to hold out their hand, expectantly.

    Yes, we were asking for patches.

    @cartman82 said:

    Believe me, I was very appreciative of the security bug reporting, and I sent them whatever I could, stickers, t-shirts, effusive thank you emails, callouts in the code and checkins.

    We never asked for that here, he offered it.

    @cartman82 said:

    The submitter is more interested in scaring you about the massive, critical security implications of this bug than actually providing a decent explanation of the bug, so you'll end up doing all the work.

    Ok, not us then, at least not any public reports any of us made. We always provided a good repro. No, we did not go trolling through source code most of the time. Mainly because it caused us headache when we tried.

    @cartman82 said:

    The submitter doesn't understand what is and isn't an exploit, but knows there is value in anything resembling an exploit, so submits everything they can find.

    Is it broken? Yes? Fix it! I don't care if it's an exploit or "just" a bug. It's broken. Fix it.

    @cartman82 said:

    The submitter can't share notes with other security researchers to verify that the bug is indeed an exploit, because they might "steal" their exploit and get paid for it before they do.

    Never happened here unless there were privacy concerns AFAIK.

    @cartman82 said:

    The submitter needs to convince you that this is an exploit in order to get paid, so they will argue with you about this. At length.

    Just because you don't see a way for me to steal your shit using XSS it doesn't mean it's impossible. Should I go pretty much break the law just to prove to you that I can?

    Overall, I can't decide how much TDWTF members fall into the whole, or parts of, this post. I see some connections, but I wouldn't say it fits what we have been doing here concerning the overall extortion story. I never expected anything more than shit getting fixed, and I'm pretty sure that at least 90% of other members of this forum share that sentiment.


  • FoxDev

    I report bugs so they can be fixed; anything else is a bonus 😄


  • I survived the hour long Uno hand

    If he's talking about us, he's delusional, and I don't mean the usual Jeff-colored glasses delusional, but straight up "have you talked to someone about medication" delusional, as he's inventing entire exchanges that never happened.

    Therefore, probably he's talking about someone else.



  • @Yamikuronue said:

    Therefore, probably he's talking about someone else.

    My thought too, but there are parts that are just... "Wait, is he? ... he couldn't.... could he?"


  • I survived the hour long Uno hand

    He maybe conflated two clients (us and someone else) to make one better story?


  • BINNED

    @Yamikuronue said:

    Therefore, probably he's talking about someone else.

    Most likely. There are some parts that I find interesting. Mostly the bit about arguing about what is an exploit, because I do remember some denial about some of the stuff we found.


  • FoxDev

    @Yamikuronue said:

    He maybe conflated two clients (us and someone else) to make one better story?

    Now what sort of site embellishes stories to make them more interesting? 😄


  • BINNED

    @RaceProUK said:

    Now what sort of site embellishes stories to make them more interesting? 😄

    And what kind of person could ever write articles for it? Scum of the Earth, no doubt. I bet they even hate cupcakes, that lot.


  • Winner of the 2016 Presidential Election

    I also don't think he talks about us.

    The whole money aspect doesn't make much sense here:
    The only one I remember openly asking about money here was blakeyrat. But he didn't go "I have a security hole and will only tell you if you give me money", but actually said stuff like "If you want me to test your stuff, pay me for it". That is a completely different story in my eyes.

    We reported the bugs that bothered us:
    We didn't submit bug-reports (or COMPLAINed about them) because we smelled money in the distance. We didn't even do it because we wanted to give back or whatever. We wanted things to change for the better without actually touching the (huge and complicated?) codebase.

    All payment was on Jeff's own accord:
    I know this has been stated here before but it bears repeating. The stickers and the (money for the) mugs were his idea. And afaict it was after we did a lot of stuff and did not really change anybody's willingness to find bugs. We do what we do because we want to, not because we get something from it.

    So: once again: I don't think he means us specifically.

    One thing I don't agree with is how he judges the quality of the reports he gets (or those websites he mentions get).
    If you ask random people to contribute, you will get random contributions. Such is the life of an OpenSource application.
    If you want real security experts to look over your code, it's not enough to just publish the code for free. If you were to build a house where people could live for free, don't expect the builders and architects to work for free. The best you can hope for is a small subset of helpers who know what they are doing.

    Filed Under: Just my opinion

    PS: Let's ask @codinghorror directly: How much of that blog entry was tailored towards us? Tell us, we can take it. We are (mostly) big kids in here :D


  • I survived the hour long Uno hand

    @Kuro said:

    The stickers and the (money for the) mugs were his idea.

    I wonder if it was his idea because someone else was hitting him up for money and he was glad we didn't do that and wanted to throw things at us to stop us from becoming like that other client as we grew increasingly disgruntled?


  • BINNED

    @Kuro said:

    PS: Let's ask @codinghorror directly

    But that will disperse most of the conspiracy theory talk! I already had aluminium foil ready and everything!


    Filed under: Did you know: you can make popcorn in aluminium foil before making the hat



  • @cartman82 said:

    But open source isn't supposed to be about the money… is it?

    You fucking benefit from the stuff! It's "not about the money" when people fix your shit and try to improve it, but that somehow doesn't stop you from holding out your hand and asking ridiculous prices for hosted installs?

    @Kuro said:

    but actually said stuff like "If you want me to test your stuff, pay me for it". That is a completely different story in my eyes.

    I wouldn't be surprised if it wasn't for Jeff.

    And Blakey's right on that one. People expect a good product from them. They don't care about "open source" and "improving" - they pay for a product (or hell, even install it for free), and expect their shit to work. If it doesn't, there are tens of forum software packages that do and are just as free.

    You want QA? Hire the team, pay them, and don't rely on the community to solve problems you're too cheap to solve yourself.


  • Winner of the 2016 Presidential Election

    I personally like to be positive about stuff like this, so I hope he woke up one day and thought to himself "Meh, these guys have been doing a lot, let's give them some nice things".
    I think the whole "Let's try to improve our relationship"-idea is the most likely, though.
    I mean, the DiscoDevs and this community clashed quite violently at times...

    @Onyx said:

    Did you know: you can make popcorn in aluminium foil before making the hat

    LFT!

    @Maciejasjmj said:

    You want QA? Hire the team, pay them

    ALFT!

    Addendum: Filed Under: Oh no, I forgot to file this post


  • FoxDev

    @Kuro said:

    I personally like to be positive about stuff like this, so I hope he woke up one day and thought to himself "Meh, these guys have been doing a lot, let's give them some nice things". I think the whole "Let's try to improve our relationship"-idea is the most likely, though.

    Aren't those two things essentially equivalent? 😜


  • Winner of the 2016 Presidential Election

    About as equivalent as f(x)=x => f(2) and 1+1 . The result is the same, the context might differ.
    The idea of Jeff waking up and wanting to do something nice results in people getting stickers / mugs and that's it.
    The idea of him thinking he needs to better the relationship also gets us the stickers and mugs but adds the expectation that we behave differently afterwards!

    Filed Under: About as equivalent as a +1 or a like!



  • I found his pitch

    Encourage larger orgs to fund bug bounties for common open source projects, not just their own closed source apps and websites. At Stack Exchange, we donated to open source projects we used every year. Donating a bug bounty could be a big bump in eyeballs on that code.


  • ♿ (Parody)

    @Yamikuronue said:

    I wonder if it was his idea because someone else was hitting him up for money and he was glad we didn't do that and wanted to throw things at us to stop us from becoming like that other client as we grew increasingly disgruntled?

    Possibly. They've always said that they appreciate our reports (if not always our tone). He explicitly talked about security researchers, which doesn't really fit my perception of the people reporting stuff from here.

    I think it's just a consequence of the big guys (especially google) having programs to pay for security discoveries. I imagine researchers are looking for new targets where not a lot of others are going.



  • The order of magnitude is something he doesn't address though.

    If an exploit is found in Chrome, it affects about 40..50 percent of Web users. That's more than Heartbleed ever dreamed of affecting. A serious flaw in that code impacts every site the user visits. Paying for top quality talent to be on your side breaking things for money prevents those same users breaking it maliciously.

    Money attracts top talent, but it ensures you receive the security results instead of having it sold to the highest bidder.


  • ♿ (Parody)

    @Matches said:

    The order of magnitude is something he doesn't address though.

    I think he's implicitly addressing it by wondering why they're trying to hit up his mickey mouse operation. I think thousands of dollars for a bug that affects millions of users (and possibly leads to infected machines, stolen bank credentials, etc) is good policy.



  • @Atwood said:

    But open source isn't supposed to be about the money… is it?

    Jesus Christ I hate this shit.

    HE IS SELLING THE SOFTWARE.


  • :belt_onion:

    @blakeyrat said:

    Jesus Christ I hate this shit.

    HE IS SELLING THE SOFTWARE.

    Eh, technically no. He's selling a service. Arguably it's marked up, but it is a service.


  • FoxDev

    @blakeyrat said:

    HE IS SELLING THE SOFTWARE.

    The software that's on GitHub and downloadable at zero cost?



  • @Maciejasjmj said:

    You fucking benefit from the stuff! It's "not about the money" when people fix your shit and try to improve it, but that somehow doesn't stop you from holding out your hand and asking ridiculous prices for hosted installs?

    IT'S INSANE!

    Like literally insane!!!!!

    It reminds me when whatsisass on BoingBoing (who wrote the Creative Commons Non-Commercial license) got all pissy when an artist complained he was using a Non-Commercial image on BoingBoing, a commercial site that pulled in $$$millions$$$ in ad revenue. And remember, the guy who stole the image was the guy who WROTE the license.

    Do these people learn some secret rule that if you just RUN YOUR MOUTH about being non-commercial, it magically happens? Because no. That is not the case.

    Open source or not, he's charging for the software and thus is no different than, say, Microsoft.


  • ♿ (Parody)

    @blakeyrat said:

    Open source or not, he's charging for the software and thus is no different than, say, Microsoft.

    Stop lying. That's not what's going on at all.



  • Yes it is. It's called "software as a service", it's been around for some time now.

    The reason he made it open source is so he could get free labor from suckers, like the people here who submit bug reports, or people like Ben who write importers for free.

    I don't believe for one millisecond that the product's open source because some fluffy teddy-bear bullshit charity reason.

    And Atwood knows as well as anybody (assuming he's not delusional) that open source software is generally lower-quality than closed-source, so if his end-goal was to write a quality piece of software he'd have never gone this route.



  • I'm pretty sure boom just trolled you for a free rant.



  • Maybe; but Sluicecannon and RaceProGayK were genuine idiots who needed a dose of reality.


  • ♿ (Parody)

    @blakeyrat said:

    Yes it is. It's called "software as a service", it's been around for some time now.

    But the software is also free for anyone to download and use. There are even (or were, I haven't kept up) competing providers who aren't discodevs.

    @blakeyrat said:

    I don't believe for one millisecond that the product's open source because some fluffy teddy-bear bullshit charity reason.

    I don't care what the motives are. They don't change your lies.



  • @boomzilla said:

    But the software is also free for anyone to download and use. There are even (or were, I haven't kept up) competing providers who aren't discodevs.

    And that magically means, via fairy dust, that Atwood isn't running a business! It's a charity! The fairy dust has spoken!

    "Hey Ford is selling cars." "That's impossible!" "Why?" "Chevy is selling cars!" "MIND BLOWN!"



  • @boomzilla said:

    But the software is also free for anyone to download and use. There are even (or were, I haven't kept up) competing providers who aren't discodevs.

    So? Microsoft has a lot of free - and recently even open-sourced like ASP.NET - stuff, but I'd love to see them try pulling the "we won't be paying people to do QA, it's open source!" stunt.


  • :belt_onion:

    @blakeyrat said:

    Maybe; but Sluicecannon and RaceProGayK were genuine idiots who needed a dose of reality.

    I have a Discourse test installation set up. I paid exactly $0 for it. Therefore, BLAKEY_REALITY_NOT_FOUND


  • :belt_onion:

    @blakeyrat said:

    open source software is generally lower-quality than closed-source

    I believe that's an impossible generalization to make, so...

    CITE YOUR SHIT



  • All quiet and then suddenly 17 reply notifications.

    Look at the clock.

    "Sigh. Right. Blakey woke up."


  • FoxDev

    @blakeyrat said:

    Maybe; but Sluicecannon and RaceProUK were genuine idiots who needed a dose of reality.

    I have a clone of the Discourse repo on my GitHub. Total monetary cost: £0.00 a month for ∞ months.



  • @blakeyrat said:

    And that magically means, via fairy dust, that Atwood isn't running a business! It's a charity! The fairy dust has spoken!

    It's kind of like the razor or printer model. You get the stuff for cheap (or free in the case of software). But then, once you've committed, you realize you need a ton of toners / blades / support. And the people who gave you the cheap / free thing are the ones most qualified / the only ones able to provide you that stuff.

    So software is free. But they still run their business around it.


  • ♿ (Parody)

    @blakeyrat said:

    And that magically means, via fairy dust, that Atwood isn't running a business! It's a charity! The fairy dust has spoken!

    Why are you still lying?



  • @sloosecannon said:

    I have a Discourse test installation set up. I paid exactly $0 for it. Therefore, BLAKEY_REALITY_NOT_FOUND

    Ok?

    I have a lot of free software from commercial companies. At the moment (due to podcasting) I have iTunes installed. I "paid" exactly $0 for it. Therefore Apple is open source charity! ... right? Is that how the logic works in your brain?


  • ♿ (Parody)

    @Maciejasjmj said:

    ...but I'd love to see them try pulling the "we won't be paying people to do QA, it's open source!" stunt.

    I'm not sure why you said that in response to me, and I think it makes some bad assumptions anyway, or at least is really making a different argument than it appears to be (i.e., they have people doing QA stuff, but no dedicated people that I'm aware of, and we can all say that's stupid, but you're just catching the @blakeyrat lying virus if you say that they don't pay people to do QA).


  • :belt_onion:

    No, what makes it open source is the fact that the source is open and available on GitHub, and (depending on definition) is available under an open source license. Which applies entirely to Discourse.


  • ♿ (Parody)

    @blakeyrat said:

    Therefore Apple is open source charity! ... right? Is that how the logic works in your brain?

    TDEMSYR. Do you have the iTunes source code? Are you still confused between freeware and open source? Enquiring shoulder aliens want to know.



  • @sloosecannon said:

    GitHub

    It's only open source if you put it on THIS COMMERCIAL WEBSITE guyz!!! This website created FOR COMMERCIAL PURPOSES is what makes it open source!!!!!

    Goddamned, this gets dumber and dumber.

    @boomzilla said:

    Do you have the iTunes source code?

    No, but who cares? I have a copy of it, for free, therefore Apple isn't running a business based on it. That's how the logic works! Apparently!



  • You know the worst thing is that I wake up at like fucking 5:30 AM and you guys somehow have posted like a billion threads overnight.


  • FoxDev

    @blakeyrat said:

    It's only open source if you put it on THIS COMMERCIAL WEBSITE guyz!!! This website created FOR COMMERCIAL PURPOSES is what makes it open source!!!!!

    Goddamned, this gets dumber and dumber.


    Or you have no idea how open source works, and you're talking out of your arse.

    Again.



  • @RaceProUK said:

    Or you have no idea how open source works, and you're talking out of your arse.

    I'm pretty sure I have a better idea than sluicecannon since he seems to think GitHub is integral to the process... that's what I was making fun of, in case you didn't notice. Which you didn't. Because you're dumb.


  • FoxDev

    @blakeyrat said:

    I'm pretty sure I have a better idea than sluicecannon since he seems to think GitHub is integral to the process... that's what I was making fun of, in case you didn't notice.

    No, you took one word completely out of context, and did what you normally do: spout total bullshit.


  • :belt_onion:

    @blakeyrat said:

    It's only open source if you put it on THIS COMMERCIAL WEBSITE guyz!!! This website created FOR COMMERCIAL PURPOSES is what makes it open source!!!!!

    Goddamned, this gets dumber and dumber.

    I... what? Somehow I knew you would stick on that point, and yet I failed to pre-pendant it. Do you even comprehend how open source works? I think not, if you misunderstood what I said.
    I'll spell it out for you.

    Software is free and open source if:

    • The source is publicly available. Github allows you to host things on its site for free.
    • It costs no money to get a copy.
    • (Depending on how pedantic you want to get) If the license is one of the FOSS licenses.

    Note that this says nothing about selling SERVICES with your product integrated. You can still be free and open source and sell your software as a service. Because you're selling the service, not the product.



  • In my experience, in an Atwood article there's at least one major thing overlooked.

    In this case, it's that code that deals with security protocols is much harder to write than most other kinds of code. If you make the slightest mistake, it will come back to bite someone later.

    With OpenSSL, the Debian fiasco from a few years back should have been a warning sign. Why? Because OpenSSL is deliberately reading uninitialized memory to initialize its PRNG when creating security keys rather than a standard source of entropy. That and the process ID (which will always be between 2 and 32,767 on Linux).

    But no one bothered to audit it back then. 8 years later, Heartbleed rolled around...
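    The weak-seed situation the post describes, as an added example that is not from the post or from OpenSSL: a toy key generator whose only entropy is the process ID, showing that the entire key space collapses to the PID range and can be precomputed into a weak-key table, which is the same idea Debian's openssl-blacklist package used to let admins check existing keys. The hashing, key format and PID range are constructed for the model, not OpenSSL's real key generation.

```python
"""Toy model of a PRNG seeded only by the process ID (constructed example).

Models the failure mode from the post: when the only entropy left in the
key generator is the PID (2..32767 on Linux, per the post), every key the
system could ever produce fits in a small, enumerable set.  The blacklist
check imitates, in miniature, the defensive fix Debian shipped (a list of
weak-key fingerprints).  This is not OpenSSL's algorithm.
"""
import hashlib

PID_MIN, PID_MAX = 2, 32767  # PID range quoted in the post


def weak_key(pid: int, key_bytes: int = 16) -> bytes:
    """Deterministic stand-in for 'key from a PRNG seeded with pid'.

    Real OpenSSL keys are RSA/DSA; hashing the seed to a fixed-size secret
    keeps the point visible (seed space == key space) without big-number
    arithmetic.  Constructed model, not the real derivation.
    """
    if not PID_MIN <= pid <= PID_MAX:
        raise ValueError("pid outside the modelled range")
    seed = pid.to_bytes(2, "big")  # the *only* entropy in this model
    return hashlib.sha256(b"weak-prng-seed:" + seed).digest()[:key_bytes]


def build_blacklist() -> dict:
    """Precompute every key the weak generator can emit, keyed by fingerprint.

    The defender's view: this costs 32,766 hashes, which is exactly why a
    PID-only seed is unacceptable.  Returns {fingerprint_hex: pid}.
    """
    table = {}
    for pid in range(PID_MIN, PID_MAX + 1):
        fp = hashlib.sha1(weak_key(pid)).hexdigest()
        table[fp] = pid
    return table


def is_blacklisted(key: bytes, blacklist: dict) -> bool:
    """Check a deployed key against the weak-key table (openssl-blacklist style)."""
    return hashlib.sha1(key).hexdigest() in blacklist


def keyspace_size() -> int:
    """Number of distinct keys the model can produce (equals the PID range)."""
    return len({weak_key(pid) for pid in range(PID_MIN, PID_MAX + 1)})


if __name__ == "__main__":
    import os
    bl = build_blacklist()
    print("distinct keys reachable:", keyspace_size())
    print("key from pid 4242 blacklisted?", is_blacklisted(weak_key(4242), bl))
    # A key from a real entropy source is not in the table.
    print("random key blacklisted?", is_blacklisted(os.urandom(16), bl))
```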


  • BINNED

    So the outrage is about people making money from open source? Hold on, now the problem is that open source projects can and do function in capitalistic society?

    Ok guys, everyone here using Linux get your hammers and sickles. We're not allowed here any more, back to CCCP with us...



  • @sloosecannon said:

    Note that this says nothing about selling SERVICES with your product integrated. You can still be free and open source and sell your software as a service. Because you're selling the service, not the product

    Yes I get all of this, obviously.

    What I don't get is how this explanation magically makes it so Atwood isn't running a business based on Discourse.

    I'm asking why the sky is blue, and you guys can't stop explaining how TVs work. Ok, I get how TV works, now answer my fucking question about the sky.

