PSA: If your security starts and ends with bug bounties, you're gonna have a bad time

Remember when Uber tried to cover up the fact its AWS datastore containing records on 57 million riders and drivers had been hacked? And that it bunged the hackers $100,000 to shut them up, and then disguised the expense as a bug bounty payout? Who could forget? Certainly not shocked US lawmakers, who held a hearing in …

  1. Pascal Monett Silver badge

    "Uber has learned something from the public ignominy"

    Yeah, it has learned it has to get better at hiding its activities.

    I'm sorry but I do not, for one second, believe that an Uber exec can be "contrite". Just looking at the picture I am convinced that he just went through the motions, mouthed the words and scurried back to HQ to harass a secretary in order to wind down.

    The fact that the guy looks like a creep is hardly surprising; he's CTO at Uber, the creepiest Internet scam outfit there is.

  2. Anonymous Coward

    What the bloody hell is Moran doing on a subcommittee for consumer protection? That man has done NOTHING that benefits consumers in his entire career! He's all about helping big business screw whoever the hell they want to regardless of who it hurts. And sadly folks around here are gullible enough to keep electing him. Bah.


  3. EnviableOne Silver badge

    Easy way to stop people extorting you:

    learn to program properly and STOP MAKING Bloated and buggy code.

    if the so called "web developers" knew what a never condition was and actually sanitised their inputs, we might just get some code that was secure and see a reduction in the number of bugs identified and CVEs issued.

    if these so called experts stopped bloating their programs with unused library code and actually understood what their programs were doing, then speculative execution wouldn't have been needed, and we wouldn't be sitting here with vulnerable machines...


    1. sisk

      if these so called experts stopped bloating their programs with unused library code...

      To be fair, there's a REASON we use libraries that contain features we don't necessarily use. Using JQuery as an example, I can do literally anything possible in JQuery using plain old Javascript, but doing so would take a whole hell of a lot longer, as much as 10 or 20 times as long for some things. As we all know, code that takes longer to write means apps (or websites, since we're using JQuery as our example) that cost more to make, and apps and websites that cost more to make mean smaller bottom lines for companies (because realistically consumers are already paying as much as they're willing to for apps).

      It all comes down to costs.

      1. Michael Wojcik Silver badge

        To be fair, there's a REASON we use libraries that contain features we don't necessarily use.

        Fair? How about "to be even modestly rational"?

        I don't know why these "so-called experts" aren't tapping out their own silicon, then writing their own assemblers, compilers, OSes, network stacks, HTTP servers, TLS implementations, DBMSes, web browsers... Why, those things are just chock full of features most applications don't need.

        Yes, there's much to be said against bloated, poorly-written libraries.[1] Anyone who pays the slightest attention to information security understands the problem of a broad attack surface. But "write everything yourself" is not a good answer.

        I've written my own Javascript library, with just the functionality I require. It's a useful exercise but hardly appropriate for every web development team. I've written two HTTP servers that appear in commercial products, and I don't recommend it as a general practice. Security is about economics, and as sisk points out, so is software development. An app that never ships is relatively secure, but it's not improving the overall state of the software ecosystem.

        [1] And that does describe jQuery for at least the first half of its existence. I haven't looked at the jQuery source in years, but for a long time it primarily displayed a grotesque ignorance of the actual ECMAScript specification and behavior of the language. There are famous examples - the expectation that the typeof operator could ever evaluate to the string "array", the assumption that properties would be returned in some particular order - but beyond those the code was rife with amateur foolishness. It was a standing joke on comp.programming.javascript.

  4. Randy Hudson

    What does Jimmy Fallon know about security?

Biting the hand that feeds IT © 1998–2020