Profile picture
, 24 tweets, 4 min read
My Authors
Read all threads
You entrust digital products with a lot: from your thermostat to your car's informatics to your pacemaker to your email and financial data, defects in computers can expose you to potentially enormous risk.

1/
The only thing worse than using a defective product is UNKNOWINGLY using a defective product (having faulty brakes is bad, discovering your brakes are faulty on the highway is much, much worse).

2/
Tech companies have long asserted that they alone have the right to decide who can disclose true facts about defects in their products...for safety. If randos who discover their mistakes make disclosures without warning companies, then "bad guys" will exploit the bugs.

3/
There's a legitimate ethical debate about the best way to make bug disclosures, but even if you believe that someone should be the official, legal custodian of Bad News About a Company's Products, it's commonsense that the company itself should not be that custodian.

4/
It seems obvious that, in the US, the First Amendment protects your right to make truthful disclosures about defective products.

5/
Yet, corporations (led by @Oracle) have stretched the disastrously vague, Reagan-era Computer Fraud and Abuse Act to threaten (and, sometimes, imprison) researchers who make these disclosures without permission.

6/
It's not just CFAA. Sec 1201 of the Digital Millennium Copyright Act provides 5 years prison/$500k fine for first offenses to anyone who "trafficks" in a "circumvention device". So publishing proof-of-concept code demonstrating vulns in systems with DRM is a potential felony.

7/
Enter the Vulnerability Disclosure Program and its freespending cousin, the Bug Bounty Program. Under these "managed disclosure" systems, companies invite security researchers to reveal their findings.

8/
In theory, this is how we want things to work: rather than coercing researchers into silence, companies entice them into cooperation, say, by promising to publish all reported bugs themselves after a suitable period to investigate and fix them.

9/
Maybe they even pay researchers for going the managed disclosure route.

In practice, though, criminal and civil threats loom large over these programs. Companies offer cash and immunity to researchers as a carrot, but they hold out fines and prison as a stick.

10/
And it turns out that, yup, companies are really shitty stewards of bad news about their own products. When companies get to set terms on which hackers talk to them first, they set terms that bind researchers to long periods (sometimes indefinite) of silence.

11/
And the companies also reserve the right to decide whether THEY will ever reveal the bugs to us poor suckers trusting their products with our money, privacy and lives, whether they'll ever patch those products, etc.

12/
But a few years back, some people had an idea to turn this bug into a feature: they'd start VC-backed companies that would manage bug bounties and disclosure programs for companies. They'd organize researchers, validate findings, manage thorny comms with the companies...

13/
They'd build platforms where researchers could flock and socialize and collaborate and become millionaires (!) by working WITH companies, instead of against them.

14/
That didn't work out so great. Because the hackers that the companies were supposed to protect weren't these companies' customers - the tech companies whose products they were testing were the customers.

15/
So the companies whose worst impulses the bug-management platforms were supposed to be blunting ended up running the show, and the reporting platforms became a catch-and-kill system for vulns.

csoonline.com/article/353588…

16/
Hackers who join these platforms to earn big by doing the right thing instead find that they are required to sign indefinite, one-sided NDAs that prevent them from disclosing ANYTHING, even the fact that they signed an NDA.

17/
And the companies don't have to make any promises (apart from payment...sometimes) to do anything about the bugs that are brought to them by researchers.

18/
In @toholdaquill's excellent piece on this for CSO Magazine, he describes how the VC-backed, growth-oriented bug-bounty platforms are incentivized to, uh, overstate how much money hackers can make from using them, and what kind of results they can expect.

19/
Reading between the lines, and talking with former Hackerone exec @k8em0, Porup makes a pretty good case that apart from statistically insignificant outliers, there's not much money to be made by using these platforms, and the price of admission is silence and inaction.

20/
Porup also makes the case that bug bounty platforms are potentially violating California's employment law, AND the GDPR. He also debunks claims that their operations follow the ISO standards for bug disclosure (which Moussouris co-authored).

21/
I think that the outcome here was entirely predictable. The bug bounty platforms have tacitly endorsed the idea that it is/should be illegal to tell the truth about defective products without permission from the products' manufacturers.

22/
Inevitably, deputizing companies to decide who can warn their customers that their products can't be trusted ends with those companies abusing that power. Period. To imagine otherwise is to engage in fantasy.

23/
It's the kind of motivated reasoning that looks great in a VC pitch but is a disaster in the world.

eof/
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Bernie Beats Trump

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @doctorow see all

Profile picture
Bernie Beats Trump
@doctorow
During a 2007 trip to NYC, while taking long walks from one indie bookstore to the next, lugging increasingly heavy bags of pressed vegetable matter, I stumbled on Simon Lovell's HOW TO CHEAT AT EVERYTHING at the St Mark's Bookshop.

runningpress.com/titles/simon-l…

1/
Despite the title, its really about about NOT getting cheated: anatomical dissections of scams that show you how they work. One thing that stuck with me from all that is how to spot a dirty "proposition" bet, a variable-odds bet on a specific outcome from a range of outcomes.

2/
Lovell's rule of thumb is the more complicated a bet is, the scammier it is. If it pays 2:1 for one outcome, 5:1 for another, and 100:1 for a third, it's probably a scam. Complexity confounds your ability to match odds to payouts - to intuit whether it's a good bet.

3/
Read 29 tweets
Profile picture
Bernie Beats Trump
@doctorow
Today's Twitter threads! (a Twitter thread).

Inside: The Public Domain Review Coloring Book, Amazon's leaked anti-worker smear plan, Wikipedia vs patent troll, and more!

Archived at: pluralistic.net/2020/04/03/soc…

#Pluralistic

1/
The Public Domain Review Coloring Book: Hokusai, Albrecht Dürer, Harry Clarke, Virginia Frances Sterrett, etc.



2/
Amazon's leaked anti-worker smear plan: They put it in writing.



3/
Read 15 tweets
Profile picture
Bernie Beats Trump
@doctorow
What's stupider than firing the warehouse manager who organized an Amazon warehouse walkout over covid contamination?

pluralistic.net/2020/03/31/rea…

1/
Writing a memo explaining how you plan to smear that organizer to neutralize your own workers' demands for a safe work environment, assuming, incorrectly, that it won't leak.

(NARRATOR: IT LEAKED)

vice.com/en_us/article/…

2/
Amazon General Counsel David Zapolsky's leaked memo said that the fired warehouse worker, Christian Smalls was "not smart or articulate" and suggested that the company make him "the face of the entire union/organizing movement."

3/
Read 7 tweets

Related threads

Profile picture
Scott McGrath
@SMcGrathPhd
Let's try this again, for those of you who were looking for how to get involved from an #informatics perspective on #COVID19 here are the links from @nicktatonetti COVID-19 talk:

Helping researchers crowdsouce against COVID-19

crowdfightcovid19.org

#IS20 #TBIYIR20
1/15
Another crowdsourcing effort where people can join projects based off their skills

data-against-covid.org

#IS20 #TBIYIR20 #COVID19
2/15
GitHub repository for manuscripts on the development of diagnostics and therapeutics, looking for contributors

github.com/greenelab/covi…

#IS20 #TBIYIR20 #COVID19
3/15
Read 15 tweets
Profile picture
Beckham Cottage
@beckhamcottage
For the record, thread about Devon County Council (DCC) scrutiny committee held on 26th September, at which #libraries were discussed.
Presenting report from Libraries Unlimited were Libraries Unlimited CEO, Alex Kittow; DCC Commissioner Simon Kitchen; and the councillor whose portfolio includes libraries, Cllr Roger Croad.
1. Last year scrutiny asked that going forward Libraries Unlimited should provide Key Performance Indicator of children's issues, and also provide the number of professional staff employed in Devon Libraries...
Read 12 tweets
Profile picture
Jae S Um
@jaesunum
A #data informed look at how the #human experience of #lawyering has changed over time.

Just as #clients need better #value propositions, #law firms need better business models. Meaningful #legal #transformation will occur where the two intersect.

legalevolution.org/2019/02/pay-ho…
H/T to @augierakow @robsaccone for the post #inspirelegal 🤓 email chain that #inspired this tweetable.

(Bc I’m a tweetable factory. 🤷🏻‍♀️)
Another reaction to this @wihender post: we NEED to deal with #automation anxiety in #legal.

Legacy models of law practice aren’t built for the pace of #business and volume of #information of the #digital age.

More #hours from more #lawyers can’t be the default answer.
Read 12 tweets
Profile picture
Jay Perdue
@jayperdue
Want to love WHAT you do and WHY you do it? The fundraising org in support of @StJude Children's Research Hospital is growing our #Digital team. Check out these #media, #data, #personalization, #analytics and #martech #jobs in the comments below:
Wanted: Manager, Digital Media Optimizations -- alsacstjude.wd1.myworkdayjobs.com/en-US/careersa…
Digital Media Strategist -- alsacstjude.wd1.myworkdayjobs.com/en-US/careersa…
Read 9 tweets
Profile picture
Dave Vellante
@dvellante
Takeaways from @Dell financial call today... Dell is taking share across the board...will do $90-$92B in revenue this fy. Setting up for tough compare for next year. Dell citing favorable spending environment, assumptions are 2X GDP for IT spend...
Dell citing attractiveness of 1-stop shopping (end-to-end - edge->core->cloud) I surmise their cloud is VMware with AWS...Since EMC transaction, Dell is posturing as a much more strategic supplier than either Dell or EMC was as an independent company.
new sales comp plans implemented by Dell - @JClarkeatDell fingerprints seen on the enterprise storage biz which he took over about 1 yr ago. Storage was sucking wind post EMC transaction & is now gaining share. I think IDC numbers coming out soon showing Dell EMC gains
Read 16 tweets
Profile picture
UCCat20
@UCC_Official
UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Read 17 tweets

Trending hashtags

#SmartCities #Philippines #COVID19usa #noarchivelog #Nigeria #gaji #Henan #African #Chinese #optimism #WARCRIMINALS #fortress #WhiteHats #TFSA #dissident #variable #Seattle #weaponized #bequeath #Steel #Monday #Total #Death #bomb #SNA

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!