0x53's comments

Thankfully, it is illegal for private companies to do that.


Unless you work in a pharmacy. Or you’re a ‘mall-cop’. Or literally any employee anywhere who is suspected of fraud or embezzlement or any “incident that resulted in a specific economic loss to the employer”.


You are correct. The Employee Polygraph Protection Act of 1988, which otherwise prohibits the use of putative lie detectors by employees, provides exemptions for such cases.


Unfortunately, that doesn't really prevent companies from doing things that are illegal if they turn out to be profitable enough. You could use a multispectral hidden camera and an mmwave radar fed into 'AI' to simulate a lie detector - you can definitely get pulse and breathing rate out of it, probably also perspiration.


Sure. And then someone who set that up will get fired and leak the scheme, and nudes from mmWave will be found, and it’s all lawyers and liability.


Love the idea and hope you are successful. I really think there is a lot of value to be unlocked in sharing/renting tools. In my area we have a tool library which is handy.

Some ideas:

- I would focus a lot of effort on making it incredibly easy and intuitive to list things. This is one of the primary barriers to me when using these types of apps.

- Maybe a future idea would be to list things from Home Depot or other stores to expand the number of rentals that are available.


Thanks a lot for the feedback—really appreciate it! Totally agree that ease of listing is key. We're actively working on making the process super simple with AI-powered automation, and also improving how people search and discover listings. Love the idea of integrating store rentals too—that's on our radar!


How does your tool library work? Who organizes it? Sounds really interesting.


We have one near my place that I'm a member of; it's run by volunteers. They have stuff outside of tools too (camping/cooking gear). You can view their inventory before you join: https://toolsnthingslibraryperthwa.myturn.com/library/

The main downside for me is returning the items in the window they're open.


Great question! Patio isn't a traditional tool library—it’s a peer-to-peer platform where anyone can list and rent tools directly from people nearby, similar to Airbnb. So instead of being run by an organization, it’s the community itself that powers it. We're just making it easy, safe, and fast to share tools locally.


I wonder which is more efficient: to manage tools or to manage the need. Rather than putting up a yard sign for "I have a hammer, guys", one that says "hey guys, I need a hammer".


Great point — and thanks for sharing it. We’re actually exploring ways to let people post requests, not just listings, so it's easy to say “I need a hammer” and connect with someone nearby. It’s all about making those timely, local connections simple.


Yes fellow human


These are really good ideas, thanks so much for sharing!


Cool idea. Not sure exactly, but when it went to the jury duty section I just got the same question a bunch of times.


Been a fan of Scott’s for a while. Don’t agree about everything, but I think this video calls out the most important systemic problems.


I agree, and it's sad to feel the need to say this, but it's so important in this inflammatory era to respond positively to ideas and opinions despite not agreeing 100% or even 80%, because too often the baby is thrown out with the bathwater (especially online).


God yes, let’s bring this back. 80% agreement or even 50% is a foundation for progress.

Insistence on 100% agreement is a recipe for fragmentation.


I agree on all his diagnostics. The solution part is the part I'm not totally on board with.


It should be against the law to pay a ransom for data.


Ransomware becomes a death sentence to the business if this were to apply, which the US has no appetite for. We even let critical infra out of improving their cybersecurity [1] [2] [3], because it is expensive and hard. The asymmetry of cybersecurity makes effective defense challenging for even the most resourced orgs [4]. You have to win every single day, against social, phishing, auth/identity, and vulnerability attacks throughout the stack. They only need to win once.

(head of infosec, holds tabletop exercises with legal counsel on a cadence as part of ransomware insurance requirements)

[1] https://www.cybersecuritydive.com/news/epa-rescinds-cybersec...

[2] https://www.epa.gov/system/files/documents/2023-10/action-me...

[3] https://www.epa.gov/system/files/documents/2023-08/2023.08.0...

[4] https://arstechnica.com/security/2023/09/hack-of-a-microsoft...


Doesn’t the existence of a ransom “out” put a cap on how much money/seriousness a company willingly puts into infosec? Why would a company invest $22M into security if they can just pay criminals when they get owned?

If ransom was off the table, maybe they’d be motivated to actually secure their data? I don’t know—I’m not in infosec. It’s probably not that simple.


Correct. You calibrate your budget to your risk appetite (board/C-level tolerance, industry specific compliance requirements, civil considerations, etc). Every company puts a budget on how much they're willing to spend, as resources are finite. Even the US DoD has a budget, there are limits. We risk accept what we deem within our risk tolerance, or too expensive to derisk.

I think on HN, there is this belief that you can use incentives to force organizations to have perfect security, which does not exist. Employees are human, people make mistakes, budgets constrain staffing as well as control implementations and operations; there are simply limits to what you can do. You can use policy and incentives to encourage good/best behavior, but failures will still occur. The goal is attempts at desired outcomes, measuring those outcomes, and iterating; not 100% success (as that is impossible).


> how much money/seriousness a company willingly puts into infosec? Why would a company invest $22M into security if they can just pay criminals when they get owned?

Because it's not a one-time cost. If attackers know you have weak security and deep pockets they will persist.


“We do not negotiate with terrorists.” - Richard Nixon

Does it work? Depends on who you ask. https://www.chathamhouse.org/2022/01/we-do-not-negotiate-ter... says that individuals (in the case of corporate ransomware - corporate entities) end up paying and not reporting the kidnapping:

“Historical evidence from Colombia and Italy shows that outlawing ransom payment has various adverse consequences.

Where ransom payments are illegal, victims’ families have no state support, while reporting of the kidnapping goes down and understanding of its prevalence is diminished.”


It's a crime in Japan to pay protection money to Yakuza. It seems to be working. They are a shadow of their former selves.

You can mitigate adverse consequences. Punishments for child kidnapping used to be severe, but then abductors would just kill the hostage since they had little more to lose. Today's sentences are next to nothing to encourage surrender.


Or simply make exchanging bitcoin for anything of value illegal. It makes extortion of all kinds too easy, and company data is just the tip of the iceberg.

I was in Italy recently, and saw articles about the epidemic of kidnappings there in the 70s. It won't be long before organised crime figures out how to use crypto to bring back the glory days.

Killing bitcoin would shut down an enormous illegal economy overnight. And stop the crazy electricity consumption at the same time. Maybe you can help me here, but I'm having difficulty thinking of a single real downside.


> shut down an enormous illegal economy overnight.

Despite not owning any Bitcoin, I find it quite comforting to know that there is a currency that exists outside of the purview of a central bank or a government that can devalue or outright take the accruement of my labor on a whim.


Then what's stopping the criminals from going back to good ol' wire fraud like in the 90s and 2000s?

PS. All of the smart ransomware groups are not demanding payments with Bitcoin anymore, they are using another cryptocurrency called Monero. It turns out that Bitcoin is actually traceable by governments via its public ledger, but Monero is a private currency that can't be traced, hence why the IRS posted bounties some time back to encourage people to break Monero's obfuscation.

The only gangs that are still demanding Bitcoin are the less-educated and savvy ones.


Can't they receive the money in Bitcoin and then run it through Monero to "clean" it?


Monero can be de-anonymized relatively easily.


source?


Oh yeah.. there was no ransom business before Bitcoin.


Policy is quite far from that: ransoms are even tax deductible.


Are there no legal consequences for knowingly paying money to a known criminal group based in Russia? What about the existing OFAC sanctions?


I don't really think companies do KYC on ransomware groups. The government just does not prosecute it.


Hiring bounty hunters to hunt down the perpetrators should also be tax deductible then.


The stories I've read about these ransomware companies are wild. They have whole customer service departments to help you easily pay your ransom. They operate like a legit business.


I'll make an exception for payments with traceable money made on behalf of the FBI.


Or better yet pay to Ukraine who is at war with the governments allowing this.


I would agree, except I don’t think it would keep people from paying regardless.


You'd end up with a bunch of shady "data recovery" firms that may or may not be related to the ransomware crews.


My Wirecutter disagreement is their flashlight recommendation. They recommend a AA battery flashlight from Amazon that in my opinion is terrible (https://www.nytimes.com/wirecutter/reviews/best-flashlight/). This article indicates that maybe the referral money is a factor. I wonder how much influence that has.


I guess I wonder about the opposite side of this. While I hate the beg bounty people as well, I don't think security researchers should work for free. I have found several security vulnerabilities that I have never reported to the company because their security policy was basically "send us everything you found for free and we won't give you any credit".


Nobody's asking security researchers to work for free. The people asking security researchers to work are paying them for that work.

If you're doing un-asked-for work, you can't expect to get paid.


I agree. But there are advantages to be gained beyond mere payment. (Assuming the work is somewhat more than just "I fed your name into ssllabs".)

Say you find a genuine issue. You can document it and send it to them. You might suggest an appropriate amount, but you've given them something to evaluate. Chances are you get nothing, but there is still other value in the exercise.

You can also add this to your portfolio. Once you have a few of these apply for jobs at security firms. They can judge your skill level to see if you're worth adding to the team.

You can also determine if this is a whole class of problem. Publishing the issue (without naming the company involved) raises your profile. You can leverage that profile into paid work down the road.

Of course you should understand all this before you "do the work" in the first place. If you're gonna do random drive-by work you should understand your goals. Given that the parent did not disclose, presumably there was some other motivation in play.


> I have found several security vulnerabilities that I have never reported to the company

There's no problem with that. Anyone who does report anything is doing them a favor. Which they often repay with lawsuits.


> I don't think security researchers should work for free

I agree. The OP comes across a bit gatekeepy to me. Not everyone has made a big name for themselves yet.

How are you supposed to find customers in the first place? Gotta start somewhere.

Quality of the findings is orthogonal to asking for compensation.

There will always be people asking for money without providing value. But I don’t think we should throw the baby out with the bath water because of it.


There are thousands of established bug bounty programs on the web. Ones in which companies actually solicit these messages. The reason these beg bounty hunters are sending unsolicited emails instead is because these programs explicitly descope all these stupid and irrelevant findings. If you want to establish your bona fides, this is a terrible way to go about it, especially given the legitimate alternatives.


> The OP comes across a bit gatekeepy to me.

Hard, hard disagree. I'm glad this "beg bounty" behavior has a name for it, because it's so f'ing obnoxious, and so common, and all it really does is make it that much harder when a serious researcher does need to report a real vulnerability.

Let's not pretend there is some sort of gray line between what responsible disclosure looks like, and what bullshit beg bounty disclosure looks like - after all, Hunt does an excellent job showing the difference. He showed an email he wrote that identifies where he's from, and gives clear verifiable evidence of a serious breach. That is night-and-day different from the "I found something naughty on your website, will you pay me??" example from the beg bountier.

Point being, if you are a serious researcher and you have actually found a high-value vulnerability, there are proper ways to message that even when you feel compensation is warranted. These beg bounties never look like that because they all have the same Achilles heel: the "vulnerability" is such an eye roller that they can't actually give evidence of it before asking for money precisely because they know it's so low value.


I spent some time working in bounty triage.

This behavior never rose above "mildly annoying". There are a lot of people out there who will check your website for the issues that they know how to find and fire off a form report letting you know.

They are really, really, easy to deal with. There are two major relevant strategies:

- Many programs put it explicitly in their bounty policy that they won't consider the output of an automated tool. This automatically blocks the lowest-effort submissions.

- All programs specify in their policy what they consider a vulnerability and what they don't. "SPF configuration" is a common exclusion.

So if you get a low-value report, it takes maybe one minute to respond with a pointer to the part of your policy that explains why you won't even bother considering the report. If flyby reports are a major issue for you - publish a policy!

(As a third consideration, for me personally, these reports were especially easy to handle because you'd see the same guy filing more or less identical reports to several programs, and after the first time, you'd already have a good understanding of exactly what the report was saying.)

The people filing these reports are doing valuable work. Some programs really do care about some of the issues they find. Most programs don't care about most of the issues - but you can hardly blame the researcher for finding out whether the issue they already have in their hand might be worth something.

When I saw the headline, I thought of a different phenomenon that bothered me more. Many researchers are very ...anxious... about the status of their reports. I saw one guy, apparently from Egypt, who regularly found real vulnerabilities in a major website and earned thousands of dollars a month in bounties. If a report came in from him, it got taken seriously.

But he was constantly asking for status updates and commitments on when a report might get paid out. This was unpleasant to deal with. On the other hand, I did also see a handful of reports fall through the cracks and go untouched for months at a time, so again it's hard to blame the guy too much.


> Quality of the findings is orthogonal to asking for compensation

This is a terrible take. Orthogonal to having a reputation, sure. Orthogonal to having a particular certification or credential, absolutely. But quality is absolutely non-negotiable. If your work is bad and nobody asked you to do it then you’re not a professional, you’re a charity.


The issue here is that these people aren't providing value. Further, engaging with them as serious and sincere costs in time and energy. That's expensive when there's no payoff. From my own experiences, beg bounties reliably do not have findings of a useful quality and the begging approach is a very strong signal that the juice will not be worth the squeeze.

The piece is gatekeeping in the same way the spam filters we all use are gatekeeping. There's always stuff we want to keep on the far side of our filters. Beg bounties are among them for many.


What does provably correct mean here? I think you mean that the code doesn’t have any memory corruption vulnerabilities. However, that is only one class of vulnerability, so more techniques than just relying on a memory safe language are required for secure software.


It means that the type system can prove certain properties for you. For example, in languages with dependent type systems like Agda, you can construct a sorted list type that the compiler will prove is sorted at all times; otherwise it won’t compile. Or a complex tree type that is always balanced. Or a set of only even numbers, and again it won’t compile otherwise…

(Sadly, if you go that far, it isn’t generally Turing complete anymore. Though in some cases that’s a good thing.)


The only publicly posted price list that I know of is zerodium’s (evil people). http://zerodium.com/program.html They currently offer 2.5 million for an android zero click with persistence. This doesn’t give you the persistence piece without another bug so maybe 2m. Of course, they are only willing to offer that price if they could sell it for much more.


That statement is incredibly interesting. I wonder what the hackers think they attempt to gain by publicly talking about their operations?


Reputation is vital in the extortion world. There has to be some trust that if you pay a ransom, the other party will follow through.


That makes sense. I feel like a federal government policy making it illegal to pay a ransom would go a long way towards making this type of thing less profitable.

