It's run in both self-service (output to developers), guided (output to the product security on-call of security engineers) and used ad-hoc to power up manual security reviews. Depending on the accuracy of each rule and the impact of the pattern of security flaw the rule finds, it is promoted to ultimately output to developers directly.
It finds about a third of the security vulns we unearth each year.
That’s been my approach as well. An astonishingly large number of companies think they can buy an off-the-shelf static analysis tool and pipe the default output to developers. That’s counterproductive. A very small percentage of developers will understand the output, be able to assess the exploitability/severity, and care about fixing it. One might think you could then just have them take the “better safe than sorry” approach and fix everything, but FP rates for all of the commercial tools make that completely untenable. At the same time, you can’t expect to convince small teams of developers to model everything out and define sources/sinks using some obscure DSL that they have to learn. But there are classes of issues that are extremely high impact, but only low-accuracy static analysis rules can find the candidates. It’s that part in the middle that you don’t want to throw out, but you need security experts to vet. Other cases with high-confidence checks are appropriate to short-circuit straight to the devs, but it’s a bad first step.
https://www.facebook.com/data-abuse - as mentioned in the article, this scenario (non-FB companies mishandling FB user data) is exactly the reason Facebook's data abuse bounty program exists. Hopefully the finders of this submitted to the program.
Facebook, Microsoft, GitHub, etc. all pay $$ and our time into a pool that is used to incentivize the finding, vetting and fixing of security flaws in major software running the internet.
I used to work at Facebook and I disagree. Even prior to the recent scandals, there are plenty of employees who have decided to leave Facebook due to ethical concerns (myself included). However, most keep this to themselves as Facebook fosters an environment where dissent is not tolerated.
Of course, it's unclear from this article whether negative sentiments have increased substantially this year compared to previous years.
And to clarify, I'm not saying that I am innocent or that I have taken some sort of ethical high road. I gladly spent many years cashing out my pre-IPO stock grants while turning a blind eye to numerous immoral business practices. But soon after going public, there wasn't much benefit to working at Facebook compared to any other large Silicon Valley tech company. Without the financial motivation, the ethical concerns made it hard to be excited about remaining.
I am well-connected to Facebook and I have no impression that employees are transferring or worried in any way. The media's exaggerations of employees' reactions are almost as bad as their exaggerations of what Facebook is doing with data.
The two people interviewed were fired for cause from this same program; of course they will have a negative opinion. One was even fired for the same thing this safety driver failed to do.
>Both Kelley and the former driver in Tempe were dismissed from their jobs with Uber earlier this year for safety infractions: Kelley said he was let go after rolling through a stop sign while he was operating the car, which he disputes; the individual in Tempe said he was dismissed for using his phone while the vehicle was in motion.
The bit about level 3 being considered harmful makes a lot of sense and isn't something that I would have intuitively thought of.
If trained and well-disciplined airline pilots and railway engineers have problems staying alert in situations like this, you can bet that your average Uber 'backup driver' (what a job title) isn't going to be any better.
I guess you missed the point of TFA. It is impossible for humans to perform the tasks these two persons were hired to do. 100% of people who attempt to do that job will eventually fail, likely sooner rather than later.
And they will continue to handle it with ease right up to the moment when they hit another cyclist.
What makes you so confident that the mere two years of running the program is enough to reliably calculate that number, when drivers like the one in the article managed to last more than a year until they got fired?
I remain interested in why the lidar didn't work in this case and I hope more details emerge so we can learn what happened.
But it seems logical that Uber would disable the onboard built-in Volvo crash detection feature; it would be adding another variable for a car that is intended to test one thing at a time. It's hard to see this solely as the "Uber is being reckless" narrative instead of "maybe this is just how all self-driving cars are tested".
If the Volvo crash avoidance system actually took action, then things have obviously already gone very, very wrong, and it's not like braking when that happens would ever be a bad thing. That's like saying we should remove safety nets from underneath tightropes lest they get in the gymnast's way.
Why do you think the LIDAR did not work? The LIDAR might have worked just fine but what the system taking the output of the sensor did with the data is the question.
If you want to know what we would expect the LIDAR to have seen in such a situation, we did a simple simulation of such a scene here [1].
If the LIDAR was defective, the system processing the sensor output should detect that there is no data coming in, and the problem should change the car's behavior accordingly, not just drive on as if nothing is wrong.
> Why do you think the LIDAR did not work? The LIDAR might have worked just fine but what the system taking the output of the sensor did with the data is the question.
>I don’t understand ... why aren’t the default settings of an account more secure and private?
They are (for the most relevant definition of your question).
Specifically, a Facebook app you choose to install can no longer see any of your friends' information. That was done in 2014, before any of this happened; more details and timeline here: https://www.facebook.com/boz/posts/10104702799873151