cablej's comments

cablej | 7 years ago | on: Life as a bug bounty hunter

As a bug bounty hunter, this is nowhere near normal. The average payout for a single vulnerability is over $500, so even finding just one vulnerability a month would be more than mentioned in the article. Full-time bug bounty hunters often earn thousands to tens of thousands per month, making it far from a "struggling" profession.

cablej | 8 years ago | on: Uber’s Payment to a Hacker, and the Fallout

Being involved in bug bounties, don't be fooled by what happened here. This is exactly a case of extortion: the hacker had downloaded user data from Uber, and was paid off in order to delete the files. This differs from an actual bug bounty payout, where a hacker would be disqualified for extracting user information.

cablej | 8 years ago | on: Uber paid 20-year-old Florida man to keep data breach secret

As someone involved in bug bounties, this was completely different from a traditional bug bounty reward. Uber disguised this payment as a "bug bounty" to hide what it actually was -- a ransom payment to get the hacker to destroy the data. If this were truly under the realm of bug bounties, the hacker would have violated Uber's policies for exploiting the flaw and extracting information (the reward also exceeded Uber's top payout tenfold).

In short, the issue people are taking with Uber is that they tried to pass off a security breach as having taken proactive measures, while this was a case of ransom.
