
It actually works well in most places. Look up the term “common carrier”.

The trick is that the entity that owns the wires has to provide/upgrade the network at cost, and anyone has the right to run a telco on top of the network.

This creates competition for things like pricing plans, and financial incentives for the companies operating in the space to compete on their ability to build out / upgrade the network (or to not do that, but provide cheaper service).


Your second and third paragraph are contradictory.

Common carriers become the barrier to network upgrades. Always. Without fail. Monopolies are a bad idea, whether state or privately owned.

Let me give you 2 examples.

In Australia we had Telstra (formerly Telecom, formerly Auspost). Telstra would resell carriers' ADSL services, and they stank. The carriers couldn't justify price increases to upgrade their networks and the whole thing stagnated.

We had a market review, and Telstra was legislatively forced to sell ULL instead. So the non-monopolist is now placing their own hardware in Telstra exchanges, which they can upgrade. Which they did. Once they could sell an upgrade (ADSL2+) they could also price in the cost of upgrading peering and transit. We had a huge increase in network speeds. We later forgot this lesson and created the NBN. NBNCo does not sell ULL, and the pennies that ISPs can charge on top of it are causing stagnation again.

ULL works way better than common carrier. In Singapore the government just runs glass. They have competition between carriers to provide faster GPON. 2gig, 10gig, 100gig, whatever. It's just a hardware upgrade away.

10 years from now Australia will realise it screwed up with NBNCo. Again. But they won't as easily be able to go to ULL as they did in the past. NBN's fibre isn't built for it. We will have to tear out splitters and install glass.

The actual result is worse than you suggest. A carrier had to take the government/NBNCo to court to get permission to build residential fibre in apartment buildings over the monopoly. We have NBNCo strategically overbuilding other fibre providers and shutting them down (it's an offence to compete with the NBN on the order of importing a couple million bucks of cocaine). It's an absolute handbrake on competition and network upgrades. Innovation is only happening in the gaps left behind by the common carrier.


Common carriers have some upsides, but one downside is that it sometimes removes the incentive for ISPs to deploy their own networks.

I was stuck with a common carrier for years. I could pick different ISPs, which offered different prices and types of support, but they all used the same connection... which was only stable at lower speeds.


> This creates competition for things like pricing plans

If the common carrier is doing all the work, what’s the point of the companies on top? What do they add to the system besides cost?

Might as well get rid of them and have a national carrier.


The companies on top provide end user customer support, varied pricing models ("unlimited" data vs pay by the GB, etc), and so on. It allows the common carrier to focus solely on the network hardware.

They also sometimes own the machines in the field closets. So, anyone can rent 1U + a bunch of fiber endpoints for the same price. What you do with the slots is up to you. If there's a problem with the power or actual fiber optics, the common carrier fixes it. (Like a colo, sort of.)

They add value by producing complicated and convoluted contracts, full of gotchas, which cannot be compared easily.

It also makes it more vulnerable to legal, bureaucratic and technical threats.

Doesn't make much sense to me to abstract away most of the parts where an entity could build up its competitive advantage and then to pretend like healthy competition could be built on top.

Imagine if one entity did all the t-shirt manufacturing globally but then you congratulated yourself for creating a market based on altered colors and what is printed on top of these t-shirts.


This was a common way to do things before the telcos in the USA were deregulated in the 2000s and 2010s. At the time it was both internet and telephone but due to the timing of deregulation, it never really took off with real high speed internet, only DSL and dialup.

I used to work at a place that did both on top of the various telcos. We offered ‘premium service’ with 24 hour customer support and a low customer to modem and bandwidth ratio.

Most of our competitors beat us in price but would only offer customer support 9-5, and you might get a busy signal / lower bandwidth in the backhaul during peak hours.

There was a single company that owned the wires and poles, because it's expensive and complex to build physical infrastructure and hard to compete, but they were barred from selling actual services or undercutting providers because of their position. (Which depended on jurisdiction.)

It solved the problem we have now of everyone complaining about their ISP but only having one option in their area.

We have that problem now specifically because we deregulated common carriers for internet right as it took over the role of telephone service.


And private companies don't even have to be vulnerable, they can just do nasty things willy-nilly, because it might be profitable and they might get away with it. Yeah, there could be ones that don't suck, and then customers could pick those, but when there aren't, when they all collude to be equally shitty and raise prices whenever they can -- which they do -- people have no recourse. They do have recourse when it comes to the government.

And for some things it's just too much duplicated effort and wasted resources, T-shirts are one thing, because we don't really need those, but train lines and utilities etc. are another. I can't tell you where the "boundary" is, but if every electric company had to lay their own cables, there would only be one or two.

And in the opinion of many including mine, for example the Deutsche Bundesbahn got worse when it got privatized. They kinda exploited the fact that after reunification, there were two state railroad systems obviously, and instead of merging them into one state railroad system, it was privatized, but because it made more money for some, but not because it benefits the public, the customers. Of course the reasoning was the usual neoliberal spiel, "saving money" and "smaller government" but then that money just ends up not really making things better to the degree privatization made them worse.

Obviously not everything should be state run, far from it. But privatizing everything is a cure actually even worse than the disease, since state-run sinks and swims with how much say the people have, whereas a 100% privatized world just sinks into the abyss.


The in-world practice seems to have this worked out. I am working for such a provider right now and it is neither cash-starved nor suffocating under undue bureaucracy.

Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.

If we apply your analysis to other things, we’ll find that the upper bound price for a new car stereo or bike is ~ $100, and the price of any copyrighted good is bounded by the cost of transferring it over the network.

I think it is more useful to divide the amount Google paid by the number of hours spent on this and any unsuccessful exploit attempts since the last bounty was paid.

I’d guess that the vast majority of people in this space are making less than US minimum wage for their efforts, with a six figure per year opportunity cost.

That tells you exactly how much Google values the security and privacy of its end users. The number is orders of magnitude lower than what they pay other engineers to steal personal information from the same group of people.


> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.

> If we apply your analysis to other things

This analysis doesn't work for a few reasons:

* For physical goods, used items always fetch a lower price than new items due to unrelated effects. And if we're only looking at the used price, we do find that the black market price is just about equal to the used item's value minus the risk associated with dealing with stolen goods (unless the buyer is unaware of the theft, in which case the black market value is the same as the used value).

* For both physical and digital goods, there are millions of potential customers for whom breaking the law isn't an option, creating a large market for the legal good that can serve to counter the effect of the black market price. This isn't true of exploits, where the legal market is tiny relative to the black market. We should expect to see the legal market prices track the black market prices more closely when the legal market is basically "the company who built the service and maybe a few other agencies".


Bug bounty programs are not the only (or even primary) way that security researchers get paid. Google pays employees salaries to find vulns. Bounty programs are a pretty recent development and the idea that they should be scalable and stable well paying employment for a lot of people is a bit strange to me.

If security researchers want to have stable employment doing this sort of work, there's oodles of job applications they can send out.


> Bounty programs are a pretty recent development and the idea that they should be scalable and stable well paying employment for a lot of people is a bit strange to me.

So, the value to the researcher of having a found bug has a floor of the black market value.

The value to Google is whatever the costs of exploitation are: reputational, cleanup, etc.

A sane value is somewhere between these two, depending on bargaining power, of course. Now, Google has all the bargaining power. On the other hand, at some point there's the point where you feel like you're being cheated and you'd rather just deal with the bad guys instead.


That's not true because there is an economic cost for most people to committing crimes. "Hey you could make more money selling that on the black market" is not going to convince me to sell something on the black market.

Bounty programs are very much not trying to compete with crime.


The reputation angle shouldn't be dismissed: Google paying so little for this bug is the whole reason this article stays on the top page and gets so much discussion.

I don't know how much it should be worth, but at least there's a PR effect and it's also a message towards the dev community.

I see it the same way ridiculously low penalty for massive data breaches taught us how much privacy is actually valued.


If Google doesn't have the best reputation of any large tech company for security, it's in the top 3. This is not the nightmare scenario for Google that people think it is. It's a large payout for this bug class, so, if anything, what we're doing here is advertising for them.

It is a factor though. Most people will commit non-violent crime for a big enough payoff. Especially one where the individuals affected are hard to identify.

If my bug bounty is $10,000 and I can sell it for $20,000 then most people will take the legitimate cash. If it's $10,000 and some black market trader will pay $10,000,000 (obviously exaggerating) then a whole mess of people are going to take the ten million.


Except it's not "legitimate cash" and that's the point.

* Are you talking to someone legitimately interested in purchasing and paying you, or is this a sting?

* If you're meeting up with someone in person, what is the risk that the person will bring payment or try to attack you?

* If you're meeting with someone in person, how do you use $20k in cash without attracting suspicion? How much time will that take?

* If it's digital, is the person paying you or are the funds being used to pay you clean or the subject of an active investigation? What records are there? If this person is busted soon will you be charged with a crime?

There are a lot of unknowns and a lot of risks, and most people would gladly take a clean $10k they can immediately put in the bank and spend anywhere over the hassle.


It's not a crime to sell a bug. You can sell something like this to Crowdfense and receive money wired from the company (or cryptocurrency if you prefer anonymity).

It is not intrinsically a crime to sell a bug, but if you sell a bug and it can be demonstrated you reasonably knew the buyer was going to use it to commit a crime, you will end up with accessory liability to that crime. Selling vulnerabilities is not risk-free.

This is another reason why the distinction between well-worn markets (like Chrome RCEs) and ad-hoc markets is so important; there's a huge amount of plausible deniability built into the existing markets. Most sellers aren't selling to the ultimate users of the vulnerabilities, but to brokers. There aren't brokers for these Youtube vulnerabilities.


There's not a standard price in a list, but you can absolutely sell a platform exploit to a broker.

Say more. What do you mean by "platform exploit", and which brokers are you talking about? I am immediately skeptical, but it should be easy to knock me down on this.

The "legitimate cash" option is the bug bounty without the risk. I think you are saying the same thing.

You have discovered the one real practical application of crypto.

I wonder what your definition of crime is.

Legally, in most places of the world it isn't.

Morality differs among people too. Profiting off a trillion dollar company will not cross the line for a lot of people.


Most people have an intuitive sense to ask themselves questions like "If I do this, will someone be harmed, who, how much harm, what kind of harm, etc.", that factors into moral decisions.

Almost everyone, even people without a moral sense, have a self-preservation sense- "How likely is it that I will get caught? If I get caught, will I get punished? How bad will the punishment be?" and these factor into a personal risk decision. Laws, among having other purposes, are a convenient way to inform people ahead of time of the risks, in hopes of deterring undesirable behavior.

But most people aren't sociopaths and while they might make fuzzy moral decisions about low-harm low-risk activities, they will shy away from high-harm or high-risk activities, either out of moral sense or self preservation sense or both.

"Stealing from rich companies" is just a cope. In the case of an exploit against a large company, real innocent people can be harmed, even severely. Exposing whistleblowers or dissidents has even resulted in death.


> Most people have an intuitive sense to ask themselves questions like "If I do this, will someone be harmed

How much time do you spend asking yourself whether your paycheck is coming from a source that causes harm? Or whether the code you have written will be used directly or indirectly to cause harm? Pretty much everyone in tech is responsible for great harm by this logic.


...has even resulted in death

I wish developers (and their companies, tooling, industry, etc.) creating such flaws in the first place would treat the craft with a higher degree of diligence. It bothers me that someone didn't maintain the segregation between display name / global identifier (in YouTube frontend*) or global identifier / email address (in the older product), or was in a position to maintain the code without understanding the importance of that intended barrier.

If users knew what a mess most software these days looks like under the hood (especially with regard to privacy) I think they'd be a lot less comfortable using it. I'm encouraged by some of the efforts that are making an impact (e.g. advances in memory safety).

(*Seems like it wouldn't have been as big a deal if the architecture at Google relied more heavily on product-encapsulated account identifiers instead of global ones)
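The footnote above suggests product-scoped account identifiers in place of one global identifier. As an added example (not Google's code or architecture; the product names, keys and sample accounts are all constructed), here is what that design looks like: each product exposes an HMAC-derived pseudonym of the global id under its own key, so an identifier scraped from one product's frontend cannot be fed to another product's lookup API to recover an e-mail address.

```python
"""Product-scoped account identifiers (added example, constructed data).

One global id per account exists only in the backend directory.  Each product
hands out its own pseudonymous id, derived as HMAC-SHA256(product_key, global_id):
deterministic within a product, unlinkable across products without both keys,
and not reversible to the global id.  Product names and keys are hypothetical.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample directory.  global_id and email must never leave the backend.
ACCOUNTS = [
    {"global_id": "acct-1001", "display_name": "alice_vids", "email": "alice@example.com"},
    {"global_id": "acct-1002", "display_name": "bob_clips", "email": "bob@example.com"},
]

# Constructed per-product keys.  In a real deployment these live in a KMS and are
# reachable only by that product's backend, never by a frontend.
PRODUCT_KEYS: Dict[str, bytes] = {
    "video": b"constructed-key-for-video-product-0001",
    "legacy": b"constructed-key-for-legacy-product-0002",
}


def scoped_id(product: str, global_id: str) -> str:
    """The identifier `product` exposes for an account: 128 bits of HMAC output."""
    mac = hmac.new(PRODUCT_KEYS[product], global_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def public_channel_view_weak(account: dict) -> dict:
    """The design the comment complains about: the frontend exposes the global id."""
    return {"display_name": account["display_name"], "channel_id": account["global_id"]}


def public_channel_view(account: dict) -> dict:
    """Hardened frontend response: display name plus a video-scoped id only."""
    return {"display_name": account["display_name"],
            "channel_id": scoped_id("video", account["global_id"])}


def legacy_lookup_weak(identifier: str) -> Optional[str]:
    """Legacy product keyed on the global id: any global id resolves to an e-mail."""
    for a in ACCOUNTS:
        if a["global_id"] == identifier:
            return a["email"]
    return None


def legacy_lookup_scoped(identifier: str) -> Optional[str]:
    """Hardened legacy product: keyed on its own scoped id.  Only an id the legacy
    product itself issued (derived under the legacy key) resolves here."""
    for a in ACCOUNTS:
        if hmac.compare_digest(scoped_id("legacy", a["global_id"]), identifier):
            return a["email"]
    return None


def cross_product_join_weak(channel_id: str) -> Optional[str]:
    """Attacker path with global ids: video-frontend id -> legacy lookup -> e-mail."""
    return legacy_lookup_weak(channel_id)


def cross_product_join(channel_id: str) -> Optional[str]:
    """Same attacker path with scoped ids: the video-scoped id means nothing to legacy."""
    return legacy_lookup_scoped(channel_id)


if __name__ == "__main__":
    weak = public_channel_view_weak(ACCOUNTS[0])
    hard = public_channel_view(ACCOUNTS[0])
    print("global-id design, join result:", cross_product_join_weak(weak["channel_id"]))
    print("scoped-id design,  join result:", cross_product_join(hard["channel_id"]))
```

The point of the example is the asymmetry: the legacy backend can still resolve ids it issued itself (it holds the legacy key), but an identifier harvested from the video surface is useless against it. The weak variant is kept side by side to show where the join succeeds when both products share the global id.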


Selling a bug is not a crime.

> Bounty programs are very much not trying to compete with crime.

Nor did my post posit this.

Bounty programs should pay a substantial fraction of the downside saved by eliminating the bug, because A) this gives an appropriate incentive for effort and motivates the economically correct amount of outside research, and B) this will feel fair and make people more likely to do what you consider the right thing, which is less likely if people feel mistreated.


Should this be true only for vulns, or all bugs? If I as a third party find a bug that is causing Google to undercharge on ads by a fraction, should Google be obligated to pay me a mountain of cash?

Is there any evidence that OP feels that this payout was unfair?


> If I as a third party find a bug that is causing Google to undercharge on ads by a fraction, should Google be obligated to pay me a mountain of cash?

No, but Google should understand that if they give a token payment, people will be less likely to help in future situations like this. And might be inclined to just instead tell ad buyers about the loophole quietly.


How do you propose to calculate "the downside saved by eliminating the bug" - ideally in general, but I'd be curious to see if you could do it even for the specific bug discussed in this article.

Organizations price future, nebulous things all the time.

Imagine a possible downside or two, imagine a probable risk, multiply, discount.


Sure, but give some specific values. What potential damages and potential risk multiply to more than $10k?

Prominent YouTuber doxxed and killed; terrible press prolonged for an extended period by litigation. 1 in 5000 but very high cost.

Large scale data leak and need for data leak disclosure. 1 in 3, moderate cost.

Bug report saving engineering time by giving clear report of issue instead of having to dig through telemetry and figure out misuse and then identify what is going on, extents of past damage, etc. 3 in 4.


You think that being able to get someone's email address (most likely a business email but let's pretend it's a personal email) has a 1 in 5,000 chance of being turned into enough personal information to track down AND that someone would use it to kill someone?

Millions of usernames and emails are leaked every month; if this was the case you'd be seeing these murders in the news every week.


As mentioned by thread starter, you can also sell to some national security agency. That way, you're doing your patriotic duty and making a buck. So Google has an incentive to at least beat those offerings.

I think the right comparison to make here is art. The compensation floor is zero, and, in fact, that's what most vuln research pays.

Most other fields produce things that can be sold in the legal market - and so the value of those things can be determined by the market.

>Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.

What you’re saying can be seen as tautological. The reason a gray/black market exists is precisely because the field is undercompensating (aka in disequilibrium)


> and the price of any copyrighted good is bounded by the cost of transferring it over the network

It sure has worked out pretty much like this for music. The cost is not exactly zero, but pretty close to that.


> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.

They're buying exclusive access to some information, which is a somewhat unusual thing to pay for.

News reporters do take spicy stories to tabloids, rather than the normal press, as the tabloids will pay more.


They mentioned the grey market a couple of times, although some of their examples did seem like applications that would be more useful for the black market.

Anyway, I’m not 100% sure what they meant by grey market. It looks like they were talking about maybe selling to “agencies” which, I guess, could include state intelligence agencies. If that’s what they meant, it wouldn’t be that surprising to find that the black market and grey market prices influence each other, right?

I mean we could ask our intelligence agencies why they are shopping in the same markets as criminals but I guess they will say something like “it is important that we <redacted> on the <redacted>, which will allow us to better serve the <redacted> and keep the <redacted> safe.”


Yep, I came to the same conclusion. The payments from bug bounties and the uncertainty of payment just aren't worth it. It's like taking a fixed-price contract and adding in a gambling element to get paid. Fixed price, I learned, was bad enough if you want to make anything as a software engineer. This is even worse though.

I mean, the technical skills in the article here are basic. But the first finding was significantly good luck, and having the background to know to look towards old Google services for the ID to email part was non-obvious. You would need a lot of high-quality, guiding knowledge like that to make bug bounties work. Still, seems like a very high starting cost.


We already know what will happen. The US goods will be priced to match the price of foreign goods with tariffs and zero money will be spent investing in future production capacity in the US.

We know this will happen because it is what always happens when countries impose punitive tariffs on foreign goods. Later, the domestic industry collapses and the tariffs are lifted.


Very little of what this administration says matches their actions.

Early Leafs ate batteries, so the really cheap used ones often need a potentially unavailable replacement battery.

You can easily get a used EV in good working order for under $15K though: https://insideevs.com/features/715984/best-used-evs-on-a-bud...


I've supported others that use RHEL. If you like software archeology, it's the OS for you:

> This bug was fixed in 2002, then regressed in 2005 and fixed again in 2007 in mainline, but in RHEL, they botched the '02 and '05 back port, so '02 breaks it, but '05 doesn't. Now, let me tell you about secondary effects of patches in unrelated subsystems. We have three interesting "type A" examples introduced in ...

> ... and that's why it's completely acceptable to run half the fortune 500 off of Linux 2.6.19-RHEL.... in 2025.

> What, you're running 2.6.20? What a hoot!!! We like to kid. You're not serious? You are? You work at the local nuclear plant?

> backs out of conference room slowly, then bolts down the hallway screaming "run for your lives!" once they have clear view of the elevator


> What, you're running 2.6.20? What a hoot!!! We like to kid. You're not serious? You are? You work at the local nuclear plant?

The local nuclear power plant is hopefully not connected to the internet. It shouldn't be surprising that such systems run old software.


Not all mission critical bugs are security holes.

Is a system that has been working fine for 10 years more, or less likely to have a mission critical bug than a system rebuilt on 4 month old code?

HN tends to think a lot about what's good practice for hyperscalers with massive profit margins and capital expenditures, and not as much about what's good for industries where margins are thin and downtimes have massive real-world consequences.

What kind of software architecture do you suggest for, say, the embedded OS on a bus-sized, $200 million ASML EUV lithography tool? Do you really think it's a great idea to pull every update without recertification to the control systems of that nuclear power plant, or the system that renders MRIs at the radiologist?

I'm not saying let them rot for decades, but caution is prudent sometimes.


FWIW I 100% concede that there are uses for LTS systems. For things where active development means releasing a new product that customers replace their old one with, go for it. For systems not under active development like a nuclear plant control system, go for it.

I don’t think those audiences make up a significant mass of HN readership, so my comments aren’t targeted at them. For your SaaS company with 20 services and growing? You will have less pain from constantly upgrading than you will from adopting LTS releases.


There was a similar effect during the dot com boom / crash.

Everyone and their dog got a CS degree, and the average quality of that cohort was abysmal. However, it also created a huge supply of extremely talented people.

The dot-com crash happened, and software development was "over forever", but the talented folks stuck around and are doing fine.

People that wanted to go into CS still did. Some of them used stack overflow and google to pass their courses. They were as unemployable as the bottom of the barrel during the dot com boom.

People realized there was a shortage of programmers, so CS got hot again for a bit. Now LLMs have hit and are disrupting most industries. This means that most industries need to rewrite their software. That'll create demand for now.

Eventually, the LLM bust will come, programming will be "over forever" again, and the cycle will continue. At some point after Moore's law ends the boom and bust cycle will taper off. (As it has for most older engineering disciplines.)


I've seen hype cycles like this before.

Imagine "The Innovator's Dilemma" was written in the Idiocracy universe:

1) We're in late stage capitalism, so no companies have any viable competition, customers are too dumb to notice they didn't get what they paid for, and with subsidies, businesses cannot fail. i.e., "Plants love electrolytes!"

2) Costs are completely decoupled from income.

3) Economic growth is pinned to population growth; otherwise the economy is zero sum.

4) Stocks still need to compound faster than inflation annually.

5) After hiking prices stops working, management decides they may as well fire all the engineers (and find some "it's different now" excuse, even though the real justification is 2).

6) This leads to a societal crisis because everyone forgot the company was serving a critical function, and now it's not.

7) A new competitor fills the gaps, takes over the incumbent's original role, then eventually adopts the same strategy.

Examples: Disney Animation vs. Pixar, Detroit vs. Tesla, Boeing vs. SpaceX.

(Remember when Musk was cool?)


I'm not old enough to remember these, but they were certainly more disruptive than AI has been so far (reverse chronological order):

- The word processor

- The assembly line

- Trains

- Internal combustion engines

I do remember some false starts from the 90's:

- Computer animation will put all the animation studios out of business

- Software agents will replace all middlemen with computers


But hey, I bet the metrics are up this year!

You can no longer disable it without breaking CarPlay, and it's started randomly activating when I press the power button on my phone while CarPlay is on.

My theory is that typing a GPS destination into my car dashboard at a stoplight is too dangerous, and typing it on a phone keyboard is also too dangerous, but unlocking the phone, frantically yelling “cancel” until you find the “STFU Siri” button on the steering wheel, dismissing random useless carplay displays and THEN typing the address into the phone is completely safe.

On a related note, they keep adding more distractions to the apple maps carplay screen. The other day, I was at an intersection, and the map rendered the sidewalks similarly to the road. It knew I was driving. Does it think using sidewalks as shortcuts is legal or something?

