Domain: linkedin.com
Stories and comments across the archive that link to linkedin.com.
Comments · 590
-
Derek Khanna - Geek
He is one of us - look at his linkedin profile
http://www.linkedin.com/in/derekkhanna
• C++, Backtrack, Python, Sql, Java, Dreamweaver/Photoshop, statistical modelling.
• Building computers and beta testing software (Microsoft Office 2013, Windows 8 etc.).
Unless we stand up for him, no one else will ever dare write about copyright reform in the future.
This needs to be something like fight against SOPA.
-
also he speaks arabic
-
Re:Experience writing this exact thing
I wrote it too in the past. Add me in my linked.in if you would like to have my contact. http://pt.linkedin.com/pub/rui-ribeiro/16/ab8/434/
-
Re:I call BS on this
so who was walking around piecing tiny bits of paper together in the middle of the parade?
Ethan Finkelstein
.. apparently.
FTFA: Nassau County Police Department Inspector Kenneth Lack said in a statement the department "is very concerned about this situation." "We will be conducting an investigation into this matter as well as reviewing our procedures for the disposing of sensitive documents," he said.
I'd guess this guy:
http://www.linkedin.com/pub/lack-kenneth/9/6b4/115
So apparently not a standard internet myth, but an especially well contrived internet myth.
-
ISP management
I was in your position some years ago. I also know that our main operator wasted millions in Incognito software just to throw it away, and ended up paying millions to Microsoft. Obviously not the average "small ISP", but I hope you get across my point. Small/medium ISPs end up writing their own custom software, because there is not a specialized/vertical package that works as it should. I ended up doing that too, and connecting my software to an in-house developed ERP package. Check my profile in linked.in. Regards, http://pt.linkedin.com/pub/rui-ribeiro/16/ab8/434/
-
Re:idiot?
You can see all the companies she worked for here.
-
Re:So it's Chinese
all their employees are from finland according to linkedin
http://www.linkedin.com/search/fpsearch?companyId=2649185&sortCriteria=R&keepFacets=&facet_CC=2649185
-
Re:Not biased at all...
So the founder and president [of] Taodyne submits a "story" extolling the virtues of Taodyne's latest program/thingie and this actually makes it onto Slashdot? Am I really expecting too much of Slashdot by thinking that this shouldn't happen? I mean the entire summary is blatantly written like an advert -- perhaps you could say the guy isn't trying to deceive anyone since it's obvious to anyone looking (eg. me) what's going on, but is that really a good direction to go in? Is even the barest of journalistic integrity a lost cause on this site?
How is the fact that I'm the founder of Taodyne making the story irrelevant to Slashdot readers? What would have been unethical would have been to ask a friend to submit the story for me.
Of course, I'm biased. I've put years of my life into creating what I believe is the first interactive 3D document description language. I think that this is relevant to Slashdot readers. Remember, "News for nerds"? Our first tag line was "3D presentation software for geeks", it's still in my Slashdot signature.
My idea of being a "nerd" is not "I will the (N+1)-th post to rant about how big corporations are evil". Mine is "I will create this bleeding edge 3D language so that uber-geeks can use live tweets as bullet points next time they talk about some hot topic." YMMV. Don't like what we did? Feel free to not use it.
-
Not biased at all...
So the founder and president [of] Taodyne submits a "story" extolling the virtues of Taodyne's latest program/thingie and this actually makes it onto Slashdot? Am I really expecting too much of Slashdot by thinking that this shouldn't happen? I mean the entire summary is blatantly written like an advert -- perhaps you could say the guy isn't trying to deceive anyone since it's obvious to anyone looking (eg. me) what's going on, but is that really a good direction to go in? Is even the barest of journalistic integrity a lost cause on this site?
-
Re:Let's NOT look back.
There are several investor websites that have SCO/SCOX/DarlWatch forums, particularly in Utah. If you want to keep track yourself, either to drop him a note or make sure you never ever invest in anything he touches, here is his LinkedIn page. He describes himself as an Entrepreneur at Me, Inc. whose mission is to "Incubate, design and build companies that deliver smart phone, social and cloud-based applications."
-
Re:interview for a job
I disagree. My resume is very flowery, but Microsoft didn't dare to call me
;-)
-
Re:80% of newspaper income from legal notification
You want to see an incumbent business model act like a pack of pissed-off wolverines? Watch the small-paper lobby go to town when a state legislature suggests that putting legal notices online might -- might! -- be more efficient.
That just happened in Texas. The newspapers won, this time.
In Illinois, there's a real battle. The newspapers have their own lobbying site. Several bills are pending in Virginia and the newspapers there are frantically lobbying.
-
Re:Something tells me...
... they would rather see you translate Jolla as "Lifeboat," rather than "Dinghy."
From Jolla's LinkedIn page:
"We're sorry but the company you are looking for does not exist."
From a life boat one would at least expect it to float.
-
Re:what about USB keyboards / mouses?
Comments like the parent and the grandparent irk me... Information Assurance is not the personification of "Mordak, the preventer of information services." Sometimes IA policies really do make sense.
I have worked in the world of DoD information assurance (really, I have, see http://www.linkedin.com/in/ericgearhart), and I completely disagree with what you're saying. Your example is built on the premise that the guys on this ship will be connecting to DoD information systems... that's simply not what the original poster is asking.
Think about what you're saying... you wanted to set up a "private wifi" in order to allow instructors to monitor simulations. Don't you think that's sensitive data? If someone brute forced or rainbow tabled that WiFi access point's WPA2 key (you're using WPA2 pre-shared keys, right?) and got onto that private wifi network, wouldn't the data they could siphon off be valuable?
No, there was no sensitive information that would have been transferred on that simulation. If you're familiar with DIS or HLA, you'll know that they have methods for handling networked simulations with various levels of classification. For instance, you could have an airline pilot flying in the same virtual environment as a B2 bomber, and they will filter the data he receives to prevent classified information from being divulged. And in this particular case, the information would have been limited to things like the lat/long of the aircraft, the weapons loadout, and other information that is not classified. In fact, most of the information we wanted to give to the instructor was the status of any hardware faults that had been introduced in the simulation and a student's action log, indicating what buttons were pressed in the crew station. Nothing classified whatsoever. Also, this particular network was in a fenced off area on the post, with a 1 mile drive from the security gate to the buildings.
I wasn't trying to say that the crew members should not be able to access the internet in their quarters, or that they would be able to access classified systems on such a network. I was saying that the network should go through the DoD and not some third party VPN company. I have nothing against IA. It is an important part of the security of the military, and the government as a whole. Which is why I do not believe that this person should continue with his plans.
-
Re:what about USB keyboards / mouses?
Comments like the parent and the grandparent irk me... Information Assurance is not the personification of "Mordak, the preventer of information services." Sometimes IA policies really do make sense.
I have worked in the world of DoD information assurance (really, I have, see http://www.linkedin.com/in/ericgearhart), and I completely disagree with what you're saying. Your example is built on the premise that the guys on this ship will be connecting to DoD information systems... that's simply not what the original poster is asking.
Think about what you're saying... you wanted to set up a "private wifi" in order to allow instructors to monitor simulations. Don't you think that's sensitive data? If someone brute forced or rainbow tabled that WiFi access point's WPA2 key (you're using WPA2 pre-shared keys, right?) and got onto that private wifi network, wouldn't the data they could siphon off be valuable?
Setting up a completely separate WiFI network *that does not have any DoD sensitive data flowing over it* and is only connected to via personal information systems (laptops, desktops, tablets, phones, whatever) is perfectly acceptable.
Even your original premise, that "wifi is the devil according to IA" is untrue - there are wireless STIGs (Security Technical Implementation Guides - basically they define how information systems are to be implemented on DoD networks) that cover a variety of wireless situations... nevermind USB devices, there's even one that covers the use of wireless mice and keyboards!
http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html
http://iase.disa.mil/stigs/net_perimeter/wireless/wireless_net.html
-
Start a Dialog with Mrs. Moore
Mrs. Moore seems to be well educated in the political science of this era and her political outlook seems to be leftward leaning, perhaps a meaningful conversation could be had. If Mrs. Moore needs better information on how the Internet and in particular the FREE internet functions, perhaps some of you /.ers can provide her with the proper instruction. Also for those of you who have the desire to educate Congress, she could be the conduit. (This in no way implies any malicious acts or negative attention for Mrs. Moore.)
Stephanie Y. Moore, Minority Counsel, House Subcommittee on Intellectual Property, Competition, and the Internet
(202) 225-3951
Stephanie.Moore@mail.house.gov
LinkedIn
Salary includes gifts and such gained via lobbying.
Education: Oberlin 1982 BA; Harvard 1985 JD
Career: Counsel, Committee on the Judiciary, United States House of Representatives; Counsel, Subcommittee on Commercial and Administrative Law, Committee on the Judiciary, United States House of Representatives, Subcommittee on Intellectual Property
-
not just some random staffer
From the title on her LinkedIn page, she most likely represents the establishment position.
-
Re:Bill Gates caused irrepairable harm to mankind.
WOW, you are a real asshole! You need to get laid, badly, but after seeing what you have to offer the ladies that just isn't going to happen. Suggest you go back to Russia and fuck yourself with a vodka bottle.
-
Movie / entertainment or real time visualization
There are many job postings I've come across in the movie and entertainment industry for people with CUDA, Cg, OpenCL, OpenGL, with strong math and physics skills. Also virtual reality and realtime visualization industries also have a need for programmers with a strong physics, math education along with CUDA and parallelization.
In my last job we used a guy to do the hair / mane for the horse. I found this work very rewarding
http://www.youtube.com/watch?v=6L8FsMJQaJs&
We also worked with Disney/Pixar to have Turtle Talk (from Finding Nemo) in several Disney theme parks.
http://www.youtube.com/watch?v=c-HfSSNSnFs
Often I would see something of the Disney Animation web site. Also check Dreamworks and other studios.
Disney (I see the CUDA coder need pop up once in a while)
https://careers.disneyanimation.com/job_groups/
nVidia themselves
See LinkedIn here
Keep looking for what will make you truly happy. Don't settle if you don't have to
:-)
-
Re:LinkedIn bashing?
Because they admit that the accounts were compromised:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
and they blame the users (remember: they were compromised, not the users !):
http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/
While our investigation continues, we thought it would be a good idea to remind our members that one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites.
Why should I change my password if I use it only on their site ?
A lot of sites implement new kinds of input boxes, where your browser cannot save the password !
It's humanly impossible to remember all passwords.
-
LinkedIn has just confirmed the breach
-
There's this talk from DEFCON
There's this DEFCON talk by this guy.
-
Re:Candice Shwagger has more problems now
Ahhh but she also claims she is an attorney on her linkedin profile, which I submit she is not, as she is not a member of the bar, (look it up yourself, just punch in her name.) http://www.linkedin.com/in/candiceleonardschwager "Attorney / Consultant at The Schwager Law Firm" and "Bachelor of Arts, Psychology; Philosophy 1992 – 1994" and double major B.A.'s in 2 years? I highly doubt it.
-
Is she even a member of Texas state bar???
Why should we or anyone else believe her claims? Does she offer legit proof of her claims? She just threatens? I can't find her listed as a member of the bar, but I have little knowledge on these issues. If someone would please clarify. I used info/claims from her linkedin profile, and just searched her on the state bar website. I'm just thinking it is easier to make a bunch of websites claiming any what all you want and threaten people, than it is to do actual work. Maybe it is all true, and I'm a jerk for not believing it. But why should I? If I wanted sympathy disabled children is just ahead of orphan, blind puppies. And she is from Texas . . . http://www.linkedin.com/in/candiceleonardschwager Just my (reasoned, somewhat) speculations. -dr:u
-
Re:How
Here is her linkedin page... http://www.linkedin.com/in/candiceleonardschwager
-
Chrome OS Technical Account Manager wanted
"It surprises me they are still working on Chrome OS"
Yea, they should stick to search and let OS design to the professionals, industry standards like Microsoft Windows 3, 4, 5, 6, 7, 8, Windows 95, 98, NT, Windows 2000, 2001, 2002, 2003, XP, Vista, Windows 7, Windows 8. I mean just how long is it going to take Google to get it right - huh !!
"Manage strategic Chrome OS partnership with large PC hardware manufacturers and network operators". link
-
The Paper
this is just some unfounded rumor that has no basis on reality
It's more than a rumour, it's a research paper from some forensics experts that has been submitted to a conference. Of course, that does not mean that it is correct, and afaik it has not been published yet.
The PDF (found via xbox-experts.com):
Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives
The relevant text shows that they just got a credit card hit from some forensics tool:
Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].
The authors appear to have credible prior experience in digital forensics:
Dr. Ashley L. Podhradsky, Drexel University
Dr. Rob D'Ovidio, Drexel University
Cindy Casey, Drexel University
They have published work on XBOX 360 previously, so they may have some experience in this specific area (or not):
The Xbox 360 and Steganography: How Criminals and Terrorists could be Going Dark
A Practitioners Guide to the Forensic Investigation of Xbox 360 Gaming Consoles
-
Silly, this is the future of ambient social apps
Its going this way anyway. Change the app to show everyone and add all sorts of filters like distance, type of establishments shown, by birthday, by sex, interests, etc and this would have snuck past them all. This is what ambient social networking is all about. Giving you a way to find people locally with the same interests and equally willing to share those interests with the world. Already happening within a slightly more limited scope http://www.linkedin.com/groups?about=&gid=4260730&trk=anet_ug_grppro
-
Re:Please stick to "news", Slashdot
Hahahahahahahahahahahaha! Turns out you're an iPhone developer. Stockholm syndrome?
-
Re:BSA is a total fuck up, period
-
Re:Man whose job relies on the scientific method..
He was an IT guy with no degree in CS (but he does have an education degree from Bob Jones University!). Probably not too many people less bright than him at JPL. Not that there is *anything* wrong with being an IT guy, or that you can't be a brilliant one, but he does not appear to be an example of such.
-
How not to be anonymous on the Internet ..
`Based on information provided by the CW, and based on a transcript of Internet chats recorded by the FBI, I know that on or about August 4, 2011, the CW and an individual using the online nickname "palladium" exchanged private chat messages over the Internet. During the chat, the CW and palladium discussed the theft of Palladium's online by another individual. Palladium inquired what he could do to prove his identity to the CW and stated, "I can post some info I have from really old opps," meaning prior computer hacking activity.
Palladium continued, "I can explain something about the sun" and "I can give you some info I still have from the first fox LFI [hack]." Later in the chat, the CW asked if certain IP address (the "Palladium Address") was used by palladium, to which palladium responded that the "ip [address] looks like a wifi I connect from." The CW also asked whether palladium uses "Perfect Privacy," a virtual private network service located in Germany, to which palladium responded, "Yes I use that vpn."' scribid
"Currently looking for internships / summer work in the InfoSec industry". linkedit
-
Re:Maybe...
"I think a number of the engineers who end up working there do so out of an impression that Google represents the moral high ground in th software industry at the moment."
Well judging by the previous places he's worked this guy wouldn't know a moral high ground from a quagmire. Real name policy strikes again.
-
Jim Collison
Jim Collison
http://www.businessinsurance.com/article/20111206/NEWS07/111209935
"Employers should not fear the EEOC warning. In fact, employers should use it to focus their attention on identifying the actual essential qualifications needed to perform a job...and how to assess whether or not a candidate has these qualifications. Because education has been so dumb-downed in the last 50 years, a high school graduation diploma or a high school equivalency certification simply is not evidence that an individual possesses the essential qualifications to perform a job. The same is true for many if not most post high school degrees. Check out the new book "Academically Adrift: Limited Learning on College Campuses" by Richard Arum and Josipa Roksa. Also check out the new Skills Gap research report from A.C.T. showing that just having a diploma or certificate is no evidence an applicant possesses the foundational skills of reading for information, locating information, and applied math needed for almost every job today. Jim Collison, President, Employers of America, Inc."
-
Re:MS Taking Aggressive Steps Against MALWARE On A
Is MS too stingy to pay for good liars?
Apparently not: David Sell, Senior Software Engineer, Microsoft.
Not that I'm saying he's a good liar. Or is he a bad truth-teller? I'm confused now - which is the more litigious or offensive? Anyway, it's a heck of a coincidence. So don't buy a Windows phone if you want to fuck about with it. Or buy one because it's a challenge. Choices, choices...
-
Re:Microsoft Succeeded
Since this is Slashdot, I expect the above well-written post to be marked flamebait within 10 minutes, because it dared to speak well of Microsoft.
I wonder if it's David Sell that typed that...
M.
-
Re:Imagine..
I think it's actually two women. I think this is one of them: http://www.linkedin.com/profile/view?id=858297
The other doesn't appear to have a LinkedIn account.
-
LinkedIn?
Is this his LinkedIn presence? I wonder if people will rush to disassociate from him now...
-
Paul Christoforo's LinkedIn Page
http://www.linkedin.com/pub/paul-christoforo/1/295/835
Feel free to use his LinkedIn page to contact those he knows to bring attention to this situation.
-
game-based learning
If gaming is the distraction, perhaps the better way to hook the kids would be through game-based learning - see http://www.linkedin.com/groups?gid=155852
-
Re:This will get lecture book publishers crying
And it looks like his was last year: http://www.linkedin.com/in/sjhillman
-
Re:What exactly is Mozilla spending $100M on?
Interesting, from the CFO's LinkedIn profile
MOZILLA - 2005 - present
--CFO
--Called in to create the financial structure for Mozilla Corporation (Business Week's profile of them:
Mozilla Corporation provides Internet solutions. It offers Firefox, a Web browser; Thunderbird 2, an email application; Raindrop, a prototype messaging tool, which enables users to manage a stream of messages coming from sources, such as Twitter and Facebook into their email; and Rainbow, a developer prototype that brings video and audio recording to Firefox 4. The company also provides Bugzilla, a bug tracking system that helps users to manage software development; Camino, a Web browser; and SeaMonkey, an application containing a Web browser, HTML editor, and Web development tools, as well as solutions for mobile phones. In addition, it operates an online store that provides apparel. The company is based in Mountain View, California. Mozilla Corporation operates as a subsidiary of Mozilla Foundation.
Dunno, I guess they're keeping those 500 people busy, but like a lot of things in this space, I just don't quite get it. Maybe I just don't do the things they're trying to address...
-
Re:"second most popular Debian-based distro" my as
The Distrowatch page hit rankings are very misleading. When I was using PCLinuxOS 2007 (and the two releases before it), it was ranked #1 on the PHRs for almost a year. But, Ubuntu had significantly more downloads during that period and I consistently encountered more Linux users using Ubuntu than any other distro. On their forum individuals would occasionally post messages encouraging users to go to Distrowatch and click on PCLOS. Dittos for the Mandriva forum, which I used after PCLOS. I prefer the KDE desktop and I switched to Ubuntu's orphan brother, Kubuntu, in Feb of 2009.
Since its release Ubuntu has been the most downloaded, most installed and most used version of Linux. And, it remains so today, despite the feelings of some Gnome users who dislike Unity. The reasons are simple.
First, Shuttleworth has invested about $10M/year of his own money into Ubuntu's development, marketing and support. It's been pre-installed by OEM more than any other Linux distro. I don't know of any other distro maker who is investing that kind of money in their product.
Second, until recently, Shuttleworth paid for the cost of mailing an install CD to anyone who asked for it, and he supports the Ubuntu forum, which has a message volume several times larger than any other forum, regardless of the distro it supports. Compared to Ubuntu, all other distros are literally on welfare, in terms of their financial support, except for Fedora and SUSE, and who knows how long SUSE will last. Mandriva can't sell enough commercial boxed sets or ISOs to keep their doors open.
Third, with Natty and beyond, Canonical has Ubuntu offering more than just a distro, they have added content and services as well. While I don't run a Unity desktop I am using Ubuntu One's equivalent of DropBox, which I also use. Canonical has done more marketing and published more ads than any other distro maker. And, Canonical has and is doing advertising in Linux magazines as well as on several very popular Linux blogs. BUT, Canonical is now advertising for a "Product Marketing Manager, "to lead the marketing charge of establishing Ubuntu as a core piece of technology in businesses and supporting the efforts to provide for-pay services to those users." IF Shuttleworth wants Ubuntu to be more than self-supporting and actually make a profit that is something they have to do.
Fourth, these are difficult economic times. The market is trending toward tablets and smartphones, at the expense of desktops and laptops, although neither of those two will disappear any time soon. But, supporting the development and maintenance of distros for each of those platforms is costly, time consuming and overlapping. The current solution appears to be to create a desktop GUI which automatically detects the hardware it is being installed on (nothing new there) and then configure a common desktop interface so that regardless of what is before the user: desktop, laptop, notebook, netbook, tablet or smartphone, the user experience will be the same. This approach will end up releasing an ISO which is small enough to install on a smartphone, but with the aid of a network connection will download additional utilities and applications to fit the larger devices.
While problems often get a lot of press time because the press likes controversy, the Gnome vs Unity blow out will resolve itself the same way the KDE 3.x vs KDE 4.x did, and for the same reasons: software technology advances with the hardware. Now, you hear little from those who whined a lot about KDE 4, because KDE 4.7.x has made believers out of the majority of them. I am now running KDE 4.7.3, and it is far more powerful and easier to use than any previous desktop I've ever run, since I bought an Apple ][+ in the summer of 1978. When I am called upon by some XP, VISTA or Win7 users to help them out of their computer problems I immediately feel shackled in what I am allowed t
-
What more do you expect ...
... from a corporate whore, bought and paid for? Look up her LinkedIn profile. Furthermore, her daddy is a prominent, Big Business-friendly judge. 'Nuff said.
-
Re:"Often posts"?
TFA doesn't even mention Mark Langsdorf. His LinkedIn profile still shows him employed at AMD, and so does his homepage. So where did the news that he's been sacked come from?
-
Re:Is it just me...
(my professors words "Google has made the investigators life so much easier, 15 years ago you needed high level access to gather this kind of information, now it's just the right search terms")
Professors are famous for making sound bite pronouncements like this. They try to sound dramatic and relevant.
Andrew (Drew) Fabbro. Took a little bit (15-20 minutes) but I finally got you. Here's your LinkedIn, complete with your name, picture, and every job you've worked at for the last twenty years. I'm sure there's plenty more info on you out there. I looked for "afabbro" on the web, but too many hits came up, and that was just a dead-end. So, I started looking through your slashdot comments, and noticed the preponderance of Oracle posts, and did some search terms with "afabbro" and "oracle" and eventually found your LinkedIn profile, which matches your slashdot profile. I even matched your LinkedIn photo with this video from your Youtube account that I had found earlier. Oh, and here's your MySpace account, as well. You also live near the Glendoveer Golf Course, judging by the editorial you sent into your neighborhood paper.
And I've never even taken the course.
-
Patrick Webster email to IT staff
Hello, I am Patrick. I cannot reproduce the email their staff replied with, except it says something along the lines of thank you for raising this matter for our attention and that it was fixed within an hour or two. Below is my email to them, with certain parts redacted, which includes the heavily debated script. The email was a follow up after a lengthy discussion with staff and they were most thankful for the call. I'm publishing this just so that you are better informed and can form your own opinions based on this.

From: Patrick Webster [mailto:patrick@osisecurity.com.au]
Sent: Thursday, 22 September 2011 1:26 PM
To: [REDACTED]
Subject: Privacy breach in pillar.com.au website

Hello [REDACTED],

Thanks for taking the time to speak with me today. As mentioned, I am a FSS member from my time at NSW Police Force. My personal background is in IT Security and I am the owner of OSI Security (www.osisecurity.com.au). You're welcome to see my personal history at http://www.linkedin.com/in/patrickwebster - the past 10 or 11 years I have been working in securing information systems etc, which is how I came across this bug.

Yesterday, I received the FSS email notification to download my member statement. So I logged in to the pillar / FSS members portal and went to statements and clicked to download the statement, which is in PDF format. My *personal* statement is at https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 You're welcome to have a look (I have [REDACTED] in super, yay).

So after I saw my statement I noticed the 'documentId' number and, based on my security background, I have natural concerns my information is stored securely. So I incremented the number to see what happens (expecting to be rejected); i.e.

https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 becomes https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D9&page=0

Amazingly (and coincidentally I might add) the statement I downloaded is my former colleague at [REDACTED] (if you look at my LinkedIn profile and see my connections you will see that we are connected). I then did a random spot test to see if it worked for any number, which indeed it did. I quickly wrote a linux bash script to enumerate documentId numbers and discovered it worked. Script source is below:

#!/bin/bash
#[REDACTED]
for i in {[REDACTED]..[REDACTED]}
do
echo $i
wget "https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-$i&page=0" --no-cookies --header "Cookie: [REDACTED]"
done

You can see the script runs from [REDACTED]..[REDACTED] in member numbers (just a guess on my part) and then tells the wget software to fetch the documentId with the 'for loop' number which is $i. I was then able to download every member statement, including my own of course. Naturally I find this extremely concerning so contacted you today (I found this around 9pm last night). All the data I obtained has been destroyed / deleted but validated my concerns.

Ideally the pillar website should generate some kind of hash (such as member ID + unique salt = 'documentId') instead of a direct object reference. See: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

That is about it... if you have any questions please contact me via email or details below.

Kind Regards,
Patrick Webster
...
-
Information Black Hole?
Seems there's really not much information on this "Movie Rights Group" - a website with an anonymous host with minimal functionality and some buttons not working (and according to wayback, barely touched since created last year), a spokesman whose linkedin profile jumps from "Australian Air Force - 1980" directly to "VP Sales & Marketing Movie Rights Group - 2010", a head office in a suite off broadwater on the gold coast (not exactly the bustling commercial hub of Australia!).
Interestingly, the original website has this wonderful snippet (god I love wayback)
"If, however, you decide not to settle and wish your matter to be heard in Court, we strongly suggest you engage a lawyer as soon as possible. Be aware that you may be exposing yourself to civil damages of up to USD$150,000 plus costs, per infringement."
However I guess when this story broke they thought it would be safer to change it to
"If, however, you decide not to settle and wish your matter to be heard in Court, we strongly suggest you engage a lawyer as soon as possible."
I guess my internet investigation skills are not l33t enough to find much real information on the company :)
It would be interesting to know if this is a proactive launch by the MPAA into Australia, or is this just some guy who saw what was going on in America, set up a website, flew over there and shopped around until he got a client who thought "why not, this guy wants to take the risk, we know nothing of Australia" - he's not even a law firm as far as I can tell (he's using a Brisbane one).....the website claims "the directors" have been working in IT for over 15 years, anyone from Brisbane/Gold Coast worked with this guy or know the directors?