On the one hand, Mangham definitely didn't have prior authorization. His actions were illegal, regardless of his intentions.
On the other hand, Facebook's long-term security has been dramatically weakened. Now, anybody who finds a vuln in Facebook isn't going to report it for fear of doing jail time.
Sounds like a fuck-up for everyone involved.
Or you know you follow Facebook's procedure for their bug-bounty program:
https://www.facebook.com/whitehat/bounty/
Paying special attention to the following section:
Exclusions
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):
Security bugs in third-party applications (e.g., http://apps.facebook.com/%5Bapp_name%5D)
Security bugs in third-party websites that integrate with Facebook
Security bugs in Facebook's corporate infrastructure
Denial of Service Vulnerabilities
Spam or Social Engineering techniques
If you want to test any of those, you do what practically any book on "ethical hacking" ever states and you get prior authorization.
1. He's not at trial yet; this is an Article 32 hearing.. basically a grand jury hearing/pre-trial.
2. At trial, he would have a jury of his peers; far more so than you'd find in a civilian courtroom. He's an enlisted soldier, so if his defense team opted, they can have a jury full of enlisted soldiers.
3. Contrary to what you wish to believe; military court martials aren't show trials. I'd argue that they're ultimately far more fair and impartial than you'll ever find in a civilian courtroom where a DA and/or Judge may have a political agenda to fulfill.
which really only works if the only thing the person did was unlock the phone.. if the phone was actually used, you'd have indistinguishable smear marks all over the screen.
So if I disclose all your bank passwords, would that make me immune?
I agree in part, but it is a problem.
If, as a delivery dude, I find your key under the front door mat, can I make 1000 copies and drop them off all over the city with your address to teach you to be safer?
I am genuinely asking, I don't have the answer.
If I simply return your key, and you keep putting it under the mat, then what do I do.
That's not what he meant;
If you disclose the vulnerability that exposes his passwords, you're immune. If you exploit the vulnerability and disclose the passwords, then you're not immune from the action of disclosing data improperly. You don't have to disclose the passwords to prove the vulnerability.
In your little example, the vulnerability would be the key under the front door mat. The exploit would be using that key and/or making copies of the key. Proper disclosure would dictate that you notify him that his key is under the front door mat and give him time to respond and remedy the situation; after a period of time (say 30 days), if he ignores the vulnerability or the vulnerability is remedied, then disclose the vulnerability. Improper disclosure would be letting the public at large know the day you found the key; you don't need to make copies of the key to prove or disclose the vulnerability.. it adds nothing and just makes you a dick.
In the reality of this case; the guy didn't disclose any customer data to the public at large (at least from what I gather), and he stated that he will delete any data resulting from the breach and would even allow the company to verify as such. Following the whole "Disclosure Guarantees Immunity" philosophy this guy should be in the clear. Data access is going to occur at times in vulnerability research, what you do with that data is what should determine whether you get immunity or not.
Last thing I read on it was from April in this article:
http://www.businessinsider.com/next-xbox-may-be-profitable-on-day-one-2011-4
Seems like the business segment containing Xbox is down 5.5 billion over its lifetime, but has been turning a profit for each of the last 11 quarters.. they may be down overall, but they're going to break even here pretty quickly; even more so if they decide not to go the hardware loss route with the next xbox.
As already stated.. this is precisely how it works now. You've practically described it to a T. In fact, we further segregate networks based on the level of classified information they carry; all of which are airgapped.
The Space Station is in a Low Earth Orbit (LEO) and will fall to the Earth without its regular altitude boosts
The ISS is in LEO because NASA was INCAPABLE of building a space shuttle that could achieve higher orbit! Because it had to have WINGS so it could land with secret military payloads at designated airfields in the continental USA.
So the AMERICANS crippled the INTERNATIONAL Space Station. It should have been in higher orbit to start with, then it would last longer, but NO, the Americans had to have it their way. Hopefully the Chinese won't make the same dumb mistakes.
Nobody said the other partners had to take NASA's money... they were free to build a space station on their own. Don't bitch when the biggest financial and technical partner mandates its way; especially when the next closest partner barely surpassed 1/10th of the AMERICAN cost on the project.
Interesting that this is not a NASA announcement...
Despite the fact that most American news media refer to it as "The NASA Space Station", it is, in fact, not exclusively a NASA space station. Its correct title is "ISS", which stands for "International Space Station".
NASA is just one partner of many on this project.
What American news media refer to it as "The NASA Space Station"? I'm curiously interested, as I have never seen it referred to as such.
And it wouldn't be news at all... given that LPSL is primarily meant to access DoD systems, not for general browsing/playing around (in fact the primary point of it is for accessing webmail, which requires CAC authentication, and configuring CAC authentication on home systems has generally been a PITA for IT Support), and given nearly every DoD system has the following disclaimer:
THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM.
This computer system, including all related equipment, networks and
network devices (specifically including Internet access), are provided
only for authorized U.S. Government use. DoD computer systems may be
monitored for all lawful purposes, including to ensure that their use is
authorized, for management of the system, to facilitate protection
against unauthorized access, and to verify security procedures,
survivability and operational security. Monitoring includes active
attacks by authorized DoD entities to test or verify the security of
the system. During monitoring, information may be examined, recorded,
copied and used for authorized purposes. All information, including
personal information, placed on or sent over this system may be
monitored.
Use of this DoD computer system, authorized or unauthorized, constitutes
consent to monitoring of this system. Unauthorized use may subject you
to criminal prosecution. Evidence of unauthorized use collected during
monitoring may be used for administrative, criminal or adverse action.
Use of this system constitutes consent to monitoring for these purposes.
I think it's fairly safe to say that people already know their stuff is being monitored...
They are for the most part (Packet switching over shared lines for certain networks being the obvious case of non-isolation physically). Hitting internet connected servers nets you some unclass/fouo maybe confidential level stuff. If you're lucky and hit the right place at the right time, you might get some info that was accidentally uploaded that's classified higher and hasn't yet been cleansed. Keep in mind we have whole groups of people dedicated solely to finding classified info uploaded to NIPR/Public Internet facing systems and to investigate the cause and clean the affected systems.
This is why I always take the 'We've hacked NATO's public facing servers and netted some juicy info!!!' type stories with a very big grain of salt. Remember none of the Bradley Manning/Wikileaks stuff came from an internet connected network.
What gives you the impression that Energy Efficient Vehicles are lighter than Gas Guzzlers?
A Chevy Volt is 3781 lbs
A Nissan Leaf is 3354 lbs
A Ford Mustang is 3655 lbs
A Chevy Corvette is 3350 lbs
Granted you'll have differences between different variations of the same model; but just use those as generalized examples. Now if you're comparing a Leaf to a Suburban that's a whole other ballgame and is like comparing apples to oranges.
Except for that whole period of time from the mid/late 80's to late 90's where Apple was on the verge of being bought out by Sun for $5 a share and doing absolutely nothing to make a mark on the consumer market in any fashion.
And this article wasn't talking about the space shuttle. In fact the word "shuttle" doesn't exist in either the summary or the article.
Really? Damn.. I guess I just imagined reading this line:
Ordinarily, this plasma absorbs and reflects radio waves at communications frequencies, leading to a few tense minutes during the re-entry of manned vehicles such as the shuttle.
I'm surprised you actually expect such an announcement to come from them. Why in the hell would they ever open themselves to a potential lawsuit by announcing it publicly. That's not to say it hasn't been done, particularly since depending on what the PS3 cluster is being used for, the NSA and/or DISA has almost assuredly broken the PS3 down to find out its flaws security wise.
Not a search and seizure (as already mentioned), but you also neglected to read the full passage, particularly the part referring to how it can't impair the government when it comes to 'if the offense consists of the receipt, possession, or communication of information relating to the national defense, classified information, or restricted data under the provisions of section 793, 794, 797, or 798 of title 18, or section 2274, 2275, or 2277 of this title, or section 783 of title 50,'
So basically it's not applicable anyhow, because like it or not.. Wikileaks is clearly in possession of classified information.
Out of all that, that's the one thing in his post you wanted to highlight? Really, is it that hard of a concept to swap out 'LEO busting organized crime' and put 'Intelligence Agent undercover in foreign terror cell' or shit, even a 'LEO undercover inside domestic terror cell'? This distinction between 'Law-enforcement agency' and 'Government business' isn't as clear cut as you'd like it to be; in fact the lines are highly, highly blurred. But you know, that's because law enforcement is a part of the government. You did realize that, right?
Because milling != 3D printing, even though they both use CNC. Milling involves starting with a raw material and cutting/machining away at it to achieve the desired end product. 3D printing involves printing the final product layer by layer. There are plenty of videos out there for you to look up to see the difference.
Dream on. Did you realize that there is still stuff from the frelling Spanish-American war that is classified? If I had ten grand in spare change lying around I might spend it on a lawyer for a FOIA query to see what's there, but let's face it, I don't so it's just going to stay that way.
Have you seen the process for a FOIA request? You need to know the exact title and location of the document that you want. You can't just ask for documents relating to the cover-up of the bombing of a wedding party, you need to ask for US Army Action Report 172047a, CIA Predator Flight 2491 Operator Transcripts, and NATO After Action Report 1772-Q42. If the information that you actually need is in Flight 2490 Operator Transcript instead you need to start the process all over again (if you ever find out where it really is). Making things worse, generally the indexes themselves are classified, and if you manage to get access to one it will be so highly redacted as to be useless.
That's absolutely not true at all; FOIA requests can be/have been/generally are in the form of 'generalized' requests. Is it better if you are specific about your request? Absolutely, it will save you money, seeing how they generally charge by time used in the search and by page. You can literally request:
"This is a request under the Freedom of Information Act.
I request that a copy of the following documents concerning the following subject matter be provided to me: Any and all reports concerning the actions at Abu Ghraib Prison from 1 JAN 2004 - 30 APR 2004."
Still missing the point.. There's a fee associated with selling a title on a console.. outside of any production costs; Microsoft/Sony/Nintendo all charge a specific amount of money so that games can be played on their systems; these are called 'Publisher License Agreements'. Here's an example of one for the Xbox 360 between Microsoft and THQ:
http://legal.realdealdocs.com/index.php/2008/04/18/xbox-360-publisher-license-agreement/
Basically Microsoft gets royalties for every 360 title sold; Sony gets royalties for every PS3 title sold; Nintendo gets royalties for every Wii title sold.
It's not the New York State government doing this, it's the New York City government.
But it begs the question.. how much of the city's transportation budget is coming from the State and Federal government and how much of it is from locally generated taxes? I'd bet money that a large portion of that budget like most localities is funded off State & Federal taxes.
Hubble - Could have been Launched without the Shuttle
All other satellites - Could have been launched without the Shuttle
The Shuttle was actually a hindrance for launching some satellites - some were too big, the wrong shape, or needed to be launched in another orbit.....
Hubble - Pretty difficult to repair without a shuttle; and up until the last servicing mission, couldn't be serviced or returned to earth intact without a shuttle.
Nothing's confirmed... (on "UVB-76 Explained")
Uhh.. Wikipedia only states that it's speculation; like everything else about UVB-76, this is unconfirmed.. so in reality it still isn't explained. What a crappy submission.
Exactly where in the 'article' is the information about Comcast charging? It's not.
Last time I used cable, the box came free with the service. If you wanted a better box, you paid more. ($10 more for HD, or DVR, or HD-DVR. Yeah, they were all the same.)
Right around here:
"They told me they have been putting these boxes on every TV in each classroom in each school. I laughed when I heard that. I said, 'Do you know how much electricity is going to be needed for each box?' They didn't know the answer. I was bumped up to the next guy in the Comcast hierarchy, who said there was no other solution and I had to pay $3 per month for each box. Being a municipality, we are entitled to free expanded basic cable as a part of the franchise agreement back in 1982.
Unfortunately some of us are still stuck with Exchange 2003, so we're still SOL for the most part.
Youtube is just fine on my FiOS connection...