I think that's a really risky ploy. (I interviewed applicants for tech positions at my company for a while, and some people had similar responses.)
First, for this to work you'd really have to strike a chord with your interviewer as you're delivering this line -- the problem is, tech guys aren't usually the type who would cry a river for you.
Second, it makes you seem desperate. You might as well say to me "gee, can't you give me a job? no one else will." And if no one else will give you a job, why the hell would I? An under-emphasized point in the article is "You want to look like you're good enough to be in heavy demand." Would a GREAT candidate for the job who LOVES the kind of work it entails be complaining about not getting paid? No, because a qualified and talented candidate *knows* he's going to be getting paid a lot of money SOMEWHERE, it's just a matter of *where*.
Third, it emphasizes the wrong things. You should be getting across what you can do for the company (i.e. your talents and what you can DO) rather than your desperate need to get money.
THINK FROM THE EMPLOYER'S PERSPECTIVE. That is the only 'trick' or 'secret' you need. Most other 'clever' tips are simply ways to make the employer's life easier when evaluating you. I'm going to sound like a dick here, and whine about "oh i wouldn't work for you if you don't care about me" but this is pretty much how it is:
* There is shit that needs to get done and not enough people to do it; I would be doing some of that shit but am spending time NOT doing that shit to interview you. Realize I just wasted 10 hours this week interviewing some other dipshits who sucked and tediously plowing through shitty resumes from idiots.
* Frankly I/my company wants to hear how you will get that shit done, not some sob story. (Sounds cruel, but if the aforementioned shit doesn't get done, then it's MY ass on the line.)
So instead of relying on some cheesy hook, you should have RESEARCHED the job and the company and should at LEAST say something like "I have seen your product X and the technology behind upcoming project Y seems really interesting. I've done a lot of work with Z and it sounds like I will be able to do a lot for you with that, and I can't wait to learn about Q" and HOPEFULLY something more compelling than even that.
being slashdot, i'm sure a bunch of fellow it/dev hiring managers have seen some funny shit...
how many people have seen emails like this? they always crack me up:
Dear Mr. Peter McDermott,
I saw your recent job posting and think i would be an excellent fit for Linux (Full-time) Administrator/Sysadmin . I am a very hard worker and a quick learner. My experience with IIS and ASP is extensive......
of course, there was no peter mcdermott at our company, nor did our jobs@ email have any name linked to it. the jackass forgot to remove it when he cut and pasted from some other job posting response.
in the words of strongbad...DELETED!
anyone else's gag reflex triggered whenever getting an email beginning with Dear Sir/Madam from @yahoo.com?
Exactly. Many of the current failures can be attributed to poor communication between the US-based company and the India software firms; the communication bandwidth needed for a project manager and architect and the developers is extremely high, and if the manager/architect are on another continent it's just not going to work.
However, I'm sure US companies will be simply able to send project leads/managers/designers/architects (I'm sure some are doing this already) who understand EXACTLY what the business needs are and who will be able to go ON-SITE in India to manage the design and development of the product. A competent on-site project manager will help eliminate the major communication breakdowns(schedule slips, requirements runarounds, etc), and a competent on-site architect will take care of design issues and quality control from a technical standpoint. This is how the power of inexpensive developers will be leveraged, and this is the big threat.
However, it is naive (and fairly racist) to think "Oh, we'll always need to send American designers; Indians will never be competent at this skill." They are highly skilled, the work ethic over there is ridiculous -- as a high-school age kid, to get into an Indian Institute of Technology, imagine the level of competition to get into MIT times 10.
It's true that the design skill yada yada is hard/dumb to outsource (i.e. designing architectures, systems, creating/choosing algorithms), but a lot of software IMPLEMENTATION (e.g. GUIs, parsers, web services) is somewhat routine and can be done by (interchangeable!) mid-level developers, which is exactly what India would provide and at much lower prices.
It's a pretty big threat to low- and mid- level developers, but if there's any consolation the prices that the currently-underpaid Indian developers will command will increase to the point that outsourcing is too much of a hassle to deal with when there is a large population of slightly higher-paid but local Americans willing to do the work, without all the communication/culture barriers or need to fly a bunch of highly-priced project leads/specialists all over the place.
well, if you want a family, or your kids to be educated, etc etc.. you can't exactly suddenly switch gears and move into a cardboard box -- your family depends on that paycheck.
and nice cheesy straw man at the end by the way, but most of these situations are a lot more subtle, and might only involve certain practices within a company, or certain individuals, or the employee in question might be completely unrelated, etc.
you're passing isdigit a char pointer (char*), not an int or char -- so you're comparing a memory location (a large value like 0x40xxxx in windows, or 0xbffxxxxx if on the linux stack for example. it doesn't really matter.) to a const char ('0', and '9' -- integer values 0x30 and 0x39 respectively), which will first of all generate a compiler warning or error since you're comparing a char* to a const char -- and even if you cast it, first you're a dipshit, and second it'll probably return false since the memory location probably won't be between those two values.
and if you use the clumsy first version where x or whatever is referred to twice (as opposed to using a temp variable or something), you'll increment the pointer twice, and if you use the typical c library version of isdigit, the pointer will be incremented once.
little bit of overkill there, but hey, the more you know (cue nbc jingle and shooting star:P), right?
if you think about the target market for these devices, they're for small businesses that probably don't have a very experienced IT staff (or none at all.) everyone knows how to use a browser though and an ssl-encrypted https session is a secure way to manage. and most non-computer types freak out at CLIs and conversely love shiny graphics and buttons. gotta understand people that would buy this thing just want to see it at staples or compusa, grab it, unwrap it, and have it just _work_.
Wild conjecture, but maybe it's just because they have such a strong brand name (kid wants an *iPod* for xmas, not an mp3 player) that they feel that their product is unique and that sales wouldn't drastically increase if they cut their prices (or conversely sales wouldn't drop that much if they kept prices high, because their customers don't see the cheapo competing mp3 players as valid substitutes for an iPod.)
Kinda like toy fads -- what kid would want to accept a cheap knockoff "Fondle Me Herbert" doll when all their little pals have "Tickle Me Elmos"?:P
I did the TopCoder contests for a while a year or two ago (back when they gave cash prizes.) There's the "Single Round Matches", which are what most of us would recognize as typical "coding competitions", and then they have some "component design" contests, or rather have an ongoing list of software components (for example, an FTP module or a module that accesses a database) that they wish to have developed and contract out to rated TopCoder members, including design/implementation.
The little components are the software they're apparently selling, but the coding competitions (like this Code Jam) don't generate any saleable technology/IP. Competitors in the coding contests are therefore not being scammed, and those involved in developing the components do so voluntarily (and are compensated, although not compensated that much.)
Wrong. It's not a creative contest -- all competitors are given the same contest problems (check out TopCoder's site) which are reasonably small (most of the seasoned experts can sling through the set of 3 problems in an hour/hour and a half or so) and usually need to be solved with efficient algorithms (knowledge of graph theory, efficient search techniques, dynamic programming, etc. helps.) They have nothing to do with Google's product or technology.
I don't blame Gamespy at all. This jackass has basically enabled untold numbers of 12 year old pricks to tie up public game servers for their shallow amusement.
The general method of DoS he employs is not a "security flaw" but a byproduct of how multiplayer games are typically designed. You could theoretically do the same thing by going into an office and starting up a bunch of instances of the game on a bunch of PCs and logging into a server and leaving them there -- the "proofs of concept" that this guy Luigi wrote just automates this, simulating clients and hanging them.
The "problem" is that lots of games (hell, most network services of any kind) inherently require one TCP connection or UDP stream that stays alive throughout the entire multiplayer game and that begin with some authentication process, and most games only maintain a small number of slots (listening sockets).
Generous timeouts are also often needed to support spotty connections/freezes without disconnecting, so simply checking for timeouts might not help servers get past this issue. (However, maybe they could add some simple limit on how long a client can stay in the preliminary authentication/non-'playing' stages before booting them, requiring a prohibitively large amount of additional reverse engineering/sophistication to simulate a playing client.)
Getting around it will force game devs to play a stupid game of cat and mouse and to implement complicated challenge/response and other antispoofing mechanisms (IP banning, timeouts, etc.) -- time that could be, and ought to be spent on making fun games.
Too bad that Gamespy invoked the DMCA but that's probably the only legal leg they can stand on. Furthermore, Gamespy has nothing to do with the implementation of various game developers' servers.
Perhaps a better avenue would be for game devs to sue the guy for posting key gen algorithm internals and other shit like that.
Not really that I've seen. Honestly since coming here (I'm a junior, undergrad, comp sci dept.) I've been kind of disappointed -- there are plenty of intelligent (book smart) people, but there aren't really that many truly talented and passionate hacker types (well, at least not that I've met in like the software engineering class [6.170] or other course 6 [comp sci] classes.) Well, there are a couple, but they are REALLY, uh, eccentric or arrogant. The most "innovative" hacks I've seen are like the freaking bathroom/laundry monitors, and those aren't really that impressive (who gives a shit anyway.)
It's too bad. Mostly everyone is so damn busy with the workload that they rarely have time to pursue cool independent projects in their spare time. Which sucks because one would expect that revolutionary new sociological/technological inventions like Napster (northeastern) or Friendster or even cool hacks like BuddyZoo (caltech) etc would be coming out of MIT but from what I've seen that's sadly not the case because everyone is so stressed and maxed out with work.
somehow i don't really buy it about the 'kaleidoscope' wading through thousands of streams of content,
people have enough difficulty using a remote control:P
i think instead of flipping through hundreds/thousands of numeric channels a la directv, you'll simply type a url like espn.com or hbo.com into your tv/satellite/digital whatever and get a tv stream instead of a web page.
that's retarded -- don't be afraid of that scenario.
as the author of the open source package, you're not only an expert in the material but also since you're intimately familiar with every detail you can begin contributing immediately whereas some new hire would take a good deal of time (both his own and possibly a supervisor's time for training) to get up to speed and end up costing a great deal more (especially if a specialist is needed for that position.)
don't be afraid to ask for whatever is fair. probably more than 25 an hour but not more than 50 or 60 if it's not a project that requires extremely specialized knowledge.
well, the whole rationale and underlying spirit of the gpl is that the whole community should benefit from their modifications/improvements since they benefited from the preexisting gpl'ed code, and then we should be able to turn around and integrate our own improvements and do whatever we want with the new source. (hence 'open' source)
and secondly, the thing is probably flashable by software, so you could theoretically add new features to the firmware by taking their source, modifying it, compiling it, and flashing it to the device.
i think a more potentially dangerous outcome is that this could become a vehicle for worms to spread;
lots of vulnerabilities have been discovered (in IE, etc) in the past that run arbitrary code when you visit a web page.
so, if we have all these [identical] email clients set to automatically follow links and that there's some kind of known buffer overrun within the html parsing code (or if they use the IE rendering engine and some similar vulnerability has been discovered) then if a malicious link is sent then all of these clients will follow it and get compromised. (witness the paranoia now in most email clients which disable javascript, attachments, etc by default).
at that point, if tons of machines are compromised, they could be turned into open proxies or could turn around and forward the email to everyone in their address book, etc.
yes, this might sound like a farfetched scenario, but i think even if this case didn't happen, the obvious counter for spammers is to distribute the web load over a bunch of compromised open proxies or something or to throw up temporary web pages on random web hosts until they get shut down.
the bottom line is that in the end the pain of this countermeasure will be simply passed onto innocent third parties.
furthermore, it's unlikely that any major mail client will include this feature by default (outlook or eudora) since there's so much room for abuse, and the whole idea relies on a critical mass of users to actually have an effect.
man, this idea comes up over, and over, and over again..
the problem is it's virtually impossible to design a hackproof system -- nearly all modern mmorpgs have had instances of bugs where people dupe items or otherwise illegally generate money. eventually word gets out about them because everyone wants that advantage, but it's really different when $ is involved; if someone on one of these games found an exploit like that then they could embezzle practically unlimited amounts of $. and even worse, if an exploit became widespread then the whole economy could be totally screwed up, and people would be losing *real money*.
so the problem always ends up that no developer could reasonably shoulder that much liability -- it's bad enough with people bitching about losing imaginary items but if someone gets cleaned out of actual assets and $ then (ianal, but i believe) they can sue and the developer could actually be found liable.
Slashdot Mirror
No.
I think that's a really risky ploy. (I interviewed applicants for tech positions at my company for a while, and some people had similar responses.)
First, for this to work you'd really have to strike a chord with your interviewer as you're delivering this line -- the problem is, tech guys aren't usually the type who would cry a river for you.
Second, it makes you seem desperate. You might as well say to me "gee, can't you give me a job? no one else will." And if no one else will give you a job, why the hell would I? An under-emphasized point in the article is "You want to look like you're good enough to be in heavy demand." Would a GREAT candidate for the job who LOVES the kind of work it entails be complaining about not getting paid? No, because a qualified and talented candidate *knows* he's going to be getting paid a lot of money SOMEWHERE, it's just a matter of *where*.
Third, it emphasizes the wrong things. You should be getting across what you can do for the company (i.e. your talents and what you can DO) rather than your desperate need to get money.
THINK FROM THE EMPLOYER'S PERSPECTIVE. That is the only 'trick' or 'secret' you need. Most other 'clever' tips are simply ways to make the employer's life easier when evaluating you. I'm going to sound like a dick here, and whine about "oh i wouldn't work for you if you don't care about me" but this is pretty much how it is:
* There is shit that needs to get done and not enough people to do it; I would be doing some of that shit but am spending time NOT doing that shit to interview you. Realize I just wasted 10 hours this week interviewing some other dipshits who sucked and tediously plowing through shitty resumes from idiots.
* Frankly I/my company wants to hear how you will get that shit done, not some sob story. (Sounds cruel, but if the aforementioned shit doesn't get done, then it's MY ass on the line.)
So instead of relying on some cheesy hook, you should have RESEARCHED the job and the company and should at LEAST say something like "I have seen your product X and the technology behind upcoming project Y seems really interesting. I've done a lot of work with Z and it sounds like I will be able to do a lot for you with that, and I can't wait to learn about Q" and HOPEFULLY something more compelling than even that.
Hope this helps --
-fren
how many people have seen emails like this? they always crack me up:
of course, there was no peter mcdermott at our company, nor did our jobs@ email have any name linked to it. the jackass forgot to remove it when he cut and pasted from some other job posting response.in the words of strongbad...DELETED!
anyone else's gag reflex triggered whenever getting an email beginning with Dear Sir/Madam from @yahoo.com?
*sigh*
-fren
let us have a moment of silence. (seriously).
that was such a kick in the nuts.
-fren
I'm sure it would not.
Steam's download servers are very likely hosted at some colo facility on some serious backbone.
Corporate offices are usually some little T1 from a local ISP, at least for a small company (valve probably has better than a t1, but still.)
Not to mention the bonehead move it would be to have a dev environment on or near a highly public, visible network like Steam.
-fren
The "Rice Rocket".
*ducks*
-fren
Exactly. Many of the current failures can be attributed to poor communication between the US-based company and the India software firms; the communication bandwidth needed for a project manager and architect and the developers is extremely high, and if the manager/architect are on another continent it's just not going to work.
However, I'm sure US companies will be simply able to send project leads/managers/designers/architects (I'm sure some are doing this already) who understand EXACTLY what the business needs are and who will be able to go ON-SITE in India to manage the design and development of the product. A competent on-site project manager will help eliminate the major communication breakdowns(schedule slips, requirements runarounds, etc), and a competent on-site architect will take care of design issues and quality control from a technical standpoint. This is how the power of inexpensive developers will be leveraged, and this is the big threat.
However, it is naive (and fairly racist) to think "Oh, we'll always need to send American designers; Indians will never be competent at this skill." They are highly skilled, the work ethic over there is ridiculous -- as a high-school age kid, to get into an Indian Institute of Technology, imagine the level of competition to get into MIT times 10.
It's true that the design skill yada yada is hard/dumb to outsource (i.e. designing architectures, systems, creating/choosing algorithms), but a lot of software IMPLEMENTATION (e.g. GUIs, parsers, web services) is somewhat routine and can be done by (interchangeable!) mid-level developers, which is exactly what India would provide and at much lower prices.
It's a pretty big threat to low- and mid- level developers, but if there's any consolation the prices that the currently-underpaid Indian developers will command will increase to the point that outsourcing is too much of a hassle to deal with when there is a large population of slightly higher-paid but local Americans willing to do the work, without all the communication/culture barriers or need to fly a bunch of highly-priced project leads/specialists all over the place.
-fren
well, if you want a family, or your kids to be educated, etc etc.. you can't exactly suddenly switch gears and move into a cardboard box -- your family depends on that paycheck.
and nice cheesy straw man at the end by the way, but most of these situations are a lot more subtle, and might only involve certain practices within a company, or certain individuals, or the employee in question might be completely unrelated, etc.
-fren
babababa, mod parent up! :P
-fren
sigh, crowning myself king dork with this one :P
:P), right?
(nerd alert!)
you're passing isdigit a char pointer (char*), not an int or char -- so you're comparing a memory location (a large value like 0x40xxxx in windows, or 0xbffxxxxx if on the linux stack for example. it doesn't really matter.) to a const char ('0', and '9' -- integer values 0x30 and 0x39 respectively), which will first of all generate a compiler warning or error since you're comparing a char* to a const char -- and even if you cast it, first you're a dipshit, and second it'll probably return false since the memory location probably won't be between those two values.
and if you use the clumsy first version where x or whatever is referred to twice (as opposed to using a temp variable or something), you'll increment the pointer twice, and if you use the typical c library version of isdigit, the pointer will be incremented once.
little bit of overkill there, but hey, the more you know (cue nbc jingle and shooting star
-fren
(Insert DNF joke here)
Did Not Finish
*sigh* and i've reached a new low...
-fren
if you think about the target market for these devices, they're for small businesses that probably don't have a very experienced IT staff (or none at all.) everyone knows how to use a browser though and an ssl-encrypted https session is a secure way to manage. and most non-computer types freak out at CLIs and conversely love shiny graphics and buttons. gotta understand people that would buy this thing just want to see it at staples or compusa, grab it, unwrap it, and have it just _work_.
-fren
Wild conjecture, but maybe it's just because they have such a strong brand name (kid wants an *iPod* for xmas, not an mp3 player) that they feel that their product is unique and that sales wouldn't drastically increase if they cut their prices (or conversely sales wouldn't drop that much if they kept prices high, because their customers don't see the cheapo competing mp3 players as valid substitutes for an iPod.)
:P
Kinda like toy fads -- what kid would want to accept a cheap knockoff "Fondle Me Herbert" doll when all their little pals have "Tickle Me Elmos"?
-fren
We tried reaching him for comment, but his face was in the middle of falling off, and he was having difficulty breathing.
You're a bit misinformed.
I did the TopCoder contests for a while a year or two ago (back when they gave cash prizes.) There's the "Single Round Matches", which are what most of us would recognize as typical "coding competitions", and then they have some "component design" contests, or rather have an ongoing list of software components (for example, an FTP module or a module that accesses a database) that they wish to have developed and contract out to rated TopCoder members, including design/implementation.
The little components are the software they're apparently selling, but the coding competitions (like this Code Jam) don't generate any saleable technology/IP. Competitors in the coding contests are therefore not being scammed, and those involved in developing the components do so voluntarily (and are compensated, although not compensated that much.)
-fren
Wrong. It's not a creative contest -- all competitors are given the same contest problems (check out TopCoder's site) which are reasonably small (most of the seasoned experts can sling through the set of 3 problems in an hour/hour and a half or so) and usually need to be solved with efficient algorithms (knowledge of graph theory, efficient search techniques, dynamic programming, etc. helps.) They have nothing to do with Google's product or technology.
Nice troll though.
-fren
I don't blame Gamespy at all. This jackass has basically enabled untold numbers of 12 year old pricks to tie up public game servers for their shallow amusement.
The general method of DoS he employs is not a "security flaw" but a byproduct of how multiplayer games are typically designed. You could theoretically do the same thing by going into an office and starting up a bunch of instances of the game on a bunch of PCs and logging into a server and leaving them there -- the "proofs of concept" that this guy Luigi wrote just automates this, simulating clients and hanging them.
The "problem" is that lots of games (hell, most network services of any kind) inherently require one TCP connection or UDP stream that stays alive throughout the entire multiplayer game and that begin with some authentication process, and most games only maintain a small number of slots (listening sockets).
Generous timeouts are also often needed to support spotty connections/freezes without disconnecting, so simply checking for timeouts might not help servers get past this issue. (However, maybe they could add some simple limit on how long a client can stay in the preliminary authentication/non-'playing' stages before booting them, requiring a prohibitively large amount of additional reverse engineering/sophistication to simulate a playing client.)
Getting around it will force game devs to play a stupid game of cat and mouse and to implement complicated challenge/response and other antispoofing mechanisms (IP banning, timeouts, etc.) -- time that could be, and ought to be spent on making fun games.
Too bad that Gamespy invoked the DMCA but that's probably the only legal leg they can stand on. Furthermore, Gamespy has nothing to do with the implementation of various game developers' servers.
Perhaps a better avenue would be for game devs to sue the guy for posting key gen algorithm internals and other shit like that.
I think though that breaking both his legs and giving him a donkey punch (#3) or dirty sanchez (3rd from bottom) would be more fitting, and funnier.
-fren
Not really that I've seen. Honestly since coming here (I'm a junior, undergrad, comp sci dept.) I've been kind of disappointed -- there are plenty of intelligent (book smart) people, but there aren't really that many truly talented and passionate hacker types (well, at least not that I've met in like the software engineering class [6.170] or other course 6 [comp sci] classes.) Well, there are a couple, but they are REALLY, uh, eccentric or arrogant. The most "innovative" hacks I've seen are like the freaking bathroom/laundry monitors, and those aren't really that impressive (who gives a shit anyway.)
It's too bad. Mostly everyone is so damn busy with the workload that they rarely have time to pursue cool independent projects in their spare time. Which sucks because one would expect that revolutionary new sociological/technological inventions like Napster (northeastern) or Friendster or even cool hacks like BuddyZoo (caltech) etc would be coming out of MIT but from what I've seen that's sadly not the case because everyone is so stressed and maxed out with work.
-fren
somehow i don't really buy it about the 'kaleidoscope' wading through thousands of streams of content,
:P
people have enough difficulty using a remote control
i think instead of flipping through hundreds/thousands of numeric channels a la directv, you'll simply type a url like espn.com or hbo.com into your tv/satellite/digital whatever and get a tv stream instead of a web page.
-fren
Bring on the yankees baby!!!
-fren
that's retarded -- don't be afraid of that scenario.
as the author of the open source package, you're not only an expert in the material but also since you're intimately familiar with every detail you can begin contributing immediately whereas some new hire would take a good deal of time (both his own and possibly a supervisor's time for training) to get up to speed and end up costing a great deal more (especially if a specialist is needed for that position.)
don't be afraid to ask for whatever is fair. probably more than 25 an hour but not more than 50 or 60 if it's not a project that requires extremely specialized knowledge.
-fren
well, the whole rationale and underlying spirit of the gpl is that the whole community should benefit from their modifications/improvements since they benefited from the preexisting gpl'ed code, and then we should be able to turn around and integrate our own improvements and do whatever we want with the new source. (hence 'open' source)
and secondly, the thing is probably flashable by software, so you could theoretically add new features to the firmware by taking their source, modifying it, compiling it, and flashing it to the device.
-fren
YOU ARE A HUGE NERD STOP.
;)
(sorry, couldn't resist
-fren
i think a more potentially dangerous outcome is that this could become a vehicle for worms to spread;
lots of vulnerabilities have been discovered (in IE, etc) in the past that run arbitrary code when you visit a web page.
so, if we have all these [identical] email clients set to automatically follow links and that there's some kind of known buffer overrun within the html parsing code (or if they use the IE rendering engine and some similar vulnerability has been discovered) then if a malicious link is sent then all of these clients will follow it and get compromised. (witness the paranoia now in most email clients which disable javascript, attachments, etc by default).
at that point, if tons of machines are compromised, they could be turned into open proxies or could turn around and forward the email to everyone in their address book, etc.
yes, this might sound like a farfetched scenario, but i think even if this case didn't happen, the obvious counter for spammers is to distribute the web load over a bunch of compromised open proxies or something or to throw up temporary web pages on random web hosts until they get shut down.
the bottom line is that in the end the pain of this countermeasure will be simply passed onto innocent third parties.
furthermore, it's unlikely that any major mail client will include this feature by default (outlook or eudora) since there's so much room for abuse, and the whole idea relies on a critical mass of users to actually have an effect.
-fren
man, this idea comes up over, and over, and over again..
the problem is it's virtually impossible to design a hackproof system -- nearly all modern mmorpgs have had instances of bugs where people dupe items or otherwise illegally generate money. eventually word gets out about them because everyone wants that advantage, but it's really different when $ is involved; if someone on one of these games found an exploit like that then they could embezzle practically unlimited amounts of $. and even worse, if an exploit became widespread then the whole economy could be totally screwed up, and people would be losing *real money*.
so the problem always ends up that no developer could reasonably shoulder that much liability -- it's bad enough with people bitching about losing imaginary items but if someone gets cleaned out of actual assets and $ then (ianal, but i believe) they can sue and the developer could actually be found liable.
my 2c
-fren