Slashdot Mirror


User: mysidia

mysidia's activity in the archive.

Stories
0
Comments
13,354
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 13,354

  1. Re:Unjust Enrichment on Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page · · Score: 1

    If my neighbor hires a painter, and the painter paints my house instead of my neighbor's house, and I stand by and watch the painter work on my house without informing the painter he is working on the wrong house, then I am obligated to pay the painter the amount he would have charged my neighbor for the work performed.

    Wait: no. There's a problem with that. You can't have part of your house painted, and then have the painter stop: that would look horrible.

    I have a right to not have my house painted against my will. But if someone starts painting my house; I have a right to not have a combination of discolored old paint and patches of new paint.

    The painter owes me to make it right. He's got to complete the job, or pay me to have someone fix it.

  2. Re:This is so bad on Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page · · Score: 1

    FB will simply disclose the flaw immediately, resulting in a significant reduction in the site's security for everyone.

    Why bother disclosing the flaw at all?

    They'll probably just anonymously announce that they found it; hint that it might be available for the right price, if someone is sufficiently interested.

  3. Re:$500 is a lot of money on Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page · · Score: 1

    Have you looked at Facebook's stock recently? It's getting close to the IPO price.

    Its recent stock price is full of hot air; hopes, dreams, and other imaginary stuff, and cannot be justified based on either the company's current, anticipated, or remotely likely future growth at massive levels, let alone based on their intrinsic value.

    I expect them to have a 50% or greater haircut, when the market comes to grips with their irrational exuberance in regards to FB.

    They can do everything right and still "plummet", because their pricing is pie in the sky. FB is in no danger of become bankrupt, and they certainly do have a non-zero intrinsic value; it's just not 1000 times earnings.

  4. Re:Not securing a service is criminal too. on Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page · · Score: 1

    It's illegal but not criminal. The recourse is civil.

  5. Well, therein lies [a] problem. Any such law is completely bogus in the first place.

    Hacking into an account is not. Gaining access to a computer system without authorization, or utilizing access in excess of your authorized privilege might be.

    Most hacking crimes would be Denial of Service, Wire Fraud, or Theft of service.

    On the other hand, if you find some person's private intimate details buried in the trash, by some company's employee that carelessly threw out a printout, Name, Address, Social security, etc -- and you just gather that information, store it in a database, to leverage for marketing purposes --- have you committed a crime? Probably not.

  6. Your analogy is completely wrong: it would be correct if my house had a very fancy security system, there is a note on the front that says "I will give $500 to anyone who detects a problem with my security", you rang to tell me you found one vulnerability but I decided to ignore you because I don't want to pay you and then you broke into my house and left a polite note apologizing for it but mentioning that you do

    Naw... it's more like you have a Hotel that offers a bounty if you can find a bug in their electronic lock system securing all the hotel rooms.

    You report a bug, and they ignore you, so you take it upon yourself to find one of the Hotel owner's rooms protected by the electronic locking system... you defeat it, and you use the defeat just to slip a little sign in the window, where the whole world can see it, and run off.....

  7. The only ethical thing to do if you discover a security vulnerability is to inform the owner of the system. Any other action (reveling the vulnerability to the public, using the vulnerability for your own profit, using the vulnerability to "make a point", etc.) is at best a jerk move and at worst illegal.

    Facebook not paying the bounty is a jerk move. Personally, I think the next step in response to that, is to try to shame Facebook into treating people more responsibly --- one way of doing so would be to leverage the vulnerability using any legal method that would embarrass Facebook, or show them that their behavior has unintended consequences.

  8. Re:Take it public on Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page · · Score: 1

    'scuse me, but 500 bucks is peanuts for a 0day full-access security hole in FB. Tack a few 0s to that and we'll start talking.

    Posting a message to someone else's timeline isn't exactly a 0day full-access hole.

    It's more like a potentially spam/malicious link-facilitating bug.

  9. Re:Take it public on Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page · · Score: 1

    Maybe they just don't have the technology to request additional info from the reporter. Maybe that's not part of the protocol there. If it were my job to handle bug reports and I didn't want to be hassled with work, I'd require a complete bug description, including exact description of systems used and all steps to reproduce reported in exactly the format I'm expecting.

    This is why good companies implement some form of separation of duties when deciding how employees will execute their job.

    The person who specifies the conditions under which a bug report can be rejected, should not be the same as the person responsible for handling the reports, OR at least someone else with the project's interests and customer's interests at heart above and beyond the developers' desire to be as "efficient", "lazy", or have as little work as possible --- should be involved in the process of setting the rules and approving them, and on occassion -- reviewing the performance and compliance of the bug handlers.

  10. Re:Take it public on Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page · · Score: 1

    that "that's the way the community works. If you want a bug fixed then you have to be willing to work on it yourself."

    Any developer who is worth their salt, would tell you that's bullshit.

    Software defects are not only the concern of the person who encounters them. The project is doomed to failure if the developers won't take responsibility for their work and going the extra mile to ensure its quality.

    In a professional setting, the developer who responded to a user, IT admin's bug report or another programmer's bug report like that would be fired.

  11. Re:Take it public on Security Researcher Makes His Point By Hacking Into Zuckerberg's Facebook Page · · Score: 1

    I'm a programmer too. You ALWAYS respond to issues, even if it's just, "Can't Reproduce: Not enough info in bug report."

    Status: Open -> Closed: Wontfix
    Resolution: -> Invalid
    Notes: Can post on random other users' timelines, contrary to privacy settings -- not a bug, it's a feature.

  12. Re:Hey look at us, we are still relevant! on Wikileaks Releases A Massive "Insurance" File That No One Can Open · · Score: 1

    The cracking time today is irrelevant. How many years until a reasonable sized quantum computer comes out that can decode it in seconds? 10? 20 at the most?

    A quantum computer of sufficient size would be a disaster for RSA, but not AES -- the quantum crypto attacks against AES essentially halve the key length, so AES256 becomes like AES128.

    I expect it will be 50 years or longer, before AES256 today is reduced to a little less than what the strength of what AES128 is today.

    Unless you are a nation state, it will be 100 years before you could crack it; without stealing or being given the key.

  13. Better becareful posting that stuff on Why the NSA Can't Replace 90% of Its System Administrators · · Score: 4, Funny

    Don't you dare try to get rid 90% of system admins.

    Better back off, or I will replace your management team with a 5 line shell script, and sell it to Obama as a way of demonstrating that he is serious about more efficient government.

  14. Re:Hey look at us, we are still relevant! on Wikileaks Releases A Massive "Insurance" File That No One Can Open · · Score: 1

    The guys running wikileaks and risking their lives to get this info out aren't making any money out of it.

    How do you know this? Perhaps they are, but have not told you about it.

    Surely they must believe they are getting some benefit out of it, or advancing some agenda that they believe benefits them; otherwise they wouldn't be doing it.

  15. Re:Hey look at us, we are still relevant! on Wikileaks Releases A Massive "Insurance" File That No One Can Open · · Score: 1

    Wikileaks are non-profit, and risking personal safety to get this stuff out. The US Government and cronies are very much FOR profit.

    You really think there is noone to profit from Wikileaks' work, and that Wikileaks isn't about profit? The foundation itself may be non-profit, but there are entities outside Wikileaks who will stand to profit from whatever they reveal - or profit from notoriety or from writing books and casting various media about the subject --- there will be winners and losers, AND the people who have some notion about what Wikileaks will reveal may be positioning themselves to be financial winners, and people who think they will be the winners may be helping Wikileaks.

    It's not as simple as Government = supporting profit, and Wikileaks = supporting no profit.

    Of course destroying profit or having no profit is anti-capitalist, anti-urban, and pro-agrarian and substinence farming society.

    To that I say... if you don't like profits: then run out to the wilderness, and build yourself a farming commune, in which nobody owns anything.

    As for the rest of us... we live in a world where economic gain influences every activity in life -- including political activism, and including organizations such as Wikileaks.

    Hint: If you know Wikileaks is about to release something damaging to some enterprise... then foreign investors can enter into various options, futures positions, and other trades, that will net them billions if Wikileaks discloses the right thing on the right day.

  16. Re:If you program it correctly on Colorado Teen Designs Robotic Arm With 3D Printing · · Score: 1

    There's the problem, making something that looks like a prosthetic arm is the easy part. Programming it to make it work, as well as ensuring that it is durable enough for an arm is the remaining 90% of the work he has to do.

    3D Printer: $1000
    CAD Setup for designing the models: $2995
    Plastic filament: $100
    Servo mechanism and electronics for arm: $150

    Licensing of the software required to make the arm do what it's supposed to do: Priceless.

  17. Re:Since when are digital projectors thousands? on The Death of the American Drive-in · · Score: 1, Informative

    Well, good news then. A SMALL drive-in screen is only 60 feet by 30 feet, so your 150 dots-per-inch requirement would only necessitate a projector with a resolution of 108,000 by 54,000. How much is that unit?

    The DPI as a measure of video dot density for video projection is not a measure of density on the physical screen.

    This has to be measured from the position of the viewer, who is not standing directly in front of this 60' x 30' screen -- they are in fact some distance away from it. So this "60' x 30'" screen appears to be much smaller than its actual size --- the farther away the screen is from the viewer, the smaller the screen will appear.

    The video DPI or samples per inch, is measured as the density of the dots on the virtual screen directly in front of the viewer, after accounting for the distances, which is a small fraction of the size of the physical screen.

  18. Re:Hey look at us, we are still relevant! on Wikileaks Releases A Massive "Insurance" File That No One Can Open · · Score: 4, Insightful

    If their "mission" is openness - and the info is that damning - shouldn't they be publishing it? I mean, isn't that sort of the point of Wikileaks? Or just attention whoring?

    I suspect they will expend a lot of hours working with outside entities to redact the documents of information that would threaten their sources or private citizens or anyone's life before releasing them, and getting their fans to mirror encrypted files is an "Insurance policy" ---- where powerful forces working against Wikileaks may become aware of the leak; Wikileaks folks have probably designed some elaborate scheme, contingency plan, or something strange of that nature to get the keys released in case of emergency: corporate or government interference, coercion, arrest, or kidnapping of the Wikileaks folks working to release redacted documents.

    Getting 400 gigabytes of data uploaded to the internet in a pinch is no easy task.

    But posting a 100 KB key far and wide to unlock 400 gigabytes of pre-distributed data, is a trivial thing.

  19. Re:Since when are digital projectors thousands? on The Death of the American Drive-in · · Score: 1

    Your 30 quid projector can display 300GB JPEG2000 files at 4096 x 1260 video at 24 frames per second with 12 bits each of red, green, and blue per pixel, and 16 channels of uncompressed audio at 24 bits and 48 kHz or 96 kHz sampling?

    You have to pay two to three times as much, but not 20 times as much for a higher end unit that can do all that.

    I dont believe a drive-in needs more than 150dpi on the screen

  20. Re:Since when are digital projectors thousands? on The Death of the American Drive-in · · Score: 1

    boiled down to MPEG-4 on an encrypted harddrive — is how the films are being sent to theatres.

    it occurs that if the projectorion changes are so expensive, and so many theatres did not upgrade; perhaps there is a market for a company to receive the MPEG4 hard drives; play the content -- convert it to 35mm, and ship them both back to the theatre....?

  21. Re:Eliminating 20% time not the answer on The Decline of '20% Time' at Google · · Score: 1

    This is already part of their regularly scheduled work. It's easy to sell research and enhancements to an existing product, and there's staff to do it. This is a non-issue.

    If Google's like most companies -- there will be some small closely-knit team maintaining or "owning" each product or project, with a limited world view, unquestioningly following some arbitrarily selected leader (or "boss") who has come up with some cloudy vision for what the product should become that might or might not in reality be a good thing -- and might or might not in reality make the product more appealing to the customer.

    Team making only the changes to the product "approved" (and therefore required) by management. And aggressively defending their territory -- no one off their team dare tinker around a bit trying to find enhancements to their part of the sandbox.

    The project team may even if sometimes those changes aren't so useful - counterproductive in fact -- or might be at odds with what the customer actually wants; despite that, as long as their changes match what management has approved, they win their performance gold stars.

    If real innovation is to happen, there must be more freedom for ideas to be tested out by anyone in the company, not just the Gmail team improving gmail as part of their regularly scheduled work.

  22. Since when are digital projectors thousands? on The Death of the American Drive-in · · Score: -1

    I do believe I picked up a brand new digital projector not too many years ago, and the charge from the online retailer was about 30 quid.

    So why do they say tens of thousands?

  23. Re:Eliminating 20% time not the answer on The Decline of '20% Time' at Google · · Score: 1

    No because they are busy just keeping afloat and putting out fires to match the MBA's metrics. If you spend time developing Chrome or Gmail then you get a poor performance review of your work on Google Gears/Search/etc and get shown the door.

    It sounds like those MBAs are leeches on a successful engineering company.

    You can run a profitable engineering business without MBAs; so I would say fire the lot of them, and put engineers on the management team to make the decisions about performance.

  24. Re:Eliminating 20% time not the answer on The Decline of '20% Time' at Google · · Score: 2

    Chrome and gmail never would have become a reality with that mindset.

    Why not? A minimum of 1% of any profit that would not exist without Gmail every year should be reserved for the folks who did meaningful work on it using their 20% time; even if they are no longer Google staff.

    That sort of incentive structure would make efforts by employees to develop products like Chrome and Gmail a practical certainty.

  25. Re:What you can be sure it will include on IPTV Providers To Pay Same Regulatory Fees As Cable Companies · · Score: 1

    FCC licensees, not people who happen to have random content licenses with third parties.

    What comes to mind then is that ATT could just create a new company who won't be a FCC licensee. Transfer the content licenses to the new company

    Setup an exclusive agreement with a cross-marketing deal and a piggybacking arrangement.

    Update the uverse product and the fine print -- so you have uVerse including a broadband service provided by ATT

    An IP (Internet protocol) service provided by an exclusive contracter of the other company using ATT's broadband network; with a cross-marketing deal for the IP service, and a service level assurance (A percentage of each subscriber's broadband connection reserved for IP traffic exclusive to the provider).

    And finally, the product includes video service on top of the IP network; again with a company that has a deal with the company buying the IP service from ATT.

    And through some complicated network of contractual framework, a 3rd party "service company" provides the installation services for the product on behalf of all 3 companies.

    And most of the benefits get transferred back to ATT shareholders.

    Thus you wind up with a video service that looks exactly like cable: provided by a company who is not a FCC licensee.