Ah... so you're saying that Megaupload would have legitimate grounds to sue the RIAA and MPAA then? That'd be an interesting thing to see.
Yes... only more interesting thing I could think of is that if evidence came to light very publicly that would give massive numbers of individuals legitimate grounds to sue the RIAA.
For example, if evidence could emerge showing that the RIAA lied to congress, bribed officials, and falsified essential evidence and illegally obtained evidence for every single lawsuit, that both the RIAA management and their attorneys were aware of it, fully complicit, and went to great lengths to keep it secret.
Where is Wikileaks when you need them?
Apparently no leaks at the **AA, or WL is too busy trying to create a diplomatic incident, by publishing Diplomat A's opinion of Country B's ambassador.
Quite frankly, Megaupload's response to this looks to me more like whining than anything else because getting MC to not honor payments to them probably has impacted their business in noticeable ways.
I have two words to describe what an organization pressuring MC to stop conducting business with another company would be called:
Tortious Interference with business relationships.
Yeah we do this on self checkouts here. It seems obvious that it's the most efficient method.
I think the analysis is incomplete for the supermarket situation however.
Consider the case where you have a very large number of people going through the system and 10 or 11 registers.
Consider how much floor space it takes to have 10 or 11 registers.
Consider that a "single queue" to go to all the registers has to live somewhere.
That will mean that there is some non-trivial distance to be travelled from the queue to the next available register.
Eventually the non-trivial distance, means a closer register gets freed up before the shopper can reach the farthest register.
The result.... as the distance the shopper's wagon has to be pushed to reach the farthest register increases,
the less efficient the usage of that farthest register, with there always being a free register that is closer, it will never be used.
Some places yes but I wouldn't say its "the norm" - certainly none of the supermarkets does it and that's where it pisses me off. Stand for 15 minutes in a queue only for someone to open a new till for someone who's hasn't waited at all.
I bet that one person who doesn't have to wait thinks that method is the most efficient.
Keep shopping until an opportunity comes up to get in a short line and be done with it; while the sheep and inattentive continue to wait in line for long periods of time, which means they're not interfering with your ability to get checked out and done quickly.
A good application wouldn't allow a user to create a "weak" password. It would check that it had X character, a few upper cases, some symbols, some numbers
Because Abc123. is a great password? And users will never write down complex hard to remember passwords that they have to change frequently?
Trying to make up for a poor authentication method by externalizing a burden upon users of the software is bad design.
Kind of like the plumber who designed your house's piping saying... "Oh, by the way, make sure to always keep a pan under this sink and periodically dump it outside. Otherwise it will fill up with water seeping from the sink's drain pipe."
And then somehow claiming when the pan overflows that it's the user's fault, not bad plumbing.
it would also disable the account after the user failed to enter the password a few times, completely eliminating the ability to brute force the passwords.
Because legitimate users always remember their strong passwords perfectly never typo their strong password a few times?
Because bad guys never take advantage of account lockout mechanisms to annoy the legitimate user?
Okay then. What should they use to rebuild the compiler?
This is called the 'bootstrap'. A couple pieces of software written in machine language whose sole purpose is to compile the compiler.
The alternative is to hand-compile the compiler, by having a human read off the source code and manually translate by hand each function into machine language. A very time consuming process, and only feasible with fairly simple compilers.
However, you can use a very simple compiler to compile a more complex compiler.
For example, you can write your C compiler in a subset of C that can be compiled by a more primitive compiler.
If they can get a backdoor built into the compiler used to build the binaries for the general releases, the backdoor doesn't have to be anywhere in the source.
This is why they should rebuild the compiler from source for every release, and make sure to publish the source code to that compiler, as well as the low-level code used to bootstrap that compiler, and always use a boot CD from the previous release to verify that the bootstrap compiler binary has not changed from the original version.
The initial bootstrap for the system compiler is the real problem -- a backdoor hidden there could propagate itself into all binaries generated by it.
And since it basically has to be written in machine language, whether the binary bootstrap is an assembler or lightweight C compiler, it is the perfect place to hide code.
I hope that he's right, but without a thorough audit, who can say?
The whole scare behind crypto backdoors is they can include sidechannel leakage, and they can include subtle leakage through the underlying drivers. Which can amount to elaborate timing vulnerabilities and other types of vulnerabilities intentionally introduced that are poorly understood by developers in general.
Remember... even though the crypto in the SSH protocol was perfectly sound, as you were typing a password in SSH; a timing attack could be used to assist an attacker in guessing the password typed. For example, the minute timing between keystrokes can identify some passwords that are much more likely to have been typed than others, reducing the attack required to something much easier than brute force.
You can have a backdoor without even revealing the key material or having an obvious vulnerability; all the 3 letter agencies need is a mechanism of reducing the work to crack the key to something much less than brute force.
If the operation of the cryptosystem in any way makes the key easier to get than brute force, then the attacker's work is massively reduced.
In other words, it's so subtle that even a thorough audit cannot say, and a complete rewrite of the code would be required to guarantee no intentionally backdoors by the original authors (though it won't guarantee no backdoors by the new authors. and it definitely won't guarantee no subtle vulnerabilities)
It's possible can be no visible error for an audit to discover, and yet, the way the code is structured, could cause information to still be vulnerable through essentially a form of compromising virtual emissions.
Sneaky Reveal is their own proprietary encryption algorithm.
Which you should not trust, because it has not been through cryptanalytic rigor and attack attempts by the community at large.
They can publish their "Sneaky Reveal" algorithm details, and then, maybe we can take a look at it and see if the algorithm is cryptographically strong, or if it's just smoke and mirrors.
So all you have to do is scrape the paint, and wire in a little LED and resistor, and you have a free lit case? Thanks Amazon !
I'm still working out how I can use this feature to attach a strip of metal to the outside of my cover, so if someone tries to steal my Kindle, they'll get zapped when they try to touch the case.
I'm also trying to work out a method of stuffing some higher-capacity SLA or Lithium ION batteries in the case, so I can keep the Kindle running for longer, and make sure it can deliver the mAh required to stun a would-be thief
I understand the right to face my goddamned accuser(s) and that includes people looking at evidence and saying "This is illegal."
As an employee fed, non-elected official, the public has no 'right to see his face'. Which in fact can compromise undercover work agents sometimes perform and put their lives at risk.
If you are charged with a crime, and you go to trial, then you have a right to face your accusers in court. There is no right of an accused to personally face their accuser outside the courtroom; even attempting to do so anyways might be a criminal act, in some cases.
Also, the identity of witnesses may be concealed or masked from the accused in some rare cases, at the discretion of the court.
*ANY* respectable college would have sussed the integrity of this person, found it to be lacking, and immediately have rejected him.
That is rather presumptuous. There is perhaps just about as much evidence that the integrity of this person in college was lacking as he had to would have judge the activities illegal.
Falsification of evidence. Try again.
Reliance on inaccurate information, misinformation, and misunderstanding is not falsification of evidence.
Not, it's entirely his fault for not having the integrity to do some real research instead of relying upon some 'handlers.'
The fault still lies with his superiors for granting him discretion he was not qualified to have. The supervisor owns the results of what their charges do, and I would say the supervisor should perhaps be fired.
The private sector is not much better, we have RI** and the MP** who both share the worst characteristics of three of those federal agencies, and have their own negative characteristics such as greed to add to the equation.
I want to know the identity of this rookie college moron.
Sorry, as a fed law enforcement officer, he has special privacy protections, against having identity info published. You do understand... there are too many risks, related to what criminals could do if they got ahold of police officers' private real-life identity details.
I also want to know which college trained him, so I can make sure to tell everybody to avoid that garbage establishment.
Slander against his college?
Next, since this was based upon false evidence, I want to see him, and those responsible for handling him, sued into oblivion.
He is not personally liable for such errors he makes on the job, due to limited liability.
Government officers can't be sued personally for decisions they make in their government capacity; there are only very limited circumstances in which he would actually be personally subject to suit under the current system.
This shit is getting to a breaking point.
I agree. However, it's not his fault; its the fault of bureaucrats, his superiors, and others who allowed the system to exist in its current form, where one newbie could so easily be allowed to innocently cause such a huge breach of the public trust..
So why the hell don't they just charge back the transfer to the scammer???
In reality, probably because the scammer convinced the victim to pay them using a faster transfer method than cheque, or one that had fewer protections, such as an international next-day wire. By the time the banks realized something was wrong, the payment was already unable to be recovered.
If the victim wrote a cheque and signed it, the instrument is valid, and could not be charged back on the basis of being altered or forged, because it was not.
Check charge-backs are not as liberal as CC charge backs. A check cannot be dishonored due to defective merchandise, for example.
Checks can be dishonored because the instrument was forged, not signed by the correct person, or not endorsed properly.
Checks cannot be dishonored after the fact because the signer had a change of heart and wants the money bank, or found out they don't have the money to pay after all.
Facebook allows way too much communication and freedom. Both are dangerous to their regime.
With enough money to be made: I am sure FB will find ways of adapting to meet China's requirements or at least reach a compromise, probably involving FB taking definitive actions to assist government spying and government censorship.
I don't tweet about going to the bathroom, nor do I feel it makes any sense to push links out and let people know what I've tagged. But I might pull them - I know that Jim Somebody does vaguely what I do so I check out what he might have tagged as X and Y.
Ok... well, you using a local flatfile, or local software application for your bookmarks certainly does not exclude you using another site for pull; obviously SOMEONE has to share bookmarks for you to be able to pull them. You probably don't have too much control of how your friends store/publish their bookmarks, either.
You will just need to convince your friends to use the same Delicious alternative, or pulling the information could be quite a pain.
Except delicious isn't bookmarks. Outlook has folders and mail goes in to folders, gmail has tags and mail gets tagged. In the same way, bookmarks have a hierarchy, delicious tags do not.
The concept of "Bookmarks" is not an organizational scheme. You can find software to organize them hierarchically or not.
I for one use bookmarks, apply tags to them, and they all get left in the Firefox "Unsorted Bookmarks" store anyways, all 3000 of them.
doesn't mean what practically the entire non-bank employed population thinks it does goes a long way to showing that banks are becoming a cancer.
Practically all the population will never submit a check that provisionally clears but then gets dishonored instead of being paid.
Most people are just interested in knowing they have access to the money, so they can make withdrawls.
It's kind of like going to the doctor for a checkup and having him tell you "You have a clean bill of health". Of course that's no guarantee you have no dormant disease and won't get sick the next day.
I assume the outliers are so rare that the banks would deem it a waste of time to try to clear up a misconception that has such a highly technical inaccuracy that rarely matters, assuming the bank employees that talk to the customers even understand.
Because it can take the account holder weeks to get their statement, see that someone has presented a fake check against their account, and cause the transaction to be dishonored. If this happens, the depositor who deposited the bad check doesn't have the right to the money, even if their account had been credited.
Being "totally clear" is not about moving money permanently; that is final settlement,
when the bank says your check cleared they mean it has passed provisional settlement.
Being totally clear is about agreeing to move money, and there being no issues.
Since it can take days before a review occurs or issues are reported, 10 seconds is not reasonable for settlement to occur. Even credit card transactions do not make provisional settlement so quickly, it takes 24 hours,
and of course is not final until approximately 60 days, before that time the CC issuer has CHARGE-BACK rights, just as the bank paying a cheque has a CHARGE-BACK right.
There is nothing at all in the law that prevented the bank from telling him it was "cleared" but still subject to being pulled back.
Of course it would be nice customer service... but he should not rely on it.
Bank customer service went down the toilet a long time ago when regional banks started getting consolidated by these faceless national conglomerates.
If you want to be safe legally, you need to know something about the law, or consult with your lawyer.
If 500,000 grand is on the line, it seems appropriate to at least have a quick conversation with one.
Bank tellers definitely are not required to inform you of all your legal rights, or warn you about any risk(s) you might be running into.
If you read the article you will notice the victim tried to be cautious. He deposited the check into his bank account. He later verified with the bank that the check had cleared.
The problem is that's not "being cautious" or the victim does not understand what "cleared" means; "cleared" items are only really certain to go through if they are bonafide, and the paying bank is solvent. If he were being cautious, he would have required a bank wire or certified funds, or he would have understood the paying bank has a RIGHT of CHARGE-BACK, and waited longer.
He would at the very least understood the "cleared" merely means the check was presented for payment and payment acknowledged by the paying bank, does not mean the funds are guaranteed, or that no issues are going to be raised, if the item is reviewed, or fraud is suspected.
The paying bank can change their decision and reject the transaction at any time during the settlement period according to local laws, after the check cleared.
Under the law, banks are not responsible for negligence, errors, misconduct, or default, by the other bank or other parties to the transaction.
The unavailability of funds to cover the invalid instrument is not the depositor bank's responsibility,
it is up to the victim to seek recourse against the writer of the invalid check, and the initial "clearance" of the item does not relieve the depositor of liability.
Obviously, as can be seen here, "Cleared" means only that the transaction has cleared the banks' books, and provisional settlement of the transaction is completed; in his haste, he neglected to wait the longer waiting period, to ensure the item dispute period had sunsetted, and obtain confirmation of final settlement of the transaction.
Ah... so you're saying that Megaupload would have legitimate grounds to sue the RIAA and MPAA then? That'd be an interesting thing to see.
Yes... only more interesting thing I could think of is that if evidence came to light very publicly that would give massive numbers of individuals legitimate grounds to sue the RIAA.
For example, if evidence could emerge showing that the RIAA lied to congress, bribed officials, and falsified essential evidence and illegally obtained evidence for every single lawsuit, that both the RIAA management and their attorneys were aware of it, fully complicit, and went to great lengths to keep it secret.
Where is Wikileaks when you need them? Apparently no leaks at the **AA, or WL is too busy trying to create a diplomatic incident, by publishing Diplomat A's opinion of Country B's ambassador.
Quite frankly, Megaupload's response to this looks to me more like whining than anything else because getting MC to not honor payments to them probably has impacted their business in noticeable ways.
I have two words to describe what an organization pressuring MC to stop conducting business with another company would be called:
Tortious Interference with business relationships.
Have you sworn off shopping at Home Depot and Best Buy as well? Because they do the exact same thing.
Which is what exactly?
I shopped at those places, and never encountered any employee showing evidence of an "every customer is a criminal" mindset.
Yeah we do this on self checkouts here. It seems obvious that it's the most efficient method.
I think the analysis is incomplete for the supermarket situation however.
Consider the case where you have a very large number of people going through the system and 10 or 11 registers.
Consider how much floor space it takes to have 10 or 11 registers.
Consider that a "single queue" to go to all the registers has to live somewhere.
That will mean that there is some non-trivial distance to be travelled from the queue to the next available register.
Eventually the non-trivial distance, means a closer register gets freed up before the shopper can reach the farthest register.
The result.... as the distance the shopper's wagon has to be pushed to reach the farthest register increases, the less efficient the usage of that farthest register, with there always being a free register that is closer, it will never be used.
Some places yes but I wouldn't say its "the norm" - certainly none of the supermarkets does it and that's where it pisses me off. Stand for 15 minutes in a queue only for someone to open a new till for someone who's hasn't waited at all.
I bet that one person who doesn't have to wait thinks that method is the most efficient.
Keep shopping until an opportunity comes up to get in a short line and be done with it; while the sheep and inattentive continue to wait in line for long periods of time, which means they're not interfering with your ability to get checked out and done quickly.
The only thing the masses have against a determined attacker is to be one among the herd.
The problem is the "herd" doesn't use encryption.
Using encryption separates you from the herd.
The herd sends sensitive documents over unencrypted e-mail. The herd sends passwords over unencrypted IM.
The herd uses FTP and WebDAV over HTTP to store/collaborate on documents.
Can't win, I am afraid. Unless your encryption is completely passive and undetectable.
A good application wouldn't allow a user to create a "weak" password. It would check that it had X character, a few upper cases, some symbols, some numbers
Because Abc123. is a great password? And users will never write down complex hard to remember passwords that they have to change frequently?
Trying to make up for a poor authentication method by externalizing a burden upon users of the software is bad design. Kind of like the plumber who designed your house's piping saying... "Oh, by the way, make sure to always keep a pan under this sink and periodically dump it outside. Otherwise it will fill up with water seeping from the sink's drain pipe."
And then somehow claiming when the pan overflows that it's the user's fault, not bad plumbing.
I would suggest you go read So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. and listen to Security Now, Episode #229
it would also disable the account after the user failed to enter the password a few times, completely eliminating the ability to brute force the passwords.
Because legitimate users always remember their strong passwords perfectly never typo their strong password a few times?
Because bad guys never take advantage of account lockout mechanisms to annoy the legitimate user?
Passwords are cheap and easy to understand..
And still the weakest link, even if strong ones are chosen -- they can still be captured on public computers by keyloggers.
Not only that, but 2012 will be the Year of the Linux Desktop also. And that is not a contradiction
It is the year of the Linux desktop.
It has always been the year of the Linux desktop.
Okay then. What should they use to rebuild the compiler?
This is called the 'bootstrap'. A couple pieces of software written in machine language whose sole purpose is to compile the compiler.
The alternative is to hand-compile the compiler, by having a human read off the source code and manually translate by hand each function into machine language. A very time consuming process, and only feasible with fairly simple compilers.
However, you can use a very simple compiler to compile a more complex compiler.
For example, you can write your C compiler in a subset of C that can be compiled by a more primitive compiler.
If they can get a backdoor built into the compiler used to build the binaries for the general releases, the backdoor doesn't have to be anywhere in the source.
This is why they should rebuild the compiler from source for every release, and make sure to publish the source code to that compiler, as well as the low-level code used to bootstrap that compiler, and always use a boot CD from the previous release to verify that the bootstrap compiler binary has not changed from the original version.
The initial bootstrap for the system compiler is the real problem -- a backdoor hidden there could propagate itself into all binaries generated by it.
And since it basically has to be written in machine language, whether the binary bootstrap is an assembler or lightweight C compiler, it is the perfect place to hide code.
I hope that he's right, but without a thorough audit, who can say?
The whole scare behind crypto backdoors is they can include sidechannel leakage, and they can include subtle leakage through the underlying drivers. Which can amount to elaborate timing vulnerabilities and other types of vulnerabilities intentionally introduced that are poorly understood by developers in general.
Remember... even though the crypto in the SSH protocol was perfectly sound, as you were typing a password in SSH; a timing attack could be used to assist an attacker in guessing the password typed. For example, the minute timing between keystrokes can identify some passwords that are much more likely to have been typed than others, reducing the attack required to something much easier than brute force.
You can have a backdoor without even revealing the key material or having an obvious vulnerability; all the 3 letter agencies need is a mechanism of reducing the work to crack the key to something much less than brute force. If the operation of the cryptosystem in any way makes the key easier to get than brute force, then the attacker's work is massively reduced.
In other words, it's so subtle that even a thorough audit cannot say, and a complete rewrite of the code would be required to guarantee no intentionally backdoors by the original authors (though it won't guarantee no backdoors by the new authors. and it definitely won't guarantee no subtle vulnerabilities)
It's possible can be no visible error for an audit to discover, and yet, the way the code is structured, could cause information to still be vulnerable through essentially a form of compromising virtual emissions.
Sneaky Reveal is their own proprietary encryption algorithm.
Which you should not trust, because it has not been through cryptanalytic rigor and attack attempts by the community at large.
They can publish their "Sneaky Reveal" algorithm details, and then, maybe we can take a look at it and see if the algorithm is cryptographically strong, or if it's just smoke and mirrors.
So all you have to do is scrape the paint, and wire in a little LED and resistor, and you have a free lit case? Thanks Amazon !
I'm still working out how I can use this feature to attach a strip of metal to the outside of my cover, so if someone tries to steal my Kindle, they'll get zapped when they try to touch the case.
I'm also trying to work out a method of stuffing some higher-capacity SLA or Lithium ION batteries in the case, so I can keep the Kindle running for longer, and make sure it can deliver the mAh required to stun a would-be thief
It looks like a flaw on the part of the cover maker. Amazon could put some amperage limiting circuitry, but I imagine it would raise the cost.
And it would still hurt the battery life. How about a little switch on the Kindle to "turn the light off" that is set to 'off' by default?
I understand the right to face my goddamned accuser(s) and that includes people looking at evidence and saying "This is illegal."
As an employee fed, non-elected official, the public has no 'right to see his face'. Which in fact can compromise undercover work agents sometimes perform and put their lives at risk.
If you are charged with a crime, and you go to trial, then you have a right to face your accusers in court. There is no right of an accused to personally face their accuser outside the courtroom; even attempting to do so anyways might be a criminal act, in some cases.
Also, the identity of witnesses may be concealed or masked from the accused in some rare cases, at the discretion of the court.
*ANY* respectable college would have sussed the integrity of this person, found it to be lacking, and immediately have rejected him.
That is rather presumptuous. There is perhaps just about as much evidence that the integrity of this person in college was lacking as he had to would have judge the activities illegal.
Falsification of evidence. Try again.
Reliance on inaccurate information, misinformation, and misunderstanding is not falsification of evidence.
Not, it's entirely his fault for not having the integrity to do some real research instead of relying upon some 'handlers.'
The fault still lies with his superiors for granting him discretion he was not qualified to have. The supervisor owns the results of what their charges do, and I would say the supervisor should perhaps be fired.
The private sector is not much better, we have RI** and the MP** who both share the worst characteristics of three of those federal agencies, and have their own negative characteristics such as greed to add to the equation.
I want to know the identity of this rookie college moron.
Sorry, as a fed law enforcement officer, he has special privacy protections, against having identity info published. You do understand... there are too many risks, related to what criminals could do if they got ahold of police officers' private real-life identity details.
I also want to know which college trained him, so I can make sure to tell everybody to avoid that garbage establishment.
Slander against his college?
Next, since this was based upon false evidence, I want to see him, and those responsible for handling him, sued into oblivion.
He is not personally liable for such errors he makes on the job, due to limited liability. Government officers can't be sued personally for decisions they make in their government capacity; there are only very limited circumstances in which he would actually be personally subject to suit under the current system.
This shit is getting to a breaking point.
I agree. However, it's not his fault; its the fault of bureaucrats, his superiors, and others who allowed the system to exist in its current form, where one newbie could so easily be allowed to innocently cause such a huge breach of the public trust..
So why the hell don't they just charge back the transfer to the scammer???
In reality, probably because the scammer convinced the victim to pay them using a faster transfer method than cheque, or one that had fewer protections, such as an international next-day wire. By the time the banks realized something was wrong, the payment was already unable to be recovered.
If the victim wrote a cheque and signed it, the instrument is valid, and could not be charged back on the basis of being altered or forged, because it was not.
Check charge-backs are not as liberal as CC charge backs. A check cannot be dishonored due to defective merchandise, for example.
Checks can be dishonored because the instrument was forged, not signed by the correct person, or not endorsed properly.
Checks cannot be dishonored after the fact because the signer had a change of heart and wants the money bank, or found out they don't have the money to pay after all.
Facebook allows way too much communication and freedom. Both are dangerous to their regime.
With enough money to be made: I am sure FB will find ways of adapting to meet China's requirements or at least reach a compromise, probably involving FB taking definitive actions to assist government spying and government censorship.
I don't tweet about going to the bathroom, nor do I feel it makes any sense to push links out and let people know what I've tagged. But I might pull them - I know that Jim Somebody does vaguely what I do so I check out what he might have tagged as X and Y.
Ok... well, you using a local flatfile, or local software application for your bookmarks certainly does not exclude you using another site for pull; obviously SOMEONE has to share bookmarks for you to be able to pull them. You probably don't have too much control of how your friends store/publish their bookmarks, either.
You will just need to convince your friends to use the same Delicious alternative, or pulling the information could be quite a pain.
Except delicious isn't bookmarks. Outlook has folders and mail goes in to folders, gmail has tags and mail gets tagged. In the same way, bookmarks have a hierarchy, delicious tags do not.
The concept of "Bookmarks" is not an organizational scheme. You can find software to organize them hierarchically or not.
I for one use bookmarks, apply tags to them, and they all get left in the Firefox "Unsorted Bookmarks" store anyways, all 3000 of them.
doesn't mean what practically the entire non-bank employed population thinks it does goes a long way to showing that banks are becoming a cancer.
Practically all the population will never submit a check that provisionally clears but then gets dishonored instead of being paid. Most people are just interested in knowing they have access to the money, so they can make withdrawls.
It's kind of like going to the doctor for a checkup and having him tell you "You have a clean bill of health". Of course that's no guarantee you have no dormant disease and won't get sick the next day.
I assume the outliers are so rare that the banks would deem it a waste of time to try to clear up a misconception that has such a highly technical inaccuracy that rarely matters, assuming the bank employees that talk to the customers even understand.
Why the hell should it take weeks?
Because it can take the account holder weeks to get their statement, see that someone has presented a fake check against their account, and cause the transaction to be dishonored. If this happens, the depositor who deposited the bad check doesn't have the right to the money, even if their account had been credited.
Being "totally clear" is not about moving money permanently; that is final settlement, when the bank says your check cleared they mean it has passed provisional settlement. Being totally clear is about agreeing to move money, and there being no issues.
Since it can take days before a review occurs or issues are reported, 10 seconds is not reasonable for settlement to occur. Even credit card transactions do not make provisional settlement so quickly, it takes 24 hours, and of course is not final until approximately 60 days, before that time the CC issuer has CHARGE-BACK rights, just as the bank paying a cheque has a CHARGE-BACK right.
There is nothing at all in the law that prevented the bank from telling him it was "cleared" but still subject to being pulled back.
Of course it would be nice customer service... but he should not rely on it.
Bank customer service went down the toilet a long time ago when regional banks started getting consolidated by these faceless national conglomerates.
If you want to be safe legally, you need to know something about the law, or consult with your lawyer. If 500,000 grand is on the line, it seems appropriate to at least have a quick conversation with one.
Bank tellers definitely are not required to inform you of all your legal rights, or warn you about any risk(s) you might be running into.
If you read the article you will notice the victim tried to be cautious. He deposited the check into his bank account. He later verified with the bank that the check had cleared.
The problem is that's not "being cautious" or the victim does not understand what "cleared" means; "cleared" items are only really certain to go through if they are bonafide, and the paying bank is solvent. If he were being cautious, he would have required a bank wire or certified funds, or he would have understood the paying bank has a RIGHT of CHARGE-BACK, and waited longer.
He would at the very least understood the "cleared" merely means the check was presented for payment and payment acknowledged by the paying bank, does not mean the funds are guaranteed, or that no issues are going to be raised, if the item is reviewed, or fraud is suspected.
The paying bank can change their decision and reject the transaction at any time during the settlement period according to local laws, after the check cleared.
Under the law, banks are not responsible for negligence, errors, misconduct, or default, by the other bank or other parties to the transaction.
The unavailability of funds to cover the invalid instrument is not the depositor bank's responsibility, it is up to the victim to seek recourse against the writer of the invalid check, and the initial "clearance" of the item does not relieve the depositor of liability.
Obviously, as can be seen here, "Cleared" means only that the transaction has cleared the banks' books, and provisional settlement of the transaction is completed; in his haste, he neglected to wait the longer waiting period, to ensure the item dispute period had sunsetted, and obtain confirmation of final settlement of the transaction.