Slashdot Mirror


User: fulldecent

fulldecent's activity in the archive.

Stories: 0
Comments: 1,034

Comments · 1,034

  1. To add to the discussion regarding 18 U.S.C. 1030, I will note that this website does not affirmatively note anywhere that these photos are to be considered private.

  2. Re:Full Disclosure is the only way... on Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos · · Score: 1

    Thank you, this is the discussion I hoped would come out of this article. Fact is, people on Slashdot are definitely going to stumble onto this type of stuff over and over. I'm glad to run into other people to compare scruples with.

    Hackers (good word) have an instinct. If they run into an awesome API, the first thought is: how do I maximize this across all the limits and make something amazing? But with vulnerabilities, and unintended code paths, you need to step back and understand the consequences of what you are doing as well as the appearance of what you are doing. A comment from Greyfox below illustrates perfectly, "so why don't we take the dick-detection algorithm from Chat Roulette and then plug that into a batch Curl against this Artisan State, and then...". Obviously that was facetious, but you need to avoid certain lines of thinking... "well I know this thing, and I could tell everyone, but they wouldn't want that, and then they have lots of money...".

    At the end of the day, you need to have clear intentions and don't inflate your ego by thinking they are more interested in fixing the problem than you are.

  3. Re:Don't trust any website on Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos · · Score: 1

    Obviously the photos aren't that private (the Asian girl), since I put them on Slashdot's front page. But for the other ones (now seeing the lax security) it will be worth it for me to invest in a good printer and print on my own.

  4. Correct program on Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs · · Score: 1

    I have come across vulnerabilities in consumer products, banks, and governments (though no airplanes). Here is a policy I use and I have not yet gone to jail, have gotten all problems fixed quickly, and usually gotten credit or some reward even if not requested.

      > Hello, I have inadvertently found a security issue in your product, it allows you to do XXX which is not expected. I am publishing this on my security blog in [48 hours / 5 days / 2 weeks].

    Any time I have deviated from this process even a little the results have been much worse.

  5. Find those 1500 apps on Networking Library Bug Breaks HTTPS In ~1,500 iOS Apps · · Score: 1

    Is there a way that I can download en masse apps on the app store to find which libraries they contain and perform other analysis of them?

  6. Say it again on Using Adderall In the Office To Get Ahead · · Score: 2, Insightful

    Here's the response I gave when coworkers at the office asked if I drink coffee:

      > They don't pay me enough to take performance enhancing drugs.

  7. Re:Trus but verify... not on Tor Is Building the Next Generation Dark Net With Funding From DARPA · · Score: 4, Informative

    Speaking with experience on the receiving side of DARPA contract negotiations.

    DARPA projects are not like Kickstarter (BYO vision and get money) or like NIH (have reputation and get money); rather they do require actual competency and demonstrated ability to win them. The projects are managed like real engineering projects, requiring lots of documentation up front, thorough project planning, and plenty of checkpoints. However, aside from this good accountability, they do not exert direction on the projects, prescribe technical solutions, or gain direct contact with your engineers for day-to-day operations.

  8. Wrong solution on William Shatner Proposes $30 Billion Water Pipeline To California · · Score: 1

    Water scarcity in California is a political problem with a political solution.

    To better understand why a pipeline is a non-starter...

    From the perspective of the cashew farmer: would you rather buy cheap water from the local utility or expensive water from the Great Lakes?

    From the perspective of the pipeline investor: would you invest in a project to send water to CA when the people most likely to buy it will have ever more restrictions on water use?

    And now for the solution to this and many problems...

    Simply remove use restrictions and let the market properly set the price of this scarce product.

  9. Sand in the hand on Ten US Senators Seek Investigation Into the Replacement of US Tech Workers · · Score: 0

    Guess what, senators?

    If you won't let me hire foreign workers and bring them here to work on mutually beneficial terms, then I will simply keep them offshore and pay them to work from there.

    Americans are SO uncompetitive for certain types of labor. A few laws won't bridge the chasm.

  10. Re:The real problem is local competition on Google, Apple and Microsoft Squirm As Global Tax Schemes Scrutinized · · Score: 1

    I've never seen a massively large Google logo rolling down any street.

    I have seen real live, taxable Google employees walking down streets.

  11. Re:Horse, cart on Planes Without Pilots · · Score: 1

    Yes... trucks driving on empty roads at midnight

  12. Horse, cart on Planes Without Pilots · · Score: 3, Insightful

    90%+ of comments here have been regarding lack of onboard pilots with commercial passenger flights.

    Naturally, the first offboard pilot flights would be with cargo only. And that is a way more relevant and less sexy discussion.

  13. Cheaper, faster, better, ... on To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses · · Score: 1

    Better solution: include an iPhone and backup battery in the shipment. Use Find my iPhone.

    Or just use FedEx's or UPS's real time tracking :-)

  14. Get off my lawn on How Do You Handle the Discovery of a Web Site Disclosing Private Data? · · Score: 5, Interesting

    I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.

    FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... and usually give the vendor a heads up.

    You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and someone else's bank records came up... then I found out I made a typo", this is a perfectly reasonable story; there is nothing to be afraid of.

  15. 5 and under on YouTube Kids Launches On Android and iOS · · Score: 2

    On iOS, this app is labeled for "kids 5 and under". ... so after 5 it's just rickrolling, goatse and downhill from there?

  16. Re:No more downtime on Live Patching Now Available For Linux · · Score: 2, Informative

    Holy shitsnacks. There are more Archer seasons? I need to step up my piracy.

    We are talking about Archer, right?

  17. Re:The GNU project needs money! on GnuPG Gets Back On Track With Funding · · Score: 0

    GNU is abandonware, which is fine in and of itself. However, abandonware under a GPL license discourages corporate sponsorship.

    End result: the *nix systems we know and love from 10 years ago will be the same exact systems we know and love 20 years from now.

  18. Opposite on The Algorithm That 'Sees' Beauty In Photographic Portraits · · Score: 1

    Related: see also apps that detect whether a photo has been photoshopped. https://itunes.apple.com/us/ap...

  19. Re:Double Irish? TAX ALL FOREIGNERS!!! on Obama Proposes One-Time Tax On $2 Trillion US Companies Hold Overseas · · Score: 2

    The difference is that corporations (US C Corporations) are the imaginary invention of people, and this is also why they should not be taxed.

    I imagine that all my corporations are in a tax-friendly, business-friendly domicile. And if such a domicile does not exist, then imagine harder! This is the present state of corporate earnings management.

    People, on the other hand, receive all the benefits of corporations. These benefits accrue as transactions, wages, dividends. Transactions and, to a degree, wages and dividends, are real, tangible things.

    This is why taxing transactions (i.e. sales tax) can strive to meet standards of fairness and smartness, but taxing corporate profits will always lead to ridiculous outcomes.

  20. iPad is a single-player device.

    The one in my house displays a pop-up when shoes go on sale that my wife wants or whenever a commit hits any of my GitHub projects. Multiply that by about 50 installed apps and this quickly becomes a device that is not fun for anyone.

    But sure, for business users and single people, it is just a big phone.

  21. Fail on Obama Unveils Plan To Bring About Faster Internet In the US · · Score: 1

    This is lip service to people complaining about the real problem.

    And the real problem can be solved by the existing anticompetition and racketeering rules we have.

  22. Re:Stupid on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    > So why isn't every website I browse in plaintext presented with a gigantic red warning page which requires 3 clicks to get through?

    They do, it's called advertisements injected into your page by Comcast when browsing on xfinitywifi wifi hotspots.

  23. Re:503 on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    > And please do not tell me that I should worry about the NSA knowing that I was looking at restaurants.

    Ettercap

  24. Re:Wait what? on US Gov't Seeks To Keep Megaupload Assets Because Kim Dotcom Is a Fugitive · · Score: 1

    "more intended for situations where someone is on the run and unlocatable or in a hostile country with no extradition treaty"

    Don't forget, the US legal system put copyright and security theater offenses near the same level as more traditional capital offenses.

  25. Re:Comcast tried to steal $50 from me on Overbilled Customer Sues Time Warner Cable For False Advertising · · Score: 1

    Download the record-everything app from the Google App store and keep every call when you dial Comcast. Then post all calls onto SoundCloud.