Slashdot Mirror


User: Jah-Wren+Ryel

Jah-Wren+Ryel's activity in the archive.

Stories: 0 · Comments: 11,071

Comments · 11,071

  1. Uh no, I'm citing the judge's own words supporting his opinion as to why the crime was egregious. Take up your analogy with him.

    TL;DR Woooosh!

  2. Why does everyone keep calling him "the kid"? He's 26 years old. Just because he's a student doesn't make him some naive, innocent minor - he clearly knew what he was doing...

    I think it was pretty much the definition of naive for him to think that he could keep doing this vigilante white-hat stuff without some corp with too many lawyers eventually coming down on his ass as hard as possible.

  3. You clearly didn't read my entire post. The security hole has to be fixed either way. But now there is a 'data hole' as well.

    That's where your safe analogy falls down. The "data hole" is there either way too - just because they caught him doesn't mean they would necessarily have caught a black-hat.

    If the real-world safe isn't obviously broken into then you can be reasonably confident it was not compromised - no such assumption can be made about electronic records. Incidentally this is the same class of problem that exists with electronic voting fraud - unlike most forms of physical vote fraud it is entirely possible that any sort of electronic vote tampering will leave no telltale trace behind.

  4. There is a common sentiment on Slashdot that whatever good intentions a company may have, its gathering of data without permission constitutes both a violation and a risk. That risk being the potential for the data in their hands to be compromised by yet another party. Can this logic not also apply to this Glenn and his company as well?

    I believe you have misstated the problem that many here have with massive data collection policies - it isn't specifically the policy of collection that is the problem, it is the imbalance of power.

    The megacorps doing the collecting already have disproportionate power compared to the individuals whose data they are collecting and the more data they collect the more power they can exert specifically over those people being surveilled. One ostensibly white-hat hacker has basically no power over facebook, even if he uses some sort of failure in their system security to multiply his leverage - a million times nearly nothing is still barely anything.

  5. Re:Uhh on UK Student Jailed For Facebook Hack Despite 'Ethical Hacking' Defense · · Score: 5, Insightful

    This guy had no business doing what he did. AFAIK you need a signed agreement with the company in question to perform penetration testing, otherwise it's illegal, no matter what your motivations are.

    While that may be true, that doesn't appear to be the judge's rationale for convicting the kid.

    It sure sounds like the judge is rationalizing the ostrich strategy when he says that the kid's actions had 'real consequences and very serious potential consequences' for Facebook. Those consequences existed not because of the kid's actions but because of facebook's security failings. Even if the kid had done nothing, those vulnerabilities would still be there and facebook (and more importantly facebook's users) would have faced just as much, if not more, risk than they did if the kid had done nothing.

  6. Re:JotForm takedown on Is the Government Scaring Web Businesses Out of the US? · · Score: 4, Interesting

    Sounds like a good reason to leave GoDaddy, IMO.

    Sounds like a good reason for a decentralized name resolution system.

    While GoDaddy are a bunch of scummy toadies, they aren't the real problem. The real problem is the tendency of those in power to abuse their power. Today it is the secret service and godaddy, tomorrow it could easily be some other government and some other DNS provider.

    Ultimately the only solution is to decentralize name resolution. Sure that comes with a whole host of problems on its own, starting with trust and reliability. But the current hierarchal DNS is just such an easy single-point-of-choking that it is inevitable that the powerful will abuse it.

  7. Re:4:3 comes back! on iPad 3 Confirmed To Have 2048x1536 Screen Resolution · · Score: 1

    I've been waiting for resolutions and refresh rates to catch up to what they were a decade ago ever since we made the switch to widescreen flatpanels.

    Me too. Too bad for me that the year it finally starts to happen is the year I start needing to wear glasses in order to see fine detail up close.

  8. Re:Am I the first to call BS? on How Companies Learn Your Secrets · · Score: 5, Insightful

    Ultimately, it would be easy to get freaked out by all this, but let's remember what this information is used for: to send you coupons you'd actually want to use. That's the whole thing. Dial back the paranoia a bit.

    See, that's the thing. Once they've collected all this data and made all these cross-references there isn't anything preventing the data from being used for other reasons. Kind of like the way driver's licenses and social security numbers were not initially intended to be a form of identification. Yet once they became widespread it was just so easy to repurpose them.

    Same thing with all of these marketing-driven data collection systems - once they've got a ton of data in them it is pretty much inevitable that someone is going to try and use them for something else. It is just too valuable for people to ignore.

  9. Re:Am I the first to call BS? on How Companies Learn Your Secrets · · Score: 4, Interesting

    I don't have the original article that tipped me off, but here is one from 2008 that talks about the early stages of the program.

    http://newsbuster.com/pages/Mar08/03_14_08_target_creates.html

  10. Re:Am I the first to call BS? on How Companies Learn Your Secrets · · Score: 1

    Have you ever checked your mail? Notice how it's literally full of completely untargeted advertising? If that's profitable, how could this possibly not be?

    The question is if it is more profitable and more profitable enough to justify all the overhead. At $100B valuation for facebook obviously some people think that is true. But I wouldn't be surprised at all if it turns out to be yet another case of regression to the mean. That once we've all been inculcated to massive personalized advertising campaigns they will lose most of their effectiveness.

  11. Re:Am I the first to call BS? on How Companies Learn Your Secrets · · Score: 4, Interesting

    Pay cash. That ends their data mining at Target (and Walmart, and everyone else).

    Don't count on it. For one thing Target has been installing license plate scanners in all their parking lots - ostensibly for "customer safety." But if you are in the habit of purchasing the same combination of products on most of your trips to the store all they need to do is compare that "purchase fingerprint" with the list of cars in the parking lot at the time and after a few iterations they will be able to link your license plate with your purchasing habits.

  12. Re:Creepy, but it used to be more common on How Companies Learn Your Secrets · · Score: 4, Insightful

    So the retailer loaded up on all the wacko, high mark-up accessory pieces for my wife's china pattern and every time my aunt came into the store she would get the sales pitch for a soup tureen or something. This went on for years.

    I think that's a great illustration of the problem here - Target and all the other companies that are using "targeted advertising" are going beyond simply providing a service to actively trying to manipulate people. Advertising to inform is good, advertising to convince people to spend money on products they wouldn't otherwise purchase is bad.

  13. Re:"The GPS is there in case you need to dial 911! on Indian Government To Track Locations of All Cell Phone Users · · Score: 1

    911 calls have always required the relaying of location otherwise the system would be wireless.

    I think you mean "worthless" not wireless.

    The thing is, before ~1995 few if any phones had location functionality, but you could still call 911 and tell them where you were. I would very much like to see a report of the number of 911 calls where the caller could not tell the operator his location (they always ask in case the computer is wrong). At which point we could have a debate over whether that number of cases justifies the extended cost in both dollars and privacy risk of the system. I've looked for such information in the past and strangely enough it doesn't seem to be made public.

  14. Re:What will happen? on Indian Government To Track Locations of All Cell Phone Users · · Score: 2

    You have forgotten that the vast majority of criminals are utter and complete morons. I have a friend who is a RCMP officer and you'd be amazed with his stories of criminal idiots.

    The thing about that argument is that those guys would almost certainly be caught with current methods since they are idiots; after all, chances are they screwed up in plenty of other ways too.

  15. What will happen? on Indian Government To Track Locations of All Cell Phone Users · · Score: 3, Insightful

    Seems pretty obvious to me that the biggest result will be that people who are actual criminals will take pains to either turn off their cell phones, use stolen phones or just go without any time they are doing something criminal.

    Meanwhile all the regular people are now even more at risk of the government or anyone else with access to this information like ex-boyfriends at the telco using this information against them.

  16. You can embed JPEG album covers in an MP3.
    I seem to recall at least one historical bug in libjpeg that allowed a pathological jpeg file to cause a buffer overflow and execute arbitrary code.
    So, in the admittedly unlikely case of mp3 software with an old version of libjpeg trying to display a malicious album cover, it could be made to happen.

  17. Re:The problem with AT&T's throttling policy on AT&T On Data Throttling: Blame Yourselves · · Score: 1

    Obviously the best (and only) way to push back is to use as much data as possible on an unlimited plan, driving the ceiling upwards.

    Somebody should write an app for that -- once you get to that point where you're throttled, it just burns as much bandwidth as it can 24x7 for the rest of the billing cycle.

  18. Re:Ads can still be relavent on Will "Do Not Track" Kill the Free Internet? · · Score: 1

    I meant "don't become the single-sign-on of choice"

  19. Re:Ads can still be relavent on Will "Do Not Track" Kill the Free Internet? · · Score: 1

    The darwinism works as long as facebook or another of its ilk becomes the single-sign-on of choice, then it becomes a lot easier for average people to always get the "logged in" experience.

  20. Re:Targeted ads built the Internet on Will "Do Not Track" Kill the Free Internet? · · Score: 1

    I don't think people truly realize how much money will dry up without targeted advertising.

    Necessity is the mother of invention. If all that stuff is worthwhile, then someone will come up with a way to make it work.

    For years I've been saying that advertising has destroyed any chance of getting a functional micro-payment system in widespread use. For all intents and purposes, targeted ads are micro-payments, the only part missing is where we pay with money rather than our privacy.

    If targeted ads go away, maybe we'll get a system in its place that makes it feasible to pay fractional pennies to websites we frequent. That might even be better for them compared to the way it's now where people like me block all ads and all trackers and thus the only good I do by reading a website is to recommend it via word of mouth to my friends who I have not yet taught to run ad-block.

  21. Re:Ads can still be relavent on Will "Do Not Track" Kill the Free Internet? · · Score: 2

    If a site wants to track me all they need to do is offer me a compelling feature that requires that I sign in.

    Be careful, that sort of thing can lead to websites deliberately suckifying their non-logged in version.

    For example, a few years ago IMDB dumbed down the way people can read their discussion forums. If you don't log in, all you can do is see the posts linearly. Log in and now you can see them in other formats, like threaded. The exact same URL for threaded mode goes to linear mode if you don't log in. It used to be that anyone could read the discussions in threaded mode, but IMDB arbitrarily took that away in what (I presume) was an attempt to convince people to log in.

    To a marketing sycophant, arbitrarily holding back functionality is the same thing as providing extra features to "members" no matter how petty it appears to regular people. I wouldn't want to see the web in general go the way of IMDB's pettiness.

  22. Re:No mods?... on An Open Alternative To Kickstarter · · Score: 4, Insightful

    That sort of thing happens in the real world often enough too; it is a, maybe even the, classic con.

  23. Re:A second just Justice.... Please on Journalist Arrested For Tweet Deported to Saudi Arabia · · Score: 1

    Yes, it is somewhat different because none of the following stories will lead to state executions, but it's a little surprising how easily a tweet or something like that can get you imprisoned in the US.

    Where there is far too high of a chance you will be subjected to prison rape, get infected with AIDS and ultimately die a slow painful death. So it may not be a pro forma state execution, but it may still be a state execution.

  24. Re:What about the review process. on Southwest Airlines iPhone App Unencrypted, Vulnerable To Eavesdroppers · · Score: 1

    I don't expect to hear that a vetted app throws my login credentials out there in plain text for all to see. Things like this, along with finding out that iOS gives up my entire address book to an app without asking me first, leaves a bad taste in my mouth and makes me question that review process.

    FWIW, Bruce Schneier has said, on multiple occasions, that he doubts that Apple's "walled garden" approach will do anything much to improve computer security. I think this is one good illustration of why he's probably right.

  25. Re:Much of the world has "illegal speech" on Journalist Arrested By Interpol For Tweet · · Score: 1

    Muslims who live in countries where they don't have the majority, and hence can't define the laws, are not "crazy"

    That's circular reasoning. It is misleadingly easy to single out one characteristic and focus on just that. Look at the Rwandan genocides - the country is roughly 95% Christian and still that crazy shit happened because it served the purpose of the people with power.

    (and even then, "honor killings" for apostasy still happen).

    You are mixing up two different concepts there - "honor killings" aren't about apostasy, they are about preserving the perceived honor of men. And they are associated with backwater tribalism rather than being specifically Islamic - Hindu, Kurdish, even Latino cultures all have problems with honor killings, usually committed against women who are considered property.

    What relation does this have to the issue at hand?

    My point is that when the people in power have an interest in promoting the crazy, much of the population ends up accepting the crazy as normal. Doesn't matter what specific flavor of crazy.