I am aware of that discussion. What I meant by "known" is "the binaries and signatures are in the public" and that means everybody can find out whether an AV product detects it or not. The negative fallout of not detecting it in that situation would be disastrous for any AV company. Sure, initially, they could claim ignorance, but if they insist on non-detection, that would be another story. Also, somebody has to try the malware against the AV products. Not really difficult, one upload to VirusTotal is enough for that.
Of course, as long as the binaries/signatures are not publicly available, AV vendors may get away cooperating with criminally-minded governments.
And there is a lot of mistakes you can make in Java, JavaScript, etc. The point is that errors that the compiler can catch because of a type system violation turn out to be mostly inconveniences that then give you typically non-exploitable run-time errors (except for DoS). Sure, that is not true for all of them, but in the greater scheme of things, static type safety does not lead to more reliable or more secure code. The problem is, as so often, that the more help you give the coder, the less skilled they become and then they overlook more and more bad things that the compiler cannot catch. So any small gain in security and reliability tends to get offset by that, possibly making things worse overall. Or to put it differently: If you leave the training-wheels on the bike, the cyclist will never really learn how to drive that thing.
That test he should have done in a fashion they could not have traced back to him. What he should have given them in evidence (clearly attributable to him) should have had him paying more. The problem is that making a hacking charge stick is a lot easier if the hacker gained something, however small.
They all cooperate to some degree with all larger governments. They do not have a choice, governments have far too much power simply because they are large customers. Assuming otherwise is exceptionally naive. Of course, there are limits. No AV vendor will allow known government malware (US, Chinese, Russian, etc.) through. They cannot afford that. Making it easier for unknown malware is a different thing. In the end, as long as the exposure-risk for them is small, AV vendors will cooperate with the criminally-minded government agencies that modern governments seem to treasure so much. Governments, unfortunately, are yet again in the process of becoming the enemy of not only their own citizens, just like history never happened.
The one thing we can now be reasonably sure of is that Kaspersky will now stop cooperating with the US government, which, in my book, makes their products better than what the competition has.
That way, no accusation of getting financial gain from the "hack" would have been possible.
As to the site, these people are the worst of the worst of incompetents. Even an ElCheapo pen-test would have found that problem. Likely the hugely inflated price for system maintenance goes to some equally incompetent and thoroughly corrupt friend or relative of the CEO and that would also explain the brain-dead reaction.
Got to love the utter stupidity of some people here. I will not tell you where you fail, because you and the OP would make a nice addition to the permanent prison population.
Of course, almost none of those that fail that introduction course once and none that fail it several time will ever get those six figures. Looks like "The Non-Programming Programmer" will turn into the same type of classic as "The Mythical Man Month": Describes the problems very well, does so early and gets mostly ignored.
Good luck with that. All you need is a prosecutor out for blood and a stupid jury. Both are easy to come by. And, incidentally, US law is not the only on the planet and there may well be some where this is criminal.
That is my reading also. Local part has to be syntactically valid as to RFC2822, but how I interpret it on my MTA is completely up to me. I do not even need to interpret it at all, I can deliver all mail to one mailbox if I like.
Agree on the stupid. It is really staggering what levels of non-understanding some people reach.
I do bounce emails though, it is the right thing to do. Let them threaten. The ones that are not morons will actually be glad that they got that email back were they mistyped the domain. I know that I am.
That may make you look pretty stupid when they file a criminal complaint against you. The proxy does not help, or have you forgotten that they have your email address?
I second that. Only thing that will help long-term and that will not cause additional problems. Might be a good opportunity to improve your mail-filtering though.
You probably have not looked right. There are basically no "C coder" jobs, but there are a lot of "expert in xyz and can also code c". Jobs that primarily ask for coding skills in one language are just for code-monkeys that will go unemployed in the not-too-distant future when the next hype comes along.
Very much this. A competent coder understands that tabs are not defined the same everywhere and just cause problems, and hence just disables them in the editor used. It is also extremely easy to replace them with proper spaces if you know how wide they are supposed to be in a piece of code.
Anybody that really has a problem with this should not be let near program code as they are just incompetent.
That comment just shows you have no clue. Statically typed languages are not superior to dynamically typed ones ones. Statically typed is a bit better for beginners, but then it stands in your way. Static type safety is just an older hype from the "lets make a language that any moron can code in" crowd, and it basically never delivered on most of its promises.
Kind of tells you whether you should use it now. And kind of makes checking all the fantastic statements made by the fanbois pretty hard. (Not that it is unclear that most are alternate facts....)
I am aware of that discussion. What I meant by "known" is "the binaries and signatures are in the public" and that means everybody can find out whether an AV product detects it or not. The negative fallout of not detecting it in that situation would be disastrous for any AV company. Sure, initially, they could claim ignorance, but if they insist on non-detection, that would be another story. Also, somebody has to try the malware against the AV products. Not really difficult, one upload to VirusTotal is enough for that.
Of course, as long as the binaries/signatures are not publicly available, AV vendors may get away cooperating with criminally-minded governments.
And there is a lot of mistakes you can make in Java, JavaScript, etc. The point is that errors that the compiler can catch because of a type system violation turn out to be mostly inconveniences that then give you typically non-exploitable run-time errors (except for DoS). Sure, that is not true for all of them, but in the greater scheme of things, static type safety does not lead to more reliable or more secure code. The problem is, as so often, that the more help you give the coder, the less skilled they become and then they overlook more and more bad things that the compiler cannot catch. So any small gain in security and reliability tends to get offset by that, possibly making things worse overall. Or to put it differently: If you leave the training-wheels on the bike, the cyclist will never really learn how to drive that thing.
That test he should have done in a fashion they could not have traced back to him. What he should have given them in evidence (clearly attributable to him) should have had him paying more. The problem is that making a hacking charge stick is a lot easier if the hacker gained something, however small.
They all cooperate to some degree with all larger governments. They do not have a choice, governments have far too much power simply because they are large customers. Assuming otherwise is exceptionally naive. Of course, there are limits. No AV vendor will allow known government malware (US, Chinese, Russian, etc.) through. They cannot afford that. Making it easier for unknown malware is a different thing. In the end, as long as the exposure-risk for them is small, AV vendors will cooperate with the criminally-minded government agencies that modern governments seem to treasure so much. Governments, unfortunately, are yet again in the process of becoming the enemy of not only their own citizens, just like history never happened.
The one thing we can now be reasonably sure of is that Kaspersky will now stop cooperating with the US government, which, in my book, makes their products better than what the competition has.
That way, no accusation of getting financial gain from the "hack" would have been possible.
As to the site, these people are the worst of the worst of incompetents. Even an ElCheapo pen-test would have found that problem. Likely the hugely inflated price for system maintenance goes to some equally incompetent and thoroughly corrupt friend or relative of the CEO and that would also explain the brain-dead reaction.
Got to love the utter stupidity of some people here. I will not tell you where you fail, because you and the OP would make a nice addition to the permanent prison population.
Of course, almost none of those that fail that introduction course once and none that fail it several time will ever get those six figures. Looks like "The Non-Programming Programmer" will turn into the same type of classic as "The Mythical Man Month": Describes the problems very well, does so early and gets mostly ignored.
It is not. There are just a lot of people around too stupid to read and understand it.
Good luck with that. All you need is a prosecutor out for blood and a stupid jury. Both are easy to come by. And, incidentally, US law is not the only on the planet and there may well be some where this is criminal.
Depends on the spam-filter, really.
Indeed. I run my own mail server, but if I were not, I would still pay for an account and probably a domain for my email.
That is my reading also. Local part has to be syntactically valid as to RFC2822, but how I interpret it on my MTA is completely up to me. I do not even need to interpret it at all, I can deliver all mail to one mailbox if I like.
I agree to that. Incompetence is the only thing the human race has in unlimited supply.
This does not go to court. It goes to ICANN arbitration. And unless it is a valid complaint, it will just get rejected directly.
Agree on the stupid. It is really staggering what levels of non-understanding some people reach.
I do bounce emails though, it is the right thing to do. Let them threaten. The ones that are not morons will actually be glad that they got that email back were they mistyped the domain. I know that I am.
That may make you look pretty stupid when they file a criminal complaint against you. The proxy does not help, or have you forgotten that they have your email address?
Why bother. Just mark it as spam.
I second that. Only thing that will help long-term and that will not cause additional problems. Might be a good opportunity to improve your mail-filtering though.
You probably have not looked right. There are basically no "C coder" jobs, but there are a lot of "expert in xyz and can also code c". Jobs that primarily ask for coding skills in one language are just for code-monkeys that will go unemployed in the not-too-distant future when the next hype comes along.
Very much this. A competent coder understands that tabs are not defined the same everywhere and just cause problems, and hence just disables them in the editor used. It is also extremely easy to replace them with proper spaces if you know how wide they are supposed to be in a piece of code.
Anybody that really has a problem with this should not be let near program code as they are just incompetent.
That comment just shows you have no clue. Statically typed languages are not superior to dynamically typed ones ones. Statically typed is a bit better for beginners, but then it stands in your way. Static type safety is just an older hype from the "lets make a language that any moron can code in" crowd, and it basically never delivered on most of its promises.
AT least Python has PCRE. Even if the interface is not nearly as nice as in Perl. One of my few gripes with Python.
Kind of tells you whether you should use it now. And kind of makes checking all the fantastic statements made by the fanbois pretty hard. (Not that it is unclear that most are alternate facts....)
It is also very nice as glue-code, as it has a pretty good interface for embedding C code.
Get an editor that can indent and un-indent blocks and you are fine.
Indeed. It does take a bit to get used to, but not excessively so and I do like that it makes code compacter vertically.