I think saying that he "warned them" is a bit dishonest. He said the following as a side note 4 years ago:
I've just checked and you can obtain the password through an API call
after you register a new API user.
They designed this functionality, so they clearly knew it was possible; what he didn't do was explain the impact (take public key from app -> request user password), and if he hasn't notified them since that post, it's entirely possible that they never had a reason to reconsider that (awful) decision. That post 4 years ago can't really be considered "responsible disclosure".
I hope they don't. Last.fm is an app inside Spotify right now, and scrobbling is integrated. All I wish they did is better integration (love tracks, recommendations coming from last.fm instead of whatever they have, etc.), all of which can be done without having to buy last.fm. Last.fm as a standalone service for discovery is good as it is.
Codeigniter has been all but abandoned by EllisLab; the community is giving up on it, and there are far better frameworks available now. For example Laravel: the growth that Laravel is experiencing right now is huge; it has overtaken Codeigniter as the most popular PHP framework on GitHub and has a growing and active community. Anyone even thinking about Codeigniter any more is doing themselves a disservice; Laravel is leaps and bounds ahead of Codeigniter. Laravel is on its way to being the Rails of PHP.
A couple of years ago a server management application called HyperVM had a 0day due to some questionable programming; hundreds of thousands of websites were lost along with a lot of money... the next day the creator took his own life. A lot of people are going to be in a very bad position right now (both customers and people inside mtgox); let's hope it doesn't come to that.
There were no suicides associated with the 1987 Black Monday crash. You're thinking of Black Tuesday in 1929, a much bigger event. Even so, nobody jumped out any windows on Black Tuesday -- it was an urban legend. There were a handful of suicides but nothing statistically significant.
I'm having trouble understanding what you think the relevance of that might be. Obviously, when someone commits suicide, that decision ultimately rests on their shoulders and is borne of their experience/history/state/what-have-you. GP was trying to make a broader point about the difference in levels of significance between a catastrophic business fuck-up and the wasting of human life, a conflation that people without family histories of suicide make all the time.
Quick feedback: Don't commit vendor packages to your repository; make use of Composer (http://getcomposer.org). Separate out your application core from the public folder; that way you don't need to rely on your web server for security: if someone uses nginx, your setup leaves them vulnerable. Look into MVC; you have logic and display mixed together.
You are right. The application does not belong in the public folder. My goal is to make installation as easy as possible. Just copy the code and start to blog. Another reason is that you can't easily run the application in a subdirectory, for example /blog/, if you put the application code behind the public folder.
Composer is a good idea, but with the first version we wanted to deliver one single package for the end users. We would use Composer for the next releases.
If you absolutely cannot separate out the public portion of the application from the core -- which should be possible because even the worst shared hosts allow for folders above public_html -- then you'll need to use a PHP solution for protecting the files. For example, if you define a constant in index.php and then check for that constant in included files, you can prevent access, e.g.:
defined('BASEPATH') OR exit('No direct script access allowed');
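As an added example (not code from the blog project or from the commenter above), here is how that guard constant fits together across two files. The file names public/index.php and app/PostStore.php, the PostStore class and the posts directory are assumptions for illustration. The guard is the first statement of the core file, so a direct request to it (which happens on nginx, where the .htaccess rule is simply ignored) gets a 403 and nothing after the guard executes; using __DIR__ for BASEPATH also keeps the layout working when the site is served from a subdirectory such as /blog/.

```php
<?php
// ==== public/index.php ==== (front controller; the only intended entry point)
// Added example, not the blog project's own code. File names, the
// PostStore class and the 'posts' directory are assumptions.

// Define the guard constant BEFORE including any application file.
// __DIR__ is the filesystem path of this file, independent of the URL
// prefix, so this works unchanged when the site lives under /blog/.
define('BASEPATH', dirname(__DIR__) . DIRECTORY_SEPARATOR . 'app' . DIRECTORY_SEPARATOR);

require BASEPATH . 'PostStore.php';

$store = new PostStore(BASEPATH . 'posts');   // assumed location of *.md posts
header('Content-Type: text/plain; charset=utf-8');
foreach ($store->titles() as $title) {
    echo $title, "\n";
}

<?php
// ==== app/PostStore.php ==== (core file that must never be served directly)

// Guard: when this file is requested directly (GET /app/PostStore.php on a
// server that does not honour .htaccess, e.g. nginx), index.php never ran,
// BASEPATH is undefined, and the request ends here with a 403.
if (!defined('BASEPATH')) {
    http_response_code(403);
    exit('No direct script access allowed');
}

final class PostStore
{
    private $dir;

    public function __construct($dir)
    {
        $this->dir = rtrim($dir, '/\\');
    }

    /** Titles of all posts, taken from the first line of each *.md file. */
    public function titles()
    {
        $titles = array();
        foreach (glob($this->dir . '/*.md') ?: array() as $file) {
            $handle = fopen($file, 'r');
            $first  = $handle ? (fgets($handle) ?: '') : '';
            if ($handle) {
                fclose($handle);
            }
            $titles[] = ltrim(trim($first), '# ');
        }
        return $titles;
    }
}
```

One caveat a reviewer would add: the guard only helps for files PHP executes. Anything else that ends up under the document root (a config .ini, a template, a posts directory) is served verbatim as a static file on a server without the .htaccess deny rule, so the guard is a fallback for the layout described in the thread, not a replacement for keeping the core above the public folder or for an equivalent deny rule in the nginx configuration.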
You are right again. But it will complicate the installation.
The PHP files are secure; they are classes or arrays. If you execute them nothing happens. We have an .htaccess file in the core application folder. The .htaccess file rejects all requests.
We would provide security tips also for nginx users.
Just to repeat: all files except index.php are classes or arrays, and they don't execute any code.
The Minecraft brand and IP are constantly being misappropriated by others for commercial gain, the Minecraft IP is owned by Notch and he has every moral and legal right to protect it. There are numerous deals that are in place that allow third parties to make use of the Minecraft IP for commercial gain, Jinx, Think Geek, Lego, Danilo, 57Digital, 2PP, Sony, Microsoft, deal after deal after deal... Notch has set a clear precedent: If you want to make a commercial venture with the Minecraft IP, work with his company and if they can make it work, they will. This is not a "creative work", it's a commercial work. The creator of this project has previously made creative works involving the Minecraft IP and posted them on Youtube with no opposition from Notch, here's one: http://www.youtube.com/watch?v=uPFD2PVtKQE
This is incorrect. The CEO of PayPal David Marcus has already denied these claims:
To clarify: we have no policies against using PayPal to sell Bitcoin mining rigs.
We don't support any currency txn whether fiat or BTC for a host of regulatory
issues. But we treat BTC and any FX txn the same way. We're believers in
Paypal is banning any account which deals in currency exchange. They are still allowing hardware such as Bitcoin mining devices. The gray area is Casascius Coins, which they are banning because it involves currency exchange even though it is sold with a physical item.
By the way, my post title was changed by someone else. Paypal is NOT banning anything Bitcoin related, they are only banning Bitcoin exchanges for fiat currencies.
Although that open letter received a lot of attention, nothing has changed since then: No transparency about which admin "corrected" the title, not even an indication that this kind of manipulation happened at all. So you as the submitter receive all complaints about the crappy title.
@pg: Note that I fully understand that we HN submitters should not be encouraged to use link-baity names for our submissions. And that we should prefer the original title wherever feasible. But some articles' titles are crap. Some are uninformative, some are misleading, and some titles are even wrong. If it is recommended to remove link-baity numbers from titles ("10 Ways To Do X" -> "How To Do X"), why isn't it equally feasible to replace misleading/wrong titles with informative/correct titles?
I doubt they're lying; what they are doing is mislabelling their experience as representative. Low-level PayPal employees have previously made mistakes that have resulted in people who are selling mining equipment finding their accounts suspended; however, these are misinterpretations of the rules by the lowest level of PayPal employees. The David Marcus statement was in response to a story (almost identical to the story of the bitcointalk poster) from a couple of weeks ago.
Neither the bitcointalk poster nor Paypal's CEO were lying, although the poster's conclusion is now proven to be incorrect.
The OP was selling casascius coins, which contain bitcoin private keys (digital currency) and are therefore against the terms of service. The CS rep the OP talked to incorrectly communicated that ALL bitcoin related items were banned. Later Paypal and their CEO issued a statement clarifying that only digital currencies themselves were banned.
I guess David Marcus didn't (nor anyone else at Paypal) read the FinCEN regs because Bitcoin exchange is not considered "currency exchange" for regulatory purposes because FinCEN says it's not a "currency."
They likely did, you clearly did not: "... a person is an exchanger and a money transmitter if the person accepts such de-centralized convertible virtual currency from one person and transmits it to another person as part of the acceptance and transfer of currency, funds, or other value that substitutes for currency"[emphasis mine]
I didn't say you get out of money transmitter rules. Just that Paypal's "currency exchange" reading and analogy is wrong - see: "...a person who accepts real currency in exchange for virtual currency, or vice versa, is not a dealer in foreign exchange under FinCEN's regulations."
You're still not getting it. Paypal isn't subject to the foreign currency rules of the FinCEN regulations because virtual currencies aren't foreign currencies. Paypal is still subject to the other rules that apply to money transmitters.
As the other responder pointed out, Paypal would be a money transmitter under FinCEN regulations. What FinCen was saying is that Bitcoin and other digital currencies aren't "currencies" in the legal sense because they have no government backing. However, they are "virtual currencies" in the sense that they otherwise function and behave as true currencies. Consequently, the FinCEN regulations apply to Bitcoin and other digital currencies.
FinCEN further stated that miners and persons who are using Bitcoin in non-currency transactions (i.e., paying for services, physical goods, or non-digital-currency intangible goods) are not subject to the FinCEN regulations because they aren't exchanging one currency for another, directly or indirectly, and they aren't functioning as commercial money transmitters.