If I understand correctly, companies cannot say "we have received X (let's say 9) requests".
So, is it possible for them to say "We have NOT received 8 or 10 requests"? This clearly doesn't say how many they have received but gives a clue that they might have received 9.
It's not silly but it won't work. People in the tech community typically don't see that you can't "hack the law" like it's a machine or a program. Judges just don't put up with it. They're adept at augmenting the law with case law that covers the loopholes.
Totally, when I first started learning and caring more about the law I came up with all these clever hacks around various legal agreements and laws... Luckily for me I had friends who went to Law School to explain to me that the law is primarily about intent and most of my hacks weren't loopholes but instead plainly in the wrong and would be dealt with in court if they hadn't already through case law. I think it's pretty common for hackers to look at legal agreements like a series of boolean statements that can be solved... sadly it doesn't work that way. Law is complicated :/
Law works the way we want computer programming to work. That is to say, "Do what I meant, not what I coded".
I think we get the impression that it's not that way based on our perception of corporations driving money-filled trucks through legal loopholes, but it's just not the same thing to a judge. Regardless of whether it is to you and me.
>I think we get the impression that it's not that way based on our perception of corporations driving money-filled trucks through legal loopholes
I get the impression that not everyone is playing by the same set of rules, not that they have particularly clever lawyers (although, most of them probably have that as well).
Well, as a good software-engineer-and-qualified-lawyer friend of mine has said, "the power of the law is in its capacity for vagueness".
I often wish law was written more like a computer program, with lots of unit tests up front. But I have no idea how to actually achieve that. Real life is so much more complex than input to any computer program that an attempt to formalise law even more than it already is formalised would just result in it being totally incomprehensible to the people who have to follow it (as opposed to mostly). Plus the man on the street tends to get very angry when people who are "obviously" guilty get off on a technicality.
I've always thought a good starting point would be to hook up Watson or similar software to LexisNexis or Westlaw. Would be lovely to run a new ToS or Privacy Policy through such software and see where it breaks down.
And those signs aren't even what was intended. "Motor vehicle"? Oh, okay, then my Nissan Leaf is not allowed because it has an electric motor, but my motorcycle is okay because it uses a gasoline engine, not a motor.
But I know what they meant, and keep my motorcycle off the bicycle trail. However, the pedant and software developer in me is bothered just a little when I read those signs.
You can probably find an online copy of the city ordinances that specify exactly what "motor vehicle" means in that context. An interesting thing I noticed in one city is that it's technically illegal to drive certain (stock, unmodified) models of car above 3000 RPM due to noise ordinances prohibiting exhaust bypass systems.
I.e. put up a cryptographically signed and timestamped statement that you haven't received a request, then don't update it (or simply take it down) once you receive a request.
Common law systems really aren't as simple as "only intent matters, absolutely nothing clever is tolerated", as many suggest. The problem is mostly that, whenever computers are involved, people involved in the justice system seem to have their sensibilities bizarrely warped. Removing the technological element is likely the best way to get people to think about things sensibly. It is not so much "legal trickery" as it is "framing the matter in terms that the court already understands".
It's not as sophisticated as the blockchain, etc., but about as good - if you pick sensitive pieces of financial news it's clear you could not have known about them in advance. Or sports results.
"Sketch's file format has changed; documents are now truly single files and can be safely emailed or shared via Dropbox and other services without having to zip them up first"
Love this. No distractions, no internet, no spellcheck fixing things for you all the time, no other applications, no stupid notifications trying to steal your attention. Only him and his words.
Update:
I misunderstood, I'm sorry. I wasn't trying to attack but trying to show my concern because I thought he saved some id/keys for himself. Please ignore my comment below.
--
"Still managed to get a few dozen AWS keys though"
Good for you! What a nice person you are. Please abuse more small projects like this. Even if they say it "was only meant for friends to test out".
Oh I see, you just found a security hole and are trying to get some reputation? Cute. Please do it by abusing the small power you found and hurting innocent users. That's really, really nice of you.
"Still managed to get a few dozen AWS keys though"
Wow. Just wow.
You sir, just ruined my night. Thank you.
PS. I am really concerned about your company and its users. If you can do something like this, I wonder what else you could do (or are doing) at your current company. I hope I'm assuming wrong.
Perhaps you're misunderstanding my course of action.
1. I didn't disclose how to do it, merely that it was possible.
2. By "get" I in no way mean harvested. I just manually incremented the ID in the URL by hand in my web browser to see how many users could be affected.
3. Since I never saved any of the information (just viewed the pages) I no longer have it since the flaw was patched.
It's massively important that people bring security issues into the open. Talking about these things creates pressure on developers to build secure web apps. Not talking about them because people like you get 'upset' about "hurting 2 nerds' inspiration" means we get poor information security policies all over the Internet.
As it stands we don't know whether hostile agents (silently) got copies of the AWS keys of every user on the site. That should be incredibly concerning for you, but apparently it's not.
Thank you, yes I'm aware of these. I was trying to focus on the fact that the person who found this security hole used it to get some of this data to himself. But apparently I wasn't clear enough.
I'm still trying to improve my English. Next time I'll try to be more clear. Thank you.
I'm sorry man, but this kind of mistake is unacceptable even for a prototype. This is basic authentication and access control stuff. You'd at least expect this to be implemented if you're giving them your email, needless to say an Amazon token.
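The flaw the thread describes (incrementing the ID in the URL to reach other users' records) and the "basic authentication and access control" the comment above asks for, side by side. This is an added example, not code from anyone in the thread or from the app being discussed; the store, the `Record` type, the `handle_request` helper and the sample secrets are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Record:
    owner: str   # the authenticated user the record belongs to
    secret: str  # stands in for the AWS credentials the thread describes


class RecordStore:
    """Constructed in-memory store with the insecure and hardened lookups side by side."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Record] = {}

    def add(self, owner: str, secret: str) -> str:
        # Opaque, unguessable ids: "add one to the number in the URL" no longer
        # walks other users' records. Defence in depth, not the primary fix.
        record_id = secrets.token_urlsafe(16)
        self._by_id[record_id] = Record(owner, secret)
        return record_id

    def get_insecure(self, record_id: str) -> Optional[Record]:
        # The flawed pattern: whoever supplies an id gets the record; no ownership check.
        return self._by_id.get(record_id)

    def get(self, session_user: str, record_id: str) -> Optional[Record]:
        # The primary fix: the lookup is scoped to the authenticated user.
        record = self._by_id.get(record_id)
        if record is None or record.owner != session_user:
            return None
        return record


def handle_request(store: RecordStore, session_user: Optional[str],
                   record_id: str) -> Tuple[int, str]:
    """Hypothetical HTTP handler around the hardened lookup.

    Unauthenticated callers get 401. A record that exists but belongs to someone
    else yields the same 404 as a missing one, so the response never confirms
    which ids are live.
    """
    if session_user is None:
        return 401, "authentication required"
    record = store.get(session_user, record_id)
    if record is None:
        return 404, "not found"
    return 200, record.secret
```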
The problem with this is that people become more skeptical in general about new products/companies, which is bad for the community as a whole.
The issue here is how do you deal with this kind of thing? Assuming it is in fact bad for others who are trying to get people to test their prototypes, how do we help avoid basic pitfalls like this one? This could be a service...
Why are you upset with him? At least he informed people. You should be more upset with an insecure app. A less talkative person would just keep it and use the AWS accounts for bitmining.
You can find a security hole and report it. That's nice and good behavior. But when you say "I have compromised the data with me", then you are being evil.
I signed up to the app because I liked the idea and wanted to support them. I knew that their app was still in the alpha stage.
I'm upset about his behavior.
I'm upset that his behavior might hurt 2 nerds' inspiration.
I'm not upset that he got my keys.
But you are right. His behavior is still better than not saying anything.
If anything, he did you a favor. You're probably going to create new keys now, whereas you might have written it off as a hypothetical vulnerability otherwise.